Welcome back to our second edition of ‘In Perspective’ from Xcina’s Data Protection Team, where we highlight the key issues and developments dominating the headlines in recent days.
Our weekly review aims to keep readers informed of the latest news and provide the knowledge and insight to help businesses maintain a defensible position against the requirements of data protection law.
The UK government’s Department of Digital, Culture, Media and Sport (DCMS) have published their consultation paper on proposed reforms to the country’s data protection regime.
Following Brexit, the UK is now free to develop its own data protection laws.
The consultation paper includes recommendations to replace the requirement for businesses to designate a Data Protection Officer, remove obligations relating to the completion of Data Protection Impact Assessments and introduce a fee regime when responding to a data subject access request.
Cookies and other similar technologies are also covered within the paper, including proposals to permit businesses to use analytics cookies without the user’s consent.
Why It Matters
Many businesses have been working to ensure they have an effective privacy programme in place to achieve accountable data protection practices.
The changes that are being suggested will compel businesses to, once again, reassess what they are doing and act accordingly.
Whilst many of the proposals indicate a ‘watering-down’ of current requirements, UK businesses that target and monitor individuals in the EU would still be affected by the EU GDPR.
Lastly, this consultation represents the first stage in the ‘legislation journey’. The final reforms are likely to be fairly different, and it may be months or even years until they are law.
Hot on the heels of being fined by the Irish data protection regulator, WhatsApp have been issued another fine by the Turkish data protection authority for not offering users a free choice on whether to share their personal data.
The Turkish data protection regulator considered that, in this case, consent would be invalid as it is not freely given.
When requesting consent to process someone’s personal data, it must be ‘freely given’.
This means people must be able to refuse consent without detriment and must be able to withdraw consent easily at any time.
It also means consent should be unbundled from other terms and conditions wherever possible.
Freely given consent will also be more difficult to obtain in the context of a relationship where there is an imbalance of power, e.g. between an employer and an employee.
The UK’s Information Commissioner’s Office (ICO) has fined Glasgow-based company DialADeal Scotland Limited for making more than half a million nuisance marketing calls, including calls relating to loft insulation and boiler replacement services.
These calls were made to numbers registered with the Telephone Preference Service (TPS) where people had not given their permission to receive them.
Following an investigation by the ICO, the company were fined £150,000.
Why It Matters
The rules on direct marketing via telephone calls are clear.
In general, organisations must not make marketing calls to any number listed on the TPS or Corporate TPS (CTPS), unless that person or business has specifically consented to marketing calls.
Internal procedures relating to telephone marketing should therefore include steps to screen call lists against the TPS and CTPS beforehand.