Lore Leitner

Subscribe to Lore Leitner's Posts

The Information Commissioner’s Office (ICO) has confirmed that by November 23, 2019, it will present its Age Appropriate Design Code of Practice to the UK Parliament for approval. Unless Parliament objects, this mandatory code will be issued and in force (albeit with a transition period) as early as January 2020.

The final code has been hotly anticipated since the call for input on the issue of age appropriate design in June 2018. Since then, the ICO has worked with a large number of stakeholders to understand the key challenges when designing child-accessible services. In that context, it published its draft iteration of the code for consultation earlier this year (the Draft Code). This Draft Code sets out 16 standards (the Standards) which must be followed when designing online services accessible to children under 18. In an August update, the ICO recognized that the code will cause shifts in the design processes for online services which make use of children’s data, such as the tech, e-gaming and interactive entertainment industries. In light of this the ICO, as well as providing clearer guidelines in the code itself, will provide additional guidance for designers and engineers. The ICO adds, however, that non-compliance is not an option, stressing that “[t]here is no room for companies who decide children’s privacy is a problem that’s simply too hard to solve.”
Continue Reading UK’s Age Appropriate Design Code Pending

On July 5, 2019, the UK’s Data Protection Authority (ICO) issued its “Guidance on the use of cookies and similar technologies” (the Guidance) along with a brief explanatory blog post. At the same time the ICO updated its own website cookie notice and consent, leading by example. The ICO’s blog post makes clear that cookie compliance will increasingly be a regulatory priority, and that companies should start working towards compliance now.
Continue Reading The ICO Issues Its Cookies Guidance: Clarified Stance and Enforcement Priorities

The UK Supervisory Authority (the ICO) has had a headline-busting month. On July 9, 2019, the ICO announced its intention to fine Marriott International more than £99 million under the GDPR (General Data Protection Regulation) for a data breach which took place last year,[1] a figure that would have been record breaking had the ICO not announced its intention to fine British Airways £183 million 24 hours earlier.[2] While it is clear that both of these hefty penalties relate to deficiencies in security practices, the actions that paved the way for such draconian fines are yet to be made public (see “Massive GDPR Fine Proposed by UK ICO Confirms Trend of Increased Focus on EU Data Breaches.”)
Continue Reading Looking Back: The ICO’s Busy Year and Its Record-Breaking Fines

On June 20, 2019, the UK’s Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation’s (GDPR’s) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space.

Background

When the GDPR became effective on May 25, 2018, it imposed new and strict obligations on companies processing personal data. In the UK, the Privacy and Electronic Communications Regulations (PECR), which implements the EU e-Privacy Directive and will soon be replaced by the e-Privacy Regulation, complements the GDPR requirements. Both the GDPR and PECR govern how data is collected and further processed in the online advertising industry, including requiring notice and a legal basis for processing. The PECR specifically applies to the use of cookies and similar technologies and sets out the rules for consent to use these technologies.Continue Reading The ICO Publishes Its Stance on Adtech and Real-Time Bidding

On January 23, 2019, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the Clinical Trial Regulation (CTR) and the General Data Protection Regulation (GDPR), an issue which has been the subject of intense debate and that resulted in a draft, and still non-public, FAQ prepared by the EU Commission. The Opinion comments on the draft FAQ and provides some insight on data protection regulators’ view on how the GDPR applies to patient data collected as a part of a clinical trial.

In short, the EDPB takes the position that consent under the GDPR, and informed consent under the CTR, are different concepts, and that various legal grounds, including consent, are available under the GDPR to process patient personal data in the clinical trial context. Practically speaking, organizations will have to conduct a case-by-case assessment of the various options available.
Continue Reading EDPB Opinion on Consent and Legal Basis in Clinical Trials