A study of 500 information technology specialists in the U.K. found one-third of professionals have not received any artificial intelligence training and nearly half have no workplace policies for the technology, Infosecurity Magazine reports. Nearly all specialists said they were worried about their organization's ambitions for AI because of inadequate preparation.Full story... Read More

The U.K. Information Commissioner's Office released guidelines for lawful employee monitoring in the workplace. ICO-commissioned research showed 70% of the public views employee monitoring as an invasion of privacy. Deputy Commissioner Emily Keaney said the guidance, aimed at public and private-sector employers, will "remind organisations that business interests must never be prioritised over the privacy of their workers" and "transparency and fairness are key to building trust."Full story... Read More

The U.K. Home Office released guidelines on the interplay between end-to-end encryption standards and children's safety as it relates to the recently passed U.K. Online Safety Bill. The office explained the overlap between the two topics, Meta's leading example on the matter, and current techniques and technological solutions being used. Notably, the guidance also lays out the application of the Online Safety Bill in the encryption-child safety context.Full story... Read More

The U.K. Parliament passed the Online Safety Bill. Secretary of State for Science, Innovation and Technology Michelle Donelan called the bill "a game-changing piece of legislation" with a "common-sense approach." Once the bill becomes law, after receiving Royal Assent, the Office of Communications will take a phased approach to bringing it into force. Companies could face fines of up to 18 million GBP or 10% of their global annual revenue for noncompliance. Full story... Read More

The U.K. Information Commissioner's Office published guidance to help employers understand data protection obligations under the U.K. General Data Protection Regulation and Data Protection Act when handling employees' health information. The ICO said the guidance will "provide greater regulatory certainty," "protect workers' data protection rights" and "help employers to build trust with workers."Full story... Read More

The U.K. Information Commissioner's Office warned organizations against using the blind carbon copy function when sending emails containing sensitive personal information. The ICO also published guidance for organizations on protecting personal information when sending bulk emails. "Organisations that use and share large amounts of data, including sensitive personal information, should consider using other secure means to send communications, such as bulk email services, so information is not sh... Read More

Beyond security obligations and liabilities for controllers and processors under the EU and U.K. General Data Protection Regulations and the U.S. Federal Trade Commission's reasonable security measures requirements, other security-related laws are being enacted. Privacy professionals must be aware of the overlaps between data protection and other security-related laws, not just because of their relevance to liability for security under privacy laws but because compliance with these laws will lik... Read More

The EU General Data Protection Regulation, which came into effect pre-Brexit in May 2018, introduced a consistent framework of fines to enforce compliance with data protection regulations across the EU. Some five years later, the European Data Protection Board released new guidelines on calculating administrative fines under the GDPR 24 May. These new guidelines aim to provide clarity and consistency in the calculation of fines across all EU member states and, in the EDPB's own words, "aim to ha... Read More

The U.K. Department for Science, Innovation and Technology published a white paper with its approach to regulating artificial intelligence technologies. The regulatory framework seeks to "build public trust in cutting-edge technologies and make it easier for businesses to innovate, grow and create jobs." The approach consists of five AI principles: safety, transparency, fairness, accountability and governance, and redress. U.K. regulators will roll out guidance within the next 12 months to help ... Read More

The U.K. Information Commissioner’s Office approved the fourth set of U.K. General Data Protection Regulation certification scheme criteria for training and qualifying service providers. The scheme's intention will "enable … candidates to make informed choices when applying for training" programs so they can maintain confidence their personal data is being processed in accordance with the law. Other certification schemes released so far cover secure disposal and reuse of IT equipment, age assura... Read More

Several significant figures in the privacy landscape shared their thoughts on the keynote stage at the IAPP Data Protection Intensive: U.K. here in London Thursday. The state of play and future of EU enforcement and international data transfers were the focus of a keynote panel moderated by IAPP Research and Insights Director Joe Jones and featuring former U.K. Information Commissioner and current Baker McKenzie International Advisor Elizabeth Denham and NOYB Honorary Chair Max Schrems.  Separa... Read More

Amid the introduction of a new data protection reform bill Wednesday, U.K. Information Commissioner John Edwards said the goals within the ICO25 strategic plan "are not predicated or dependent on law reform." "We can still achieve everything we’ve set out to achieve regardless of the direction the law goes in, within certain limits, but I’m very confident of those limits," Edwards said in a keynote address at the IAPP Data Protection Intensive: U.K. in London, reflecting on his first year in of... Read More

The U.K. released draft data protection reform of its General Data Protection Regulation. On Wednesday, U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced the Data Protection and Digital Information (No. 2) Bill to Parliament.  The first version of the reform bill was originally proposed by the government in July 2022 but was put on pause last September in the wake of Liz Truss's then-appointment as prime minister.  "Co-designed with business from the st... Read More

U.K. Prime Minister Rishi Sunak announced the creation of four new government departments, including a dedicated Department for Science, Innovation and Technology focused on technical innovations. The changes remove digital and data policy responsibility from the Department for Culture, Media and Sport and create the DSIT. The department will “drive the innovation that will deliver improved public services, create new and better-paid jobs and grow the economy,” a press release stated. “Having ... Read More

The U.K. government and Dubai International Financial Centre Authority released a joint statement committing to increased facilitation of personal data flows. The two sides called the new agreement "a robust data bridge" that will help realize "the benefits of the important role that the trustworthy use of data across borders play." The U.K. and the DIFC indicated a mutual understanding on "the importance of existing and future regulatory cooperation as a means of enhancing our objectives."Full ... Read More

Leaders in the U.K. and Japan have established the U.K.-Japan Digital Partnership, a framework to "jointly deliver concrete digital policy outcomes" for citizens, businesses and economies. The partnership will focus initially on four pillars: digital infrastructure and technologies, data, digital regulation and standards, and digital transformation. The countries noted the work ahead of them includes "championing data flows," exploring joint collaboration on data innovation measures and working ... Read More

Work on the proposed U.K. Data Protection and Digital Information Bill is about to gain steam once again. U.K. Department for Digital, Culture, Media and Sport Deputy Director for Domestic Data Protection Policy Owen Rowland told privacy professionals at the IAPP Data Protection Congress 2022 in Brussels, Belgium, that the latest consultation on the stalled bill will begin shortly. The bill previously laid dormant since its introduction to the U.K. House of Commons in July prior to the governme... Read More

In July, the U.K. government introduced the Data Protection and Digital Information Bill, setting out its proposed amendments to U.K. data protection laws. The proposals stem from a consultation conducted by the Department for Digital, Culture, Media and Sport last year. The consultation received nearly 3,000 responses from domestic and overseas organizations representing a cross-section of the U.K. economy. However, not all changes proposed in the bill were included in the consultation process.... Read More

The U.K. government Monday introduced a pair of post-Brexit data reform initiatives aimed at guiding responsible use of data while promoting innovation in the economy, according to two government releases.  In the House of Commons, the government released the Data Protection and Digital Information Bill. In a separate statement, Minister for Media, Data and Digital Infrastructure Matt Warman said the data protection reform bill will help "transform the UK's independent data laws."  In parallel... Read More

Consent is one of the EU General Data Protection Regulation legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous (GDPR Article 6, 7 and Recitals 32, 33 and 43). In the employment context, consent is deemed to be problematic. An actual or per... Read More

Since becoming U.K. Information Commissioner, John Edwards has been busy. Officially taking the reins Jan. 4, Edwards embarked on a listening tour to learn the ins and outs of the U.K. The former New Zealand Privacy Commissioner gave his first major public speech since heading up the ICO at the IAPP Data Protection Intensive in London last month and joined German Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber for a “commissioner’s chat” at the IAPP Global Priva... Read More

In December 2020, the British government presented its national data strategy, outlining its ambition to unlock data value and promote responsible growth by reducing the administrative burden on technology innovators and digital entrepreneurs. The strategy prompted concerns in Brussels that the new U.K. data policy might strive away from the EU General Data Protection Regulation. In early 2020, Prime Minister Boris Johnson announced that the U.K. would establish its own "sovereign" rules in the... Read More

Addressing a room full of privacy professionals at the IAPP Global Privacy Summit 2022, U.K. Information Commissioner John Edwards envisioned many would be looking to regulators to “just tell us what we need to do” to minimize risks, reach compliance and reduce associated costs. “That’s fine,” Edwards said. But he was quick to point out, the most “important thing” about privacy and data protection is “the human story.” “You’re going to see your drug counselor later today. You made that insuran... Read More

Among the many topics top of mind for privacy pros at the IAPP Data Protection Intensive: UK in London is proposed reforms to the UK General Data Protection Regulation and the future of transborder data flows. This comes as the U.K.'s post-Brexit international data transfers agreement officially went into force Monday and negotiations around the current trans-Atlantic impasse continue behind the scenes.  A day after U.K. Information Commissioner John Edwards made his first major public speech s... Read More

Third-party cookies have long been “the glue that holds together the independent ad tech world.” Far surpassing their original purpose of giving “memory” to websites, these cookies are heavily relied upon by marketers to analyze and track online users. Indeed, cookie-based targeted advertisements are the reason why websites can sustain their “free” business models. But what’s good for industry has not been good for user privacy—and the tide is starting to turn. Part one of this two-part series ... Read More

On Aug. 26, the United Kingdom announced big new plans for international data transfers. As one of the world’s largest economies, a long-time leader in multilateral privacy fora, and a frequent interpreter between European and U.S. approaches to data protection, the U.K. is well-positioned to innovate in this endlessly challenging and integral policy arena. Last week, I had the opportunity to discuss the U.K.’s plans with Joe Jones, Deputy Director of International Data Transfers at the U.K. De... Read More

A period of transition for the U.K. data regime has morphed into a complete overhaul. Along with its recent announcement on the future of international data transfers, the U.K. government is now planning further shakeups that could dramatically alter the country's data protection landscape. U.K. Secretary of State for Digital, Culture, Media and Sport Oliver Dowden announced Thursday the government opened a consultation on a series of reforms aimed at reshaping the U.K.'s use and regulation of ... Read More

Plenty of questions around data transfers emerged within the U.K. following Brexit, and it seems the privacy industry is starting to get some answers. In June, the European Commission adopted a pair of adequacy decisions for the U.K., and now the British government has laid out a new slate of initiatives to clarify the picture even further. The U.K. plans to strike independent data adequacy decisions with its international partners, with the goal of delivering alternative data transfer mechani... Read More

Almost five years to the day from when the Brexit vote took place, the questions around U.K. adequacy have been laid to rest, at least for now. The European Commission announced it officially adopted a pair of adequacy decisions for the U.K., one for the EU General Data Protection Regulation and another for the Law Enforcement Directive. The announcement comes just days before the "bridging mechanism" for data transfers between the EU and U.K. was set to expire. "The U.K. has left the EU but t... Read More

Under the recent amendments to the U.K. Network and Information System Regulations, digital service providers needed to appoint a NIS representative by March 31, 2021, in the U.K. The NIS Directive (EU 2016/1148 – NISD) aims to achieve a high standard network and information systems security in the European Union, including the U.K. when initiated. It applies to two types of organizations: operators of essential services and DSPs.   Due to its legal nature, the NIS Directive is different from ... Read More

With the Brexit transitional period ending, the beginning of the year finally brought some clarity about the future of data flows between the EU and U.K. A legally dubious, as not explicitly permitted by the EU General Data Protection Regulation, interim agreement on transborder data flows has been part of the EU-U.K. Trade and Cooperation Agreement and grants a temporary respite for privacy professionals, as well as lawmakers to prepare an adequacy decision. However, the obligations to appoint ... Read More

On Feb. 19, 2021, the European Commission, making use of the powers conferred to it by Article 45(3) of the EU General Data Protection Regulation, released two draft decisions on the adequate protection of personal data by the U.K.: one under the General Data Protection Regulation, the other under the Law Enforcement Directive. If approved, the decisions would grant adequacy status to the U.K. under the GDPR and LED, thereby ensuring EU personal data can continue to flow freely to the U.K., now ... Read More

After years of uncertainty in the wake of the U.K.'s vote in 2016 to leave the EU, there are finally sign posts for privacy pros to look to as both regions aim to secure cross-border data transfers through U.K. adequacy. In a massive trade agreement signed last Christmas Eve, both regions secured a temporary transfer period that provides the U.K. government and European Commission time to complete an adequacy agreement.  But, of course, the clock is ticking.  "We don't see why the U.K. shouldn... Read More

Data brokers, data processing, credit agencies  — for some of us, these terms are mere ambiguities, while for others, common technology buzzwords. For the U.K. legal scene, though, they describe one of the most discussed cases, involving some billion-dollar industries that operate under the radar: "Credit Reference Agencies" and data brokers. The U.K. Information Commissioner's Office recently ordered the credit reference agency Experian to obey its enforcement order and make critical modifica... Read More

After years of wrangling and with the clock ticking louder by the day, British and European negotiators provided a temporary grace period for data flows to continue between the EU and U.K. In the Trade and Cooperation Agreement signed between the EU and U.K. Dec. 24, 2020, data transfers for business and law enforcement purposes can continue until adequacy decisions under the EU General Data Protection Regulation and the Law Enforcement Directive are approved before the end of a six-month grace ... Read More