ESTABLISHED 1987 ‘Battle tested’ Denham ready Issue 85 May 2016 NEWS to take reins at the ICO 2- Comment Laura Linkomies reports from Parliament in Westminster on the Next steps for data protection appointment that now awaits the signature of the Queen. 13 - Royal Mail becomes certified lizabeth Denham, currently previous afternoon. online identity provider Information and Privacy “I’m battle tested as a Commis - Commissioner in British sioner,” she said. “I have never ANALYSIS EColumbia, Canada, was confirmed as shrunk away from an important 8- Legitimate interest ground the next UK Information Commis - issue. I cross swords with the largest under the GDPR: Change ahead sioner by the House of Commons tech companies – I led the first inves - 10 - Member States’ derogations Department of Culture, Media and tigation into Facebook – no other undermine the GDPR Sport (DCMS) Select Committee on 16 - Data Protection in the new 28 April after interviewing her the Continued on p.3 world of Artificial Intelligence MANAGEMENT 7 - Do employers have the right to Get GDPR ready and update read employees’ private emails? 18 - How Transport for London your privacy policy now protects customer privacy As the ICO nudges companies to begin GDPR preparations, Lore 20 - It is time to get GDPR compliant Leitner and Calum Docherty look at the privacy policy options. 22 - Book Review: Protecting yourself recent study found that 38% protect companies rather than to in a world full of scammers of Americans are confused enlighten their users. 23 - UK sessions at Great Expectations by privacy policies. 1 This is As we wrote in last September’s PL&B’s 29th Annual Conference Anot surprising. Many Internet users issue of PL&B UK Report , Septem - and customers find the information ber 2015 pp. 7-8 ), the General Data FREEDOM OF INFORMATION provided in privacy policies notori - Protection Regulation (GDPR), 23 - Latest FOI disclosure logs ously impenetrable, and, at times, which was adopted last month after Delphic. Often, these policies are NEWS IN BRIEF drafted – by lawyers – with a view to Continued on p.4 12 - Government fights cyber crime 12 - Blacklisted construction workers Search by key word on win compensation 15 - Privacy and consumer advocacy www.privacylaws.com 15 - High Court decides on ‘abuse’ of Subscribers to paper and electronic editions can access the following: SAR process • Back Issues since 2000 • Materials from PL&B events 17 - Degradation of privacy standards • Special Reports • Videos and audio recordings ‘abuse’ under competition law ? See the back page or www.privacylaws.com/subscription_info 21 - EU DP Regulation will apply 25 May 2018 To check your type of subscription, contact [email protected] or telephone +44 (0)20 8868 9200. 22 - ICO issues Undertaking on HSCIC 22 - Around 1 in 45 patients opt-out PL&B Services: Publications • Conferences • Consulting • Recruitment Training • Compliance Audits • Privacy Officers Networks • Roundtables • Research COMMENT ISSUE NO 85 MAY 2016 PUBLISHER Stewart H Dresner Next steps for data [email protected] protection in the UK EDITOR Now that we have the EU Data Protection Regulation, the next thing Laura Linkomies to look out for is UK implementation, which is expected to be – again [email protected] – different from most EU Member States. The derogations obviously give all Member States some leeway ( p.10 ) but it is more than likely SUB EDITOR Tom Cooper that the UK government will continue its business-friendly manner of regulating data protection. Watch out for any announcements of a new REPORT SUBSCRIPTIONS data protection law or other type of UK regulation in the Queen’s Glenn Daif-Burns Speech on 18 May. [email protected] Whatever happens, the new EU regime will create much more work CONTRIBUTORS for the ICO, to be headed after 28 June by Elizabeth Denham, currently Information and Privacy Commissioner, British Columbia, Lore Leitner & Calum Docherty Canada. We at Privacy Laws & Business are fortunate to have had a Latham & Watkins LLP great working relationship with her for many years and look forward Merrill Dresner to seeing how she will apply her Canadian experience in the UK ( p.1 ). PL&B Correspondent The ICO is preparing guidance on the GDPR. In the meantime, read Michael D. Smith what our contributors say about revising privacy policies for the Reed Smith LLP GDPR era ( p.1 ), and how to start a successful GDPR compliance Dugie Standeford programme ( p.20 ). In the public sector, changes to the legitimate PL&B Correspondent interest ground for processing are causing extra concern ( p.8 ). William Long & Francesca Blythe Our management stories in this issue include a report on the Sidley Austin LLP experience of the Royal Mail ( p.13 ) and Transport for London ( p.18 ). Also, read on p.16 about the new world of Artificial Intelligence and Nicola Fulford & Gemma Lockyer Kemp Little LLP consequential challenges to data protection concepts. The Data Retention and Investigatory Powers Act 2013 (DRIPA) is due to expire in December 2016, and the government is therefore in a hurry to adopt the Investigatory Powers Bill. Having visited Westminster to attend Elizabeth Denham’s hearing before the Department of Culture, Media and Sport Select Committee, and PUBLISHED BY Privacy Laws & Business, 2nd Floor, having listened to the joint committee and the three witnesses on the Monument House, 215 Marsh Road, Pinner, human rights aspects of the Bill, I must say that it sounds to me that Middlesex HA5 5NE, United Kingdom the issues are still far from clear. The experts basically concluded that Tel: +44 (0)20 8868 9200 the Bill does not include proper human rights protections. The main Fax: +44 (0)20 8868 5215 Email: [email protected] issue is about proportionality. But a European court case may soon Website: www.privacylaws.com challenge the legality of UK’s surveillance laws anyway (http://bit.ly/1SZEfLx ). In the meantime, the Open Rights Group has Subscriptions: The Privacy Laws & Business United Kingdom Report is produced six times a year and is available on an published an informative comparison of changes between the first and annual subscription basis only. Subscription details are at the current version of the Bill ( http://bit.ly/1TPx88Z ). back of this report. Whilst every care is taken to provide accurate information, the publishers cannot accept liability for errors or omissions or for any advice given. Laura Linkomies, Editor Design by ProCreative +44 (0)845 3003753 PRIvACy LAWS & BUSINESS Printed by Rapidity Communications Ltd +44 (0)20 7689 8686 ISSN 2047-1479 Contribute to PL&B reports Copyright: No part of this publication in whole or in part may Do you wish to contribute to PL&B UK Report ? Please contact be reproduced or transmitted in any form without the prior written permission of the publisher. Laura Linkomies, Editor (tel: +44 (0)20 8868 9200 or email: [email protected] ) to discuss your idea, or offer to be interviewed about your organisation’s data protec - © 2016 Privacy Laws & Business tion/Freedom of Information work. O=========j^v=OMNS ==================PRIVACY LAWS & BUSINESS UNITED KINGDOM REPORT © 2016 PRIVACY LAWS & BUSINESS NEWS Elizabeth Denham ... from p.1 Commissioner for British Columbia foi aspects (BC), to becoming the UK Informa - The MPs were particularly interested DPA had gone there. I knocked on tion Commissioner. in hearing how Denham would deal their door in 2008 when they had a “The Information Commissioner in with government communications mere 300 million users. This was a the United Kingdom has similar under the FOIA. Referring to use of small office in Canada investigating powers to the powers that I have as a private e-mails and social media for Facebook. The same with Google Commissioner in British Columbia, so official public sector communications, when I served at the Federal office –I I have order-making power; I have she explained that her guiding principle started an investigation into Google quasi-judicial decision making in free - is that “it is the message not the medi - Streetview because they were hoover - dom of information that is appealable um” that is important. “Even private ing up unsecured WiFi data that had to the courts on an error in law, on emails can be caught under FOIA,” she been illegally collected by the company judicial review, so that is very, very sim - said. “There should be a duty to docu - when they were collecting Streetview ilar. When it comes to data protection ment serious decisions.” images. That was a serious investigation though, I would say Canada has softer She suggested that government, the that took us down to Google’s lab so laws. The Privacy Commissioners in civil service, and MPs should use only that we could witness the destruction, Canada do not have the civil monetary government communication networks, the deletion, of the Canadian data. I penalties and powers that exist for the and use two separate mobile phones – think we might have been the only Information Commissioner on the data one for business and another one for Data Protection Authority that fol - protection side in the United private matters. lowed through to make sure that col - Kingdom.” She said she supports extending lected data was properly and securely Denham explained that Canada has FOIA to not-for-profit organisations deleted.” In 2008, Facebook had no 30 years of experience of Freedom of and companies carrying out work for privacy controls, Denham explained, Information law compared with 10 public sector bodies. She said that but its response after the investigation years in the UK. As a result of her proactive disclosures cut down the was to put controls in place worldwide. investigations, the BC government had number of FOI requests, and should Both companies are now more careful responded in a serious way making therefore be encouraged.