Page 40 - Sheppard Mullin Eye on Privacy 2018 Year in Review

UK’s ICO Fines Marketing Company Over Unsolicited Emails
Posted on September 18, 2018
The UK’s data protection authority, the ICO, recently fined marketing firm Everything DM Ltd for sending almost 1.5 million marketing emails without obtaining sufficient consent as required by the UK’s Privacy and Electronic Communications Regulations. In particular, the company sent messages on its clients’ behalf, and the messages appeared to the recipient to come from the client, not Everything DM Ltd. Yet Everything DM could not establish for the ICO that either it or its clients had obtained consent. Of concern to the ICO was that Everything DM merely “relied on the consent of third parties but didn’t take reasonable steps” to make sure that the appropriate consents were in place. Everything DM has paid a £60,000 fine, and the ICO has served them with an enforcement notice to comply with the law in the future.
PUTTING IT INTO PRACTICE: This case is a reminder that the regulators, including the ICO, are looking closely at whether companies are using information in compliance with the law. We anticipate we may see more such actions in the future.
EU and Japan Strike Tentative Data Transfer Deal
Posted on August 9, 2018
The EU and Japan have reached a “reciprocal adequacy” agreement to allow data to flow more easily between them. As part of a larger bilateral trade deal which included commitments by both parties to reduce tariffs, Japan also agreed to enact additional safeguards to comply with new EU data protection standards. Those additional safeguards include increased data subject rights to access and correction, restrictions upon transfers of EU data from Japan to third countries, and limits on the use of sensitive data. Japan’s independent data protection authority would have enforcement authority over the new rules, and would investigate and resolve complaints from European data subjects. If it is approved by internal committees and regulators in both the EU and Japan, the deal will come into effect this fall. This agreement comes after pressure this summer from the EU Parliament to suspend the US-EU agreement currently in place (the “Privacy Shield” program).
PUTTING IT INTO PRACTICE: While several steps will need to be taken before this agreement is put into place, it demonstrates that countries are increasingly looking at the international flow of data, in particular between the EU and non-EU countries.
FTC Signals that It Will Enforce Statements of GDPR Compliance
Posted on July 3, 2018
Just as companies may be catching their breath after sprinting to get ready for GDPR in time for its recent implementation date, the FTC has now entered the enforcement fray. It has stated that, where companies are choosing to apply GDPR protections to American consumers, the FTC may enforce any failures to abide by those commitments. What does this mean for US companies? As many implemented compliance with GDPR, a number of companies stated publicly that they would be providing some, or all, of the same protections to their other customers. It made sense for the companies: once they were reconfiguring their policies and systems to meet the GDPR requirements for European customers, why not offer the same protections to individuals outside the EU? It was comparatively easy to do and it was good consumer PR. But now the FTC plans to hold them to it.
PUTTING IT INTO PRACTICE: Making sure companies keep their promises is central to the FTC’s mission. This is no different. Think carefully about what you commit to when describing your privacy practices to consumers. Once you make a commitment, make sure you keep it, or the FTC could come calling.