DCMS publishes guidance for tech companies on online safety for children, ICO investigates mobile phone data extraction by police in the UK, ICO issues fine of £200,000 for making nuisance calls and more in this week’s round-up of UK and EU techlaw news developments not covered elsewhere on the SCL website.
DCMS publishes guidance for tech companies about online safety for children
The Department for Digital, Culture, Media & Sport has published new guidance on how technology companies can improve online protection for children within their services. There are two sets of guidance. The “safety by design” guidance aims to help companies increase and prioritise the safety measures of their products and minimise risks of online harm happening. The second piece of guidance considers a ‘one-stop shop’ safety measure which aims to provide businesses with guidance to protect children when using their platforms. It also provides information about data protection and privacy, user interactions and protecting children from online sexual exploitation and abuse.
ICO investigates mobile phone data extraction by police in the UK
The ICO has investigated mobile phone extraction by police across the UK. It says that mobile phones often store large amounts of highly sensitive data, including biometric, financial and medical data, as well as personal information that reveals an individual’s location, political or religious beliefs, sexual orientation, and ethnic origin. When the ICO investigated concerns about the potential for excessive processing of personal data extracted from mobile phones by police forces, in a process known as mobile phone extraction, it found it to be a complex area, covered by a broad range of legislation relating to criminal justice and data protection. It has now published investigation reports for all home nations of the UK, including an update for England and Wales and new reports for the other home nations. The reports examine the relevant data protection rules in some detail and provide key recommendations on how to comply with the law: Scotland, Northern Ireland and England and Wales.
ICO issues fine of £200,000 for nuisance calls
The ICO has issued a fine of £200,000 to a Leeds-based firm for making more than 11 million unlawful claims management calls. An ICO investigation, prompted by complaints from the public, found that the firm concerned had made repeated nuisance calls to people about PPI. It failed to provide evidence that it had sufficient consent to call any of the complainants. The ICO also found no evidence to suggest that any staff training had been provided about the requirements of the Privacy and Electronic Communications Regulations and the specific rules for claims management firms. The ICO also issued an Enforcement Notice.
European Data Protection Supervisor issues opinion on proposed regulation on markets in crypto assets
The European Commission adopted a proposal for a regulation on markets in crypto assets in September 2020. The EDPS has now issued an opinion on the proposal. It says that broader reflection is required about how to better ensure that the underlying technology of crypto assets respects data protection rules and principles. The EDPS also stresses that EU lawmakers are responsible for ensuring that processing in the proposed Regulation can be implemented in a way that complies with data protection law. It also emphasises the responsibility of controllers to ensure compliance in accordance with the principle of accountability. The EDPS considers that issuers of crypto assets would typically be controllers under the GDPR, and this should be explicitly designated in the proposed Regulation. In addition, processing personal data may meet two or more of the criteria that indicate that processing is likely to result in a high risk under data protection law, and therefore the issuer of crypto assets will need to perform a data protection impact assessment. The EDPS welcomes the objective of the proposed regulation to enhance the protection of consumers. However, the proposal should also require issuers to make particularly prominent certain guarantees regarding data protection. The impact on the protection of the personal data of individuals should be considered when calculating administrative penalties. The EDPS also said that the principle of storage limitation requires that personal data is stored for no longer than is necessary for the purposes for which it is stored, and recommends setting out a maximum, rather than a minimum, data retention period.