Over The Counter Culture» Blog Archive » UK government amends data protection and cookies law

UK government amends data protection and cookies law

The heel dragging is over: just three weeks before the legal deadline for the incorporation of EU changes to online tracking and data protection laws (set out in Directive2009/136/EC) expired, the UK government has finally implemented those changes (too little, too late?). There will be a total of three Statutory Instrument delivering the amendments*; the main one, published very recently, is The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 No. 1208) is here: http://www.legislation.gov.uk/uksi/2011/1208/made

What key changes does it make?

Personal data breaches will now have to be notified to the Information Commissioner;
Stronger enforcement provisions; and
Consumers will now have to give their consent for the import of cookies on to their machines

Beyond more obvious data protection provisions, like the definition of a ‘personal data breach’ (and according duty to notify the Information Commissioner and the victim – backed by a £1,000 fine, reduced to £800 if paid within 21 days), they also force service providers to take proportionate measures to protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration. If your webmail was deleted, for example, this may give rise to a breach of statutory duty by the service provider. It does away with allowance for implied consents largely throughout communications law insofar as it relates to businesses using user data or monitoring user usage of services (express consent is now king).

Regulation 10 makes provision to allow police and the security services to have access to personal data of users of public electronic communications networks and services. It also makes provision to compel service providers to establish and maintain procedures to allow access to that data.

Fines for noncompliance with the regulations are now considerably more severe, as they now reflect Data Protection Act fines (of up to £500,000 for grave breaches).

* The three implementing statutory instruments to look out for are:

The Electronic Communications (Universal Service) (Amendment) Order 2011;
The Electronic Communications and Wireless Telegraphy Regulations 2011; and
The Communications Act 2003 (Maximum Penalty for Contravention of Information Requirements) Order 2011

NB: Be aware that, rather unhelpfully, the UK’s main store of legislation (legislation.gov.uk) does not update the text of secondary legislation (such as these Regulations) when they get amended, so it’s unlikely that when browsing the official register of such laws, you’re actually getting an accurate picture of the law. Just saying.

Bookmark/Share:

Related:

The Facebook Data Protection Act letter

Here is the letter I sent Facebook to ask for my data (for the background to this story, see this post) TO: Data Controller / Legal Compliance Facebook Ireland Ltd Hanover Reach 5-7 Hanover Quay Dublin 2 IRELAND RE: Subject Access Request (Data Protection Acts) Dear Facebook (Ireland), I wish to make a subject [...]...

Facebook is Irish! (let the fun begin)

I am on a very geeky mission: to use the Data Protection Act to tell me exactly what information is used and processed about me. Thanks to a great spot by a Twitter contact, a breakthrough came yesterday: Facebook is an Irish company (for anyone not in the USA), so falls under all the juicy EU pro-consumer law (and Irish laws to boot). Things have just got interesting - read on:...

Related posts brought to you by Yet Another Related Posts Plugin.

This entry was posted on Monday, May 9th, 2011 at 1:49 pm and is filed under Legal. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.