Privacy & Information Security Law Blog

On June 28, 2016, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2015 -2016 (the “Report”).

According to the Report, the ICO has dealt with an increase in the number of data protection concerns, handling 16,388 complaints in total. Particularly noteworthy is the £130,000 fine imposed on Pharmacy 2U for breach of the fair processing requirements under the UK Data Protection Act 1998. Pharmacy 2U sold details of over 20,000 customers to a list marketing company without customers' knowledge or consent.

This past year also has seen a rise in the number of incidents reported by companies under the Privacy and Electronic Communications Regulation (“PECR”). This may, in part, be a consequence of the ICO’s mailing campaign to the top lead generation companies. The ICO issued 17 civil monetary penalties under the PECR totaling £1,985,000 to organizations that engaged in a range of unlawful marketing activities; such as nuisance calls.

Christopher Graham, the UK Information Commissioner, has stressed that during the past year the ICO has responded efficiently to unexpected developments, such as the large data breach suffered by Talk Talk, the aftermath of the Schrems decision and the impact on transatlantic data flows, and the consultation regarding the Investigatory Powers Bill in the context of surveillance and security.

The Report highlighted that one of the main challenges for the ICO in the coming years will be to efficiently guide companies in implementing the new EU General Data Protection Regulation and to assess the impact of the UK's referendum decision to leave the EU on future work in this area.