Data Protection News Update 16 October 2023

United Kingdom

ICO looking for entrants for it’s 2024 Regulatory Sandbox

  • “If you’re part of an organisation that’s tackling complex data protection considerations as you create innovative new products and services, the ICO’s Regulatory Sandbox team wants to hear from you”.
  • Current areas of focus that the ICO is accepting expression of interest in are:
    • Biometric processing;
    • Emerging technologies; or
    • Exception innovations.

Court of Appeals rules that the ICO acted lawfully in SAR complaint litigation

  • This ruling comes after a long running battle over a SAR complaint.
  • According to the ICO, this case “raised important questions about how far the ICO has to go in investigation and reaching a decision on the merits of every complaint.”
  • You can find the judgment here:
  • The original facts involved a Mr Delo putting through a complaint to the ICO when he was refused information in a SAR to a financial institution. The ICO responded that the financial institution had complied with its obligations, and that no further action would be taken. Mr Delo then brought a claim for judicial review, which was dismissed.
  • The latest appeal ruling focused on two questions:
    • 1) “Is the Commissioner obliged to reach a definitive decision on the merits of each and every such complaint or does he have a discretion to decide that some other outcome is appropriate?
    • (2) “if the Commissioner has a discretion, did he nonetheless act unlawfully in this case by declining to investigate or declining to determine the merits of the complaint made by the claimant?”

United States

FTC and CFPB Settlement to Require Trans Union to Pay 15 million dollars

  • The settlement comes after Trans Union failed to ensure accuracy of tenant screening reports.


EU General Court rules against interim measures to pause the implementation of the EU – US Data Privacy Framework

  • The Court ruled that Latombe – the French Member of European Parliament that filed against the transfer agreement and subsequent adequacy decision – could not prove the individual or collective harm the agreement raises.

AEPD updates controllers’ data breach response tool


New Zealand privacy commissioner shares its two cents on CCTV use in school bathrooms

  • Schools want to know if they can install CCTV networks in the bathrooms of children and other young people, to tackle negative behaviour such as vaping and bullying.
  • The Office of the Privacy Commissioner recommends schools looking to do this to do a privacy impact assessment beforehand.


More Posts

Send Us A Message