Friday, September 11, 2015

International (UK): First-tier Tribunal dismisses Optical Express appeal on marketing texts

Although this case is not local, take note of what consent means when you want to use personal information for direct marketing; the same principle/condition will apply in the RSA as well:

The First-tier Tribunal has upheld the Information Commissioner’s enforcement notice requiring Optical Express (Westfield) Limited (Optical Express) to stop sending unsolicited marketing texts, in contravention of section 22(2) of the Privacy Regulations 2003 (as amended), to individuals whose details were obtained under data supplier agreements.
Case: Optical Express used personal data provided by a number of suppliers, including Thomas Cook, to send text messages marketing its laser eye surgery. The Information Commissioner received 7506 complaints from individuals about this. Optical Express argued, among other things, that if their suppliers agreed in their contracts to only supply "consented data" that should be sufficient proof of consent. Brian Kennedy QC disagreed, " ... when consent was obtained by Thomas Cook or whomever, it was not stipulated (or at least it has not been shown to have been stipulated) that the personal data would be processed by OE. Neither was the marketing of specific types of products stipulated ... This falls under the "to guarantee fair processing" category. If the data subject doesn't know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others?" In failing to obtain "proper, fully informed and specific consent", Optical Express had not met the requirements of regulation 22(2

Friday, September 04, 2015

Data Protection: How important is it to know what to do if there is a data breach?

Grupo Financiero Banorte, Mexico’s third largest bank, suffered a data breach earlier this year and is now reportedly being fined 32 million pesos ($1.98 million) by the Mexican data protection authority, the National Institute of Transparency, Access to Information and Protection of Personal Data, for failing to inform all of its clients immediately after the hack occurred. Mexico’s National Banking and Securities Commission is also investigating the matter and is expected to issue corrective measures.

To formulate and implement an effective incident response solution, including but not limited to an attorney and forensic experts on standby, contact Gerrie van Gaalen.

International: The Right To Forget Metadata

The UK’s Information Commissioner’s Office (ICO) has enforced the European cyber law’s “right to be forgotten” against Google over search results linked to a minor crime committed by an individual ten years ago. Last month, the ICO released an enforcement notice ordering the search engine to remove within 35 days nine links associated with the individual’s crime. In some respects, the decision represents an expansion of the right as it involves removing links to articles about Google's removal of articles about the individual.

If you need assistance with submitting a request to remove certain information about you from the search engines, contact Gerrie van Gaalen.

© Copyright 2015 Steptoe & Johnson LLP