European Data Protection Board adopts guidelines on application of Article 6(1)(b) GDPR
The European Data Protection Board has adopted guidelines on the scope and application of Article 6(1)(b) of the General Data Protection Regulation 2016/679 in relation to information society services. In its guidelines, the EDPB makes general observations regarding data protection principles and the interaction of Article 6(1)(b) GDPR with other lawful bases. In addition, the guidelines contain guidance on the applicability of Article 6(1)(b) GDPR in cases of bundling of separate services and termination of contract.
ICO fines funeral plan firm and serves enforcement notice
The ICO has issued Avalon, a company selling funeral plans, with a monetary penalty notice of £80,000 for making unlawful marketing calls to people who had made it explicitly clear they did not want to receive them. The ICO’s investigation revealed that Avalon had made almost 52,000 calls to people who were registered with the Telephone Preference Service between 1 March and 20 November 2017. Avalon said it had purchased numbers from a third-party lead provider, but had no specific consent to call people registered on the TPS. It failed to carry out proper due diligence or check the numbers against the TPS register. The ICO’s investigation into Avalon found two of the company’s directors at the time of the contravention, had previously been involved in an unconnected ICO investigation and that the company involved in that case had been fined in January 2018 for carrying out unsolicited direct marketing. Those same two people were also the directors of the lead generator company used by Avalon for the data collection in this case, so they would have understood their legal obligations. The ICO understands the directors concerned are no longer associated with Avalon. In addition to the fine, Avalon has also been served with an Enforcement Notice ordering it to improve its practices.
NCSC issues guidance on AI security tools
The National Cyber Security Centre has published guidance on artificial intelligence security tools. The guidance is designed for those looking to use an off the shelf security tool that employs AI as a core component. It may also be of use to those developing in-house AI security tools or when considering AI for some non-security business function. Following a brief primer on AI, the guidance divides the consideration of intelligent security tools in four sections. Each section poses a series of questions to help decide whether an intelligent solution is practical and advantageous for an organisation’s particular security needs.
European Commission issues reports on disinformation
The European Commission has published the latest reports by Facebook, Google and Twitter covering the progress made in March 2019 to fight disinformation. The three online platforms are signatories to the Code of Practice against disinformation and have committed to report monthly on their actions ahead of the European Parliament elections in May 2019. As part of the implementation of the Code of Practice, the platforms met with national regulatory authorities, part of the European Regulators Group for Audiovisual Media Services to discuss the functionality of their political ads repositories. The reports allow the European Commission to verify that effective policies to ensure integrity of the electoral processes are in place before the European elections in May 2019. The European Commission will carry out a comprehensive assessment of the Code’s initial 12-month period by the end of 2019. If the results prove unsatisfactory, the European Commission may propose further actions, including of a regulatory nature.
IAB Europe seeks comments on GDPR framework
The Interactive Advertising Bureau Europe, an industry association for digital advertising, has launched a consultation. It seeks views on the Policies and Technical Specifications for version 2.0 of the of the Transparency & Consent Framework. The consultation ends on 25 May 2019. Following the close of consultation, once the technical specifications and policies have been finalised, detailed implementation manuals will be issued for vendors, publishers and consent management platforms.