by Laura Spencer

The Information Commissioner’s Office (‘ICO’) has called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels, including private email, WhatsApp and other similar messaging apps. This follows the announcement earlier this year of an enquiry into the messaging systems used by government throughout the pandemic. The ICO report details a yearlong investigation, launched in 2021 by Commissioner Elizabeth Denham, into the use of these channels by Ministers and officials at the Department of Health and Social Care (‘DHSC’) during the pandemic.

The investigation found that the lack of clear controls, combined with the rapid increase in the use of messaging apps and technologies such as WhatsApp, had the potential to lead to important information about the government’s response to the pandemic being lost or insecurely handled.

Action Taken:

  • The ICO has now issued DHSC with a practice recommendation ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance. This will ensure FOI requests are better managed, particularly in relation to any material created or held in personal accounts.
  • A reprimand has also been issued.
  • To make sure wider lessons are learnt, the ICO is also calling for the government to set up a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised whilst ensuring data protection and transparency requirements are met.

This is a particularly important story when we think about WhatsApp. If you listen to our podcast or read our newsletter regularly, you will know that at Digital Law we frequently mention WhatsApp and the dangers of using the platform for business purposes. This year alone we have covered several stories, including one from the MOD instructing service personnel to use alternative messaging apps such as Signal because of concerns about WhatsApp’s security. This is because, while the app is ‘encrypted’, its messages are stored in the cloud, which makes them more accessible to hackers. Alternatives such as Signal are more secure because no messages are stored in the cloud; they are stored only on the device itself, so effectively the only way to get at the messages would be to take the device.

Finally, for the avoidance of all doubt, this is not a new policy. You should not be using WhatsApp for business purposes, especially in highly regulated sectors such as law, finance and government. This case, which concerns government, highlights why using unsecure platforms can be a real problem for a regulated sector. It also highlights the stance the ICO is likely to take if you, as an organisation, suffer a breach while using WhatsApp or a similar messaging platform such as Telegram.

For more information as well as advice and guidance, please do not hesitate to contact us at

by Laura Spencer

GDPR v PECR: The ICO Multi-Million Pound Enforcement

Since May 2021, the Information Commissioner’s Office (‘ICO’) has issued 37 fines, totalling £3.04 million, to companies for nuisance calls and messages.

These fines fall under the Privacy and Electronic Communications Regulations (‘PECR’) and not the General Data Protection Regulation (‘GDPR’). This is an important distinction when thinking about ICO fines, because the ICO typically focuses on PECR fines rather than GDPR fines. Looking at the number and size of the fines issued, the figures suggest that it is mainly mid-tier SME businesses that have been fined.

In the new Data Reform Bill proposal, the UK government has proposed an increase in fines for organisations that breach PECR, with the aim of preventing companies from contacting people for marketing purposes without consent. It proposes that the ICO’s power to fine companies will increase from the current maximum of £500,000 to up to four per cent of global turnover or £17.5 million, whichever is greater.

Why is this important?

If you are a business that regularly calls customers and potential customers, you may want to review your marketing strategy and how it may be affected by the change. This is also a sign of the increased powers that the ICO will have under the proposed new legislation.

As it stands, the ICO can only penalise organisations for calls that are answered; however, legislation outlined in the Data Reform Bill will allow it to take action over high volumes of unanswered calls. A key point, though, is that these calls still need to be reported before the ICO can act, so while the fine increase is a step in the right direction, arguably it does not do enough to protect consumers.

by Laura Spencer

General Data Protection Regulation (‘GDPR’) and Privacy and Electronic Communications Regulations 2003 (‘PECR’)

The UK had to follow rigid guidelines on data protection and electronic communications as a result of being an EU member. However, now that the UK has left the EU, the government is trying to move away from EU standards and ‘cut the red tape’ for organisations and businesses, changing the laws and regulations around data so that businesses can prosper.

Current Regulation:

Under the current legislation, cookies may not be placed on a device without the consent of the user. There are currently only two limited exceptions to the consent requirement. These are:

  1. for purposes that are essential to provide an online service at someone’s request (e.g. to remember what’s in their online basket, or to ensure security in online banking); or
  2. where needed to transmit a communication over a communications network.

Consent is usually sought through a pop-up notice or banner which appears when a person visits a website. However, as you are no doubt aware, most of the time when a cookie consent banner pops up, you click the accept button without taking the time to read the terms. In seeking to change these regulations, the UK aims to move away from this ‘tick box’ attitude so that users are more aware, in practice, of how their personal data is being used.

Proposed Changes:

The government intends to remove the need for websites to display cookie banners to UK users. This would allow cookies to be installed on a user’s device without explicit consent (for non-intrusive purposes). Moving forward, the government would operate an opt-out model of consent for cookies. This would mean cookies could be set without seeking a user’s consent; however, the website must give the user clear information on how to opt out. Objectively, this would achieve a more hands-on approach, breaking away from the ‘tick box’ consent we use currently.

How could this affect my business?

As a business, this may mean that you will no longer have to display a cookie banner on your website, which in turn may provide a smoother and more enjoyable experience for your users. However, this is a change that only the UK is considering, so it does not apply to other countries’ regulations. It may therefore still be necessary for you to display such banners if you plan on operating outside of the UK. That said, the EU is also consulting on plans to change the rules on cookies and the consent surrounding them; however, any such changes are unclear at the moment.

So what?

As it stands, the UK has been granted data adequacy by the European Commission, which means that personal data can travel freely (as it did before Brexit) between countries in the EEA and the UK. Without adequacy, business and trade between UK businesses and customers outside of the UK would become very difficult. Therefore, when the proposed changes are made, the UK will need to keep the EU ‘on side’ in order to retain this adequacy decision; if any drastic changes are made, the EU may revoke it.