Brexit and the Future of Data Protection

June 24th, 2016 by Anya Proops QC


As we all reel in shock at today’s news, thoughts will inevitably turn to how our impending divorce from Europe will impact on the sphere of data protection. Our own data protection laws have of course been profoundly shaped by Europe. Until yesterday, many had assumed that Europe’s control over our data protection laws would in due course become even more intensive, as we journeyed into a world in which the EU Data Protection Regulation reigned supreme across Europe. However, the clocks have stopped. The Regulation is not to become law in the UK. The future of data protection law is therefore necessarily shrouded in mystery. Read more »


Environmental information: Court of Appeal to consider the bigger picture

June 21st, 2016 by Robin Hopkins

It is often remarked that there is a paucity of clear binding authority on how to interpret the definition of “environmental information” set out in regulation 2 of the Environmental Information Regulations 2004. The issue is important: it is pivotal to whether a request for information is considered under the EIR or under FOIA. The leading domestic authority to date is the decision of the Upper Tribunal in DECC v IC and Henney [2015] UKUT 0671 (AAC). Read more »


Hold Me Close, I’m an Academic

June 10th, 2016 by Christopher Knight

If I am an extremely well-regarded academic at Cambridge (don’t snigger at the back, I could be) and due to my eminence I do some unpaid voluntary work for a major international group (here, the Inter-Governmental Panel on Climate Change), the work in relation to which I do over my university email account, are those emails held by the University under the Environmental Information Regulations 2004 (“EIR”)?

Read more »


Employment Law and Data Protection

June 3rd, 2016 by Christopher Knight

Employment lawyers have tended to see data protection as an employee weapon; in particular the strategic fishing expedition subject access request as a precursor to High Court or Tribunal claims. But there is at least one angle from which the DPA can be used as a weapon of attack by employers against former employees. Where an employee leaves their employer and takes a client list with him, not only will he be in breach of the usual restrictive covenants he is likely to have, but he may also have committed a criminal offence under section 55 DPA. Read more »


International Data Transfers – Again

May 27th, 2016 by Christopher Knight

Remember how the whole point of the Schrems litigation was that the Irish Data Protection Commissioner wasn’t doing enough (/anything) to query the protections available for data subjects in the US under the Safe Harbor scheme? Well, with the zeal of the convert – or alternatively, on the basis of once bitten, twice shy – the Irish DPC has now announced that its new-found energy encompasses a desire to call into question the compatibility of US data transfers under the approved Standard Contract Clauses, in the light of the Schrems judgment.

Read more »


Dynamic IP addresses can be personal data – Advocate General Opines

May 20th, 2016 by Anya Proops QC

The question of the extent to which privacy rights have a practical purchase in the online world is very much in the news this week (see below my post on this topic earlier today). An important aspect of this issue is the extent to which individuals are positively identifiable as and when they operate within the online environment. If they are not identifiable then, certainly from a data protection perspective, it cannot be said that their data privacy rights are engaged. This identifiability issue was itself central to the Court of Appeal’s analysis in the case of Vidal-Hall v Google. There the issue was whether the tracking data which Google amassed in respect of the online browsing habits of Google users amounted to personal data, so as to engage data protection legislation. The Court of Appeal had no difficulty in concluding that there was at the very least a serious issue to be tried on this question.

But what about dynamic IP addresses are they also sufficiently identifying to amount to personal data? This is the issue which is currently before the Court of Justice of the European Union in the case of Breyer Case C582/14. Importantly, the Advocate General has now given his opinion on the issue, concluding that dynamic IP addresses can indeed constitute personal data (see here). This is an important development, not least because it reaffirms the fact that the clear direction of travel within Europe is firmly in favour of putting data privacy rights centre stage within the online environment.

Finally, it is worth noting that 11KBW’s Tim Pitt-Payne QC and Robin Hopkins have recently been engaged in battle on a very similar issue before the UK’s information tribunal – see here.

Anya Proops QC