Donald, Where’s Your Schedule 3 Condition to Share Information Aboot Your Troosers?

August 25th, 2016 by Christopher Knight

The insularity of English lawyers can often mean that limited attention is paid to legal developments north of the border. Scotland, like the past, is a legally foreign country and they do things differently there. However, we here at Panopticon are never afraid to join a rousing chorus of ‘500 Miles’ by The Proclaimers (you should see some of the blog’s team at the Christmas Party – carnage). Readers with elephantine memories and little to do by way of fun may recall my post on the Inner House’s judgment concerning the ‘Named Person Service’. At the end of term, the case reached the Supreme Court in The Christian Institute v Lord Advocate [2016] UKSC 51. Apologies in advance for the length of the post which follows… Read more »


Data protection and e-privacy – New Article 29 Working Party Opinion

August 2nd, 2016 by Anya Proops QC

The question of how data privacy rights bite within the online environment is undoubtedly one of the most important questions with which 21st century information rights practitioners have to grapple. It is also one of the most difficult. This is not least because this is an area which is dominated by a European legislative triumvirate which is highly complex and, in a number of areas, heavily under-tested. That triumvirate comprises: the Data Protection Directive (95/46/EC), the E-Privacy Directive (2002/58/EC) and the E-Commerce Directive (2000/31/EC). Read more »


J’accuse! Zola in the Court of Appeal

August 1st, 2016 by Christopher Knight

FOIA does not have a particularly illustrious history in the Court of Appeal. Very few of the judgments which have issued from those august halls provide wider appellate guidance of the type generally useful from the higher courts, and some have been so deathly dull (I’m looking at you, Innes) that even the data protection cases look exciting. So it is with the Court of Appeal decision in Department for Work and Pensions v Information Commissioner & Zola [2016] EWCA Civ 758.

Read more »


Data Protection and the Applicable Law

August 1st, 2016 by Christopher Knight

One of the most interesting difficulties for data protection lawyers over the last few years (wake up at the back) has been the application of a DPA and a Directive drafted in an analogue age to a new digital world. The internet has posed many difficulties, and working out how to apply data protection law to it has been just one of them. It is an area which has begun to repeatedly trouble the CJEU. In Case C-191/15, Verein für Konsumenteninformation v Amazon EU Sàrl (judgment of 28 July 2016) the CJEU returned to the tricky and sui generis way the Directive deals with questions of the applicable law to data protection disputes. Read more »


Multi-jurisdictional personal data processing? Advocate General thinks not.

July 15th, 2016 by Robin Hopkins

While on the subject of data protection and jurisdictional questions (see my earlier post about the Microsoft case), I thought it worth pointing out the Advocate General’s opinion in Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15), issued in recent weeks.

The Microsoft case concerned the limits of US jurisdiction over data held on servers in the EU. What about data held within the EU, but which is being processed in a number of EU member states? Is the data controller subject to the jurisdiction of all of those states? If so, life is potentially very complicated: data protection law in the EU is supposed to be harmonised, but there will always be legitimate variations in how member states implement aspects of the overarching law. Read more »


Clouds, data centres and the location of data: a victory for Microsoft

July 15th, 2016 by Robin Hopkins

The judgment of the 2nd US Circuit Court of Appeals in New York in Microsoft Corporation v USA (Case 14-2985), handed down on 14 July 2016, has been hailed as an important victory not only for the technology giant, but for privacy rights as well.

In brief, the case concerned a warrant issued under the Stored Communications Act (dating from 1986), ordering Microsoft to seize and produce to the US government the contents of a customer’s email account, on the grounds that there was cause to believe the email account was being used for the purposes of drugs trafficking. Microsoft refused to comply in full, on the grounds that the contents of the email account were stored on a server in Dublin. A court held Microsoft to be in contempt. Microsoft appealed. It won. Read more »