The Data Protection Bill: some initial observations

September 18th, 2017 by Robin Hopkins

Anyone who has anything to do with data protection will know that the UK’s Data Protection Bill was published and put before Parliament on Thursday 14 September. But to digest it in full, one needs time, commitment, and coffee. It is not a straightforward read. It seeks to implement the GDPR in full and in Brexit-proof fashion, to plug the gaps that the GDPR requires member states to fill, and also to apply a GDPR-like regime to areas of data processing that are not covered by the GDPR itself. The Bill is of course liable to change in the coming months, but here are some observations and highlights in the meantime. Read more »


Data protection developments: fines, group actions and right to be forgotten

September 12th, 2017 by Robin Hopkins

The GDPR is still eight months away from coming into force, but – as with any such sea-change – it is informing much of our data protection thinking already. In its recent judgment in the Barbulescu case about monitoring employee communications, for example, the European Court of Human Rights cited provisions of the GDPR. Here are some substantive recent developments illustrating the direction of travel in contentious data protection. Read more »


Monitoring employees’ communications: the final word

September 5th, 2017 by Robin Hopkins

In January 2016, Panopticon brought you a post entitled “Employer was entitled to access employee’s private Yahoo! messages (and to sack him)”. It concerned an eye-catching judgment of the Fourth Section of the European Court of Human Rights in the case of Barbulescu v Romania (application 61496/08).

In a nutshell: the applicant had used his employer’s Yahoo! messenger service (intended for work use) for personal communications, including with his fiancé and brother. His employer monitored those communications and sacked him for misuse of its messenger service. Did that monitoring of his private communications breach his privacy rights under Article 8 ECHR? No, said the Romanian courts, and Strasbourg’s Fourth Chamber said likewise (a victory for common sense, said many employers!). But on a further appeal to the Grand Chamber of the ECHR, that assessment has been reversed: the last word is that Article 8 was indeed breached here (what now, ask many employers?). Read more »


Brexit and Data Protection

August 24th, 2017 by Christopher Knight

Data protection lawyers and specialists have long been used to their area of expertise being treated as a rather mould-infested and irritating area of the law, like champerty but with more Schedules. Amongst other things, Brexit seems to have caused a bit of an upsurge in interest in how cross-border data flows are going to be managed in the brave new world. (Panopticon has seen articles in the last few months mentioning the GDPR and data protection after Brexit in the LRB and Private Eye, which is a bit like unexpectedly finding your girlfriend on page 3 of the Sun and the New Left Review on the same day.) HM Government have also recognised the importance of the issue, and have today published their position paper entitled ‘The exchange and protection of personal data’. Read more »


The Wages of Sin is: the Ability to Rely on Section 12

August 24th, 2017 by Christopher Knight

What happens when your FOIA request to a public authority is met with the response that it would breach the cost limits set under section 12 to respond to the request because the authority’s record keeping systems are in a particular (i.e. poor) state? In a word: tough. Read more »


Government publishes data protection bill proposals

August 7th, 2017 by Anya Proops QC

For those of you champing at the bit to learn of the Government’s plans for domesticating the GDPR, I have some good news. The Government has today, in the personage of Matt Hancock MP, Digital Minister, published its ‘statement of intent’ in respect of the new data protection bill – see here. Some key highlights of the proposals include the following: Read more »