Employment lawyers have tended to see data protection as an employee weapon; in particular the strategic fishing expedition subject access request as a precursor to High Court or Tribunal claims. But there is at least one angle from which the DPA can be used as a weapon of attack by employers against former employees. Where an employee leaves their employer and takes a client list with him, not only will he be in breach of the usual restrictive covenants he is likely to have, but he may also have committed a criminal offence under section 55 DPA.
Year: 2016
International Data Transfers – Again
Remember how the whole point of the Schrems litigation was that the Irish Data Protection Commissioner wasn’t doing enough (/anything) to query the protections available for data subjects in the US under the Safe Harbor scheme? Well, with the zeal of the convert – or alternatively, on the basis of once bitten, twice shy – the Irish DPC has now announced that its new-found energy encompasses a desire to call into question the compatibility of US data transfers under the approved Standard Contract Clauses, in the light of the Schrems judgment.
Dynamic IP addresses can be personal data – Advocate General Opines
The question of the extent to which privacy rights have a practical purchase in the online world is very much in the news this week (see below my post on this topic earlier today). An important aspect of this issue is the extent to which individuals are positively identifiable as and when they operate within the online environment. If they are not identifiable then, certainly from a data protection perspective, it cannot be said that their data privacy rights are engaged. This identifiability issue was itself central to the Court of Appeal’s analysis in the case of Vidal-Hall v Google. There the issue was whether the tracking data which Google amassed in respect of the online browsing habits of Google users amounted to personal data, so as to engage data protection legislation. The Court of Appeal had no difficulty in concluding that there was at the very least a serious issue to be tried on this question.
But what about dynamic IP addresses? Are they also sufficiently identifying to amount to personal data? This is the issue which is currently before the Court of Justice of the European Union in the case of Breyer Case C582/14. Importantly, the Advocate General has now given his opinion on the issue, concluding that dynamic IP addresses can indeed constitute personal data (see here). This is an important development, not least because it reaffirms the fact that the clear direction of travel within Europe is firmly in favour of putting data privacy rights centre stage within the online environment.
Finally, it is worth noting that 11KBW’s Tim Pitt-Payne QC and Robin Hopkins have recently been engaged in battle on a very similar issue before the UK’s information tribunal – see here.
Anya Proops QC
Global privacy restraints – Google vs the CNIL
Google has today published an op-ed in which it makes clear its intention to appeal against the CNIL’s ruling that the so-called ‘right to be forgotten’ has global reach, requiring Google to deindex links not just within Europe but across the world – see here.
This is an important step by Google and brings into sharp focus the question of how privacy rights should operate within an effectively globalised online environment. It is interesting that this development comes so soon after the Supreme Court’s judgment in PJS (as to which see Robin’s post here). In PJS, we have seen the Supreme Court trying to hold back the tide of online publicity in order to protect the remnants of PJS’s privacy. Now Google is mounting an appeal which is effectively designed to geo-locate privacy rights, giving them a purchase in some jurisdictions but not others. Of course, the PJS case itself illustrates the practical difficulties which such a parochialising approach to the protection of privacy rights can create. On the other hand, is it really right that domestic courts within Europe are in effect able to foist their legal culture on other jurisdictions, jurisdictions which may well approach the protection of privacy rights in a very different way? Is this a kind of intolerable legal imperialism or is it an approach which can be justified on the basis that the right to privacy is indeed a universal right which does not wax and wane based on geographical factors? These are all really important questions which now lie at the heart of debates surrounding the relationship between data privacy rights and online freedoms.
Anya Proops QC
Privacy can survive online publicity: Supreme Court restores ‘celebrity threesome’ injunction
The Supreme Court has today given judgment in PJS v News Group Newspapers [2016] UKSC 26. It has overturned by a majority (Lords Mance, Neuberger, Reed and Lady Hale) the Court of Appeal’s judgment of 18 April 2015 in the ‘celebrity threesome’ case and restored the interim reporting injunction pending trial. It concluded that, notwithstanding internet publications and articles in the press outside of this jurisdiction, it was not pointless to maintain the interim injunction, and that no genuine public interest in this story had yet been demonstrated.
Transparency Updates and the Revised s45 Code
A few transparency-related updates for readers, which will have a potential impact on (a) the engagement of exemptions under FOIA and the EIR, and (b) the public interest balance. As the Government insists on more openness about certain types of information, including its own, so the withholding of similar information will be harder to justify. There is also now a confirmation that a revised Code of Practice under section 45 FOIA is on its way.