For those of you who missed Elizabeth Denham’s first speech as the UK Information Commissioner, you can read it here. Ms Denham also spoke on Friday’s Radio 4 PM programme, which you can listen to here.

One of the core themes emerging from Ms Denham’s speech was the importance of public trust when it comes to the management of personal data. The delivery of Ms Denham’s speech was particularly timely in view of the fact that it coincided with the release of a survey by the Chartered Institute of Marketing (CIM) survey which showed that, of the 2,500 people surveyed, 57% did not trust companies to handle their data responsibly – see here. Continue reading →

The question of how data privacy rights bite within the online environment is undoubtedly one of the most important questions with which 21^st century information rights practitioners have to grapple. It is also one of the most difficult. This is not least because this is an area which is dominated by a European legislative triumvirate which is highly complex and, in a number of areas, heavily under-tested. That triumvirate comprises: the Data Protection Directive (95/46/EC), the E-Privacy Directive (2002/58/EC) and the E-Commerce Directive (2000/31/EC). Continue reading →

So five days on from the Brexit referendum and it is clear that that there is no clear, carefully thought out strategy for extricating ourselves from the EU legal edifice. If you feel that this ‘make it up as we go along’ approach to the biggest legal and political challenge which our country has faced in decades is somewhat less than satisfactory, you will be pleased to learn you are not alone.

But if the path to Brexit is unclear you can at least assume that the journey will not be swift. Indeed, it seems likely that it will take at least two years and probably more before we part company with our EU brethren. Why does this matter, apart from the fact that it leaves our country in a protracted state of general confusion and uncertainty? Well for the readers of this blog it matters because there is at least one major piece of EU legislation which is due to take effect within the next two years, namely the EU General Data Protection Regulation.

Continue reading →

THIS POST SHOULD BE READ IN CONJUNCTION WITH MY MORE RECENT POST ON THIS SUBJECT – SEE HERE

As we all reel in shock at today’s news, thoughts will inevitably turn to how our impending divorce from Europe will impact on the sphere of data protection. Our own data protection laws have of course been profoundly shaped by Europe. Until yesterday, many had assumed that Europe’s control over our data protection laws would in due course become even more intensive, as we journeyed into a world in which the EU Data Protection Regulation reigned supreme across Europe. However, the clocks have stopped. The Regulation is not to become law in the UK. The future of data protection law is therefore necessarily shrouded in mystery. Continue reading →

The question of the extent to which privacy rights have a practical purchase in the online world is very much in the news this week (see below my post on this topic earlier today). An important aspect of this issue is the extent to which individuals are positively identifiable as and when they operate within the online environment. If they are not identifiable then, certainly from a data protection perspective, it cannot be said that their data privacy rights are engaged. This identifiability issue was itself central to the Court of Appeal’s analysis in the case of Vidal-Hall v Google. There the issue was whether the tracking data which Google amassed in respect of the online browsing habits of Google users amounted to personal data, so as to engage data protection legislation. The Court of Appeal had no difficulty in concluding that there was at the very least a serious issue to be tried on this question.

But what about dynamic IP addresses are they also sufficiently identifying to amount to personal data? This is the issue which is currently before the Court of Justice of the European Union in the case of Breyer Case C582/14. Importantly, the Advocate General has now given his opinion on the issue, concluding that dynamic IP addresses can indeed constitute personal data (see here). This is an important development, not least because it reaffirms the fact that the clear direction of travel within Europe is firmly in favour of putting data privacy rights centre stage within the online environment.

Finally, it is worth noting that 11KBW’s Tim Pitt-Payne QC and Robin Hopkins have recently been engaged in battle on a very similar issue before the UK’s information tribunal – see here.

Anya Proops QC

Google has today published an op-ed in which it makes clear its intention to appeal against the CNIL’s ruling that the so-called ‘right to be forgotten’ has global reach, requiring Google to deindex links not just within Europe but across the world – see here.

This is an important step by Google and brings into sharp focus the question of how privacy rights should operate within an effectively globalised online environment. It is interesting that this development comes so soon after the Supreme Court’s judgment in PJS (as to which see Robin’s post here). In PJS, we have seen the Supreme Court trying to hold back the tide of online publicity in order to protect the remnants of PJS’s privacy. Now Google is mounting an appeal which is effectively designed to geo-locate privacy rights, giving them a purchase in some jurisdictions but not others. Of course, the PJS case itself illustrates the practical difficulties which such a parochialising approach to the protection of privacy rights can create. On the other hand, is it really right that domestic courts within Europe are in effect able to foist their legal culture on other jurisdictions, jurisdictions which may well approach the protection of privacy rights in a very different way? Is this a kind of intolerable legal imperialism or is it an approach which can be justified on the basis that the right to privacy is indeed a universal right which does not wax and wane based on geographical factors? These are all really important questions which now lie at the heart of debates surrounding the relationship between data privacy rights and online freedoms.

Anya Proops QC