Lloyd v Google in the EU: Damage and the AG

October 7th, 2022 by Christopher Knight

When I learned from Twitter that Advocate General Campos Sánchez-Bordona had been writing an Opinion dedicated to the late-90s R&B boyband Damage, I was surprised but not shocked. This, I thought, is precisely the sort of esoteric approach to middling music-based law that resulted in so many voting to leave the EU. Imagine, then, my surprise to find upon reading the Opinion in Case C-300/12 UI v Österreichische Post AG (EU:C:2022:756) that there is almost no mention of Jade Jones’ long-term relationship with Spice Girl Emma Bunton, but instead there is a detailed Lloyd v Google style analysis of in what circumstances damages can be obtained for contravention of the GDPR. Read more »


GLO-ing with Satisfaction? Conducting Data Breach Litigation

June 22nd, 2022 by Christopher Knight

Post the little-known judgment in Lloyd v Google LLC, those representing data subjects affected by a data breach (usually, although not always, a data security breach incident) have been considering alternative ways of litigating a large number of small value claims arising from the same factual matrix. The obvious alternative, well-established in various areas of the law, is a group litigation order (“GLO”). (This post does not concern the Netflix series about women’s wrestling. There is more violence, but less lycra. Each to their own.) Read more »


Bounty – A Taste of Data Protection Paradise?

April 14th, 2022 by Christopher Knight

In April 2019, the ICO fined Bounty UK Ltd £400,000 for a breach of the first data protection principle under the DPA 1998, in circumstances where it operated a data broking service alongside pregnancy and parenting support services, but failed transparently and fairly to make clear to data subjects that it would share their data. One of the ways in which Bounty got access to data subjects, was under contracts with NHS Trusts, giving them access to new mothers. Read more »


Substance Abuse: Section 166 Applications and the End of the Road

November 25th, 2021 by Christopher Knight

One of the conspicuous failures of the DPA 2018 has been the right to apply to the Tribunal under s166 for an order that the ICO progress a complaint made to it. Data subjects assume that this allows them to ask the Tribunal to overturn how the ICO has resolved their complaint. They perhaps not unreasonably assume the process would be of limited value if it were limited to the sort of procedural steps set out in s166(1), and they are instead left having to sue the controller under ss167-169. Some very well-regarded commentators have expressed the view that s166 ought to be interpreted more generously. They may think all of those things. But they would think wrong. Read more »


Personal Data and Identifiability

November 24th, 2021 by Christopher Knight

It is a common problem encountered by data controllers that a dataset is in principle anonymous, but where the numbers within that dataset are sufficiently small, the individual data subject(s) to which they relate may be identifiable, particularly when taken with other publicly available information. Datasets released often refuse to provide the specific number where it is below five for that reason. In NHS Business Authority v Information Commissioner & Spivack [2021] UKUT 192 (AAC), the Upper Tribunal reviewed and revisited that issue. Read more »


Immigration Exemption Update

October 11th, 2021 by Christopher Knight

Back in late May 2021, it will be recalled that the Court of Appeal found the immigration exemption in para 4 of Schedule 2 to the Data Protection Act 2018 to be unlawful in its failure to comply with Article 23(2) GDPR: see the post here. The judgment made clear that the question of relief would be a matter for further submissions. A hearing was held on the question of relief on 8 October 2021, at the end of which the Court of Appeal announced in open court its decision. The immigration exemption will be declared to be unlawful, but that declaration will be suspended until 31 January 2022. In other words, the Government has until the end of January 2022 to introduce and bring into effect legislation amending the exemption, so as to avoid harm to the public interest. If it fails to do so, the exemption will be disapplied from that date. The Government’s current stated intention is to amend para 4 by means of regulations made under section 16 DPA. The reasons for that ruling will be handed down in due course.

Christopher Knight