How Do You Solve a Problem Like Korea?

January 5th, 2023 by Christopher Knight

By making it the subject of the UK’s first post-Brexit UK GDPR data adequacy decision of course! With effect from 19 December 2022, the UK has designated the Republic of Korea as providing an adequate level of personal data: see the Data Protection (Adequacy) (Republic of Korea) Regulation 2022. Regulation 2(2) specifies that a “transfer described by this subsection is a transfer of personal data to a person in the Republic of Korea who is subject to the Personal Information Protection Act as that Act forms part of the law of the Republic of Korea and has effect from time to time“. Read more »

 

Lloyd v Google in the EU: Damage and the AG

October 7th, 2022 by Christopher Knight

When I learned from Twitter that Advocate General Campos Sánchez-Bordona had been writing an Opinion dedicated to the late-90s R&B boyband Damage, I was surprised but not shocked. This, I thought, is precisely the sort of esoteric approach to middling music-based law that resulted in so many voting to leave the EU. Imagine, then, my surprise to find upon reading the Opinion in Case C-300/12 UI v Österreichische Post AG (EU:C:2022:756) that there is almost no mention of Jade Jones’ long-term relationship with Spice Girl Emma Bunton, but instead there is a detailed Lloyd v Google style analysis of in what circumstances damages can be obtained for contravention of the GDPR. Read more »

 

GLO-ing with Satisfaction? Conducting Data Breach Litigation

June 22nd, 2022 by Christopher Knight

Post the little-known judgment in Lloyd v Google LLC, those representing data subjects affected by a data breach (usually, although not always, a data security breach incident) have been considering alternative ways of litigating a large number of small value claims arising from the same factual matrix. The obvious alternative, well-established in various areas of the law, is a group litigation order (“GLO”). (This post does not concern the Netflix series about women’s wrestling. There is more violence, but less lycra. Each to their own.) Read more »

 

Bounty – A Taste of Data Protection Paradise?

April 14th, 2022 by Christopher Knight

In April 2019, the ICO fined Bounty UK Ltd £400,000 for a breach of the first data protection principle under the DPA 1998, in circumstances where it operated a data broking service alongside pregnancy and parenting support services, but failed transparently and fairly to make clear to data subjects that it would share their data. One of the ways in which Bounty got access to data subjects, was under contracts with NHS Trusts, giving them access to new mothers. Read more »

 

Substance Abuse: Section 166 Applications and the End of the Road

November 25th, 2021 by Christopher Knight

One of the conspicuous failures of the DPA 2018 has been the right to apply to the Tribunal under s166 for an order that the ICO progress a complaint made to it. Data subjects assume that this allows them to ask the Tribunal to overturn how the ICO has resolved their complaint. They perhaps not unreasonably assume the process would be of limited value if it were limited to the sort of procedural steps set out in s166(1), and they are instead left having to sue the controller under ss167-169. Some very well-regarded commentators have expressed the view that s166 ought to be interpreted more generously. They may think all of those things. But they would think wrong. Read more »

 

Personal Data and Identifiability

November 24th, 2021 by Christopher Knight

It is a common problem encountered by data controllers that a dataset is in principle anonymous, but where the numbers within that dataset are sufficiently small, the individual data subject(s) to which they relate may be identifiable, particularly when taken with other publicly available information. Datasets released often refuse to provide the specific number where it is below five for that reason. In NHS Business Authority v Information Commissioner & Spivack [2021] UKUT 192 (AAC), the Upper Tribunal reviewed and revisited that issue. Read more »