A Data Bridge over Troubled Waters?

On 12 October 2023, the Data Protection (Adequacy) (United States of America) Regulations 2023 will come into effect and the UK-USA ‘data bridge’ will be effected. This will mean that, under the terms of the revised EU-US Data Privacy Framework, and the UK Extension to it, transfers of personal data from the UK to a person in the USA on the Data Privacy Framework List will be deemed to meet the test of adequacy for the purposes of the UK GDPR and the DPA 2018.

How Do You Solve a Problem Like Korea?

By making it the subject of the UK’s first post-Brexit UK GDPR data adequacy decision of course! With effect from 19 December 2022, the UK has designated the Republic of Korea as providing an adequate level of protection of personal data: see the Data Protection (Adequacy) (Republic of Korea) Regulation 2022. Regulation 2(2) specifies that a “transfer described by this subsection is a transfer of personal data to a person in the Republic of Korea who is subject to the Personal Information Protection Act as that Act forms part of the law of the Republic of Korea and has effect from time to time”.

Lloyd v Google in the EU: Damage and the AG

When I learned from Twitter that Advocate General Campos Sánchez-Bordona had been writing an Opinion dedicated to the late-90s R&B boyband Damage, I was surprised but not shocked. This, I thought, is precisely the sort of esoteric approach to middling music-based law that resulted in so many voting to leave the EU. Imagine, then, my surprise to find upon reading the Opinion in Case C-300/12 UI v Österreichische Post AG (EU:C:2022:756) that there is almost no mention of Jade Jones’ long-term relationship with Spice Girl Emma Bunton, but instead there is a detailed Lloyd v Google style analysis of in what circumstances damages can be obtained for contravention of the GDPR.

GLO-ing with Satisfaction? Conducting Data Breach Litigation

Post the little-known judgment in Lloyd v Google LLC, those representing data subjects affected by a data breach (usually, although not always, a data security breach incident) have been considering alternative ways of litigating a large number of small value claims arising from the same factual matrix. The obvious alternative, well-established in various areas of the law, is a group litigation order (“GLO”). (This post does not concern the Netflix series about women’s wrestling. There is more violence, but less lycra. Each to their own.)

Bounty – A Taste of Data Protection Paradise?

In April 2019, the ICO fined Bounty UK Ltd £400,000 for a breach of the first data protection principle under the DPA 1998, in circumstances where it operated a data broking service alongside pregnancy and parenting support services, but failed transparently and fairly to make clear to data subjects that it would share their data. One of the ways in which Bounty got access to data subjects was under contracts with NHS Trusts, giving them access to new mothers.

Substance Abuse: Section 166 Applications and the End of the Road

One of the conspicuous failures of the DPA 2018 has been the right to apply to the Tribunal under s166 for an order that the ICO progress a complaint made to it. Data subjects assume that this allows them to ask the Tribunal to overturn how the ICO has resolved their complaint. They perhaps not unreasonably assume the process would be of limited value if it were limited to the sort of procedural steps set out in s166(1), and they are instead left having to sue the controller under ss167-169. Some very well-regarded commentators have expressed the view that s166 ought to be interpreted more generously. They may think all of those things. But they would think wrong.