The High Court (Langstaff J) has today handed down an almost 200 paragraph judgment in the first ever group litigation data breach case to come before the courts. The issue for the court was whether the defendant data controller, Morrisons, was in principle either directly or vicariously liable for the actions of a rogue employee who had, as an act of malice directed at his employer, taken payroll data relating to some 100,000 employees and published it online. The court concluded that, despite itself having been entirely innocent of the misuse, Morrisons was in principle liable to compensate all the claimants in the group, some 5,500 individuals, on the basis of the application of common law (no fault) vicarious liability principles. Continue reading →

Time for a few data protection-related updates which don’t merit a full post of their own (or at least, not one I can be bothered to write) but which readers may or may not have missed. Continue reading →

Data protection developments are not often seen through a constitutional lens, but readers may be interested to glance at the recent post by Oliver Butler from the UK Constitutional Law Blog on concerns about clause 15 of the Data Protection Bill and the delegated legislation powers it provides. There will be much to watch out for as the Bill progresses.

Christopher Knight

Data protection lawyers and specialists have long been used to their area of expertise being treated as a rather mould-infested and irritating area of the law, like champerty but with more Schedules. Amongst other things, Brexit seems to have caused a bit of an upsurge in interest in how cross-border data flows are going to be managed in the brave new world. (Panopticon has seen articles in the last few months mentioning the GDPR and data protection after Brexit in the LRB and Private Eye, which is a bit like unexpectedly finding your girlfriend on page 3 of the Sun and the New Left Review on the same day.) HM Government have also recognised the importance of the issue, and have today published their position paper entitled ‘The exchange and protection of personal data’. Continue reading →

What happens when your FOIA request to a public authority is met with the response that it would breach the cost limits set under section 12 to respond to the request because the authority’s record keeping systems are in a particular (i.e. poor) state? In a word: tough. Continue reading →

It is worth noting a couple of data protection developments from our European neighbours from the last week or so. First, Advocate General Kokott has handed down an Opinion in Case C-434/16 Nowak v Data Protection Commissioner (ECLI:EU:C:2017:582) about examination scripts. Second, the CJEU has delivered itself of Opinion 1/15 (ECLI:EU:C:2017:592) on the compatibility with Charter rights of the envisaged agreement between the EU and Canada on Passenger Name Record data. Continue reading →