We previously noted on this blog the decision in Leighton v Information Commissioner (No.2) [2020] UKUT 23 (AAC), emphasising the limited procedural scope of the right to apply to the Tribunal under section 166 DPA 2018. As that was strictly a permission decision, it is worth updating readers that Judge Wikeley repeated has repeated his analysis in a substantive appeal decision in Scranage v Information Commissioner [2020] UKUT 196 (AAC): see particularly at [6], which notes and corrects the “widespread misunderstanding about the reach of section 166”. The appeal itself concerned the time limit provisions, in now historic form, and need not trouble readers unduly. But Judge Wikeley did return to the jurisdiction at the end of his judgment, querying whether the section 166 jurisdiction was working as intended, given the disproportionate resources they enveloped, along with a concern about the lack of coherence between such procedural matters being raised before the FTT and substantive issues having to be raised in the ordinary courts. Whether anyone takes up that baton remains to be seen. We fear it is not top of the legislative to-do list.

Christopher Knight

Amidst the headlines about standard clauses post-Schrems II, there are a number of other practical issues to remember about international data transfers. In particular, if you are relying on binding corporate rules where your chosen supervisory authority is the ICO in the UK. The EDPB has published an Information Note reminding controllers that before the end of the transition period, they need to have identified and chosen a new EU supervisory authority AND to have obtained an approval decision from that new authority in respect of the BCRs before the end of the transition. So don’t delay. Supervisory authorities are not renowned for their administrative speed. Continue reading →

It is a common trope of media lawyers that defamation claims have been on the wane since the Defamation Act 2013, and that data protection law might be the way to fill the gap. (We at Panopticon scorn such arriviste tendencies.) And in Warby J, there is a willing champion of alignment of legal principles between defamation and data protection. He particularly emphasised the read-across in the context of complaints of inaccurate data processing in NT1 v Google LLC [2018] EWHC 799 (QB) (see here) and he has done so again in his very interesting judgment in Aven v Orbis Business Intelligence Ltd [2020] EWHC 1812 (QB). Continue reading →

Are national Parliaments subject to the GDPR? Yes, says the CJEU, they are: Case C-272/19 VK v Land Hessen (EU:C:2020:535). The reference to a “public authority” within the definition of “controller” in Article 4(7) GDPR was capable of including the Petitions Committee of the State Parliament, and the CJEU noted that there was no exception in Article 23 for legislative bodies. Continue reading →

Is a private registered provider of social housing, a housing association, a public authority within the meaning of the Environmental Information Regulations 2004 and the Fish Legal line of authority (on which see here re the CJEU and here re the UT)? In Information Commissioner v Poplar Housing Association and Regeneration Community Association [2020] UKUT 182 (AAC) (ICO v Poplar Housing), Farbey J (CP) agreed with the First-tier Tribunal that it was not. Continue reading →

When the First-tier Tribunal decides an information rights appeal and finds in favour of the requestor, who has the responsibility for enforcing any non-compliance with that judgment? Is it the FTT, or is the Information Commissioner? In an interesting judgment of Judge Jacobs in Moss v Information Commissioner & Royal Borough of Kingston upon Thames [2020] UKUT 174 (AAC), the Upper Tribunal has held that it is the FTT. Continue reading →