In its (in)famous Google Spain judgment in 2014, the CJEU breathed life into the right to be forgotten. That right – explicitly preserved in the GDPR – is one of the more divisive limbs of EU data protection law: it is good for privacy, but it can be very bad for freedom of expression. That concern is drawn out sharply in current litigation between Google and the French data protection authority, Commission Nationale Informatique et Libertes (CNIL). The crux of the dispute is this: does your EU-given right to be forgotten apply across the whole world? Continue reading →

Remember Jeremy Corbyn in his pre-cult figure days? (Okay, I know he has always been a cult figure to some – but I mean before the election and Glastonbury and so on). Remember the CCTV footage of him slouching about in a vestibule on a busy Virgin train? If so, you will probably remember that Virgin responded to the suggestion of overcrowding by publishing CCTV footage from the train journey to show that there were seats available. Did it breach the DPA in doing so? Continue reading →

You are a journalist wanting to report on an issue of indisputable public interest. The issue involves people’s personal data, but it comes from publicly available sources. There could be no possible objection to your publishing that personal data as part of your story, right? Wrong – at least on the facts of the Satamedia v Finland case, on which the Grand Chamber of the ECtHR gave judgment this week. Continue reading →

As Panopticon devotees will know, the early months of 2017 brought a flurry of judgments about subject access requests – most importantly, in the Dawson-Damer and Ittihadieh/Deer cases. The principles from those judgments have now been incorporated into a revised ICO Code of Practice on subject access requests, published last week. The revised Code is important not only because it reflects up-to-date caselaw, but also because it tells us how the ICO expects to see subject access requests dealt with in practice.

Here are some of the key revisions. Continue reading →

What factors should be taken into account when setting the amount of a monetary penalty for serious contraventions of data protection and privacy laws? Perhaps surprisingly, our case law has to date had precious little to say on this. The recent decision of the First-Tier Tribunal in LAD Media v IC (EA/2017/0022) is a notable exception. Continue reading →

As we all know, the GDPR is all about the harmonisation of data protection across Europe – hence its form as a regulation (directly effective) rather than a directive (domestic implementing legislation needed). Yes, but: the GDPR leaves an awful lot to member states to implement. For example: exemptions to data subjects’ rights, mechanisms for reconciling data protection and freedom of expression, and the machinery of enforcement by supervisory authorities. Until we have domestic implementing legislation, we can’t fully understand how data protection will work after 25 May 2018. Continue reading →