In January 2016, Panopticon brought you a post entitled “Employer was entitled to access employee’s private Yahoo! messages (and to sack him)”. It concerned an eye-catching judgment of the Fourth Section of the European Court of Human Rights in the case of Barbulescu v Romania (application 61496/08).

In a nutshell: the applicant had used his employer’s Yahoo! messenger service (intended for work use) for personal communications, including with his fiancé and brother. His employer monitored those communications and sacked him for misuse of its messenger service. Did that monitoring of his private communications breach his privacy rights under Article 8 ECHR? No, said the Romanian courts, and Strasbourg’s Fourth Chamber said likewise (a victory for common sense, said many employers!). But on a further appeal to the Grand Chamber of the ECHR, that assessment has been reversed: the last word is that Article 8 was indeed breached here (what now, ask many employers?). Continue reading →

In its (in)famous Google Spain judgment in 2014, the CJEU breathed life into the right to be forgotten. That right – explicitly preserved in the GDPR – is one of the more divisive limbs of EU data protection law: it is good for privacy, but it can be very bad for freedom of expression. That concern is drawn out sharply in current litigation between Google and the French data protection authority, Commission Nationale Informatique et Libertes (CNIL). The crux of the dispute is this: does your EU-given right to be forgotten apply across the whole world? Continue reading →

Remember Jeremy Corbyn in his pre-cult figure days? (Okay, I know he has always been a cult figure to some – but I mean before the election and Glastonbury and so on). Remember the CCTV footage of him slouching about in a vestibule on a busy Virgin train? If so, you will probably remember that Virgin responded to the suggestion of overcrowding by publishing CCTV footage from the train journey to show that there were seats available. Did it breach the DPA in doing so? Continue reading →

You are a journalist wanting to report on an issue of indisputable public interest. The issue involves people’s personal data, but it comes from publicly available sources. There could be no possible objection to your publishing that personal data as part of your story, right? Wrong – at least on the facts of the Satamedia v Finland case, on which the Grand Chamber of the ECtHR gave judgment this week. Continue reading →

As Panopticon devotees will know, the early months of 2017 brought a flurry of judgments about subject access requests – most importantly, in the Dawson-Damer and Ittihadieh/Deer cases. The principles from those judgments have now been incorporated into a revised ICO Code of Practice on subject access requests, published last week. The revised Code is important not only because it reflects up-to-date caselaw, but also because it tells us how the ICO expects to see subject access requests dealt with in practice.

Here are some of the key revisions. Continue reading →

What factors should be taken into account when setting the amount of a monetary penalty for serious contraventions of data protection and privacy laws? Perhaps surprisingly, our case law has to date had precious little to say on this. The recent decision of the First-Tier Tribunal in LAD Media v IC (EA/2017/0022) is a notable exception. Continue reading →