While on the subject of data protection and jurisdictional questions (see my earlier post about the Microsoft case), I thought it worth pointing out the Advocate General’s opinion in Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15), issued in recent weeks.

The Microsoft case concerned the limits of US jurisdiction over data held on servers in the EU. What about data held within the EU, but which is being processed in a number of EU member states? Is the data controller subject to the jurisdiction of all of those states? If so, life is potentially very complicated: data protection law in the EU is supposed to be harmonised, but there will always be legitimate variations in how member states implement aspects of the overarching law. Continue reading →

The judgment of the 2^nd US Circuit Court of Appeals in New York in Microsoft Corporation v USA (Case 14-2985), handed down on 14 July 2016, has been hailed as an important victory not only for the technology giant, but for privacy rights as well.

In brief, the case concerned a warrant issued under the Stored Communications Act (dating from 1986), ordering Microsoft to seize and produce to the US government the contents of a customer’s email account, on the grounds that there was cause to believe the email account was being used for the purposes of drugs trafficking. Microsoft refused to comply in full, on the grounds that the contents of the email account were stored on a server in Dublin. A court held Microsoft to be in contempt. Microsoft appealed. It won. Continue reading →

Facebook nemesis Max Schrems threw into serious disarray the whole (commercially vital) business of EU-US data transfers when his litigation destroyed the Safe Harbor arrangements. A fix was needed, quickly. The European Commission came up with a fix called the “Privacy Shield”. Some, including members of the Panopticon fold, had a disdainful – even gently mocking – take on the Privacy Shield: see for example Chris’ synopsis here. More importantly, the EU’s Article 29 Working Party did not seem entirely impressed by the Privacy Shield proposal.

Earlier this month, however, the EU member states approved the Privacy Shield. Continue reading →

It is often remarked that there is a paucity of clear binding authority on how to interpret the definition of “environmental information” set out in regulation 2 of the Environmental Information Regulations 2004. The issue is important: it is pivotal to whether a request for information is considered under the EIR or under FOIA. The leading domestic authority to date is the decision of the Upper Tribunal in DECC v IC and Henney [2015] UKUT 0671 (AAC). Continue reading →

The Supreme Court has today given judgment in PJS v News Group Newspapers [2016] UKSC 26. It has overturned by a majority (Lords Mance, Neuberger, Reed and Lady Hale) the Court of Appeal’s judgment of 18 April 2015 in the ‘celebrity threesome’ case and restored the interim reporting injunction pending trial. It concluded that, notwithstanding internet publications and articles in the press outside of this jurisdiction, it was not pointless to maintain the interim injunction, and that no genuine public interest in this story had yet been demonstrated. Continue reading →

We have crossed the Rubicon. Several years of tortuous haggling, drafting and editing have culminated in the new General Data Protection Regulation, which will become the bedrock for EU data protection law. In the last couple of hours, the European Parliament has voted on and approved the final agreed text of the GDPR. The GDPR is expected to come into force around mid-2018. You can read the final text here, and (courtesy of @PrivacyMatters), you can find a photo here of the GDPR’s champion, Jan Albrecht, smiling at the outcome, in his trademark jaunty stiped shirt and jacket.

In the meantime, the immediate future of EU-US personal data transfers is much less certain. Chris Knight has previously explained the ‘Privacy Shield’, a kind of emergency sticking plaster measure introduced in the wake of the Schrems litigation, which killed off the Safe Harbor arrangements for transatlantic transfers. The Article 29 Working Party – perhaps the EU’s most authoritative voice on data protection matters – has this week endorsed aspects of Privacy Shield as an improvement on Safe Harbor. Crucially, however, the A29 WP is far from convinced that Privacy Shield is up the answer. It has ‘strong concerns’, which you can read about here. No Rubicons crossed on this issue just yet.

Robin Hopkins @hopkinsrobin