We have crossed the Rubicon. Several years of tortuous haggling, drafting and editing have culminated in the new General Data Protection Regulation, which will become the bedrock for EU data protection law. In the last couple of hours, the European Parliament has voted on and approved the final agreed text of the GDPR. The GDPR is expected to come into force around mid-2018. You can read the final text here, and (courtesy of @PrivacyMatters), you can find a photo here of the GDPR’s champion, Jan Albrecht, smiling at the outcome, in his trademark jaunty stiped shirt and jacket.

In the meantime, the immediate future of EU-US personal data transfers is much less certain. Chris Knight has previously explained the ‘Privacy Shield’, a kind of emergency sticking plaster measure introduced in the wake of the Schrems litigation, which killed off the Safe Harbor arrangements for transatlantic transfers. The Article 29 Working Party – perhaps the EU’s most authoritative voice on data protection matters – has this week endorsed aspects of Privacy Shield as an improvement on Safe Harbor. Crucially, however, the A29 WP is far from convinced that Privacy Shield is up the answer. It has ‘strong concerns’, which you can read about here. No Rubicons crossed on this issue just yet.

Robin Hopkins @hopkinsrobin

Suppose confidential, private and sensitive information is sold, leaked or otherwise wrongly disclosed by a rogue employee: is the employer vicariously liable? This question is a troubling one for many an employer and data controller. A new judgment on a claim for misuse of private information sheds some light on this question – and will not be comforting for employers and data controllers. The case is Axon v Ministry of Defence [2016] EWHC 787 (QB).

The Claimant was the commanding officer of a Royal Navy frigate when, in December 2004, he was summoned to London and relieved of his command following an investigation into his alleged bullying of officers on his ship. In that same month, the Sun published articles about the incident (‘Mutiny Skipper Sacked’ and so on). Continue reading →

Gurieva & Anor v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB), a judgment of Warby J of 6 April 2016, is the High Court’s latest word on subject access requests. It illustrates some of the emerging trends in subject access litigation. It is also a salutary reminder to ensure that, for subject access request cases as for any other, adequate evidence is presented. Continue reading →

The Royal Family has been the subject of a good deal of information rights litigation. The most famous is of course the Evans saga, about the ‘advocacy correspondence’ of Prince Charles. There have also been cases about (to name just a few subjects) the cost of police protection for the Royal Family, whether or not the Duchy of Lancaster is a public authority, royal wills and alleged heirs to the throne, as well as – most recently – whether the Duke or Duchy of Cornwall is a public authority for the purposes of the Environmental Information Regulations (EIRs). The most recent judgment focuses on Her Majesty the Queen herself, and reveals the views of Charles (J). Continue reading →

The Duchy of Cornwall was established by Edward III in 1337 for his son. There is a landed estate (the Duchy) and a title (the Duke). Edward III was no doubt unconcerned about any legal duties that may attach to the Duchy; he had bigger fish to fry. In the 21^st century, however, at least one knotty question of legal duty has surfaced. Continue reading →

If you made a successful ‘right to be forgotten’ request to Google in the UK, the outcome would be that the URL you complained of would no longer appear in search results through the google.co.uk search engine. However, by simply using the .com version of the browser instead, that outcome would be neatly sidestepped: the offending URL would appear in the search list against your name, unaffected by your exercise of your right to be forgotten.

Google has announced today that, as requested by the ICO among others, it will change that practice and introduce consistency across the versions of its browser. Continue reading →