Data-sharing safeguards: no ‘micro-managing’

January 25th, 2021 by Robin Hopkins

Data-sharing arrangements between one controller and another proliferate across all sorts of processing contexts, aimed at all sorts of purposes. If those arrangements are to comply with the GDPR and/or DPA 2018, they need to be structured so as to ensure that the data-sharing satisfies the data protection principles. This includes having ‘appropriate technical and organisational measures’ in place. So far, so clear. But how do you assess whether your measures are ‘appropriate’? And if push comes to shove, how will a court approach that assessment? Read more »


Overseas websites and the GDPR’s reach

January 19th, 2021 by Robin Hopkins

Suppose I run a website in the US. I only have staff and offices there, and my target audience is America. Sometimes punters in the UK read my stuff and even buy the odd thing from my website, but not that much, and I don’t really care if they do or not. Is the territorial reach of the GDPR – and/or UKGDPR – wide enough to get me, and thereby expose me to risks of the ICO or civil claimants going after me in the UK? Read more »


Bittersweet Child of Mine: journalistic exemption and monetary penalties

January 14th, 2021 by Robin Hopkins

This week’s decision of the First-Tier Tribunal’s decision in True Vision Productions v IC (EA/2019/0170) is probably one of the last to deal with enforcement action under the old DPA 1998, but it is one of the first that deals with the journalism exemption (section 32 of the DPA 1998, reincarnated in substantially the same form in paragraph 26 of Schedule 2 to the DPA 2018). The exemption saved the controller – the production company, TVP – from part, but not all of its difficulties. TVP did enough, however, to persuade the Tribunal to slash the ICO’s £120k monetary penalty notice to £20k. Read more »


Moss: Article 10 ECHR is irrelevant to FOIA

September 3rd, 2020 by Robin Hopkins

The free expression right conferred by Article 10 ECHR encompasses a right “to receive and impart information and ideas without interference by public authority”. Does this create a right to request information from a public authority, such that a refusal to disclose would constitute an interference with Article 10? Read more »


Key points from the Bridges facial recognition appeal

September 3rd, 2020 by Robin Hopkins

September: Panopticon is scraping itself off furlough and bounding back to school. Here are two information rights from August that are worth noting, both anchored in ECHR rights.

First, readers will recall the high-profile case of R (Bridges) v Chief Constable of South Wales Police and Others. Bridges concerned a challenge on (among others) Article 8 ECHR and DP grounds to the police force’s use of automated facial recognition (AFR) as part of a pilot project aimed at spotting the faces of suspects on wanted lists among the crowds. Read more »


Further (unhappy) thoughts on Schrems II

July 17th, 2020 by Robin Hopkins

In yesterday’s post outlining the Schrems II judgment, I said international data transfers were now in a fine mess. As I re-read the CJEU’s judgment, it occurs to me that my assessment was wrong. It is not a fine mess. It is an awful, almighty mess, it seems to me. Read more »