FOIA and security bodies: running sections 23 and 24 together

Some knotty FOIA debates end up generating confusing and apparently contradictory case law; some others get resolved by an authoritative three-person Upper Tribunal. The recent judgment of the UT (Mrs Justice Farbey and UT Judges Mullan and Wikeley) in FCDO v IC, Williams and Others [2021] UKUT 248 (AAC) is a neat example of the latter. It deals with the interplay between sections 23 and 24 of FOIA. Continue reading

Court of Appeal finds DPA exemption is unlawful under GDPR

The Court of Appeal’s judgment in R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800, handed down this morning, concludes that the ‘immigration exemption’ in Schedule 2 to the DPA 2018 is not compliant with the GDPR. That is a very significant conclusion in its own right, from the perspectives of both immigration and data protection law. But the Court’s analysis also applies to a more general question: what does a valid (i.e. GDPR-compliant) exemption from data protection rights and duties look like? Continue reading

FOIA and security bodies: the definitive principles

My colleague Christopher Knight is a man of principle. In particular, he articulated the “Goldsmith Principles”, a kind of roadmap for dealing with the legitimate interests processing condition under DP law – see the Goldsmith judgment, and the approval of the Goldsmith Principles in Cooper. In a recent judgment from the Upper Tribunal, he has done the same for the security bodies exemption under section 23 of FOIA. Continue reading

Leave it out: marketing content in non-marketing emails

Regulation 22 of PECR 2003 makes just about anybody working with marketing emails wince. It prohibits the sending of “unsolicited communications for the purposes of direct marketing” by electronic means (emails, texts, etc.) unless the recipient has consented, or unless the “soft opt-in” applies. How does this apply to emails with mixed content, i.e. that contain some bits of marketing material? Are these caught or not? Continue reading

Data-sharing safeguards: no ‘micro-managing’

Data-sharing arrangements between one controller and another proliferate across all sorts of processing contexts, aimed at all sorts of purposes. If those arrangements are to comply with the GDPR and/or DPA 2018, they need to be structured so as to ensure that the data-sharing satisfies the data protection principles. This includes having ‘appropriate technical and organisational measures’ in place. So far, so clear. But how do you assess whether your measures are ‘appropriate’? And if push comes to shove, how will a court approach that assessment? Continue reading