Schrems II: standard contractual clauses survive; Privacy Shield dead

July 16th, 2020 by Robin Hopkins

Well this is a fine mess. Austrian privacy campaigner Max Schrems has struck again: transfers of personal data from the EU to the US are suddenly vulnerable again, thanks to today’s CJEU judgment in Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18; 16 July 2020) – the so-called Schrems II judgment. The judgment (see here: Schrems II Judgment) is complex and multi-faceted, but I’ll aim for a nutshell summary just now. Read more »


ZXC v Bloomberg: privacy expectations about criminal investigations

May 15th, 2020 by Robin Hopkins

The Court of Appeal has today given judgment in the long-running ZXC v Bloomberg litigation ([2020] EWCA Civ 611). The key points:

  1. In general, a person does have a reasonable expectation of privacy about the fact that/details of their being subject to a police investigation, up to the point of charge.
  2. Reporting about alleged conduct is different from reporting about a criminal investigation into that conduct.

Read more »


Spam sandwiches: Tribunal dismisses Leave.EU PECR appeals

March 8th, 2020 by Robin Hopkins

Regulation 22 of PECR 2003 – the prohibition on non-consensual electronic direct marketing communications – has been a favourite ICO hunting ground for monetary penalties for many years. Nevertheless, its dos and don’ts have remained stubbornly fuzzy at the edges. Thankfully, the Tribunal’s most recent decision on direct marketing communications is helpful and illuminating. It’s also quite entertaining: a nice montage of Arron Banks, spam, kangaroos and stuff. Read more »


Mean Ms Mustard (Or: covert recordings as admissible evidence)

October 15th, 2019 by Robin Hopkins

Ms Mustard was injured in a road traffic accident, for which she claims compensation. She was examined by medical experts appointed by the insurer. She covertly recorded two of those consultations deliberately, and a third accidentally. She wants to deploy those recordings as evidence in support of her claim. The insurer objected, arguing that the recordings constituted unlawful processing contrary to the GDPR and the DPA 2018. Read more »


Google: forget the right to be forgotten – here come class actions

October 2nd, 2019 by Robin Hopkins

Google got a good result from the CJEU last week on the right to be forgotten front: in Google LLC v CNIL (Case C‑507/17), the French DP regulator’s rather ambitious demand for global delisting on right to be forgotten grounds was overturned. In a nutshell:

Google has acknowledged that the EU’s RTBF rights are undermined if an internet user can simply switch to a non-EU version of Google and see the offending search results. So it implemented geo-blocking measures, whereby an EU user is automatically routed to an EU version of Google (one that doesn’t deliver the offending references), regardless of whether they type in a non-EU Google domain name.

Not good enough, said the CNIL, slapping Google with a €100k fine: Google must de-reference the offending links from search results delivered through any Google domain in the world. Read more »


Facial recognition: a GDPR fine and some further regulation?

September 5th, 2019 by Robin Hopkins

Facial recognition is certainly a hot topic just now. I blogged yesterday about the judgment in Bridges, which saw the Divisional Court dismiss challenges – principally on privacy and data protection grounds – to the use of automated facial recognition technology in a policing context. It would be a mistake, however, for data controllers to assume that the legal and regulatory environment is generally relaxed and permissive about facial recognition. Here are two interesting recent developments to bear in mind alongside the Bridges judgment. Read more »