Overseas websites and the GDPR’s reach

Suppose I run a website in the US. I only have staff and offices there, and my target audience is America. Sometimes punters in the UK read my stuff and even buy the odd thing from my website, but not that much, and I don’t really care if they do or not. Is the territorial reach of the GDPR – and/or UKGDPR – wide enough to get me, and thereby expose me to risks of the ICO or civil claimants going after me in the UK? Continue reading

Bittersweet Child of Mine: journalistic exemption and monetary penalties

This week’s decision of the First-Tier Tribunal’s decision in True Vision Productions v IC (EA/2019/0170) is probably one of the last to deal with enforcement action under the old DPA 1998, but it is one of the first that deals with the journalism exemption (section 32 of the DPA 1998, reincarnated in substantially the same form in paragraph 26 of Schedule 2 to the DPA 2018). The exemption saved the controller – the production company, TVP – from part, but not all of its difficulties. TVP did enough, however, to persuade the Tribunal to slash the ICO’s £120k monetary penalty notice to £20k. Continue reading

Key points from the Bridges facial recognition appeal

September: Panopticon is scraping itself off furlough and bounding back to school. Here are two information rights from August that are worth noting, both anchored in ECHR rights.

First, readers will recall the high-profile case of R (Bridges) v Chief Constable of South Wales Police and Others. Bridges concerned a challenge on (among others) Article 8 ECHR and DP grounds to the police force’s use of automated facial recognition (AFR) as part of a pilot project aimed at spotting the faces of suspects on wanted lists among the crowds. Continue reading

Schrems II: standard contractual clauses survive; Privacy Shield dead

Well this is a fine mess. Austrian privacy campaigner Max Schrems has struck again: transfers of personal data from the EU to the US are suddenly vulnerable again, thanks to today’s CJEU judgment in Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18; 16 July 2020) – the so-called Schrems II judgment. The judgment (see here: Schrems II Judgment) is complex and multi-faceted, but I’ll aim for a nutshell summary just now. Continue reading