In yesterday’s post outlining the Schrems II judgment, I said international data transfers were now in a fine mess. As I re-read the CJEU’s judgment, it occurs to me that my assessment was wrong. It is not a fine mess. It is an awful, almighty mess, it seems to me. Continue reading →

Well this is a fine mess. Austrian privacy campaigner Max Schrems has struck again: transfers of personal data from the EU to the US are suddenly vulnerable again, thanks to today’s CJEU judgment in Data Protection Commissioner v Facebook Ireland and Max Schrems (Case C-311/18; 16 July 2020) – the so-called Schrems II judgment. The judgment (see here: Schrems II Judgment) is complex and multi-faceted, but I’ll aim for a nutshell summary just now. Continue reading →

The Court of Appeal has today given judgment in the long-running ZXC v Bloomberg litigation ([2020] EWCA Civ 611). The key points:

1. In general, a person does have a reasonable expectation of privacy about the fact that/details of their being subject to a police investigation, up to the point of charge.
2. Reporting about alleged conduct is different from reporting about a criminal investigation into that conduct.

Continue reading →

Regulation 22 of PECR 2003 – the prohibition on non-consensual electronic direct marketing communications – has been a favourite ICO hunting ground for monetary penalties for many years. Nevertheless, its dos and don’ts have remained stubbornly fuzzy at the edges. Thankfully, the Tribunal’s most recent decision on direct marketing communications is helpful and illuminating. It’s also quite entertaining: a nice montage of Arron Banks, spam, kangaroos and stuff. Continue reading →

Ms Mustard was injured in a road traffic accident, for which she claims compensation. She was examined by medical experts appointed by the insurer. She covertly recorded two of those consultations deliberately, and a third accidentally. She wants to deploy those recordings as evidence in support of her claim. The insurer objected, arguing that the recordings constituted unlawful processing contrary to the GDPR and the DPA 2018. Continue reading →

Google got a good result from the CJEU last week on the right to be forgotten front: in Google LLC v CNIL (Case C‑507/17), the French DP regulator’s rather ambitious demand for global delisting on right to be forgotten grounds was overturned. In a nutshell:

Google has acknowledged that the EU’s RTBF rights are undermined if an internet user can simply switch to a non-EU version of Google and see the offending search results. So it implemented geo-blocking measures, whereby an EU user is automatically routed to an EU version of Google (one that doesn’t deliver the offending references), regardless of whether they type in a non-EU Google domain name.

Not good enough, said the CNIL, slapping Google with a €100k fine: Google must de-reference the offending links from search results delivered through any Google domain in the world. Continue reading →