Scarcely a week goes by without my saying to someone or other (clients, colleagues, my children round the dinner table): the GDPR is not an exhaustive regime – where applicable, you need to ensure compliance with ePrivacy laws as well. Especially when it comes to electronic marketing communications, cookies and related ad tech. This inevitably prompts the question: aren’t we supposed to be getting a new ePrivacy law? What’s the delay?
Author: Robin Hopkins
UKIP, the ICO and Information Notices
Information notices have so rarely surfaced in information rights litigation that I can almost hear a number of Panopticon readers saying ‘what is an information notice again?’. Fair question.
YouTube videos and data protection liabilities
To what extent is an individual potentially on the hook, in terms of data protection liabilities, for material they post on their personal social media accounts, such as video clips on YouTube? The CJEU’s ruling in Sergejs Buivids (Case C–345/17) is the most recent addition to the line of authorities about the intersection between personal use of online networks, potential journalistic purposes and data protection duties.
GDPR financial penalties: €50m for Google in France
Perhaps the most commonplace GDPR soundbite concerns swingeing financial penalties: in the most serious cases, up to €20m or 4% of global annual turnover, whichever is the greater. We have now had our first flexing of that maximal muscle, in the form of the decision of the French supervisory authority, the CNIL, to impose a €50m penalty on Google. The CNIL’s decision, announced yesterday, is summarised here. (The penalty notice itself is not yet available in English).
Notable features of the case include the following: Continue reading
Vicarious liability for data breaches: Court of Appeal dismisses Morrisons’ challenge
Large-scale civil litigation is one of the developing contours of data protection law. Last week’s judgment in Lloyd v Google – a novel representative action based on allegedly unlawful processing activities – is one illustration. When it comes to group litigation on the back of a data breach, our best illustration thus far is the groundbreaking group action against Morrisons.
Inconsequential data protection breaches: High Court blocks big-money action against Google
Popular impressions of data protection range from the tedious (“the GDPR forces me to get consent for everything”) to the apocalyptic (“if you breach the GDPR, you will automatically get a multi-million pound fine”, etc.). A common apocalyptic theme is that contraventions affecting large numbers of individuals may well trigger financially ruinous group litigation. They might. But this morning’s judgment of Warby J in Lloyd v Google [2018] EWHC 2599 (QB) is an important corrective to apocalyptic thinking.