Happy birthday GDPR – but where’s the e-Privacy Regulation?

So, we approach the GDPR’s first birthday. You know what’s nice for birthdays? Fines. Really big ones. According to an article in today’s Times (paywall), significant GDPR monetary penalties from the ICO are imminent, around the 1-year mark for our new data protection regime. The Irish DPC is apparently limbering up likewise. And it also announced its investigation into Google’s Ad Exchange this week, which could develop into a very significant foray into online ad tech.

Adtech, ePrivacy and the GDPR

Scarcely a week goes by without my saying to someone or other (clients, colleagues, my children round the dinner table): the GDPR is not an exhaustive regime – where applicable, you need to ensure compliance with ePrivacy laws as well. Especially when it comes to electronic marketing communications, cookies and related ad tech. This inevitably prompts the question: aren’t we supposed to be getting a new ePrivacy law? What’s the delay?

YouTube videos and data protection liabilities

To what extent is an individual potentially on the hook, in terms of data protection liabilities, for material they post on their personal social media accounts, such as video clips on YouTube? The CJEU’s ruling in Sergejs Buivids (Case C–345/17) is the most recent addition to the line of authorities about the intersection between personal use of online networks, potential journalistic purposes and data protection duties.

GDPR financial penalties: €50m for Google in France

Perhaps the most commonplace GDPR soundbite concerns swingeing financial penalties: in the most serious cases, up to €20m or 4% of global annual turnover, whichever is the greater. We have now had our first flexing of that maximal muscle, in the form of the decision of the French supervisory authority, the CNIL, to impose a €50m penalty on Google. The CNIL’s decision, announced yesterday, is summarised here. (The penalty notice itself is not yet available in English).

Notable features of the case include the following:

Vicarious liability for data breaches: Court of Appeal dismisses Morrisons’ challenge

Large-scale civil litigation is one of the developing contours of data protection law. Last week’s judgment in Lloyd v Google – a novel representative action based on allegedly unlawful processing activities – is one illustration. When it comes to group litigation on the back of a data breach, our best illustration thus far is the groundbreaking group action against Morrisons.