It’s as if everyone has their head down preparing for the GDPR. Recent weeks have produced very little by way of judgments in the data protection area. They have, however, produced an Advocate General’s opinion in a case about the data controllers of Facebook fan pages. That opinion is worth noting because (rightly or wrongly) it casts the net very widely, bringing multiple entities within the definition of data controllers. Continue reading →

Al-Ko Kober Ltd and Paul Jones v Balvinder Sambhi [2017] EWHC 2474 (QB) is, rather improbably, a DPA case about caravan tow-bars and braking systems. A commercial operator used Youtube videos to malign a competitor business and its marketing manager, until the High Court (Mrs Justice Whipple) granted injunctions last week. Continue reading →

The Data Protection Bill contains some wonderful provisions. For example: “Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR. In this Chapter, “the applied Chapter 2” means Chapter 2 of this Part as applied by this Chapter.” And suchlike.

It is just possible that there are some of you who need to get your head around the Bill, but haven’t yet had the time or stomach for it. You are probably thinking “surely some data protection obsessive has read it and summarised it for me somewhere?”. As ever, Panopticon is the proud home of data protection obsessives. Here is a link to an overview of the Bill which I did for Practical Law. Enjoy!

Robin Hopkins @hopkinsrobin

Anyone who has anything to do with data protection will know that the UK’s Data Protection Bill was published and put before Parliament on Thursday 14 September. But to digest it in full, one needs time, commitment, and coffee. It is not a straightforward read. It seeks to implement the GDPR in full and in Brexit-proof fashion, to plug the gaps that the GDPR requires member states to fill, and also to apply a GDPR-like regime to areas of data processing that are not covered by the GDPR itself. The Bill is of course liable to change in the coming months, but here are some observations and highlights in the meantime. Continue reading →

The GDPR is still eight months away from coming into force, but – as with any such sea-change – it is informing much of our data protection thinking already. In its recent judgment in the Barbulescu case about monitoring employee communications, for example, the European Court of Human Rights cited provisions of the GDPR. Here are some substantive recent developments illustrating the direction of travel in contentious data protection. Continue reading →

In January 2016, Panopticon brought you a post entitled “Employer was entitled to access employee’s private Yahoo! messages (and to sack him)”. It concerned an eye-catching judgment of the Fourth Section of the European Court of Human Rights in the case of Barbulescu v Romania (application 61496/08).

In a nutshell: the applicant had used his employer’s Yahoo! messenger service (intended for work use) for personal communications, including with his fiancé and brother. His employer monitored those communications and sacked him for misuse of its messenger service. Did that monitoring of his private communications breach his privacy rights under Article 8 ECHR? No, said the Romanian courts, and Strasbourg’s Fourth Chamber said likewise (a victory for common sense, said many employers!). But on a further appeal to the Grand Chamber of the ECHR, that assessment has been reversed: the last word is that Article 8 was indeed breached here (what now, ask many employers?). Continue reading →