How Do You Solve a Problem Like Korea?

January 5th, 2023 by Christopher Knight

By making it the subject of the UK’s first post-Brexit UK GDPR data adequacy decision of course! With effect from 19 December 2022, the UK has designated the Republic of Korea as providing an adequate level of personal data: see the Data Protection (Adequacy) (Republic of Korea) Regulation 2022. Regulation 2(2) specifies that a “transfer described by this subsection is a transfer of personal data to a person in the Republic of Korea who is subject to the Personal Information Protection Act as that Act forms part of the law of the Republic of Korea and has effect from time to time“. Read more »


11KBW Information Law Conference 2023 *DATE ANNOUNCED*

December 20th, 2022 by lawrence

We are delighted to announce our Information Law Conference will be taking place on 24 April 2023.

11KBW’s market-leading specialists to provide insights and updates across the information law spectrum.

Click here to view the conference programme.

Conference details

Date: 24 April 2023

Registration from: 9.00am

Duration of Conference: 9.30am – 3.30pm

Drinks Reception from: 3.30pm – 5pm

Venue: Royal College of Surgeons, 38-43 Lincoln’s Inn Fields, London, WC2A 3PE

Cost: £199 + VAT per person.

To book a place please email


Erasure requests: accuracy and images

December 12th, 2022 by Robin Hopkins

The right to be forgotten – remember that? It isn’t often the subject of litigation, in the UK at least: uncertainty about outcomes is probably a significant reason why parties usually opt not to put their disputes before the courts. Last week’s judgment of the Grand Chamber of the CJEU in TU and RE v Google LLC (Case C‑460/20) won’t remove uncertainty about judicial approaches to such cases, but it does shed helpful light on some common elements of disputes under Article 17 (UK) GDPR. Read more »


DPA breach at “lowest end of spectrum”: High Court awards £250

October 17th, 2022 by Robin Hopkins

Just about anyone who works in data protection will probably have asked, or have been asked: what do courts tend to award claimants who suffer data breaches? They will probably also be used to an answer along the lines that ‘it’s quite difficult to say; there isn’t very much case law’. Last week’s judgment of Knowles J in Driver v Crown Prosecution Service [2022] EWHC 2500 (KB) is a helpful contribution to this limited line of authority. Read more »


Lawful processing conditions and special category data in the CJEU

October 17th, 2022 by Robin Hopkins

With apologies for the delay, Panopticon now brings you highlights from a CJEU judgment from August 2022, that contributes to case law – albeit of a post-Brexit variety – on two GDPR issues. These are (i) the necessity and proportionality of the legislative basis for relying on Article 6(1)(e), and (ii) whether data can be ‘special category data’ by reason of an inference. Here are some key points from the Grand Chamber’s judgment in OT v Vyriausioji tarnybinės etikos komisija (Case C‑184/20). Read more »


Lloyd v Google in the EU: Damage and the AG

October 7th, 2022 by Christopher Knight

When I learned from Twitter that Advocate General Campos Sánchez-Bordona had been writing an Opinion dedicated to the late-90s R&B boyband Damage, I was surprised but not shocked. This, I thought, is precisely the sort of esoteric approach to middling music-based law that resulted in so many voting to leave the EU. Imagine, then, my surprise to find upon reading the Opinion in Case C-300/12 UI v Österreichische Post AG (EU:C:2022:756) that there is almost no mention of Jade Jones’ long-term relationship with Spice Girl Emma Bunton, but instead there is a detailed Lloyd v Google style analysis of in what circumstances damages can be obtained for contravention of the GDPR. Read more »