UK Adequacy – A Step Closer

As had been trailed for a couple of days, on 19 February 2021, the European Commission formally announced that it had launched the procedure for the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, under the GDPR and the Law Enforcement Directive. The draft decisions have been published here. The draft decisions will be considered by the European Data Protection Board, and then a committee of Member State representatives. The European Parliament plays an active role in scrutinising the Commission’s approach and, of course, any decision adopted can (and doubtless will) be the subject of legal challenge, ultimately before the CJEU. There is some way to go yet, but at this first stage the Commission has accepted the general proposition that as the UK has retained EU data protection law, it provides in principle an adequate level of protection (albeit over 88 and 51 pages respectively). Much food for thought.

Christopher Knight

Bundles of Fun

Not infrequently in the Tribunals an issue will arise about the handling of documents or evidence disclosed in the course of an information rights appeal, in a context where the GRC and UT Rules do not contain an equivalent to CPR r.31.22. Some useful guidance has now been given from the Upper Tribunal in DVLA v Information Commissioner & Williams [2020] UKUT 310 (AAC).

Data Protection Updates

Two recent judgments of the civil courts which touch upon data protection concerns warrant brief note. The first concerns the confidential nature of redactions in subject access request disclosures, and the second concerns disclosure obligations in civil litigation attaching to the personal devices of former employees.

FOIA and security bodies: the definitive principles

My colleague Christopher Knight is a man of principle. In particular, he articulated the “Goldsmith Principles”, a kind of roadmap for dealing with the legitimate interests processing condition under DP law – see the Goldsmith judgment, and the approval of the Goldsmith Principles in Cooper. In a recent judgment from the Upper Tribunal, he has done the same for the security bodies exemption under section 23 of FOIA.

Leave it out: marketing content in non-marketing emails

Regulation 22 of PECR 2003 makes just about anybody working with marketing emails wince. It prohibits the sending of “unsolicited communications for the purposes of direct marketing” by electronic means (emails, texts, etc.) unless the recipient has consented, or unless the “soft opt-in” applies. How does this apply to emails with mixed content, i.e. that contain some bits of marketing material? Are these caught or not?

Data-sharing safeguards: no ‘micro-managing’

Data-sharing arrangements between one controller and another proliferate across all sorts of processing contexts, aimed at all sorts of purposes. If those arrangements are to comply with the GDPR and/or DPA 2018, they need to be structured so as to ensure that the data-sharing satisfies the data protection principles. This includes having ‘appropriate technical and organisational measures’ in place. So far, so clear. But how do you assess whether your measures are ‘appropriate’? And if push comes to shove, how will a court approach that assessment?