Erasure requests: accuracy and images

The right to be forgotten – remember that? It isn’t often the subject of litigation, in the UK at least: uncertainty about outcomes is probably a significant reason why parties usually opt not to put their disputes before the courts. Last week’s judgment of the Grand Chamber of the CJEU in TU and RE v Google LLC (Case C‑460/20) won’t remove uncertainty about judicial approaches to such cases, but it does shed helpful light on some common elements of disputes under Article 17 (UK) GDPR.

DPA breach at “lowest end of spectrum”: High Court awards £250

Just about anyone who works in data protection will probably have asked, or have been asked: what do courts tend to award claimants who suffer data breaches? They will probably also be used to an answer along the lines that ‘it’s quite difficult to say; there isn’t very much case law’. Last week’s judgment of Knowles J in Driver v Crown Prosecution Service [2022] EWHC 2500 (KB) is a helpful contribution to this limited line of authority.

Lawful processing conditions and special category data in the CJEU

With apologies for the delay, Panopticon now brings you highlights from a CJEU judgment from August 2022, that contributes to case law – albeit of a post-Brexit variety – on two GDPR issues. These are (i) the necessity and proportionality of the legislative basis for relying on Article 6(1)(e), and (ii) whether data can be ‘special category data’ by reason of an inference. Here are some key points from the Grand Chamber’s judgment in OT v Vyriausioji tarnybinės etikos komisija (Case C‑184/20).

Lloyd v Google in the EU: Damage and the AG

When I learned from Twitter that Advocate General Campos Sánchez-Bordona had been writing an Opinion dedicated to the late-90s R&B boyband Damage, I was surprised but not shocked. This, I thought, is precisely the sort of esoteric approach to middling music-based law that resulted in so many voting to leave the EU. Imagine, then, my surprise to find upon reading the Opinion in Case C-300/12 UI v Österreichische Post AG (EU:C:2022:756) that there is almost no mention of Jade Jones’ long-term relationship with Spice Girl Emma Bunton, but instead there is a detailed Lloyd v Google style analysis of in what circumstances damages can be obtained for contravention of the GDPR.

Online Safety Bill: first indications of Ofcom’s regulatory approach

Ofcom has today published its ‘roadmap to regulation’ if and when the Online Safety Bill becomes law, together with a ‘call for evidence’ for the first phase of online safety regulation. Both are premised on the current version of the Online Safety Bill, which is acknowledged to be subject to alteration as the legislation goes through the Parliamentary process.

GLO-ing with Satisfaction? Conducting Data Breach Litigation

Post the little-known judgment in Lloyd v Google LLC, those representing data subjects affected by a data breach (usually, although not always, a data security breach incident) have been considering alternative ways of litigating a large number of small value claims arising from the same factual matrix. The obvious alternative, well-established in various areas of the law, is a group litigation order (“GLO”). (This post does not concern the Netflix series about women’s wrestling. There is more violence, but less lycra. Each to their own.)