FOIA and security bodies: the definitive principles

February 11th, 2021 by Robin Hopkins

My colleague Christopher Knight is a man of principle. In particular, he articulated the “Goldsmith Principles”, a kind of roadmap for dealing with the legitimate interests processing condition under DP law – see the Goldsmith judgment, and the approval of the Goldsmith Principles in Cooper. In a recent judgment from the Upper Tribunal, he has done the same for the security bodies exemption under section 23 of FOIA. Read more »


Leave it out: marketing content in non-marketing emails

February 11th, 2021 by Robin Hopkins

Regulation 22 of PECR 2003 makes just about anybody working with marketing emails wince. It prohibits the sending of “unsolicited communications for the purposes of direct marketing” by electronic means (emails, texts, etc.) unless the recipient has consented, or unless the “soft opt-in” applies. How does this apply to emails with mixed content, i.e. that contain some bits of marketing material? Are these caught or not? Read more »


Data-sharing safeguards: no ‘micro-managing’

January 25th, 2021 by Robin Hopkins

Data-sharing arrangements between one controller and another proliferate across all sorts of processing contexts, aimed at all sorts of purposes. If those arrangements are to comply with the GDPR and/or DPA 2018, they need to be structured so as to ensure that the data-sharing satisfies the data protection principles. This includes having ‘appropriate technical and organisational measures’ in place. So far, so clear. But how do you assess whether your measures are ‘appropriate’? And if push comes to shove, how will a court approach that assessment? Read more »


Overseas websites and the GDPR’s reach

January 19th, 2021 by Robin Hopkins

Suppose I run a website in the US. I only have staff and offices there, and my target audience is America. Sometimes punters in the UK read my stuff and even buy the odd thing from my website, but not that much, and I don’t really care if they do or not. Is the territorial reach of the GDPR – and/or UKGDPR – wide enough to get me, and thereby expose me to risks of the ICO or civil claimants going after me in the UK? Read more »


Bittersweet Child of Mine: journalistic exemption and monetary penalties

January 14th, 2021 by Robin Hopkins

This week’s decision of the First-Tier Tribunal’s decision in True Vision Productions v IC (EA/2019/0170) is probably one of the last to deal with enforcement action under the old DPA 1998, but it is one of the first that deals with the journalism exemption (section 32 of the DPA 1998, reincarnated in substantially the same form in paragraph 26 of Schedule 2 to the DPA 2018). The exemption saved the controller – the production company, TVP – from part, but not all of its difficulties. TVP did enough, however, to persuade the Tribunal to slash the ICO’s £120k monetary penalty notice to £20k. Read more »


The Gerrard litigation:  the death-knell for litigation surveillance?

December 9th, 2020 by Timothy Pitt-Payne QC

The recent decision of the High Court (Richard Spearman QC, sitting as a Judge of the Queen’s Bench Division) in David Neil Gerrard and Elizabeth Ann Gerrard v Eurasian Natural Resources Corporation Limited and Diligence International LLC [2020] EWHC 3241 (QB), relates to one aspect of the complex litigation between Mr. Gerrard (currently a partner at Dechert LLP, a law firm) and ENRC (his former client).   The decision deals with various interlocutory applications in a claim that is itself ancillary to the main proceedings.  Nevertheless, even though it relates to a skirmish in a much more extensive battle, the decision is of considerable interest in its own right, in particular as to the use of covert surveillance in the context of litigation.

Mr. Gerrard was ENRC’s solicitor between December 2010 and March 2013, acting for ENRC in relation to a SFO investigation.  In 2017, ENRC brought proceedings against Mr. Gerrard in the Commercial Court alleging that Mr. Gerrard had acted negligently and in breach of fiduciary duty by seeking to extend the scope of the SFO’s investigation into ENRC, and by leaking information about ENRC to the media and the SFO.  In 2019, ENRC brought further proceedings in the Chancery Division against the Director of the SFO, for (among other matters) inducing Dechert LLP and/or Mr. Gerrard to breach their fiduciary duty to ENRC. Read more »