Google: forget the right to be forgotten – here come class actions

October 2nd, 2019 by Robin Hopkins

Google got a good result from the CJEU last week on the right to be forgotten front: in Google LLC v CNIL (Case C‑507/17), the French DP regulator’s rather ambitious demand for global delisting on right to be forgotten grounds was overturned. In a nutshell:

Google has acknowledged that the EU’s RTBF rights are undermined if an internet user can simply switch to a non-EU version of Google and see the offending search results. So it implemented geo-blocking measures, whereby an EU user is automatically routed to an EU version of Google (one that doesn’t deliver the offending references), regardless of whether they type in a non-EU Google domain name.

Not good enough, said the CNIL, slapping Google with a €100k fine: Google must de-reference the offending links from search results delivered through any Google domain in the world. Read more »


Facial recognition: a GDPR fine and some further regulation?

September 5th, 2019 by Robin Hopkins

Facial recognition is certainly a hot topic just now. I blogged yesterday about the judgment in Bridges, which saw the Divisional Court dismiss challenges – principally on privacy and data protection grounds – to the use of automated facial recognition technology in a policing context. It would be a mistake, however, for data controllers to assume that the legal and regulatory environment is generally relaxed and permissive about facial recognition. Here are two interesting recent developments to bear in mind alongside the Bridges judgment. Read more »


Fashionably late

September 5th, 2019 by Robin Hopkins

With Panopticon having been prorogued for much of the summer, we didn’t get round to a timely blog post on the CJEU’s judgment from the end of July in Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17). In case you were likewise lounging around Rees-Mogg style and failed to keep up with data protection judgments, here is a brief summary to help you disguise that from your boss or clients. Read more »


Police use of automated facial recognition: a justified privacy intrusion

September 4th, 2019 by Robin Hopkins

The opening sentence of today’s judgment in R (Bridges) v Chief Constable of South Wales Police and Others [2019] EWHC 2341 (Admin) is right up Panopticon’s alley: “The algorithms of the law must keep pace with new and emerging technologies”. In precisely that spirit, the Divisional Court’s (Haddon-Cave LJ and Swift J) dismissal of the challenge to South Wales Police’s use of Automated Facial Recognition technology (“AFR”) contains very significant lessons in how to apply privacy and data protection law to beneficial but intrusive technology. Read more »


A New Home for Data Protection

August 9th, 2019 by Christopher Knight

All data protection claims issued after 1 October 2019 will now have to be issued in the new, formal, Media and Communications List of the High Court. On that date, a new Part 53 of the CPR will take effect – set out in the Schedule to the Civil Procedure (Amendment No. 3) Rules 2019 – along with two new Practice Directions. Read more »


Norwich Pharmacal orders, the GDPR – and porn

July 18th, 2019 by Robin Hopkins

The GDPR has had its first brush (to my knowledge at least) with the pornography industry in the Courts of England and Wales. In Mircom International and Golden Eye International v Virgin Media and Persons Unknown [2019] EWHC 1827 (Ch), a judgment of 16 July, the High Court declined to order Virgin Media to hand over the IP addresses of persons who had allegedly downloaded and shared porn films in breach of copyright. It was not, however, the GDPR that saved those naughty “persons unknown”. If I can be explicit about it, the Court’s GDPR analysis was highly problematic. Read more »