The GDPR has had its first brush (to my knowledge at least) with the pornography industry in the Courts of England and Wales. In Mircom International and Golden Eye International v Virgin Media and Persons Unknown [2019] EWHC 1827 (Ch), a judgment of 16 July, the High Court declined to order Virgin Media to hand over the IP addresses of persons who had allegedly downloaded and shared porn films in breach of copyright. It was not, however, the GDPR that saved those naughty “persons unknown”. If I can be explicit about it, the Court’s GDPR analysis was highly problematic. Continue reading
Schrems 2: CJEU opinion on international transfers due in December
We’re over a year into the GDPR era, and uncertainty persists on (among other things) mechanisms for the lawful transfer of personal data to non-EU countries whose data protection standards have not been certified as adequate. The US is of course the most notable country on that list – and Max Schrems is the most energetic opponent of transatlantic data transfers. Continue reading
The Facebook Appeal and Procedural Grounds
What sort of grounds of challenge can be run on an appeal against a monetary penalty notice issued by the Information Commissioner? Where the Tribunal has a full merits jurisdiction, is there scope for grounds of challenge relating to the process by which the MPN was reached? Continue reading
Jurisdiction, the GDPR and Brussels I
How is jurisdiction determined in a claim for breach of the GDPR? We know the rule in Article 79(2) GPDR. But how does that interplay with the ordinary private international law rules of jurisdiction, set out in Brussels I Recast Regulation: Regulation (EU) 1215/2012? What about where the controller seeks to rely on a jurisdiction agreement, which under Article 25 of the Brussels I Recast Regulation, would take priority? Continue reading
Morrisons in the Supreme Court – hearing date
We reported recently that the Supreme Court had given Morrisons permission to appeal against the Court of Appeal’s judgment in Various Claimants v Morrison Supermarkets Plc (vicarious liability/data breach case). I can now confirm that the hearing of the appeal is due to take place on 6-7 November 2019.
Anya Proops QC
Data Transfers to the USA
On 9 July the CJEU will hear oral submissions by the parties in Case C-311/18 Facebook Ireland & Schrems, in which the Irish Data Protection Commissioner (not Mr Schrems) is seeking to invalidate the Commission’s Decisions setting out standard contractual clauses. The basis for that attempt is the ability of national security bodies in the USA to gain access to personal data transferred to the US from the EU under SCCs. The fact that SCCs apply generally to all international transfers, and not just to the USA, is a point which has not eluded most of the other parties involved before the CJEU. Nonetheless it is likely that there will be some degree of comment from the CJEU on the Privacy Shield mechanism as part of the context to the issues. Continue reading