If you think you understand how the DPA 2018 has implemented EU law in the shape of the GDPR (Part 1) and the Law Enforcement Directive (“LED”) (Part 3), and that is that, you may want to think again. What the DPA does not just depend on the language and the Part, but may also require consideration of the scope of EU law. R (El Gizouli) v Secretary of State for the Home Department [2019] EWHC 60 (Admin) is such a case. Indeed, it is the first decided case of significance to consider the DPA 2018 at all. Continue reading
The Court of Appeal Rolls out the DP Barrel
Sometimes a case comes along which, whether through range of issues or over-enthusiastic pleading, seems to touch on more or less every data protection provision going. To this end, at least for the DPA 1998, we give you the lengthy treatise of Sales LJ that is: Cooper v National Crime Agency [2019] EWCA Civ 16. Continue reading
Confidentiality
Two recent decisions of the FTT on confidential information are of interest, one under FoIA, the other under the EIR, with a local authority being the public authority in both cases.
The FoIA case is Driver v Information Commissioner and Thanet District Council, EA/2017/0218. It concerned the absolute Section 41 exemption from disclosure: information provided in confidence to the public authority by a third party. The FTT held that the exemption did not apply because the information was not obtained by the Council from another person. The information was the names of parties who had been paid compensation by the Council. This was pursuant to settlements concluded between the Council and businesses involved in the export of live animals from the Port at Ramsgate. The Council had imposed a ban. The High Court found that the ban was unlawful and that the Council was liable in damages. Continue reading
Bearing a Burden: Prosecuting under the DPA
A rare foray into the Criminal Division of the Court of Appeal for the Data Protection Act 1998 recently, as the Court considered the nature of the reverse burden imposed by the section 55 offence in Shepherd v Information Commissioner [2019] EWCA Crim 2. In short, Jay J held that section 55, properly construed, imposed only an evidential burden on a defendant rather than a legal burden. Continue reading
GDPR financial penalties: €50m for Google in France
Perhaps the most commonplace GDPR soundbite concerns swingeing financial penalties: in the most serious cases, up to €20m or 4% of global annual turnover, whichever is the greater. We have now had our first flexing of that maximal muscle, in the form of the decision of the French supervisory authority, the CNIL, to impose a €50m penalty on Google. The CNIL’s decision, announced yesterday, is summarised here. (The penalty notice itself is not yet available in English).
Notable features of the case include the following: Continue reading
Open Up: ICO Consultation on FOIA/EIR
News comes our way of a consultation exercise being run by the ICO on its new proposed ‘Access to Information Strategy’. You can read more about it here. Titled ‘Openness by Design’, it is a proposed strategy which will – in particular – aim to improve standards of openness, transparency and participation on the part of public authorities, including by increasing the impact of enforcement activity through targeting of systemic non-compliance. That is probably the most significant headline of the draft, but there are a number of aims to improve confidence in the openness and accountability of public authorities, by greater proactivity on the part of the ICO. Consultation responses are sought by 8 March 2019.
Christopher Knight