One of the most interesting difficulties for data protection lawyers over the last few years (wake up at the back) has been the application of a DPA and a Directive drafted in an analogue age to a new digital world. The internet has posed many difficulties, and working out how to apply data protection law to it has been just one of them. It is an area which has begun to repeatedly trouble the CJEU. In Case C-191/15, Verein für Konsumenteninformation v Amazon EU Sàrl (judgment of 28 July 2016) the CJEU returned to the tricky and sui generis way the Directive deals with questions of the applicable law to data protection disputes.
Multi-jurisdictional personal data processing? Advocate General thinks not.
While on the subject of data protection and jurisdictional questions (see my earlier post about the Microsoft case), I thought it worth pointing out the Advocate General’s opinion in Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15), issued in recent weeks.
The Microsoft case concerned the limits of US jurisdiction over data held on servers in the EU. What about data held within the EU, but which is being processed in a number of EU member states? Is the data controller subject to the jurisdiction of all of those states? If so, life is potentially very complicated: data protection law in the EU is supposed to be harmonised, but there will always be legitimate variations in how member states implement aspects of the overarching law.
Clouds, data centres and the location of data: a victory for Microsoft
The judgment of the 2nd US Circuit Court of Appeals in New York in Microsoft Corporation v USA (Case 14-2985), handed down on 14 July 2016, has been hailed as an important victory not only for the technology giant, but for privacy rights as well.
In brief, the case concerned a warrant issued under the Stored Communications Act (dating from 1986), ordering Microsoft to seize and produce to the US government the contents of a customer’s email account, on the grounds that there was cause to believe the email account was being used for the purposes of drugs trafficking. Microsoft refused to comply in full, on the grounds that the contents of the email account were stored on a server in Dublin. A court held Microsoft to be in contempt. Microsoft appealed. It won.
Privacy Shield to be activated soon
Facebook nemesis Max Schrems threw into serious disarray the whole (commercially vital) business of EU-US data transfers when his litigation destroyed the Safe Harbor arrangements. A fix was needed, quickly. The European Commission came up with a fix called the “Privacy Shield”. Some, including members of the Panopticon fold, had a disdainful – even gently mocking – take on the Privacy Shield: see for example Chris’ synopsis here. More importantly, the EU’s Article 29 Working Party did not seem entirely impressed by the Privacy Shield proposal.
Earlier this month, however, the EU member states approved the Privacy Shield.
Vidal-Hall Appeal Withdrawn; Section 13(2) DPA Still Dead
There have been rumours, but Panopticon can confirm that the appeal to the Supreme Court in Google v Vidal-Hall on the disapplication of section 13(2) of the Data Protection Act 1998 has been withdrawn following an agreement being reached between the parties. This is obviously a disappointment to those wanting to see what the Supremes would make of the Court of Appeal’s very important judgment permitting damages claims for distress without the need to show pecuniary loss (and indeed to those interested in the use of the Charter of Fundamental Rights to disapply primary legislation). What it does mean is that the Court of Appeal decision stands (as discussed here). Whether it will stand for all time, or whether another case will try and re-open the point in the light of the Supreme Court having accepted that it was arguable is another matter, but for the moment continuity reigns and section 13(2) can return to the oblivion from which it had sought to rise.
Christopher Knight
Brexit and the GDPR – the Government Speaks
Anya has already posted about what Brexit means for the future of data protection in the UK and there is a general consensus that anyone thinking they can ignore the GDPR now should think again. But just in case Anya Proops QC wasn’t authoritative enough for you (unlikely, I know), Baroness Neville-Rolfe gave a speech on 4 July which touched on data protection in our brave new world. Baroness Neville-Rolfe is, as any fule noe, the Minister for Data Protection.