Photo of John O'Brien

On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance (link here for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on GDPR article 9 processing bases when processing special category personal data. Following this update from the ICO, organisations are reminded that they must have both GDPR article 6 and article 9 processing bases when they process special category personal data. Additionally, in some cases, the ICO will require organisations to: (i) prove they have carried out data protection impact assessments; and (ii) have an appropriate policy document (a template is provided by the Guidance) where they rely on GDPR article 9 to process special category personal data and meet their Data Protection Act 2018 (DPA 2018) obligations.


Special categories of personal data are set out at GDPR article 9(1) and clarified at recital 51. Special category personal data is more sensitive than ordinary personal data. As a result, GDPR affords special category personal data greater protection. Special category personal data concerns data subjects’ racial or ethnic origin, health information, trade union membership, religious beliefs, sexual history or preference, and so on. Genetic and biometric identification data is also included. There are “significant risks to the individual’s fundamental rights and freedoms” when processing such personal data. Organisations therefore need to ensure that greater care is taken when processing it.Continue Reading Updated ICO guidance on handling special category data

On 23 October 2019, the European Commission (the Commission) released its report on the third annual review of the functioning of the EU–U.S. Privacy Shield (Privacy Shield). The report summarises various improvements in the functioning of the framework, and further ‘concrete steps’ that need to be taken to ensure its continued effectiveness.


The Commission’s Privacy Shield adequacy decision obligates the Commission to carry out annual reviews of the framework. To date, there have been two annual reviews (September 2017 and October 2018). The 2019 review took place in Washington D.C., with representatives from the Commission, European Data Protection Board (EDPB), and various U.S. government departments and offices in attendance. The Commission’s findings are divided between:

  • commercial aspects of the framework (compliance, administration, oversight, enforcement by U.S. authorities); and
  • aspects concerning public authorities’ access to personal data transferred under Privacy Shield.

We focus our discussion on the commercial aspects of the review.Continue Reading EU–U.S. Privacy Shield: EU Commission issues its third annual review report

The long-running e-Privacy Regulation saga continues. On 18 September 2019, the Council of the European Union (the Council) released proposed amendments to the draft regulation. We take a look at some of the proposals.


The draft e-Privacy Regulation will replace the current Directive 2002/58/EC to “reinforce trust and security in the Digital Single Market”. It was meant to be introduced concurrently with GDPR in May 2018. However, it has been subject to many delays, debates and inter-EU institutional wrangling. The Council (under its current Finnish presidency) has now proposed additional changes to the existing draft.

The most eye-catching changes are new obligations regarding processing of electronic communications data to detect, delete and report child pornography.Continue Reading The e-Privacy Regulation saga rumbles on

In July 2019, the UK privacy regulator, the Information Commissioner’s Office (ICO) issued a warning about the privacy implications of automated facial recognition technology (AFR). The ICO was concerned that AFR “represent[s] the widespread processing of biometric data of thousands of people as they go about their daily lives.”

The UK High Court recently handed

Earlier this year, the Information Commissioner’s Office (ICO) issued a consultation on a draft code of practice for designing age-appropriate access for children accessing online services (Code). The consultation closed on 31 May 2019 but the ICO has recently released an update on its progress in producing the Code.

The finalised Code will be informed

The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK.  Post-Brexit privacy and data protection issues that you need to consider include:

  • how to maintain uninterrupted

Avid readers of this blog (and we trust there are many of you!) will recall that the UK government recently published a white paper. The white paper sets out the UK government’s approach to regulating the internet to tackle online harms. The Information Commissioner’s Office (ICO) has just published the Information Commissioner’s (Commissioner) full

Never one to miss a bandwagon, the European Commission has published three documents to mark the first year of GDPR:

  • a Eurobarometer survey on data protection (Eurobarometer Survey);
  • a multi-stakeholder expert group (MEG Report); and
  • guidance on the free flow of non-personal data within the EU (reported on here).

We set out some of

Britain’s data protection and broadcasting regulators, the Information Commissioner’s Office and Ofcom, have published a joint Report looking into internet users’ concerns about online harms. The British government’s recently published White Paper, which outlined its approach for regulating the internet to tackle online harms, was informed by this Report.


Over 3,000 interviews were