Photo of Nona Keyhani

The Information Commissioner’s Office (ICO) announced a £100,000 fine imposed on the telecoms company, EE Limited (EE), for breaching the Privacy and Electronic Communications Regulations 2003 (PECR). The timing of the breach meant that the General Data Protection Regulation 2016/679 (GDPR) was not applicable.

What happened?

EE sent customers a text message encouraging them to

The Information Commissioner’s Office (ICO) and the Alan Turing Institute have recently released an interim report (Report) outlining their approach to best practices in explaining artificial intelligence (AI) to users. The Report is of particular relevance to operators of AI systems who may be considering their duties under the General Data Protection Regulation 2016/679 (GDPR).

The European Data Protection Board (EDPB) met for its fifth plenary session on 4 and 5 December 2018.

The EDPB published a press release, highlighting the three main areas of discussion:

  1. EU-Japan draft adequacy decision. The EDPB adopted an opinion on the European Commission’s draft adequacy decision. In adopting its opinion, the

In September 2017, we published a blog that outlined the Commission’s proposal for a framework on this subject (you can view our blog here). In June 2018, we further reported that the European Parliament, Council of the European Union and the European Commission had reached a political agreement on the rules for the free

On 22 October 2018, the supermarket chain Morrisons lost its appeal against the High Court ruling that it is liable for a data breach that resulted in thousands of its employees’ personal data being posted online. The Court of Appeal’s (CoA) judgment can be found here.

Over 5,000 Morrisons employees brought a class action in the High Court after a company employee, Andrew Skelton, stole personal data, which included payroll information of almost 100,000 employees, including names, addresses, bank account details and salaries (see our previous blog on the High Court decision here).

Morrisons argued that Mr Skelton’s actions were insufficiently closely connected for it to be liable, as he perpetrated the act in his own home, on a personal computer and a number of weeks after he had stolen the personal data. The CoA rejected this, and was instead of the view that Mr Skelton’s actions fell “within the field of activities assigned to him” by Morrisons and that there was an unbroken chain of events linking his role as an employee to the disclosure of the personal data.

The CoA also rejected Morrisons’ argument that it was not vicariously liable on the basis that Mr Skelton’s motive was to harm his employer, and not to benefit himself in some way or inflict harm on a third party. All three of the CoA judges therefore agreed with the High Court that Morrisons was vicariously liable for the data breach.


On 13 September 2018, the European Court of Human Rights (ECtHR) issued a much-anticipated judgment in Big Brother Watch and others v. United Kingdom (Applications nos. 58170/13, 62322/14 and 24960/15) [2018] ECHR 722.

This judgment, the first mass electronic surveillance case against the UK, addressed the proportionality of bulk interception of communications. This ruling comes at the end of a lengthy challenge to Britain’s spying powers, initially revealed by Edward Snowden in 2013. The ECtHR held that these rules, which provide the UK with the ability to conduct mass surveillance, violated the rights to privacy and freedom of expression.

The judgment is both long and complex, and it would not do it justice to fully summarise it here. However, in brief, the Judges made a number of key findings.
