Photo of Thomas C. Evans

Following the United Kingdom’s vote to leave the European Union, one thing is clear: the negotiations for the terms of the UK’s exit are likely to overlap with the implementation across the EU of the General Data Protection Regulation (GDPR) in May 2018.

We have prepared a client alert to lay out the facts as

Following the CJEU’s judgment of October 2015 invalidating the European Commission’s Safe Harbor Decision, the Data Protection Authority Hamburg (“DPA Hamburg”) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg of 6 June 2016, these investigations revealed that the majority of the companies under investigation

The options available to EU organisations for lawfully transferring personal data from Europe to the United States appear to be dwindling. In particular, there have been further setbacks to the approval of the Privacy Shield and, separately, a new legal challenge to the validity of EU model contract clauses. For more information click here to

On 27 January, the High Court of Northern Ireland granted British MP George Galloway leave to serve proceedings on Google Inc. out of the jurisdiction. The application was based on a variety of claims including libel, harassment, misuse of private information, and unlawful data processing under the Data Protection Act 1998 (the Act).

The claims relate to three videos uploaded to Google’s YouTube platform by William Frazer. It was claimed that these videos had been uploaded unlawfully. The court stated that there could be no doubt that one of the three videos contained sensitive personal data, but that the question of whether Google was a data processor or data controller would be a “fact specific investigation” which would have to wait until full trial. The view was expressed in the judgment that “[T]he facts as presently put before the court would suggest that Google will not find it easy to defend this claim if it is found to be a data controller.”
Continue Reading Galloway v Frazer & Others – A glimpse to the future of data protection litigation

The long-awaited General Data Protection Regulation was published in the Official Journal of the European Union on 4 May 2016. This means that the most comprehensive reform to the EU’s omnibus data protection law in 20 years will apply throughout the European Union from 25 May 2018.

We have written in previous posts (here

The UK Information Commissioner’s Office (ICO) has released updated guidance on the use of encryption. The guidance highlights that in many areas, the ICO expects encryption software to be used, and in the future where data breaches occur and encryption has not been used, “regulatory action may be pursued”.

Although the term “encryption” is not found in the UK’s Data Protection Act 1998, the requirement to implement the technique for certain types of data is derived from the obligation to implement “appropriate technical and organisational measures” to protect against loss, destruction or damage to personal data. The guidance makes clear that while it is not necessary or possible to encrypt all personal data, organisations must take a risk-based approach to using the technique.
Continue Reading New Encryption Guidance Published by the ICO

After four years of protracted discussions and negotiations, the General Data Protection Regulation (the “GDPR”) gained final approval from the European Parliament on 14 April. It will enter into force 20 days after publication in the Official Journal of the European Union (expected imminently), and it will apply two years after that date – i.e., mid-2018.

The GDPR replaces the Data Protection Directive 95/46/EC (the “Directive”) and the legislation enacted by Member States to implement it. As a regulation, the GDPR will be directly applicable in all Member States; indeed, one of its core aims is to harmonise legal requirements across the EU, eliminating many of the inconsistencies that developed under the Directive.

The GDPR constitutes the single biggest change to EU data protection rules for 20 years and is considerably more comprehensive and onerous than the regime it replaces. We set out below some of the most significant changes.
Continue Reading The Data Protection Directive Is Dead! Long Live the General Data Protection Regulation!

At the end of March, the Information Commissioner’s Office (ICO) issued updated guidance on the law in relation to Direct Marketing. The ICO notes in its accompanying blog post that the law applies “equally to any and all organisations who are engaging in direct marketing activity via electronic means, regardless of their sector.”

The updated guidance gives new focus to:

  • The collection of third-party (indirect) consent, which it indicates will only be validly obtained in limited circumstances
  • How to ensure that consent is freely given, and how this interacts with either incentivising individuals to give consent, or making access to a service conditional on giving consent

Continue Reading Information Commissioner’s Office issues updated guidance on Direct Marketing