On 14 September 2017, the Government published the long-awaited draft of the Data Protection Bill (the Bill). The Bill will incorporate the General Data Protection Regulation (EU) 2016/679 into UK law. While the Bill will repeal the existing Data Protection Act 1998 (the DPA), it preserves many of the tailored exemptions which continue to exist
Data Protection Act 1998
Unlimited fines may now be imposed by UK Magistrates’ Court for Data Protection offences
Since the Legal Aid, Sentencing and Punishment of Offenders Act 2012 (Fines on Summary Conviction) Regulations 2015 came into force on 12 March 2015, the Magistrates’ Court has had the ability to impose unlimited fines for criminal offences under the Data Protection Act 1998 (‘DPA’).
Under s.55 DPA, an individual can be convicted of a criminal offence if he or she obtains or discloses personal data without the consent of the data controller. Before 12 March, a £5,000 fine cap existed, but this has now been removed, allowing for fines of any amount to be imposed at sentencing.
Google loses its appeal in ‘David v Goliath’ Safari tracking case opening the door for a substantial class action
The UK Court of Appeal found that individuals can be awarded compensation for breaches of data protection laws even where no financial damage exists. In a case where Google sought to block claimants from data protection claims, Vidal-Hall et al v Google, the Court of Appeal found the claimants could pursue claims seeking damages relating to Google’s bypassing of security measures on the Apple Safari internet browser.
The claims allege that Google introduced tracking cookies on Apple’s Safari browser in breach of Apple’s policies, which allowed Google to gather data on users’ online behavior, including information about their financial status and ethnicity, to be used for targeted advertising. The claimants argue the tracking caused them anxiety and distress.
NGOs may rely on UK’s Journalism Exemption
The UK Information Commissioner’s Office (the “ICO”), in a letter to Global Witness (in Steinmetz and others v Global Witness) (the “Letter”), stated that non-media organisations may rely on the special-purposes exemption for journalism in s32 of the Data Protection Act 1998 (the “DPA”), to withhold personal data in response to…
UK Court of Appeal limits typical damages for a data protection breach to £751
This post was written by Cynthia O’Donoghue.
The UK Civil Division of the Court of Appeal ruled in favour of an individual data subject on the point of damages under the Data Protection Act 1998 (DPA), but limited the award to £751 GBP. The judgment in Halliday v. Creation Consumer Finance Limited, [2013]…
UK Government issues consultation on consumer data access proposals as part of “midata” strategy
This post was written by Cynthia O’Donoghue.
The Business Innovations and Skills Department of the UK Government has issued a public consultation on a proposal to create a requirement on suppliers of goods and services to provide their customers, when requested, with information on historic transactions and consumption data in an open standard, machine-readable…
The ICO Issues New Guidance on Access Rights and Data Controllers
The UK Information Commissioner’s Office (“ICO”) released recommendations advising organisations to ensure that the data held regarding individuals is thoroughly and securely searchable so they can meet their obligations under the Data Protection Act 1998 (“DPA”). The ICO also clarified when companies can be classified as data controllers. The recommendations came through three sets of…