Tag Archives: personal data

The Queen’s Speech 2017: The future for UK data protection regulation

The Queen’s Speech was delivered 21 June 2017, setting out the government’s legislative plans. Key proposals from a data protection perspective include: The introduction of a new Data Protection Bill, which will incorporate the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), and the new Directive which applies to law enforcement data processing into UK law; and A … Continue Reading

Legitimate interests: a balancing act

The Court of Justice of the European Union (CJEU) recently gave its preliminary ruling on the interpretation of the legitimate interests condition under Article 7(f) of the Data Protection Directive 95/46/EC (the Directive) in the context of processing by a public authority. A collision In 2012, a passenger in a taxi in Latvia suddenly opened … Continue Reading

German Federal Supreme Court confirms: Dynamic IP addresses may constitute personal data

According to a press release dated 16 May 2017, and following the Court of Justice of the European Union’s (CJEU) preliminary ruling in Case C-582/14 dated 19 October 2016 (see our previous blog), the German Federal Supreme Court (Bundesgerichtshof – FSC) confirmed in a judgment of 15 May 2017, case no. VI ZR 135/13 that dynamic IP addresses constitute personal data within … Continue Reading

EU data protection authorities approve Google’s Cloud commitments for international data transfers

Google has announced that the EU data protection authorities have reviewed and confirmed its Google Cloud services’ contractual commitments as fully compliant with the EU requirements for transferring personal data to third countries outside the European Economic Area (“EEA”). Model contract clauses The review was carried out in line with Working Paper 226 (‘WP 226’). … Continue Reading

EU-US Privacy Shield challenged in the European Court of Justice

Just four months after its adoption by the European Commission, the EU-U.S. Privacy Shield is facing its first formal legal challenge. The challenge comes from the Irish advocacy group Digital Rights Ireland, who is joined by French privacy advocacy group La Quadrature du Net and non-profit internet service provider French Data Network.… Continue Reading

TLT v SoS: How do you quantify damages for data breaches?

A recent High Court decision, TLT and others v Secretary of State for the Home Office [2016] EWHC 2217 (QB) (“TLT v SoS”), paves the way for the greater recognition of distress in cases of data breaches and the misuse of private information. The victims of a data breach, in this case asylum seekers, successfully … Continue Reading

CJEU says dynamic IP addresses can constitute personal data

The Court of Justice of the European Union (“CJEU”) has ruled that dynamic IP addresses can constitute personal data. Dynamic IP addresses, registered by a website provider when an individual accesses its website, shall constitute personal data where the operator has the legal means to combine the data with additional data (held by the internet … Continue Reading

Changes on the horizon for the e-commerce sector?

On 15 September 2016, the European Commission published its Preliminary Report on the e-commerce sector inquiry. The report provides an overview of the prevailing market trends of e-commerce in goods and digital content, and the likely impact this will have on competition and consumer choice. While that is the focus of the report, the outcome … Continue Reading

ICO Reminds Organisations of EU-U.S. Personal Data Transfer Obligations

The Interim Deputy Commissioner at the Information Commissioner’s Office (“ICO”), Steve Wood, has published a blog reminding organisations of their obligations when transferring personal data to the United States, pursuant to the case brought by Max Schrems in 2015, which led to the Safe Harbor framework being declared immediately invalid. Wood reminds organisations that continued … Continue Reading

High Court Permits University’s Contravention of Its Own Privacy Policy

The High Court in Bangura v Loughborough University [2016] EWHC 1503 (QB) ruled 19 May that Loughborough University acted lawfully under the Data Protection Act 1998 (“DPA”) in supplying Leicestershire Police with the registration form of a student suspected of sexual assault and rape. In contravention of the university’s data protection policy, the registration form … Continue Reading

Advocate General’s opinion states that IP addresses are Personal Data

On 12 May, the Advocate General’s (AG) opinion in Case C-582/14 Patrick Breyer v Germany was released, stating that dynamic IP addresses should be considered personal data for the purposes of EU data protection law. Although opinions of the AG are not binding on the Court of Justice of the European Union, whose full judgment … Continue Reading

Superior Court of Pennsylvania Denies Data Breach Class Certification

In an encouraging development for data breach defendants, the Superior Court of Pennsylvania recently affirmed a trial court decision rejecting class certification in a suit filed against two Medicare programs for losing a flash drive containing personal information of 286,000 subscribers. The appellate court found that since the Philadelphia Court of Common Pleas “carefully considered the … Continue Reading

Turkish Parliament Enacts New Data Protection Law

In a step toward its accession to the EU, Turkey has enacted its first comprehensive Data Protection Law. The law was passed by the Turkish Parliament 24 March and published in the Official Gazette 7 April. The law is based largely on the EU Data Protection Directive (95/46/EC), and as such introduces familiar definitions of … Continue Reading

New Encryption Guidance Published by the ICO

The UK Information Commissioner’s Office (ICO) has released updated guidance on the use of encryption. The guidance highlights that in many areas, the ICO expects encryption software to be used, and in the future where data breaches occur and encryption has not been used, “regulatory action may be pursued”. Although the term “encryption” is not … Continue Reading

Information Commissioner’s Office issues updated guidance on Direct Marketing

At the end of March, the Information Commissioner’s Office (ICO) issued updated guidance on the law in relation to Direct Marketing. The ICO notes in its accompanying blog post that the law applies “equally to any and all organisations who are engaging in direct marketing activity via electronic means, regardless of their sector.” The updated … Continue Reading

New Decree defines the scope of Kazakhstan’s state electronic database

At the end of February, the Government of the Republic of Kazakhstan enacted Decree No. 117, providing that the types of personal data to be stored in the state’s electronic database are: Full names and addresses of data subjects Birth dates and birth places Nationality and citizenship Gender and family status Individual identification numbers and … Continue Reading

Update on the UK’s Information Commissioner, IP Addresses and Russia’s ‘Right to be Forgotten’ Laws

With the Privacy Shield, the Umbrella Agreement and the GDPR capturing significant attention, it would be easy to overlook some of the other important developments that have taken place in the data protection sphere. We have rounded up some of the main stories. Next UK Information Commissioner announced Pending the formal approval process, Elizabeth Denham … Continue Reading

Russia ramps up compliance checks under its Data Localisation Law

Russia’s data protection authority, the Roskomnadzor, has recently announced its intention to increase the number of data localisation audits it carries out in 2016. It has pledged to conduct around 1,000 data localisation compliance audits and 2,000 monitoring procedures in a bid to check whether businesses are meeting their obligations under data localisation law. Russia’s … Continue Reading

Data Localisation Law – clarifications published with one month to go…

Just one month before the new Data Localisation Law (‘the law’) is due to come into force, the Russian Ministry of Communications has published its long-awaited clarifications (in Russian) to the new law. These clarifications, although unofficial and non-binding, provide further guidance on the new law which will require all organisations processing personal data on … Continue Reading

Hong Kong Privacy Commissioner Ends 2014 with Special Interest in Mobile Apps

The Hong Kong Privacy Commissioner of Personal Data (the “Commissioner”) ended 2014 with a special interest in mobile applications (“apps”). In a media statement published 15 December 2014, the Commissioner reported that versions 4.3 and earlier of Google’s Android operating system contained a flaw that allowed others to read shared memory in mobile devices without … Continue Reading

EDPS publishes Guidelines on data protection in EU financial services regulation

The European Data Protection Supervisor published ‘Guidelines on data protection in EU financial services regulation’ (Guidelines) to be used as a “practical toolkit for ensuring that EU data protection rules are integrated when developing EU financial policies and rules.” The Guidelines address the processing of personal information involved in supervising financial markets, particularly through the … Continue Reading

ICO issues updated code of practice on subject access requests

The UK Information Commissioner’s Office (ICO) has issued an updated code of practice (the Code) on subject access requests, less than a year after releasing its original guidance paper on the topic. The Code is designed to help organisations fulfill their duties under the Data Protection Act 1998 (DPA) and contains guidance in relation to … Continue Reading

UK High Court Defines Tests To Determine if Data is Personal

This post was written by Cynthia O’Donoghue. The UK High Court was forced to re-examine the concept of ‘personal data’ in the recent case of Kelway v The Upper Tribunal, Northumbria Police and the Information Commissioner (2013) EWHC 2575 (Admin). The case involved an application for judicial review by Dr Kelway against two decisions of … Continue Reading
LexBlog