In one of the most highly anticipated judgments in recent years, the UK Supreme Court has unanimously rejected a class-action style compensation claim under the Data Protection Act 1998. The Supreme Court decision was handed down as a result of a claim raised against Google LLC (Google) by Richard Lloyd on behalf of four million data subjects.

Colorado’s recently passed privacy act, the Colorado Privacy Act (CPA), is scheduled to take effect on July 1, 2023, if signed into law by Governor Jared Polis. While the CPA is a comprehensive privacy act which provides certain rights to consumers regarding their personal data, it does not include a private right of action. It

In Bellingham, Alex v. Reed, Michael [2021] SGHC 125 (Alex v. Reed), the Singapore High Court considered the loss or damage needed for a private action to be brought against an organisation for a breach of the PDPA. In particular, the court found that a mere loss of control over personal data, or emotional distress

On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions, available here.

Scope of the recommendations

The recommendations specifically address online providers of goods and services who store credit card data to facilitate future purchases once an individual has provided their credit card data to conclude a transaction online.

The recommendations do not apply to payment institutions operating in online stores or public authorities. They also do not apply where credit card data is stored for a different purpose, for example to comply with a legal obligation or to establish a recurring payment.

Why are these recommendations needed?

As the digital economy and e-commerce continue to develop, the risks of using credit card data online also continue to increase. In addition to ever-present payment fraud risks, there is also an increased risk of credit card data security breaches where the credit card data is stored. Controllers must therefore act to reduce the risk of unlawful processing of this data.

The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It became one of the leading pieces of legislation in the world to offer the highest levels of protection to the personal data of individuals. Many countries followed suit to raise the bar in how organisations handle personal data. The trend

The European Commission (EC) published a draft decision on UK adequacy for transfers of personal data from the EU to the UK, which you can read here. The EC conducted an assessment of the UK’s GDPR framework under the UK Data Protection Act 2018, including data protection rules applicable to UK law enforcement and national security and surveillance. It concludes that the UK ensures an ‘essentially equivalent’ level of protection to that within the EU, under the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), meaning data transfers can flow from the EU to the UK without further safeguards.

The Court of Justice of the European Union (CJEU) handed down its judgment on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II) yesterday, July 16, 2020. The case concerned the transfer of personal data to recipients in the United States via the

In a matter of three days, Parliament passed a bill granting emergency powers to the government to deal with the COVID-19 outbreak. The Queen granted Royal Assent on 25 March 2020, bringing into force the Coronavirus Act 2020 (the Act).

The Act, amongst other things, gives the government wide-ranging powers to restrict events and social gatherings, shut down premises and isolate or detain ‘potentially infectious persons’. The Act also provides means for extending time limits for retention of fingerprints and DNA profiles (which would have been taken under various police and terrorism legislation) for up to 12 months if necessary and in the interests of national security. Whilst these measures have been implemented to help curb the spread of COVID-19, the enforcement of such measures could impact individuals’ rights to privacy and data protection.

According to a report issued last week, tens of thousands of cannabis dispensary customers’ personal data has been exposed following a data breach of a sales system that at least three (and likely more) cannabis dispensaries may have used to manage their sales to customers. Our recent client alert highlights the increasing threat that cyber