The government has released a Statement of Intent (“the Statement”) for a new Data Protection Bill (“the Bill”). The Bill was originally announced in the Queen’s Speech earlier this year (see our previous blog on this). This Statement provides further detail on the government’s proposed reforms to data protection laws in the UK.

The Bill is intended to “bring EU law into domestic law” – referring to both the General Data Protection Regulation (“GDPR”) and the Data Protection Law Enforcement Directive (“DPLED”), which come into force next year. Essentially, the Bill helps the UK to prepare for the post-Brexit period and to facilitate the uninterrupted flow of data between the UK and the EU.

The Bill will repeal the Data Protection Act 1998 (“DPA”). It will remove inconsistencies and avoid any confusion as to which data protection standards apply. The Bill will apply to “all general data”, not just areas of EU competence – this is to ensure that businesses have a single standard under which they can operate.

The Proposals

Like the GDPR, the Statement introduces new measures for organisations which process personal data. These include:

  • Tougher rules on consent
  • Enhanced rights for individuals
  • Increased powers for the UK Information Commissioner’s Office (“ICO”)

In relation to the ICO’s powers, the Bill will allow the ICO to issue fines of up to £17 million, or 4% of global turnover, which is in line with the GDPR. The Information Commissioner, Elizabeth Denham, has commented on these proposed increased fines, stating she intends to use these powers “proportionately and judiciously” (see the recent ICO blog). She added that it would be “scaremongering” to make early examples of organisations for minor infringements, or for these maximum fines to become the norm. Businesses might take some comfort from these initial views of the ICO.

The Information Commissioner’s Office (ICO) has published an updated data subject access code of practice (the Code) to reflect developments following two major Court of Appeal judgments published in early 2017: Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others [2017]

The Queen’s Speech was delivered on 21 June 2017, setting out the government’s legislative plans. Key proposals from a data protection perspective include:

  • The introduction of a new Data Protection Bill, which will incorporate the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), and the new Directive which applies to law enforcement data processing into UK law; and
  • A new Digital Charter, to ensure that the United Kingdom is the safest place to be online.

These proposals will cover a two-year period, as the Queen’s Speech has been cancelled for next year to allow both Houses of Parliament more time to discuss Brexit legislation.

The Court of Justice of the European Union (CJEU) recently gave its preliminary ruling on the interpretation of the legitimate interests condition under Article 7(f) of the Data Protection Directive 95/46/EC (the Directive) in the context of processing by a public authority.

A collision

In 2012, a passenger in a taxi in Latvia suddenly opened the door to get out, and proceeded to damage a passing tram owned by Rīgas satiksme (Rīgas). Rīgas requested the personal details of the passenger (full name, ID number and address) in order to sue for damages so as to repair the tram. It was unknown at this stage that the passenger was a minor. The Latvian police provided the passenger’s full name only, on the basis that Latvian law does not provide for the disclosure of other data to people who are not a party to administrative proceedings leading to sanctions. Rīgas challenged this decision, stating that it required further information to enable it to locate the passenger. This challenge was upheld before later being appealed by the police. Eventually, the Latvian Supreme Court, noting doubts as to the meaning of ‘necessity’ in relation to the interpretation of ‘legitimate interests’ under the Directive, requested an opinion as to whether: (i) the Directive imposed an obligation to disclose personal data to a third party to enable it to bring an action for damages; and (ii) the age of the individual had any bearing as to interpretation.


According to a press release dated 16 May 2017, and following the Court of Justice of the European Union’s (CJEU) preliminary ruling in Case C-582/14 dated 19 October 2016 (see our previous blog), the German Federal Supreme Court (Bundesgerichtshof – FSC) confirmed in a judgment of 15 May 2017, case

Google has announced that the EU data protection authorities have reviewed and confirmed its Google Cloud services’ contractual commitments as fully compliant with the EU requirements for transferring personal data to third countries outside the European Economic Area (“EEA”).

Model contract clauses

The review was carried out in line with Working Paper 226 (‘WP 226’).

Just four months after its adoption by the European Commission, the EU-U.S. Privacy Shield is facing its first formal legal challenge.

The challenge comes from the Irish advocacy group Digital Rights Ireland, which is joined by French privacy advocacy group La Quadrature du Net and non-profit internet service provider French Data Network.

The Court of Justice of the European Union (“CJEU”) has ruled that dynamic IP addresses can constitute personal data.

Dynamic IP addresses, registered by a website provider when an individual accesses its website, shall constitute personal data where the operator has the legal means to combine the data with additional data (held by the internet service provider) to identify the data subject.