Data protection
Does a Facebook Like button on your website make you a data controller?
If the operator of a website embeds a third party plugin (such as the Facebook Like button), does this make it a joint data controller with Facebook?
ICO updates its guidance on data protection impact assessments
When should a data controller conduct a Data Protection Impact Assessment (DPIA)?
European Data Protection Board launches consultation on the territorial scope of the GDPR
When will processing by a data controller or data processor fall within the territorial remit of the GDPR?
ICO guidance on encryption and use of passwords in online services
How can data controllers and processors improve their security measures?
“Google You Owe Us” class action blocked – Richard Lloyd v Google LLC
Do you need to show relevant damage for a claim under the Data Protection Act 1998 (DPA)? Can a class action succeed if the members of the class cannot be readily ascertained or be said to share the same interest? Put another way, what are the restrictions on bringing an action for damages under the DPA?
Various Claimants v WM Morrisons Supermarket PLC
Can a business be held vicariously liable for the actions of an employee who deliberately breaches its data protection policies and data protection law?
Facebook ordered to reveal who requested deletion of deceased’s profile – Sabados v Facebook Ireland
Where a social media company has completed a request from an unknown person to delete a deceased’s profile and refused to tell the deceased’s partner, can a Norwich Pharmacal order be used to disclose the identity?
Six month imprisonment in first ICO computer misuse act prosecution
Is the Information Commissioner’s Office (ICO) extending the scope and severity of its enforcement powers?
Bupa fined for systemic data protection failures
What if an employee goes rogue with your personal data? Will you be able to show effective oversight measures including monitoring of employee access to databases?
Equifax fined £500,000 for data breach of 15m UK customers
Had Equifax taken adequate and effective measures to protect customer data?
Ireland’s Data Protection Commission launches investigation into Facebook’s data breach
On 28 September, Facebook disclosed that hackers had stolen keys that allowed them to access up to 50m user accounts with the potential for a further 40m which may have been compromised. The hack allowed the hackers to use the accounts as their own, reading and writing private messages and posts.
ICO Calls for views on GDPR update to Direct Marketing Guide
What should we expect from the ICO’s updated Direct Marketing Guide?
What if there’s no Brexit deal?
Where does a no deal scenario leave our obligations under EU data protection principles?
Yahoo! fined for failure to implement intra-group processing agreement
With the arrival of the GDPR, the focus on third party data processing agreements and ensuring they have the relevant controls in place has never been more intense. But how much do businesses need to focus on their intra-group processing agreements?
Media reporting restricted after Sir Cliff Richard decision
In what instances can journalists name the suspect of a police investigation? Do such suspects have a "reasonable expectation of privacy"?
European Parliament calls for suspension of Privacy Shield
Is the EU-US Privacy Shield in danger?
Fine for theft of employer’s personal data
Can departing employees be fined for stealing their employer's personal data? Even if the theft is relatively "minor"?
ICO draft guidance: legitimate interests as a lawful basis for processing
The GDPR significantly alters the balance of obligations, responsibilities and liabilities for controllers and processors of data. It mandates that a processor must have a lawful basis for the processing of data. However, there are some impactful changes, particularly when looking to rely on legitimate interests as the lawful basis upon which a processor intends to process data.
Administrator of Facebook fan page held to be data controller
Is the administrator of a fan page on Facebook a "controller" for the purposes of the Data Protection Directive (95/46/EC) (DPD)?
UK's data retention powers incompatible with EU Law
Are the UK security services' data retention powers compatible with the new privacy regime under EU Law?
The new data protection fee
From 25 May 2018, as part of the revamp by the General Data Protection Regulation (GDPR), the Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations) came into force. Amongst other things, these regulations change the way the ICO fund their data protection work.
WP29 revised guidelines: personal data breach notification
When should a data controller or processor notify a personal data breach?
ICO draft guidance: Data Protection Impact Assessments
When and how should a data controller conduct a Data Protection Impact Assessment (DPIA) under the GDPR?
ICO guidance: “consent is not the silver bullet for GDPR compliance”
The ICO reiterated that organisations do not necessarily need to obtain fresh consent from all of their customers in order to comply with GDPR.
Article 29 Working Party publishes guidelines on data breach notifications under the GDPR
What data notification procedures should data controllers and processors have in place by 25 May 2018?
Article 29 Working Party publishes draft guidelines on transparency under the GDPR
In accordance with the GDPR's new obligation of transparency, what do the WP29 draft guidelines suggest you put in your organisation's privacy policy and other privacy notices?
ICO fines Carphone Warehouse £400,000 following systemic data failures
Need an example of how not to protect your customers' and employees' data? Then, read on!
ICO publishes draft guidance on children and the GDPR
What extra requirements must be met when processing the personal data of a child under the GDPR?
Court of Appeal declares the Data Retention and Investigatory Powers Act 2014 unlawful
Is section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA) inconsistent with EU law?
Vicarious liability for deliberate data breaches
Can a business be held vicariously liable for the actions of an employee who deliberately breaches its employer's data protection policies and data protection law?
Article 29 Working Party publishes guidelines on consent under the GDPR
What exactly are the higher standards of consent under the GDPR?
Article 29 Working Party adopts guidelines on Data Protection Impact Assessments
When should a data controller conduct a Data Protection Impact Assessment (DPIA)?
Updates to the draft ePrivacy Regulation
On 19 October 2017, the European Parliament approved a revised draft of the ePrivacy Regulation. Though still subject to negotiation, it introduces a number of important changes, and deserves careful study by every online communications business.
Are Model Contract Clauses (or “Standard Contract Clauses” – SSCs) valid under EU data protection law?
Irish High Court asks CJEU to rule on validity of Model Contract Clauses (Schrems II)
ICO issues TalkTalk monetary penalty notice for £100,000
On 7 August 2017, the Information Commissioner’s Office fined TalkTalk £100,000 after an investigation found that it had failed to take adequate security measures to protect customer data from unauthorised access via a web-based portal.
ICO issues draft guidance on contracts between data controllers and data processors
What must be included within a contract between a data controller and a data processor to ensure compliance with the General Data Protection Regulation (GDPR)?
How will GDPR affect the world of internet policy and systems of domain name registration?
Data protection - ICANN/WHOIS and the GDPR
No ICO notifications but fees continue under GDPR
The Information Commissioner’s Office (ICO) has provided guidance as to how its notification and fee regime will change when the General Data Protection Regulation (GDPR) comes into force in May 2018.
ICO issues fines for emails asking customers to change marketing preferences
The ICO has fined Moneysupermarket.com and Morrisons Supermarket a total of £90,500 for emails sent to customers who had previously opted out of marketing messages.
ICO fines Boomerang Video Ltd for failure to prevent cyber attack
On 27 June 2017, the Information Commissioner's Office (ICO) fined Boomerang Video Ltd (Boomerang) £60,000 after an investigation found that the SME had failed to take basic steps to stop its website being attacked.
ICO publishes updated Subject Access Code of Practice
How should data controllers respond to subject access requests (SARs)?
Data Protection Working Party adopts Opinion 2/2017 on data processing at work
How do new technologies affect the balance between employers and employees in the debate over legitimate data monitoring interests vs the privacy expectations of individuals?
Government publishes the Data Protection Bill
The UK government published the Data Protection Bill (Bill) on 14 September 2017. The Bill will replace the Data Protection Act 1998 (DPA) and transfer the General Data Protection Regulation (GDPR) into domestic law (with a few derogations, as discussed below). Post-Brexit, the Bill will continue to regulate data protection in the UK.
ICO revised code of practice for dealing with subject access requests
The ICO has recently published a revised Code of Practice on subject access requests (SARs).
ICO guidance on consent under the GDPR – the latest
The Information Commissioner’s Office (ICO) ran a consultation on the draft guidance on consent under the General Data Protection Regulation (GDPR) this springtime.
The march of the SARs: Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74; and Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University [2017] EWCA Civ 121
When can legal professional privilege (LPP) be used to block a subject access request (SAR)? And when can the “disproportionate effort” exemption be used to block a SAR?
ICO issues fines for emails seeking consent to marketing
The ICO has fined Flybe and Honda a total of £83,000 for emails sent to customers to obtain consent to future marketing messages.
RSA: ICO issues £150,000 fine
The ICO has fined Royal & Sun Alliance (RSA) £150,000 for losing the personal information of nearly 60,000 customers.
Data protection: “Post-Brexit” data transfers and privacy standards
In February 2017, the UK Government published a white paper setting out its approach to the forthcoming negotiations on exiting the European Union, and its vision for a “post-Brexit” settlement.
Data protection - Supervisory authorities one-stop-shop: WP29 guidelines
The final draft of the GDPR enables local regulators to deal with local issues which relate only to their territory.