The £500,000 fine imposed by the Information Commissioner’s Office on retailer DSG has attracted much publicity as it represented the limit under the pre-GDPR regime. It has attracted less attention for the helpful information to be found in the monetary penalty notice.  This shows that the data breach was possible due to inadequate security, specifically inadequate software patching, absence of a local firewall, inadequate control of permissions and network segregation, and logging and incident response failures.

The Opinion of the Advocate General to the Court of Justice of the European Union states that the use of standard contractual clauses by Facebook and other firms to transfer information abroad is valid.  The decision of the CJEU is expected in 2020 with some optimism, as approximately 80 per cent of its judgments follow such opinions.

This has particular significance in the context of Brexit, as it may be one of the principal mechanisms for transferring data to the UK going forwards, assuming there will be no adequacy decision in the short term.  The UK ceases to be a member of the EU at 23:00 hours GMT on 31 January 2020, though current data protection (and most other) arrangements will continue to apply during the transition period, which will expire on 31 December 2020 unless an extension is sought by 30 June 2020.

Links to both the above documents can be found on, and we also have links to an extensive collection of resources on

‹ Back to Publications