Judgment of the Court of Justice of the European Union in Case C-311/18.
The Court of Justice has invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. However, of considerable practical significance, it considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.
Successful appeals on two points under the Data Protection Act 1998, holding on the facts that solicitors’ files were not a ‘relevant filing system’ and that legal professional privilege did not apply.
Regulations amending legislation relating to personal data, including GDPR and the Data Protection Act 2018, in anticipation of Brexit.
High Court decision (following Court of Appeal decision) determining (1) whether paper files formed part of a relevant filing system, (2) application of legal professional privilege and waiver of privilege), (3) whether solicitors had carried out reasonable and proportionate searches for the claimants’ personal data under section 7 of the Data Protection Act 1998 and (4) whether the solicitors had breached their obligations under section 7 by redacting or withholding non-exempt data. (Lawtel subscriber link.)
Standard contractual clauses for data transfers between EU and non-EU countries. Note: These predate GDPR
Introduction to the Data Protection Bill (Please note that the Data Protection Act 2018 has received Royal Assent – see link above – and that some changes were made after this note was produced. Nonetheless it may still be a source of useful background information to assist the understanding of the Act.)
Law Society guidance on appointing a Data Protection Officer
A Norwich Pharmacal order requiring disclosure of IP addresses would result in the Applicants becoming "recipients" of personal data but not "controllers", and therefore not subject to the more onerous obligations on "controllers".
ICO guidance on manifestly unfounded and excessive requests
Judgment on lawfulness of sharing of sensitive personal data relating to a 16 year old child, including bail conditions, under an information-sharing agreement between the police and a local business crime reduction partnership. The decision also determined that the parties to the agreement were joint controllers of the data, rather than controller and processor respectively, and held that the defendant had implemented ‘appropriate technical and organisational measures’ by using a secure intranet, which was encrypted and password protected.
Various Claimants v WM Morrisons Supermarket Plc (Rev 1)  EWHC 3113 (QB)
Morrisons found vicariously liable for a data breach by a rogue employee, despite the adequacy of its data security measures.
Morrisons’ unsuccessful appeal against a finding of vicarious liability for a data breach by a rogue employee, despite the adequacy of its data security measures.