Article 29 Working Party Opinion 1/2006
On the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime (WP 117). Note: this predates GDPR but may still provide some useful guidance
British Airways: ICO £20m penalty notice for information security breaches
This contains some useful insights, albeit heavily redacted, into the security breaches which gave rise to the loss of personal data, and is relevant to managing security in professional firms. The failings identified include failure to use multi-factor authentication, failure to address known Citrix security issues, failure to apply user access management (the principle of least privilege) and failure to implement application whitelisting or blacklisting. Other measures which could have been implemented included penetration testing, logging access to certain files, monitoring of failed log-in attempts and monitoring of guest accounts.
Bar Council guidance: US Access: Data Protection Act Guidance
Purpose: To provide guidance for barristers and chambers’ data controllers on the implications of US legislation for one’s data protection obligations where personal information is stored by US-owned companies.
Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH
The CJEU held that pre-ticked check-boxes authorising the use of cookies do not constitute valid consent under the e-Privacy Directive (whether or not the cookies constitute personal data), and the GDPR standard of consent applies. Information must be provided on the duration of cookies and whether third parties will have access to them.
Civil Procedure Rules
Civil Procedure Rule changes to CPR 35 relating to privacy and data protection claims with effect from 1 October 2019, requiring more detailed pre-action protocol letters and requiring all claims for data protection and misuse of private information to be brought in the High Court in London.
Campbell v Secretary of State (Information rights - Data protection) [2018] UKUT 372 (AAC)
Appeal relating to data subject access rights did not survive death of the data subject.
Consent
Article 29 Working Party’s final Guidance on Consent
Consent
ICO Guidance on consent
Controller-Processor Agreements
Bar Council guidance: Signing Controller-Processor Agreements with Solicitors’ Firms
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
Judgment of the Court of Justice of the European Union in Case C-311/18.
The Court of Justice has invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. However, of considerable practical significance, it considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.
Dawson-Damer v Taylor Wessing LLP [2020] EWCA Civ 352
An appeal to determine two main issues on “joint privilege” and a “relevant filing system” as defined in section 1(1) of the Data Protection Act 1998. It was held for the claimant that the “joint privilege” in documents containing legal advice for beneficiaries of the trust arose under the law of procedure and evidence, rather than the law governing the trust (in this case Bahamian); accordingly, the solicitors were not entitled to rely on legal professional privilege. On the second point of appeal, for the solicitors, a relevant filing system was said to be one in which the files were a structured set of data, accessible according to specific criteria, and those criteria “related to individuals”. In this case, it could not be said that the criteria used to structure the data enabled its easy retrieval. Accordingly, the files were not a “relevant filing system”.
Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
Regulations amending legislation relating to personal data, including GDPR and the Data Protection Act 2018, in anticipation of Brexit.
Data Protection Act 2018
ICO guidance
Data Protection Bill
Introduction to the Data Protection Bill (Please note that the Data Protection Act 2018 has received Royal Assent – see link above – and that some changes were made after this note was produced. Nonetheless it may still be a source of useful background information to assist the understanding of the Act.)
Data Protection Officer
Law Society guidance on appointing a Data Protection Officer
Elliott v. Pubmatic, Inc. (4:21-cv-01497), California Northern District Court
Claim for damages under UK GDPR in the US courts was dismissed as the UK courts were the appropriate forum.
European Data Protection Board (EDPB) Guidelines 01/2021 on Examples Regarding Data Breach Notification (version for public consultation)
This contains numerous case studies which will be of interest in relation to UK GDPR as well as (EU) GDPR.
European Commission’s evaluation report of the General Data Protection Regulation (GDPR)
Published 24 June 2020
European Data Protection Board annual report 2019
The report advises that in 2020 the EDPB will aim to provide guidance on data controllers and processors, data subject rights and the concept of legitimate interest.
EDPB-EDPS Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection | European Data Protection Board
Advice from the European Data Protection Board and European Data Protection Supervisor on compliance with GDPR when responding to requests by US law enforcement authorities under the US CLOUD Act.
e-Privacy Regulation, revised draft
This includes clarification on consent, in line with GDPR and the Planet 49 judgment.
EU-US Privacy Shield | European Commission
The European Commission has published its second review of the EU-US Privacy Shield. The Commission concludes that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States, though some steps have only recently been implemented and developments need to be monitored.
Equifax – ICO Monetary Penalty Notice
The ICO decision notice fining Equifax £500,000 for data breaches contains some important points not only on the technical aspects which gave rise to the breaches but also on the compliance requirements when using standard contractual clauses.
F.F. v Österreichische Datenschutzbehörde, Case C-487/21
Decision of the Court of Justice of the European Union (‘CJEU’), holding that data subject access rights to copies of personal data include a right to copies of extracts from documents or even entire documents or extracts from databases containing those data.
Finjan, Inc. v. Zscaler, Inc.
Californian District Court decision ordering disclosure of emails despite objection based on GDPR.
Green v Group Ltd & Others [2019] EWHC 954 (Ch)
Claim arising from the processing of data by Cambridge Analytica. Joint Administrators were not data controllers and were therefore not personally responsible for compliance with the provisions of the Data Protection Act 1998 in respect of the data processed by the company, including but not limited to Subject Access Requests.
GDPR | ICO
Brexit: The ICO has issued updated guidance as the prospect of a withdrawal with no deal appears increasingly likely.
GDPR
Corrigendum to GDPR
Home Office circular: money laundering: the confidentiality and sensitivity of suspicious activity reports (SARs) in the context of disclosure in private civil litigation
Note that this also addresses data subject access requests under UK GDPR.
Higinbotham (formerly BWK) v Teekhungam & Anor [2018] EWHC 1880 (QB)
Dismissal of claim for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 as an abuse of process.
International data transfer agreement, addendum and provisions laid before Parliament | ICO
The Information Commissioner’s Office has laid the International data transfer agreement (IDTA), the International data transfer addendum to the European Commission’s standard contractual clauses (Addendum) and a document setting out transitional provisions as to the use of the current standard data protection clauses for international transfers before Parliament. They came into force on 21 March 2022.
ICO Timescales for responding to a subject access request
Revised ICO Guidance on calculating time limits.
ICO Data Protection Audit Report on the Legal Ombudsman (June 2019)
The report contains some potentially useful pointers for law firms and others.
ICO Guide to Data Protection
This covers the Data Protection Act 2018 and the GDPR as it applies in the UK. The guide combines the existing ICO guides to the GDPR and Law Enforcement Processing.
Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & Ors [2017] EWCA Civ 121
Pre-GDPR appeal. Information is not disqualified from being “personal data” merely because it has been supplied to the data controller by the data subject. A person who processed data as agent for a data controller was not himself a data controller. Proportionality applied and there was no obligation to search for material covered by legal professional privilege. Whether it is reasonable to disclose information about another individual is an evaluative judgement.
ICO Data sharing code of practice
Note: this predates GDPR and the Data Protection Act 2018. The ICO is working on updating the code.
Impact Assessments
ICO guidance on Data Protection Impact Assessments (DPIAs)
ICO guidance on Data Controllers and Data Processors (GDPR)
See ICO guidance: Contracts and liabilities between controllers and processors
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/
ICO guidance on Data Controllers and Data Processors (Data Protection Act 1998)
Data controllers and data processors: what the difference is and what the governance implications are. Note: this guidance relates to the law pre-GDPR.
Lloyd v Google LLC [2021] UKSC 50
Decision of the UK Supreme Court holding that a representative action could not be brought under section 13 of the Data Protection Act 1998 for damage allegedly suffered by a class of Apple iPhone users as a result of unlawful processing by Google of their personal data in breach of the requirements of the Act, because (1) the users could not establish material damage and (2) it would be necessary, under section 13, to prove what unlawful processing by Google of personal data relating to a given individual had occurred.
Lees v Lloyds Bank Plc [2020] EWHC 2249 (Ch)
The judgment identified (obiter) a number of grounds on which it may be possible to decline to respond to a data subject access request (DSAR), including the serving of numerous and repetitive DSARs which is abusive, the real purpose being to obtain documents rather than data, a collateral purpose behind the requests, the fact that the data would be of no use to the claimant, and because litigation in which the claimant was involved had been concluded with no available avenues for appeal.
Lloyd v Google LLC [2018] EWHC 2599 (QB)
Class action against Google dismissed.
Lonsdale v National Westminster Bank Plc [2018] EWHC 1843 (QB)
Disclosure of a Suspicious Activity Report ordered under CPR 31.14 in an action for defamation and breach of contract. Suspicious Activity Reports are subject to qualified, not absolute, privilege. Discussion as to entitlement to receive copies following a Subject Access Request under the Data Protection Act 1998 (pre-GDPR).
Legitimate Interests
ICO Guidance on Legitimate Interests
Law Society
Preparing for the GDPR: A guide for law firms - The Law Society
Marriott International Inc – ICO Monetary Penalty Notice
The ICO decision notice fining Marriott £18.4m for data breaches contains some important points on the technical aspects which gave rise to the breaches and the risks of acquisition of other businesses, in this case Starwood, which may have undiscovered security vulnerabilities.
Multifactor authentication (MFA) issues featured significantly, though these were not taken into account in fixing the penalty due to assurances on which Marriott had relied. Factors considered included insufficient monitoring of privileged accounts, insufficient monitoring of databases, control of critical systems (through whitelisting), and lack of encryption of payment card data and passport numbers.
Marriott’s submission that Article 33 of GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO was rejected: instead, a data controller must be able reasonably to conclude that it is likely a personal data breach has occurred.
Mircom International Content Management & Consulting Ltd & Ors v Virgin Media Ltd & Anor [2019] EWHC 1827 (Ch)
A Norwich Pharmacal order requiring disclosure of IP addresses would result in the Applicants becoming "recipients" of personal data but not "controllers", and therefore not subject to the more onerous obligations on "controllers".
Manifestly unfounded and excessive requests | ICO
ICO guidance on manifestly unfounded and excessive requests
M, R (on the application of) v The Chief Constable of Sussex Police & Anor [2019] EWHC 975 (Admin) (15 April 2019)
Judgment on the lawfulness of sharing sensitive personal data relating to a 16-year-old child, including bail conditions, under an information-sharing agreement between the police and a local business crime reduction partnership. The decision also determined that the parties to the agreement were joint controllers of the data, rather than controller and processor respectively, and held that the defendant had implemented ‘appropriate technical and organisational measures’ by using a secure intranet, which was encrypted and password protected.
Morrisons Supermarket Plc v Various Claimants (Rev 1) [2017] EWHC 3113 (QB)
Various Claimants v WM Morrisons Supermarket Plc (Rev 1) [2017] EWHC 3113 (QB)
Morrisons found vicariously liable for a data breach by a rogue employee, despite the adequacy of its data security measures.
Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339
Morrisons’ unsuccessful appeal against a finding of vicarious liability for a data breach by a rogue employee, despite the adequacy of its data security measures.
National Cyber Security Centre (NCSC)
GDPR Security Outcomes – joint guidance from the ICO and National Cyber Security Centre describing a set of technical security outcomes that are considered to represent appropriate measures under the GDPR
Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, Case C-61/19
Advocate General’s opinion on the meaning of “consent” under GDPR and the previous Data Protection Directive (95/46/EC).
Planet 49 case (Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband e v Planet49 GmbH)
See Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH above.
Privacy Shield and the UK FAQs | Privacy Shield
Brexit: The US Department of Commerce has published guidance on its Frequently Asked Questions page on the application of the Privacy Shield to data transfers from the UK post-Brexit. It addresses both the deal and no-deal positions, and outlines steps which, in the case of no deal, must be taken by 29 March 2019.
Rolfe & Others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB)
Summary judgment for the defendant solicitors on a claim under GDPR and the Data Protection Act 2018 arising from an email sent to the wrong address. There was no credible case that distress or damage over a de minimis threshold
Rudd v Bridle & Anor [2019] EWHC 893 (QB) (10 April 2019)
Consideration of various issues in relation to a Subject Access Request under the Data Protection Act 1998, including an unsuccessful claim of legal professional privilege and what constitutes ‘personal data’.
Record keeping
ICO template Excel spreadsheets for record keeping (one for data controllers, one for data processors) in accordance with Article 30
Right to be informed
ICO guidance on the right to be informed
Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB)
A representative appointed under Art. 27 of GDPR was held to have no liability to the claimant for alleged breaches of GDPR in connection with a database providing information for anti-money laundering compliance.
Soriano v Forensic News LLC & Others [2021] EWHC 56 (QB)
Held that the extra-territorial jurisdiction provisions in Art 3 of GDPR did not apply on the facts. The absence of a branch or subsidiary in the UK was by no means determinative but it was relevant that Forensic News had no employees or representatives in this country. The fact that Forensic News had a readership in the UK which was not minimal was of no more than marginal relevance: its journalistic endeavour was not oriented towards the UK in any relevant respect. That the content of the First Defendant's website may be of interest to some UK readers was not germane to the issue under consideration.
Schrems - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
Judgment of the Court of Justice of the European Union in Case C-311/18.
See Data Protection Commissioner v Facebook Ireland and Maximillian Schrems above.
Security Outcomes
See National Cyber Security Centre (NCSC) above.
The Data Protection (Adequacy) (United States of America) Regulations 2023
These Regulations specify the United States of America as a country which provides an adequate level of protection of personal data for certain transfers for the purposes of Part 2 of the Data Protection Act 2018 and the UK GDPR.
Transparency
Article 29 Working Party’s Guidance on Transparency
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein (Facebook Ireland Ltd and Vertreter des Bundesinteresses beim Bundesverwaltungsgericht intervening) Case C-210/16
The administrator of a fan page hosted on Facebook was held to be a joint controller with Facebook. By creating such a page, it gave Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person had a Facebook account. (Preliminary ruling in relation to Directive 95/46/EC, so pre-GDPR.)
Various Claimants v WM Morrisons Supermarket Plc (Rev 1) [2017] EWHC 3113 (QB)
See Morrisons Supermarket Plc v Various Claimants (Rev 1) [2017] EWHC 3113 (QB) above.
Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)
Claims for breach of confidence, misuse of private information, and common law negligence arising from a data breach were struck out, leaving a claim for breach of the Data Protection Act 1998, in relation to the seventh data protection principle.
WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12
Supreme Court allowed an appeal by WM Morrison Supermarkets, holding that they were not vicariously liable for a data breach committed by a rogue employee.
Wm Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339
See Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 above.
Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018)
Consent: Successful appeal against monetary penalty notice imposed by the Information Commissioner relating to direct marketing by electronic communications contrary to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Note: The facts predate the changes to the definition of ‘consent’ introduced by GDPR.