Data protection
The EECC, the ePD and the GDPR – a complex interplay creating a breach notification nightmare for providers of communications services
What impact will the implementation of the new Directive establishing the European Electronic Communications Code (2018/1972) (EECC) have on the scope and application of the ePrivacy Directive (2002/58/EC) (ePD) for providers of electronic communication services?
Read moreH&M hit with €35.3m fine for GDPR employee breach
How did H&M’s internal data collection processes land it with the second largest fine in data breach history?
Read moreICO publishes guidance on AI decision making
How can companies comply with data regulation when using AI to make decisions affecting individuals?
Read moreEU social media targeting guidelines – call for feedback
Who are the key actors in the targeting of social media users, and what can they learn from the EU's new social media targeting guidelines?
Read moreDMA issues “Seven-Step Ad Tech Guide” in a bid to restore trust in online advertising
What needs to be done by UK businesses actively engaged in the programmatic delivery of digital advertising to ensure they protect the rights of individuals?
Read moreData regulation and oral communications
David Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB) (3 March 2020)
Read moreEuropean Commission and EDPB lay out framework for privacy compliant contact tracing apps
How do we balance the need for contact tracing with data protection regulation?
Read moreCOVID-19 testing and monitoring in the workplace
Can employers test and monitor employees during the COVID-19 pandemic?
Read moreICO outlines priorities and regulatory approach during the coronavirus public health emergency
How has the ICO reshaped its priorities for regulating UK data protection during COVID-19?
Read moreICO issues guidance on artificial intelligence: explaining the “black box”
What steps do businesses need to take to comply with the ICO’s new guidance on artificial intelligence?
Read moreGovernment publishes approach to post-Brexit trade deal with the EU
What is the Government’s approach to a post-Brexit trade deal with the EU?
Read moreWM Morrison Supermarkets plc v Various Claimants – Supreme Court rules on vicarious liability for unlawful disclosure of personal data by rogue employee
Can an employer be held vicariously liable for the actions of a rogue employee leaking data?
Read moreAshley Judith Dawson-Damer v Taylor Wessing LLP – Court of Appeal rules on legal professional privilege and “relevant filing system” in subject access dispute
Do paper files constitute a “relevant filing system” for the purposes of subject access requests (SARs)? Can legal professional privilege (LPP) be used to block a SAR made by a data subject that is owed a duty of “joint privilege” along with the lawyer’s primary client?
Read moreGDPR Codes of Conduct and Certification schemes – the ICO is “open for business”
What is the ICO doing to make it easier for industry specific sectors to comply with GDPR? What is the benefit to businesses in adopting accredited codes of conduct?
Read moreContinuing the free flow of personal data between the EU and the UK post-Brexit: DCMS Explanatory Framework for adequacy discussions
How might the Explanatory Framework recently published by the Department for Digital, Culture, Media & Sport (DCMS) assist with enabling the continued free flow of data between the EU and the UK post-Brexit and how might the UK Government’s approach to the COVID-19 pandemic affect this?
Read moreCookie walls and scrolling – updated EDPB guidance
Are cookie walls permissible? Can scrolling through a website constitute “consent”?
Read moreCJEU's CCTV ruling: guidance on legitimate interests processing
Case C-708/18 TK v Asociaţia de Proprietari bloc M5A-ScaraA EU:C:2019:1064
Read moreEPDB guidelines: Data Protection by Design and by Default
How familiar are you with the obligations in the GDPR to protect personal data by design and default (DPbDD)? And what practical measures can you take to help ensure compliance?
Read moreSchrems II - Advocate General's Opinion
Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd
Read moreICO issues monetary penalty notice against Cathay Pacific for data breach
When is the ICO likely to impose its maximum fine for a data breach?
Read moreICO monetary penalty notice against DSG Retail Ltd for data breach
What factors did the ICO take into account when issuing the maximum £500,000 penalty (under the old Data Protection Act) against DSG for a data security breach relating to its Point of Sale (POS) payment terminals?
Read moreAdtech and the data protection debate - where next?
How has the discussion surrounding the regulation of real-time bidding (RTB) evolved since the publishing of the ICO’s Adtech Update Report last June?
Read moreICO consults on new direct marketing code of practice
What is new about the ICO’s proposed new Direct Marketing Code of Practice (the New Code)?
Read moreMajor finance, retail and media companies targeted in Irish “cookie” sweep
How does the Irish Data Protection Commission (DPC) monitor whether websites are compliant with data protection law?
Read moreICO guidance on the use of cookies and similar technologies
Can implied consent be relied on for the use of cookies? Or, in the words of the ICO’s blog, “what does ‘good’ look like?”
Read moreCJEU rules out opt out consent for cookies
Planet49 GmbH v Bundesverban der Vebraucherzentralen
Read moreStriking the balance between the RTBF and substantial public interest
GC, AF, BH, ED v CNIL Case C-136/17 GC, AF, BH, ED v Commission nationale de l’informatique et des libertés (CNIL)
Read moreCJEU rules on the territorial scope of the “right to be forgotten”
Google LLC v Commission Nationale de l'informatique et des Libertés (CNIL)
Read moreLandmark judgment in representative data protection action
Lloyd v Google
Read moreICO revises guidance on timescales for responding to subject access requests
How long does an organisation have to reply to a data subject access request (DSAR)?
Read moreICO draft Data Sharing Code of Practice
What changes does the Information Commissioner’s Office (ICO) plan to make to the Data Sharing Code of Practice?
Read moreLawfulness of automated facial recognition
R (Edward Bridges) v the Chief Constable of South Wales [2019] EWHC 2341 (Admin)
Read moreECJ rules on Facebook “Like” button
Does a Facebook “Like” button make a website operator a joint data controller?
Read moreNew EDPB guidelines on processing personal data through video devices
How does the GDPR apply to the use of video devices?
Read moreEE fined £100k for sending unsolicited marketing texts
What happens when a customer service message also includes promotional material? Do the electronic marketing rules under the Privacy and Electronic Communications Regulations (PECR) kick in?
Read moreICO issues record fine against British Airways
What did it take for the ICO to issue its largest ever fine against British Airways?
Read moreICO update on Adtech Real Time Bidding Report
What can businesses do to minimise the regulatory risks of processing of personal data in relation to real time bidding (RTB)?
Read moreICO: Age Appropriate Design Code for information society services
What steps does the Information Commissioner’s Office (ICO) require to ensure adequate protection of children online?
Read moreHMRC issued enforcement notice by ICO for use of biometric data
When is consent sufficient for collecting, processing and using biometric data?
Read morePensions company fined for unsolicited emails following inaccurate advice
How far can you avoid culpability for a data marketing data breach on the grounds that you were given faulty legal advice or that a third party conducted the marketing campaign on your behalf?
Read moreNotifying data subjects of processing under the GDPR
What are proportional measures to take when meeting the informational obligation imposed on data controllers?
Read morePPI claims company fined £120,000 by the ICO for spam texts
Will a data controller be held responsible where a third party acting on its behalf breaches data privacy laws?
Read moreEuropean Data Protection Board issue guidelines on contractual processing for online services
When is it appropriate for Information Society Services (ISSs) to process personal data on the basis that it is “necessary for the performance of a contract”?
Read morePre-ticked boxes and cookies consents: Planet49
Is unticking a box sufficient to meet the consent requirements for the installation of cookies? Separately, can you agree to sharing your data with third parties in order to gain entry to a prize draw?
Read moreVideo recordings and the journalistic exemption
Does making a video recording on a digital camera constitute the processing of personal data? Can individuals benefit from the “journalistic exemption”?
Read moreICO guidance on contracts and liabilities between controllers and processors
What are the contractual liabilities and requirements of a data processor and a data controller under the GDPR?
Read moreStay connected and subscribe to our latest insights and views
Subscribe Here