Skip to content
Photo of Rohan Massey

Rohan Massey

Subscribe to Rohan Massey's Posts
Contact:Read more about Rohan Massey

lockA landmark group claim for compensation under data protection laws in the UK between employees and employer has failed. The UK’s Supreme Court has held that a rogue employee’s activities were not sufficiently connected with his employment to make Morrison, his employer, vicariously liable for the data protection breach. If it had been held liable Morrison would have been in line to make compensation payments to nearly 10,000 employees.

The case relates to an incident in 2014 and was brought under the Data Protection Act 1998 (DPA), but it is likely that findings would be the same under the GDPR and the UK Data Protection Act 2018.
Continue Reading UK’s Landmark Group Claim for Compensation Under Data Protection Laws – Morrison’s Found Not Vicariously Liable for Actions of Rogue Employee

Uncertainty is the new normal. UK criminal and regulatory enforcement authorities, like the rest of us, are adjusting to unprecedented levels of business disruption.

This short alert provides signposts to the guidance given by key authorities so far about immediate steps they are taking in response to the outbreak and the difficulties it causes.

We

10_Article29_SS_566044504

As remote working becomes the new normal for office workers and attention focusing on ensuring colleagues, families and friends are healthy and have enough food and supplies to last any period of isolation, workers may be less attentive to cyber threats and more likely to open official looking COVID-19 related emails. Hackers are looking to

Judge gavel with Justice lawyers having team meeting at law firm in background. Notary with client in office

On 8 January 2018, the Information Commissioner launched a public consultation on a Direct Marketing Code of Practice, which she is required by Section 122 of the Data Protection Act 2018 to produce in order to provide practical guidance in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Accordingly, like the existing ICO Direct Marketing Guidance, which it will supersede, the proposed code sets out the law and provides examples and good practice recommendations. To a significant extent, the draft code replicates the current guidance, which was updated in 2018 to reference the General Data Protection Regulation (GDPR). When finalized, the Commissioner must take the code into account when considering whether those engaged in personal data processing for “direct marketing purposes” have complied with the GDPR and PECR. The key aspects of the draft code are summarized below, including new guidance on in-app advertising and direct marketing on social media platforms.
Continue Reading UK’s ICO Publishes Draft Direct Marketing Code of Practice

The UK Information Commissioner recently published a consultation paper inviting views on the ICO’s proposal that it should be granted investigation and asset recovery powers under the Proceeds of Crime Act 2002 (“POCA”).

The powers the Information Commissioner is seeking at this time are:

  • To apply to the court for Restraint Orders (under Part 2 of POCA);
  • To apply to the court for Confiscation Orders (under Part 2 of POCA);
  • Cash seizure, detention and forfeiture from premises (under Part 5, Chapter 3 of POCA);
  • Asset seizure and forfeiture from premises (under Part 5, Chapter 3A of POCA);
  • To undertake investigations (including search and seizure warrants) to support the proceedings sought above (under Part 8 of POCA); and
  • Access to information relevant to the investigation of money laundering offences.

The ICO is also seeking relevant authorisation powers that will enable it to exercise the powers referred to above.Continue Reading UK Information Commissioner’s Office Seeks Further Criminal Powers

7_GDPR_one year_SS_1400805215

The Information Commissioner’s Office has published GDPR: One Year On, describing its experiences and giving insights into the impact of the GDPR since 25 May 2018. The document reaffirms the ICO’s risk-based approach to enforcement focussing on GDPR breaches involving highly sensitive information, large groups of individuals and vulnerable individuals. A key message, however, is that there is “still a long way to go to truly embed the GDPR and to fully understand the impact of the new legislation.
Continue Reading GDPR: One Year On

8_UK predictions_SS_1183353586

This article by partner Rohan Massey and associate Edward Machin was published by Law360 on February 25, 2019.

2018 was the year that data protection went mainstream. Having once been a topic that most folks treated with a combination of ignorance and inconvenience — “I have to read another privacy policy?” — by the year’s end the concept of privacy had firmly entered the public consciousness. Widely viewed congressional hearings on the misuse of personal data, a series of high-profile security breaches at Fortune 500 companies and an episode of “60 Minutes” dedicated to how a European law is influencing U.S. legislators all helped privacy and data security rise to the top of the public, corporate and legislative agendas.Continue Reading Five UK Privacy and Data Protection Predictions for 2019

This article by partners Rohan Massey and Mark Szpak and counsel Clare Sellars was published by Law360 on May 26, 2017.

The General Data Protection Regulation (GDPR) is a sweeping privacy and data protection regulation in the European Union (EU) and will be enforced from May 25, 2018, replacing Data Protection Directive 95/46/EC. The GDPR aims to protect both individuals’ fundamental rights to protection of data about them and the free flow of such personal data, as well as to harmonize the existing patchwork of EU member state implementations of the Directive. In doing so, the GDPR significantly expands the application of EU data protection law.

Continue Reading Countdown to Compliance: One Year to Go Until GDPR Enforcement

Ropes & Gray and our platform provider LexBlog each use cookies to personalize content and ads, to provide social media features and to analyze traffic. Each of us also share information about your use of our site with our social media, advertising and analytics partners. If you are happy for us to store these cookies on your device please click ‘Accept Cookies. For more information, please see here and here.

Accept Cookies