There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK.

In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by an individual whose personal data were involved in a cyber-attack suffered by DSG, a British retailer that operates the Currys PC Worlds and Dixons Travel brands. The claim relied on breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence, and the judgment is short and easy to digest, so it’s well worth a read.
Continue Reading De-stressing Distress Disputes

GDPRAn interesting article in today’s FT on the need to update the GDPR will not be welcomed by those that toiled with compliance programs, policy updates and the preparation of records of processing less than three years ago.

It is reported that German MEP Axel Voss, a driving force behind the GDPR, recognizes that the GDPR is not sufficiently nuanced for some of today’s challenges including blockchain, facial or voice recognition, text and data mining. The COVID pandemic and the shift to remote working have also created unexpected issues, including the technical challenges of compliance by organizations with a remote  workforce using software that authenticates them for a host of services with a single login or monitors what they do online.
Continue Reading Is the GDPR Outdated and in Need of Replacement?

Since passage of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), many states have proposed data protection bills that have floundered in the legislative process. Virginia, previously a dark horse in the race amongst US states to pass data protection legislation, is now poised to take the lead with the Virginia Consumer Data Protection Act (“CDPA”). Unlike bills that have repeatedly stalled in key states like Washington, the CDPA has progressed swiftly and easily in this now “trifecta Blue” Virginia, with the Virginia Senate passing a version of the bill on February 3, less than a week after the House passed a near-identical companion bill. If the governor signs the CDPA into law, the CDPA will take effect January 1, 2023, simultaneously with the CPRA.
Continue Reading Virginia Poised to Join California with Comprehensive Data Protection Framework

GDPROrganizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.Continue Reading UK Group-Style Data Breach Actions Continue

GDPROn 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers.  The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount.  Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
Continue Reading British Airways Fined £20 Million by ICO for Data Breach

Cyber SecurityThe European Court of Justice this morning issued a significant – and fairly surprising – ruling on international data transfers in the Schrems II case. Standard contractual clauses remain valid, but the Privacy Shield is invalid and cannot be relied on to legitimise transfers of personal data from the EEA to the US.
Continue Reading Privacy Shield Invalid but SCCs Survive… What next for international personal data transfers?

Cyber SecurityIn addition to the adoption by the European Data Protection Board (“EDPB”) of Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, various other European guidance regarding the use of data and technology in connection with COVID-19 has also been published.
Continue Reading COVID-19 Contact Tracing Apps Essential Requirements and Best Practices

On April 21, the European Data Protection Board (“EDPB”) released guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guidelines”).

The Guidelines note that the GDPR includes various provisions which permit health data to be collected and processed for scientific research purposes connected with COVID-19 and also envisages specific derogations to the prohibition on processing certain special categories of personal data, such as health data, where necessary for scientific research purposes.
Continue Reading European Guidelines Adopted on Health Data Processed in the Context of the Covid-19 Outbreak

Article29Recognizing the increasing prevalence of data-driven solutions in combatting COVID-19 and the numerous related privacy concerns, on April 21, the EDPB adopted guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (“Guidelines”).

The Guidelines clarify the conditions and principles for proportionate use of location data and contact tracing tools for two particular purposes: (i) the use of location data to support the response to the pandemic by modelling COVID-19’s spread to calculate the overall effectiveness of confinement measures; and (ii) contact tracing, which aims to notify individuals that they have been in close proximity to an infected individual, to break the contamination links quickly and combat the virus’ spread.
Continue Reading European Guidelines Adopted on Contact Tracing Tools and the Use of Location Data in the Context of the COVID-19 Outbreak