Category Legal update

Legality of Standard Contractual Clauses (SCC’s) hangs in the balance awaiting decision by CJEU

Ireland’s High Court has just ruled today (Tuesday 3 October 2017) that the decision to ban the use of Standard Contractual Clauses (SCC) by social media giants like Facebook, Microsoft and Google to transfer users’ personal data to the US must be initially decided by the Court of Justice of the European Union (CJEU).

Giving her judgment in open court, Irish High Court Judge Caroline Costello said: “I have decided to ask the Court of Justice for a preliminary ruling. European Union law guarantees a high level of protection to EU citizens…they are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area.”

This of course looks like a spooky re-run of the Safe Harbor legal action brought by Max Schrems that resulted in the...

Read More

Is processing personal data under ‘legitimate interest’ creepy or cool?

With less than 200 working days left before Regulation 2016/679 (General Data Protection Regulation) kicks in, a new global study published by the Centre for Information Policy Leadership – a privacy and security think tank – claims that organisations in the US, South America, Europe and Asia are confused about the legal basis for processing personal data under the GDPR.

A total of 223 senior managers of multi-national companies (57% Data Controllers, 43% Data Processors) responded to the survey across a wide variety of sectors including financial services, healthcare, pharma, technology and telecoms.

The authors of the study explored the reasons why organisations choose to rely on ‘legitimate interest’ as a basis for processing personal data and the reaction this could have among customer...

Read More

British data protection laws to criminalize breaches of GDPR

The British Government  has just announced (Monday 7 August 2017) that it will incorporate Directive 2016/679 (General Data Protection Regulation) along with specific derogations permitted under the GDPR as well as the Data Protection Law Enforcement Directive (DPLED) into UK law.

The move effectively repeals the current Data Protection Act 1998.

This follows a short consultation period (12 April – 10 May 2017) that called for views and which included 170 submissions from a wide range of professional bodies, legal and consumer groups, local government, technology companies, global organisations and academic institutions (7.1% of all respondents), including Henley Business School.

“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we ha...

Read More

It’s time to press the delete key

One of the most important and fundamental principles of data protection under Regulation 2016/679 (GDPR) is the Principle of Minimisation. Arguably, it’s the one principle can help satisfy the need to manage security, data protection and privacy objectives, especially with respect to the Internet of Things (IoT).

Under Art.5(1)(c), GDPR, the Data Controller must ensure that ‘processing of personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’ This is about ensuring that staff are only processing personal data in accordance with the purposes and once these have been satisfied, it’s safest to delete this personal data unless other legal grounds exist to hang on to it.

But the Principle of Minimisation is g...

Read More

New Data Protection Act announced in Queen’s Speech to be in alignment with GDPR

The British Government signalled its intention to replace the Data Protection Act 1998 with a new Data Protection Act that will be in alignment with the EU General Data Protection Regulation (GDPR). The Department for Culture, Media and Sport and the Home Office will be the relevant ‘Lead Departments’ overseeing the passage of the Data Protection Bill through Parliament.

“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”, said Her Majesty the Queen Elizabeth II in her speech to both the House of Commons and the House of Lords on Wednesday 21 June 2017.

The Bill will fulfil a manifesto commitment to ensure the UK has a data protection regime that is fit for the 21st century.

The Bill will ensure that our data protection framework ...

Read More

Digital Economy Act 2017 described as taking ‘baby steps’ into the digital future

The much-criticised Digital Economy Bill has just received the Royal Assent (Thursday 27 April 2017) and is now law in the UK.

The British Government claims that the new Act will do the following:

  • empower consumers and ensure everyone has access to broadband wherever they live, including rural areas which has suffered from a lack of broadband connectivity
  • build a better infrastructure fit for the digital future
  • enable better public services using digital technologies
  • provide important protections for citizens from spam email and nuisance calls and protect children from online pornography.

baby-stepsOn this last point, the NSPCC has already called on the British Government to regulate social media companies such as Facebook and Twitter and to fine these companies if they fail to protect children on...

Read More

‘Team DPO’ set to become the de facto way for monitoring compliance with the GDPR

The professionalsAre you an organisation that’s been on the hunt for a suitably qualified and trained Data Protection Officer (DPO) but have found it impossible to find one? You’re not alone.

There’s a shortage, not just in the UK, but across the European Union, with 12 months to go before the EU General Data Protection Regulation (GDPR) is fully enforceable across all 28 Member States. The role of the DPO is at the heart of the new legal framework for data protection and privacy and facilitating compliance with the provisions of the GDPR. It’s also mandatory to appoint a DPO under Art.37(1), GDPR in three specific circumstances:

  1. Where the personal data processing is carried out by a public authority or body
  2. Where the core activities of the Data Controller, Joint Data Controller, or Data Processor...
Read More

GDPR accelerator – DPIA Lite

ardi-in-action-at-iapp-conference-2016Last week I had the honour of speaking at the IAPP Europe Data Protection Congress 2016 in Brussels that was the biggest gathering of data protection professionals to date on mainland Europe with over 1100 delegates drawn from across Europe, US and the Far East.

My short talk was about sizing the risk and the GDPR accelerator ‘DPIA Lite’ that was devised by our team led by Martin Hickley, Associate, Henley Business School and Director of Data Protection, GO DPO®.

A significant aspect of the EU General Data Protection Regulation (GDPR) is demonstrating and verifying compliance – making it evident to the Supervisory Authority that the organisation is meeting its obligations under the EU Regulation.

There are three key ways in which an organisation can demonstrate that it’s compliant w...

Read More

Are you a Superhero?

Superman…-Saves-the-DayOne of the biggest changes in data protection and privacy to usher in the New Year with a bang is publication of the EU General Data Protection Regulation (GDPR) later this month. And it’s really important that all companies take the necessary steps to protect themselves from becoming liable for personal data breaches under this EU Regulation.

As reported extensively in this blog over the last 12 months, the GDPR will force all organisations to re-wire their thinking as well as their data protection policies and procedures for handling personal data under a fundamental change in European law.

Experience to date shows that effective training is the first line of defence and by far the best way to mitigate against the risks of being landed with a massive fine – which can be as high as €20m...

Read More

Goodbye to ‘Safe Harbor’ as US companies need to start playing by the same rules

not so safe harborThis week the blogosphere went into overdrive with the news that the non-binding legal opinion of the Advocate General of the European Court of Justice claims that EU user data transferred to the US by various technology companies is a violation of current EU data protection and privacy laws.

Even before this opinion, the European Commission was already attempting to re-negotiate the Safe Harbor Agreement with the US. The Advocate General observed: “If the (European) Commission decided to enter into negotiations with United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbour scheme, was no longer adequate.”

And of course, he’s impeccably right in this regard.

The cornerstone of this highly influential leg...

Read More