Tag Archives: Court Decisions (Data Protection)

Nefarious Endeavours and Vicarious Liability for Data Breaches: Round 2 (The Court of Appeal)

The England and Wales Court of Appeal has delivered its judgment in the appeal by Morrisons against a finding by the High Court that it was vicariously liable for breaches of the Data Protection Act 1998 by one of its former employees. I will not set out the facts in much detail and instead direct readers to the blog post that I wrote following the decision of the High Court. It should be noted that all references to the DPA in this blog post are to the Data Protection Act 1998 and not the Data Protection Act 2018. For the sake of this post all that is really necessary to say is that Mr. Skelton, a former employee of Morrisons, was rather disgruntled when his employment with Morrisons came to an end. Before leaving Morrisons’ employment he copied records of over 5,000 employees onto a personal memory stick with the intention of disclosing that personal data on the internet.

Mr Justice Langstaff, who heard the case in the High Court, on his own motion granted Morrisons leave to appeal the vicarious liability issue to the Court of Appeal. Morrisons took the opportunity granted to them by Mr Justice Langstaff and appealed to the Court of Appeal. When the case came before the Court of Appeal there were three grounds of appeal: (1) the Judge ought to have concluded that, in its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability; (2) the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same; and (3) the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

The Court of Appeal took the first and second grounds of appeal together; they essentially constructed an argument that the DPA provides a comprehensive statutory code which prevents a finding of vicarious liability. The Appellants argued that the DPA indicated a position contrary to the common law position that vicarious liability holds good for a wrong comprising a breach of a statutory duty. The Court of Appeal disagreed, concluding at paragraph 60 of its judgment that “the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”

In relation to the Appellants’ third ground of appeal, this was also refused by the Court of Appeal. The Court noted, at paragraph 66, that in this “case the claimants’ cause of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. At that stage, had any of them been aware of what happened, they could as a matter of law have claimed at least nominal damages and sought an injunction to prevent dissemination of the data.” The Appellants’ Senior Counsel, Anya Proops QC, argued that (relying upon authority from the Supreme Court in a case from the jurisdiction of England and Wales) what Mr. Skelton had done at work in November (that being the downloading of the data) was “past history by the time he distributed the data from his home in January” [para 67].

In essence the Appellants’ Senior Counsel was arguing that the law on vicarious liability only permitted the employer to be liable for the conduct of the employee if the employee was on the job at the time. In essence, Senior Counsel was arguing that the chain of liability ended at the same time as Mr. Skelton’s employment ended. However, that argument did not fare much better in the Court of Appeal than it did in the High Court.

The point which troubled Mr Justice Langstaff in the High Court the most features in ground of appeal three, and it is this: the motivation of Mr. Skelton was to cause harm to Morrisons; finding Morrisons vicariously liable renders the court an accessory in furthering Mr. Skelton’s criminal aims. It appears that it was this point that triggered Mr Justice Langstaff to grant permission to appeal to Morrisons. In none of the cases to which the court was referred did the situation arise where the conduct for which the employer was to be held vicariously liable arose out of the employee’s settled determination to cause harm to the employer. However, it had been held in previous decisions that the motive of the employee was irrelevant in reaching a determination as to whether the employer was vicariously liable. The Appellants’ Senior Counsel argued that “there is an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer.” [para 76] The Court of Appeal was, however, unpersuaded. [para 76]

The Appellants’ Senior Counsel also sought to argue that a finding of vicarious liability in this case would place an enormous burden upon Morrisons and on innocent employers in cases that could come in the future. However, the Court of Appeal was not persuaded by this argument. At paragraph 77 of its judgment the court states “[a]s it happens Mr Skelton’s nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.” The court compared that situation to the one which arose in what was described by the court as “the foundation of the modern law of vicarious liability” [para 76]. In that case a solicitor’s clerk dishonestly procured a conveyance in his own favour of the client’s property.

The solution proposed by the Court of Appeal to any burden that might be placed upon employers arising out of data theft incidents was insurance [para 78].

The appeal was therefore dismissed by the Court of Appeal. It remains to be seen whether this will be the end of this aspect of the proceedings, or whether Morrisons will seek to appeal the matter to the Supreme Court. The level of damages to be awarded is yet to be determined as that matter was split from the issue of liability when the case was before the High Court. Whether we will ever get to see any judicial writings on quantum will depend upon whether that can be agreed between the Claimants and Morrisons.

Application in Scotland
This is, of course, a judgment of the England and Wales Court of Appeal; Scotland has a separate and distinct legal system meaning that English court judgments do not bind Scottish courts, but rather are of persuasive authority – especially when they deal with matters of law which are common across the whole of the UK (such as data protection law).

It should be noted that in Scotland there is no authority on whether breach of confidence is a delict (the Scottish equivalent of tort) or a unique obligation; nor has there been any authority considering the relationship between breach of confidence and “misuse of private information” in relation to Scots law. It has been argued by academics that the Scottish courts would likely follow the English position; however, this is yet to be tested in the law of Scotland (and, for what it’s worth, I agree with the position that the Scottish courts would likely follow the English courts on this matter). Therefore data controllers with a presence in Scotland should be careful when considering the Court of Appeal’s comments in relation to the tort of misuse of private information.

Data Controllers in Scotland should not ignore this judgment for various reasons. Firstly, it may be that although the controller is based in Scotland they may be processing the personal data of data subjects based in England who may, dependent upon the circumstances, be able to bring proceedings in an English court as opposed to a Scottish court. Secondly, it is only a matter of time before claims of this nature come before the English courts. Litigation of this nature has been rare in Scotland for a variety of reasons, but with the advent of Group Proceedings through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 it might well become much easier for large groups of data subjects to bring claims against data controllers.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Information Notices: UKIP -v- Information Commissioner

Last week the Information Commissioner published an update on her investigation into the use of personal data in political campaigning; it received much publicity and I wrote about the report on this blog. In the report it was revealed that the First-Tier Tribunal (Information Rights) (hereafter “FTT”) had dismissed an appeal by the United Kingdom Independence Party (“UKIP”) against an Information Notice served upon it by the Commissioner.

I have previously written on Information Notices more generally (which dealt with them under the Data Protection Act 1998 (“DPA98”), rather than the Data Protection Act 2018 (“DPA18”)) and so I don’t propose to set out in any detail what an Information Notice is; however, in brief the Commissioner had the power to compel a person (not just a data controller) to provide her with certain information under section 43 of the DPA98; failure to comply with an Information Notice issued under the DPA98 is a criminal offence.

In my blog post last week I said that I would try and blog when the FTT published its decision in respect of UKIP’s appeal against the Information Notice. The FTT has now published its decision in United Kingdom Independence Party (UKIP) –v– The Information Commissioner [pdf]. The background to the Information Notice is set out in the decision, but it appears that the Commissioner’s office wrote to UKIP asking it to provide certain information. UKIP responded, but did so in a very unsatisfactory manner. In particular the answers given were lacking in detail and contradicted information obtained by the Commissioner’s office from the Electoral Commission website. As a result, the Commissioner used her power to compel information from UKIP.

UKIP appealed on the grounds that the Information Notice was “unjust, disproportionate and unnecessary because the UKIP has never suggested it would not comply and that a preferable course of action would have been for the Commissioner to write seeking clarification and specific details.” [para 13] It seems that the Tribunal issued Directions asking the Commissioner whether she could issue a fresh Information Notice because the FTT was not clear on certain matters; however, it was pointed out that this was not open to either the FTT or the Commissioner and that the FTT must allow or dismiss the appeal by UKIP.

The matters upon which the FTT was uncertain were clarified by the Commissioner and ultimately the appeal was dismissed by the FTT. The appeal was considered, at the request of both parties, on the papers alone and therefore no hearing took place. The Tribunal concluded that “the expressed intention of UKIP to provide information and co-operate with the Commissioner is at odds with the information provided by UKIP.” [para 19] UKIP was not arguing that the Notice was not issued “in accordance with the Data Protection Act [1998]” [para 20].

It appears from the FTT’s decision that UKIP later did try to argue that it was not in accordance with the law founding upon the FTT’s own request for clarification; however, the FTT decided that the “notice, of itself, is clear”  and that the reasoning advanced by UKIP did “not provide grounds for allowing this appeal.” [para 25]

The Tribunal also concluded that the appeal had no merit [para 26] before unanimously dismissing the appeal [para 27].

Information Notices are not a common feature of the data protection enforcement landscape. UKIP could seek to appeal the FTT’s decision to dismiss its appeal and whether UKIP seek permission to appeal the decision to the Upper Tribunal remains to be seen. My own view, from the information available in the FTT’s judgment, is that the ultimate conclusion of the FTT was correct; however, the route by which the FTT arrived at that conclusion is unhelpful and may be enough to persuade either the FTT or the Upper Tribunal to grant permission to appeal.

From reading the FTT’s decision it appears that there might have been some confusion on the part of the FTT concerning what its functions were in respect of Information Notices and what the statutory scheme for such a notice was. Whether this was down to the way in which the Commissioner had presented the case on the papers or down to a genuine lack of understanding by the FTT is something that we might never know (especially if there is no appeal by UKIP to the Upper Tribunal).

In terms of the actual decision, it is not at all surprising that the FTT did not take UKIP’s assertion that it would co-operate with the Commissioner at face value when presented with its response to the Commissioner’s more informal request for information from them. It underlines the importance of genuinely engaging with the Commissioner when they are undertaking investigations – they do have certain powers to assist them with their investigation and they do seem willing to use those powers where they feel as though they need to do so.

The framework for Information Notices has changed slightly under the GDPR/DPA18 – it’s no longer a criminal offence to fail to comply with an Information Notice; however, the Commissioner could go to court and obtain an Information Order from the Court where an Information Notice is not complied with. A right of appeal to the FTT continues to exist against Information Notices issued under the DPA18.

Alistair Sloan


Compensation for identifiable third parties following a data breach

The subject of data protection has, once again, been visited by the England and Wales Court of Appeal. At the end of last week the Court (Gross LJ, McFarlane LJ and Coulson LJ) gave its judgment in an appeal brought by the Secretary of State for the Home Department and the Home Office against a decision of the England and Wales High Court in which it was found liable to three members of a family following a data breach.

The Factual Background
The facts as found proved by the court at first instance are more fully set out in the judgment of Mitting J ([2016] EWHC 2217 (QB)), but they can be summarised for the purposes of this blog post in the following way. The case concerns three members of a family: TLT, TLU and TLV. TLT and TLU are married (but have different surnames) and TLV is the teenage son of TLT (sharing the same surname). In 2010 the family lawfully arrived in the United Kingdom. They claimed asylum. They were also joined by an older child who was, in 2010, 17 years of age. Upon turning 18, he applied for asylum in his own right. His application for asylum was rejected and he was returned to Iran in 2012. TLT and TLU heard from relatives in Iran that upon his return to Iran their son had been detained and tortured and subsequently released after paying a bribe.

On 15th October 2013 the Home Office suffered a data breach when it accidentally published more information than it had intended to concerning the family return process. It had intended to publish the statistics contained in the first sheet of a spreadsheet, but not the underlying data that was contained in a second sheet. The error was discovered on 28th October 2013 and the spreadsheet was immediately removed from the internet. It was discovered that by the time the spreadsheet was removed at least one unknown individual had downloaded and saved the spreadsheet.

In November 2014 a person who had downloaded the page and the spreadsheet from the UK Border Agency’s website uploaded the spreadsheet onto a US website; this was later removed on 18 December 2013.

The personal data of TLT was included within the spreadsheet; in particular it included both his forename and surname, his nationality (Iranian), his date of birth and age. It also noted that “assisted return” was being pursued and stated that the removal case type was “Family with Children – Voluntary”. It further acknowledged that asylum had been claimed.

In March 2014, TLU received some communications from a family member in Iran. These communications advised that the Iranian authorities had detained another member of TLU’s family and questioned them about “you”. It was said that the authorities in Iran claimed to have documentation showing that TLT and his family had claimed asylum.

The issues on appeal
There were three issues on appeal:

  • Did the spreadsheet in question contain the private and/or confidential information?
  • Did the spreadsheet contain personal data of which TLU and TLV were the data subjects?
  • Even if the information in the spreadsheet did not contain the personal data of TLU and TLV, are they entitled to damages for the distress they have suffered under section 13 of the Data Protection Act 1998 in any event?

The first issue
This issue amounts to a common law tort in English law. At para 28 of the judgment of the Court of Appeal Gross LJ said that “this issue is short, straightforward and essentially one of fact.” Gross LJ had “no hesitation in concluding that the Home Office’s publication of the spreadsheet misused TLU’s and TLV’s private and confidential information.” [31] TLT was the lead family claimant and the detailed nature of the information concerning TLT as such meant that TLU and TLV “could readily be identified by third parties” and that they “had a reasonable expectation of privacy and confidentiality in respect of their information in the spreadsheet.” [31]

The second Issue
In terms of section 1 of the Data Protection Act 1998, personal data was defined as meaning “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.” The Data Protection Act 1998 was the domestic vehicle through which the United Kingdom implemented its obligations under Directive 95/46/EC (which has, of course, now been replaced by the General Data Protection Regulation, but is still relevant for the purpose of this case as that was the law in force at the time). Recital 26 of the Directive noted that the “principles of protection” should take account “of all the means likely reasonably to be used either by the controller or by any other person to identify the” data subject.

In the present case, limb (b) of the definition of personal data was met in relation to TLU and TLV. The Home Office had argued that the information contained in row 1101 of the spreadsheet (which concerned TLT) did not “relate to” TLU and TLV. This was rejected by the court with reference to the statutory language. [39]

The Home Office had also sought to rely on Durant v Financial Services Authority as a means of trying to limit the scope of personal data (and therefore its liability) in this case. However, Gross LJ held that Durant, when properly applied, “powerfully reinforces the case for TLU and TLV” [44] and that Auld LJ was simply stating “a broad, practical working assumption.” [42] There was nothing within Durant that enabled the Court to depart from the conclusions that they must reach in light of the decision by the Court of Appeal in Vidal-Hall v Google and the Supreme Court in Common Services Agency v Scottish Information Commissioner.

Third Issue
In the circumstances, this issue did not arise and the court felt it best to leave resolution of it “to a case where a decision is required” on it. [48]

Comment
The appeal was therefore dismissed by Gross LJ on all three issues that were raised, and McFarlane LJ and Coulson LJ simply agreed, adding no further comments of their own.

This is an interesting, but not unexpected, decision from the Court of Appeal which will be binding on all lower courts in England and Wales and will be persuasive in Scotland. It is difficult to find fault with the approach taken by the Court of Appeal or the judge at first instance; indeed, this is very much the view of the Court of Appeal. It does make it clear though that it will be possible for data subjects not directly referred to within the compromised data arising out of a data breach to sue for damages in certain circumstances. The first instance case had become an important case when such situations arose and now that the Court of Appeal has confirmed the approach adopted by the first instance judge it is likely that we will see more claims of this nature being made.

The circumstances in the present case are fairly clear-cut, but not all situations where liability might arise will be as clear-cut. The GDPR is not going to have any real impact upon this position; the definition of personal data essentially adopts the same two-stage test as was to be found within section 1 of the Data Protection Act 1998. Therefore this pre-GDPR case will continue to be instructive in the post-GDPR world we now inhabit.

Alistair Sloan


NT1 and NT2: Forgetting past misdemeanors

The so-called ‘right to be forgotten’ (hereafter “RTBF”) is an often trumpeted aspect of the GDPR; it is an important right, but one that is rather more restricted in nature than is understood. The RTBF is not a new right within the GDPR, but has foundation within current data protection law and practice. On 13 March 2014, the Grand Chamber of the Court of Justice of the European Union gave its judgment in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (“Google Spain”), which it has popularly been said created a ‘right to be forgotten’. The court did not, in fact, grant a right to be forgotten; instead, the court required search engines, such as Google, to consider requests from individuals to have links to webpages concerning them de-listed from Google search results in certain circumstances.

Fast forward to 13th April 2018, a little over 4 years since the decision in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB); cases which both concerned the RTBF. NT1 and NT2 are both businessmen who were convicted of criminal offences. In respect of NT1, he was involved in a controversial property business in the late 1980s and the early 1990s (while in his thirties). In the late 1990s, while he was in his 40s, NT1 was prosecuted and convicted, after trial, of a criminal conspiracy connected with those business activities. He was sentenced to a period of imprisonment and his conviction has since become “spent”. In addition to the matters for which he was convicted, he was also accused of, but never prosecuted for, a separate conspiracy connected with the same business. Some of the business’s former staff were eventually convicted in relation to that separate conspiracy. There was media reporting of these and related matters at that time. Links to that reporting are made available by Google in its search results. On 28 June 2014, not long after the CJEU’s decision in Google Spain, NT1 made a de-listing request to Google in respect of six links. Google agreed to block one link, but not the other 5. Google stood by its position when NT1 asked for them to reconsider their decision. In January 2015, a second de-listing request was made by NT1, this time through his solicitors. Google replied to that de-listing enquiry in April 2015, refusing it.

NT2’s case is quite separate from that of NT1; the two claims were tried separately, but were heard one after the other and involved the same judge and the same representation.  NT2’s case has some similarity in terms of its facts and it raises similar issues of principle to that of NT1.  While in his 40s and sometime in the early 21st century, NT2 was involved in a controversial business which experienced public opposition in relation to its environmental practices.  NT2 pleaded guilty to two charges of conspiracy in connection with that business.  This was “rather more than ten years ago” [para 7].  NT2 received a short prison sentence and spent six weeks in custody before being released; his conviction also became spent.  On 14 April 2015, NT2 made a de-listing request to Google in respect of 8 links.  Google declined to de-list any of the links.

Ultimately, NT2 was successful in obtaining orders requiring Google to de-list while NT1 was unsuccessful.

Journalism, literature and art exemption

Google had, in its defence to these claims, sought to place reliance upon the exemption in section 32 of the Data Protection Act 1998, which relates to “journalism, literature and art”.  Warby J deals with this aspect of Google’s defence to the claims by the claimants in paragraphs 95-102 of the judgment.  Warby J ultimately rejected Google’s reliance upon section 32 holding that the exemption did not apply in the first place; but even if it did, Google would have failed to meet the part of the test which is contained in section 32(1)(b).  Warby J accepted that the EU law concept of journalism was a broad and elastic one which went beyond simply the activities of media undertakings and incorporates other activities which have as their aim the disclosure to the public of information, opinions and ideas. However, Warby J concluded that “the concept [of journalism] is not so elastic that it can be stretched to embrace every activity that has to do with conveying information or opinions. To label all such activity as “journalism” would be to elide the concept of journalism with that of communication.”

In Google Spain the CJEU was sceptical as to whether the exemption in Article 9 of the Directive (which is implemented through section 32 of the Data Protection Act 1998) would apply to an internet search engine such as Google. Warby J noted that this observation by the CJEU was not integral to its decision in Google Spain; however, he concluded that “it is true”. Internet search engines do not, in the view of Warby J, process personal data “only” for the purposes of journalism, literature or art.

In considering section 32 of the Data Protection Act 1998 Warby J concluded that there is a subjective and an objective element to each of section 32(1)(b) and (c).  In relation to section 32(1)(b) Warby J concluded that the data controller had to have a subjective belief that the publication of the personal data in question would be in the public interest and this belief must be objectively reasonable.  In respect of section 32(1)(c), Warby J considered that the data controller must prove that it had a subjective belief that compliance with the data protection principle(s) engaged would be incompatible with the special purpose and that belief must be one which is objectively reasonable.

Warby J explained in his judgment that if he was wrong in his conclusion that section 32 was not even engaged in this case, he would have still rejected Google’s reliance upon it, concluding that Google would have failed when it came to considering the test in section 32(1)(b). There was no evidence, Warby J concluded, that “anyone at Google ever gave consideration to the public interest in continued publication of the URLs complained of, at any time before NT1 complained” [para 102].

Schedule 3 of the Data Protection Act 1998

Clearly a great deal of the personal data at issue in these claims, being personal data relating to criminal convictions, is sensitive personal data (see section 2 of the Data Protection Act 1998).  In order for processing of sensitive personal data to be in compliance with the first data protection principle, which requires personal data to be processed fairly and lawfully, the data controller must be able to rely upon one of the conditions in Schedule 3 to the Data Protection Act 1998 (in addition to one of the Schedule 2 conditions).  This is an area where Google had a great deal of difficulty.

Warby J rejected most of the Schedule 3 grounds that Google sought reliance upon (see paras 107-109). However, in paragraph 110 of his decision, Warby J decides that condition 5 in Schedule 3 was satisfied: that “the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.” In reaching this conclusion, Warby J relies upon the decision of Stephens J in Townsend v Google Inc [2017] NIQB 81. In Townsend, Stephens J concluded that as a consequence of the principle of open justice, when an offender commits an offence, even in private, he deliberately makes that information public (see para 65 of Townsend). In NT1 and NT2, Counsel for the Claimants, Hugh Tomlinson QC, takes issue with the conclusions of Stephens J and Counsel’s arguments are set out briefly by Warby J towards the end of paragraph 110. Warby J concludes that, in his view, the reasoning of Mr. Tomlinson was not sound.

I must confess that I have a great deal of difficulty with the reasoning of Warby J and Stephens J on this point. I struggle to see how the commission of an offence by an individual amounts to them taking positive steps to make the information public. The conclusions of Warby J and Stephens J do not seem to me to fit with the statutory language in the Data Protection Act 1998 nor the language of the Directive which it implements. Warby J considered that the language in Article 8.2(e) of the Data Protection Directive is “obscure”. It seems to me that the language of the Directive is the complete antithesis of “obscure” and that section 32 does not adequately implement the requirements of the Directive in this regard. The only UK jurisdiction yet to grapple with this issue is Scotland. Neither the Northern Irish nor the English and Welsh court decisions are from appellate level courts. For the time being we have two first instance courts in two jurisdictions reaching the same conclusion; that will undoubtedly be considered somewhat persuasive by other first instance judges.

The balancing exercise

The court in Google Spain required a balancing exercise to take place between the rights within the European Convention on Human Rights to a private and family life (Article 8) and freedom of expression (Article 10).  Following Google Spain the ‘Article 29 Working Party’ (soon to become the European Data Protection Board) issued guidance on the Google Spain decision.  These guidelines provide helpful assistance, but do not prescribe the factors which are to be taken into consideration; it is acceptable to go beyond the factors in the guidance [para 135].

In respect of NT1, Warby J attached some weight to the conduct of the Claimant post-conviction; in particular, NT1 had caused to be published about him on the internet (by a reputation management company known in the judgment by the fictitious name of ‘cleanup’) misleading statements about his character and integrity:  NT1 had been convicted of a substantial offence of dishonesty and had received a substantial prison sentence for that.  This can be contrasted with NT2 who had not been convicted of an offence of dishonesty, had entered a plea of guilty and had shown remorse.

The contrast is an interesting one because while each case will inevitably turn on its own facts, it shows the kind of issues that the court is likely to take into consideration when balancing the competing Article 8 and 10 rights.

Interaction between the Rehabilitation of Offenders Act and the Data Protection Act 1998

The Rehabilitation of Offenders Act 1974 (“ROA”) differs in Scotland from what is in force in England and Wales; of course, these claims deal with the ROA as it applies in England and Wales.  The differences in the substance of the Act do not, however, affect the principles which are in play when looking at the interaction between the ROA and data protection law.

The ROA creates a, somewhat limited, right to rehabilitation and Warby J concluded that this right to rehabilitation is an aspect of privacy law.  Warby J concluded that “[t]he rights and interests protected include the right to reputation, and the right to respect for family life and private life, including unhindered social interaction with others.” Furthermore, Warby J concluded that “[u]pholding the right [to rehabilitation] also tends to support a public or societal interest in the rehabilitation of offenders.”  Importantly though, the right to rehabilitation is a qualified right.  As with most cases involving rights, the rights of the offender to rehabilitation do come into conflict with the rights of others, in particular their rights to information and freedom of expression.

As a starting point, a person who is party to legal proceedings held in public (such as the accused in a criminal trial) does not have a reasonable expectation of privacy.  However, there may well come a point in time when they can have such an expectation.  The ROA works to prevent the disclosure of certain criminal offences for which a person has been convicted after a specified period of rehabilitation.  It does not, Warby J concluded, mean that in 1974 Parliament legislated for a right to privacy or confidentiality from the point at which the offence became “spent”.

The rehabilitated offender’s right to a family and private life in respect of a spent conviction will normally be a weighty factor against further use of disclosure of that information; however, it is not a conclusive factor.  The “balancing exercise will involve an assessment of the nature and extent of any actual or prospective harm. If the use or disclosure causes, or is likely to cause, serious or substantial interference with private or family life that will tend to add weight to the case for applying the general rule.” [para 166]

Paragraph 166 of Warby J’s judgment is well-worth reading in full for anyone who is involved in balancing exercises of this nature.

At the end of the day, de-indexing (or de-listing) from internet search results does not cause the information to disappear completely.  The effect that it has is to make the information more difficult to find.  It will still be possible for a person, with sufficient determination, to discover and access the information.  In the modern day world we are used to being able to put search terms into Google (and other search engines) and have millions, if not billions, of results returned to us in a fraction of a second.  The search engines have developed algorithms which help to bring the content that is seemingly most relevant to the top of those results with the seemingly least relevant placed at the end of the long list of results.  Information is much more readily available than it was in 1974; some might argue that cases such as NT1 and NT2 simply return the position back to something which more closely resembles 1974.

It is quite probable that we will begin to see cases like NT1 and NT2 arise more frequently.  The qualified right to erasure within the GDPR has attracted a lot of attention and individuals are certainly more aware of ‘the right to be forgotten’.  The GDPR arguably doesn’t take us forward from what was determined in Google Spain, but simply gives it a statutory basis as opposed to one that is derived mostly from case law.  The qualified right to erasure within the GDPR is, as noted above, often overstated and this will inevitably, in the event that people seek to enforce it more frequently, lead to disputes between controllers and data subjects.

Alistair Sloan

Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880.  You can also contact him by E-mail.  You can also follow our dedicated Twitter account covering all Information Law matters:  @UKInfoLaw

Information Law Review of 2017

2018 is now upon us and this is a big year in the field of Information Law: the General Data Protection Regulation will at last become applicable in the United Kingdom. If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for these regulations then it is not yet too late. The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017. At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB). This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

In September 2017, the Grand Chamber of the European Court of Human Rights issued a decision concerning the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability.  We may also see claims for compensation being made based upon the Morrisons decision.

In Scotland, we will be expecting to see some more progress made by the Scottish Parliament in its consideration of the Children and Young People (Information Sharing) (Scotland) Bill.  I provided written evidence to the Education and Skills Committee on this Bill last year.  The Committee has had some difficulty in completing its Stage 1 consideration of the Bill and the previous deadline of 22 November 2017 for completion of Stage 1 was removed by the Scottish Parliament.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course).  If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

Staying on the subject of Freedom of Information in Scotland, we are likely to see the outcome of the Scottish Information Commissioner’s formal intervention in respect of the Scottish Government’s compliance with the Freedom of Information (Scotland) Act 2002. We are also likely to see an Order being made under Section 5 of the Freedom of Information (Scotland) Act 2002 designating Registered Social Landlords as Scottish public authorities with effect from 1st April 2019.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters (including GDPR preparation) or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0345 450 0123 or you can E-mail him.

Nefarious Endeavours and Vicarious Liability for Data Breaches

Last week I highlighted the important decision handed down by Mr Justice Langstaff sitting in the English High Court in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB).  In that blog post I stated that the judgment was lengthy and would take some time to properly read and digest and that I would cover the judgment in much more detail in due course.  It has indeed taken some time to read and digest, but I am now in a position to bring readers a much more in-depth consideration of the judgment.

The facts sitting behind the Morrisons decision are stark.  An employee of the Defendants, Andrew Skelton, ran a business on the side.  His business was connected to the slimming industry and involved him sending a perfectly legal drug, which was in the form of a white powder.  On 20th May 2013, Mr Skelton left a pre-paid package with Morrisons’ mail room which contained this white powder.  While the package was being handled by staff in the mail room it burst open and some of the contents spilled out.  This triggered a process within Morrisons that could have resulted in the mail room being closed; however, that was not necessary.

Mr Skelton was eventually disciplined by Morrisons in connection with this incident. He had committed no criminal offences in connection with the incident: the drug was perfectly legal and he had paid for the postage himself. However, Morrisons decided that his conduct was not in keeping with their values and issued him with a verbal warning. Mr. Skelton disagreed with this sanction and utilised the company’s internal appeals process to appeal the disciplinary decision; that appeal was unsuccessful. Mr Skelton took exception to the way in which he was treated and began to embark upon a criminal enterprise which was designed to damage the Defendants.

Mr Skelton was employed as an IT internal auditor within Morrisons. This meant that he was highly literate in IT and also meant that he had access to personal data. It is not necessary to go into the facts in much more detail. It suffices to say that in the course of his employment with Morrisons, Mr. Skelton lawfully processed personal data which had been extracted from the company’s payroll software.

As part of his nefarious endeavour, Mr. Skelton made a personal copy of the personal data and proceeded to post it onto the internet in January 2014. By this time, Mr. Skelton had left Morrisons (having resigned). By March 2014, the fact that vast quantities of personal data from Morrisons’ payroll software had been posted onto the internet had not been discovered. Mr. Skelton then, anonymously, sent a CD of the personal data to a number of local newspapers including a link to where the personal data had been posted. One of the local newspapers alerted Morrisons to the publication of the personal data and Morrisons took steps to have it removed and to investigate matters.

Ultimately, Mr. Skelton was arrested and charged with various offences under both the Data Protection Act 1998 and the Fraud Act 2006.  He was later convicted and sentenced to a period of imprisonment.  With that context now set out, it is time to turn to the civil claim brought by over 5,000 of the affected data subjects against Morrisons.

The claimants effectively argued two primary positions:  (1) that Morrisons was directly liable for the breach arising out of its own acts and omissions; and (2) alternatively, that Morrisons was vicariously liable in respect of Mr. Skelton’s actions.

In advancing the case for primary liability, Counsel for the Claimants argued that Morrisons was at all material times the data controller of the payroll data which Mr. Skelton had misused for his criminal enterprise.  This argument was repelled by Langstaff J.  Mr Justice Langstaff concluded that by taking it upon himself to decide that he was going to copy the personal data and place it on the internet, Mr. Skelton had put himself into the position of deciding what personal data would be processed and the purposes for which it would be processed.  Mr. Skelton was therefore the data controller, not Morrisons.  It was therefore Mr. Skelton’s actions that were in breach of the Data Protection Principles rather than the actions of Morrisons.

The rejection of the primary liability then brought Mr Justice Langstaff onto the question of secondary liability. Could Morrisons be held as being vicariously liable for the actions of Mr. Skelton, and if so, were they vicariously liable for the actions of Mr. Skelton? Mr Justice Langstaff decided that Morrisons could, and indeed were, vicariously liable for the actions of Mr. Skelton in publicly disclosing the Claimants’ personal data on the internet. In reaching this conclusion, Mr Justice Langstaff has seemingly reached two contradictory conclusions: that Mr. Skelton was acting independently of Morrisons (thus making him a data controller in his own right) while at the same time holding that Mr. Skelton was acting in the course of his employment (thus opening the door for vicarious liability to attach to Morrisons). These are not necessarily easy to reconcile and as a consequence it may well end up in the Court of Appeal (or indeed, possibly even the Supreme Court) in due course. Morrisons have, as I previously noted, been granted permission to appeal the vicarious liability finding to the Court of Appeal by Langstaff J.

The Defendants essentially attacked the vicarious liability position using a three pronged approach. First, they argued that the statutory scheme of the Data Protection Act 1998 excluded the possibility of there being vicarious liability at common law. Their second prong was very much based upon the premise of their first: they argued that if the statute impliedly excluded vicarious liability, it would not be constitutionally possible for the courts to impute such liability into the scheme. The third prong of their attack was based on Mr. Skelton acting as his own independent data controller. If he was so acting, the Defendants argued, then he could not also be acting in the course of his employment such as to make Morrisons vicariously liable for his actions.

Langstaff J, in holding that Morrisons were vicariously liable, looked closely at the timeline of events which had occurred.  Mr Justice Langstaff took the view that “what happened was a seamless and continuous sequence of events” [para 183].  The actions of Mr. Skelton as an independent data controller were sufficiently linked to his employment at Morrisons so as to have the result of Morrisons being vicariously liable for his actions as an independent data controller.

It is clear from paragraph 196 of the judgment that Langstaff J was troubled by the conclusions that he had reached. One point was singled out for particular attention as the one which “most troubled” him; that was that by finding Morrisons as being vicariously liable he had in effect assisted Mr. Skelton in his criminal endeavours. The ultimate aim of Mr. Skelton’s nefarious activities was to cause harm to Morrisons; a finding of vicarious liability for the distress caused to the data subjects opens up the possibility that each and every single one of those affected will seek compensation from Morrisons. Even if the payments to each data subject are low, if they end up having to be made to the approximately 10,000 employees who were affected the financial burden to Morrisons is not going to be insignificant. That will represent a harm caused to Morrisons; perhaps harm that was not envisaged by Mr. Skelton when he started upon his nefarious activities; however, it is a harm that will be suffered by Morrisons arising.

It remains to be seen whether Morrisons will appeal the judgment; they already have permission to take the matter to the Court of Appeal. Of course, the judgment of Langstaff J is not binding upon any court in Scotland; however, it will likely be considered as persuasive authority in both the Sheriff Court and the Court of Session. Data Controllers in Scotland should pay as much attention to the case as those based in England and Wales.

Alistair Sloan

If you would like to discuss an issue related to data protection, or any other information law matter, then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Vicarious Liability in Data Protection Law

This morning Mr Justice Langstaff, sitting in the High Court of Justice, handed down a judgment in the case of Various Claimants –v- Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB). In March 2014 the Defenders, Morrisons, revealed that its payroll data for the majority of its staff had been stolen. The data which had been taken had been published online on a file sharing website earlier that year; it was discovered in March when copies of the data were sent anonymously to three newspapers together with a link to the online published version. The investigation that followed resulted in Andrew Skelton, formerly a senior Manager with the company, being convicted of fraud at Bradford Crown Court in 2015. Mr Skelton was sentenced to eight years’ imprisonment.

In total around 100,000 of the Defenders’ 120,000 employees were affected by the actions of Mr Skelton. Of those, 5,518 employees raised proceedings in the High Court claiming compensation for a breach of statutory duty (under the Data Protection Act 1998) and also at common law. The Claimants’ primary position before the court was that the Defenders were directly liable. However, they argued that, in the alternative, the Defenders were vicariously liable.

In a judgment which is 59 pages long and contains 198 paragraphs, Langstaff J dismissed the direct liability argument; however, he found that the Defenders were vicariously liable. This is an important judgment in the field of privacy and data protection and it is one that employers should certainly be aware of. The court has found a data controller liable to the claimants arising out of a criminal enterprise by one of their employees. It is certainly worthy of much fuller analysis and I will provide such an analysis on this blog in due course; however, it is a lengthy judgment and it will take some time to properly read and digest.

It should be noted that this may not be the end of this litigation; Morrisons have been given permission by Langstaff J to appeal the finding on vicarious liability to the Court of Appeal if they so wish. We wait to see whether Morrisons decide to appeal the decision.

Alistair Sloan

If you would like advice or assistance in connection with Data Protection/Privacy, or if you would like advice and assistance with any other Information Law matter we would be pleased to hear from you. You can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Data Protection/Privacy Enforcement: October 2017

Continuing the regular monthly look at Data Protection and Privacy enforcement taken by the Information Commissioner, this blog post reviews the enforcement action published during October 2017.

Key Points

  • When seeking consent for the purposes of direct marketing, be clear and precise in the language that you use.
  • When buying-in lists of contact details for the purpose of Direct Marketing you are responsible for ensuring that there is valid consent in place, so carry out your own due-diligence.
  • You are responsible for the direct marketing calls made by your agent as you are the instigator of the calls.
  • If you have access to personal data as part of your job, do not access it unless you have a valid reason to do so in connection with your employment.

Enforcement Action published by ICO in October 2017

Xerpla Limited

Xerpla Limited was served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Information Commissioner found that they had sent more than 1 million unsolicited direct marketing communications by electronic mail.  The Information Commissioner considered that Xerpla was not clear or specific enough about who subscribers were agreeing to receive marketing from.

Vanquis Bank Limited

Vanquis Bank Limited were served with a Monetary Penalty Notice [pdf] in the amount of £75,00 and an Enforcement Notice [pdf] after the Information Commissioner found that they had sent text messages and E-mails marketing credit cards without consent.

The Lead Experts Limited

The Lead Experts Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Information Commissioner found that they had instigated automated marketing calls to telephone subscribers without the subscriber’s consent.

Prosecutions

A former employee of Kent and Medway NHS and Social Care Partnership Trust was fined £300, ordered to pay prosecution costs of £364.08 and a victim surcharge of £30 after pleading guilty to an offence under the Data Protection Act 1998.  The defendant had accessed the health records of a single patient 279 times over a three-week period in October and November 2015, viewing the files up to 50 times in a day.  The patient was known to the defendant, but she had no valid lawful reason to access the records and did so without her employer’s consent.

Alistair Sloan

If you require advice and assistance in connection with any of the issues above, or any other Information Law matter, please do contact Alistair on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Data Protection/Privacy Enforcement: September 2017

Following on from last month’s post looking at the Data Protection/Privacy Enforcement taken in August 2017, it is now time to review what data protection/privacy enforcement the ICO publicised during September 2017.

Key Points

The key points from the enforcement action publicised by the ICO during the course of September are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Before you engage in a marketing campaign by making automated telephone calls, ensure that you have consent from the subscribers to the numbers that you intend to call, whether the numbers are registered with the Telephone Preference Service or not.
  • Generally you require the consent of the recipient before you can send marketing materials by electronic means (including text messages and E-mail).
  • It is important that all employees (including agency and temporary staff) have an adequate level of data protection training for their job role and that there is in place ongoing refresher training on a regular basis.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.  Also, don’t forward personal data to your personal E-mail, for any reason, unless your employer has agreed to it first.

Enforcement Action published by ICO in August 2017

True Telecom Limited

True Telecom Limited were served with a Monetary Penalty Notice [pdf] in the amount of £85,000 and an Enforcement Notice [pdf] after the Commissioner had found that True Telecom was responsible for 201 unsolicited telephone calls for the purposes of direct marketing made to numbers registered with the Telephone Preference Service, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Cab Guru Limited

Cab Guru Limited were served with a Monetary Penalty Notice [pdf] in the amount of £45,000 after the Commissioner found that it had instigated the transmission of more than 350,000 text messages for the purposes of direct marketing without having the consent of the intended recipient to do so, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Your Money Rights Limited

Your Money Rights Limited were served with a Monetary Penalty Notice [pdf] in the amount of £350,000 after the Commissioner found that it had instigated more than 146,000,000 automated marketing calls without having the consent of the subscribers to the number(s), contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Easy Leads Limited

Easy Leads Limited were served with a Monetary Penalty Notice [pdf] in the amount of £208,000 and an Enforcement Notice [pdf] after the Commissioner found that the company had instigated more than 16,500,000 automated marketing telephone calls without having the consent of the subscribers to the numbers, contrary to the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Dyfed Powys Police

The Chief Constable of Dyfed Powys Police signed an undertaking [pdf] to ensure compliance with the seventh data protection principle after a number of breach incidents occurred which highlighted that many of the force’s police officers had received no data protection training and that there was no refresher training in place either.  The Commissioner did not take formal enforcement action against Dyfed Powys Police on the basis of remedial actions which had already been taken by the controller.

Prosecutions

A former employee of The University Hospitals of North Midlands NHS Trust was prosecuted at North Staffordshire Magistrates’ Court for an offence under Section 55 of the Data Protection Act 1998. The former employee accessed the sensitive medical records of colleagues as well as people she knew that lived in her locality, without the consent of the data controller. The defendant entered a plea of guilty and was fined £700, ordered to pay costs of £364.08 and a Victim Surcharge in the amount of £70.

A former employee of Leicester City Council was convicted of an offence under Section 55 of the Data Protection Act 1998 at Nuneaton Magistrates’ Court after he unlawfully obtained personal data.  The defendant emailed personal data relating to 349 individuals, which included sensitive personal data of service users of the Adult Social Care Department, to his personal email address without his employers’ consent.  He was fined £160, ordered to pay £364.08 prosecution costs and a victim surcharge in the amount of £20.

Alistair Sloan


Ireland: High Court to refer Privacy Shield to the Court of Justice of the European Union

One of the primary requirements of the European Data Protection Framework is that personal data of European citizens must not be transferred to a country which is outside of the European Economic Area unless the country to which the personal data is to be transferred “ensures an adequate level of protection”; this is provided for within Article 25 of the 1995 Data Protection Directive and is given effect to in the UK in the form of the eighth data protection principle in Schedule 1 to the Data Protection Act 1998.

The United States of America has, for some time, been a somewhat contentious destination for personal data of European citizens.  The European Commission and the United States Government sought to assist the flow of personal data between the EU and the US through a scheme called “Safe Harbour”.  This scheme was challenged and in 2015 the Court of Justice of the European Union held that the European Commission’s decision in respect of the “safe harbour” scheme was invalid.

The Court of Justice’s decision on safe harbour came following a request for a preliminary ruling by the Irish High Court.  This followed a complaint to the Irish Data Protection Commissioner by an Austrian citizen, Max Schrems, in respect of Facebook.  Under Facebook’s terms and conditions all of its users in Europe have a relationship with ‘Facebook Ireland’ and as such, it falls to the Irish Data Protection Commissioner to regulate the use of personal data by Facebook.

Following that decision the European Commission and the US negotiated a new scheme, known as “Privacy Shield”.   There has been much debate about whether privacy shield is itself adequate and a challenge, also by Max Schrems, is underway.  The Irish Data Protection Commissioner sought from the Irish High Court a reference to the Court of Justice of the European Union and today the Irish High Court has agreed to make the reference.

The Irish Data Protection Commissioner has, the court decided, identified a number of “well founded concerns” and that the introduction of the Privacy Shield Ombudsman mechanism does not “eliminate” those concerns.

Although this is an Irish case, the outcome of a decision from the Court of Justice of the European Union could have profound consequences for data controllers right across the European Union. In the event that the Court invalidates the privacy shield agreement, data controllers who are reliant upon it will find themselves in a situation where their compliance with data protection laws will be in doubt.

The exact questions which will be referred to the Court of Justice of the European Union by the Irish High Court are yet to be determined and the judge in the case will be addressed by parties on this issue in due course.

This is certainly a case that data controllers (and indeed data subjects) should keep a close eye on.  Data controllers who transfer personal data from the EU to the United States of America should think about reviewing their transfers and assessing whether they would continue to be permitted, within the context of the EU data protection framework, in the event that privacy shield is invalidated by the Court of Justice of the European Union in due course.

Alistair Sloan

If you would like advice or assistance on a data protection/privacy matter, or any other information law matter, then you can contact Alistair Sloan on 0345 450 0123. Alternatively, you can send him an E-mail.