Latest Articles

The UK Parliament has today, 15th January 2019, rejected the Government’s Brexit withdrawal agreement with the EU. This turn of events, which was widely anticipated, increases the prospect of a no deal Brexit, i.e. a break-up without a divorce settlement. According to law, the UK will leave the EU from 11pm GMT on 29th March 2019 with no deal unless Parliament has accepted the withdrawal agreement, or a modified version of it, or a new…
Just because 25 May 2018 has passed does not mean that data protection compliance has ended! The Data Protection Act 2018 (“DPA”) works with the GDPR, and introduces additional requirements that businesses will need to watch out for; there are however a number of derogations that are intended to better accommodate business needs.…
On 19th September 2018, the Information Commission Officer (“ICO”) fined credit reference agency Equifax Limited £500,000 for breaching the Data Protection Act 1998 (“DPA”). Finding that Equifax Limited failed to protect the personal data of up to 15 million UK individuals, the ICO awarded the maximum penalty for a breach under the DPA. The ICO found that of the eight data protection principles established in the DPA, Equifax breached five. The finding considered how Equifax…
What’s New? On 5 September 2018, the EU Commission commenced proceedings to adopt an Adequacy Decision in relation to Japan’s protection of personal data by issuing a draft ‘Commission Implementing Decision’. This is an important step towards the culmination of discussions between the EU and Japan that were initiated in January 2017, with the aim of permitting the free flow of personal data between the parties. These discussions were part of the broader free trade…
On 5 July 2018, the European Parliament plenary adopted the LIBE Committee’s Motion for Resolution on the EU-US Privacy Shield (‘Privacy Shield’), indicating Parliament’s general position on its functioning. The non-binding resolution calls for the suspension of the Privacy Shield unless the US demonstrates compliance with its requirements by 1 September 2018. As per our previous post, the European Parliament considers that the personal data protection provided by the Privacy Shield is not adequate. …
On 12 December 2017, Article 29 Working Party (WP29) published its long-awaited draft guidelines on consent under the GDPR. The guidelines build on WP29’s ‘Opinion on the definition of consent’, adopted in July 2011. As with the draft guidance on transparency, published the same day, WP29 invites comments to be submitted by 23 January 2018. The guidelines state that generally, in order to use consent as an appropriate lawful basis the data subject should…
Nearly a year ago, on 10 January 2017, the EU Commission released the proposed ePrivacy Regulation (ePR). The three main areas covered by the legislation are the use of electronic communications data by telecommunications operators and other specified entities, the use of tracking applications, and unsolicited direct marketing communications. The ePR aims to ensure a coherent, up-to-date framework capable of balancing economic interests and the privacy rights of natural persons reflected in Article 7 of…
The Article 29 Working Party has adopted Guidelines on Data Protection Impact Assessments (DPIAs), following its consultation on a draft version published in April 2017.  The final version provides additional guidance in a number of areas without materially changing the position. Further guidance is provided on the trigger for mandatory DPIAs – whether the processing is likely to result in a “high risk to the rights and freedoms of natural persons.” Additional emphasis is placed…
What is the GDPR? The General Data Protection Regulation (GDPR) is an EU regulation designed to strengthen and harmonise data protection rules for processing data of all individuals within the EU and covers the transfer of such personal data outside the EU. One of the aims of the new legislation is to give control back to individuals over their personal data by establishing new rights for individuals in relation to their data and imposing more stringent obligations…