Latest Articles

An attempt to bring legal action against Google for its alleged tracking of an estimated 4.4 million iPhone users in 2011 and 2012 has been blocked by the UK High Court (the court). Campaign group “Google You Owe Us” brought the claim as a representative action on behalf of the affected individuals (the class) in 2017. It is thought to be the UK’s first mass legal action of its kind. The case Google You Owe…
The European Parliament has published a non-binding resolution on distributed ledger technologies and blockchains (blockchain technologies). What is distributed ledger technology? Best known as the technology behind bitcoin and other crypto-currencies, distributed ledger technology is, in its simplest form, a ledger of digital information maintained in decentralised form across a large network of computers. The information making up the ledger is secured using cryptography and can be accessed using keys and cryptographic signatures. Cyber-attacks are…
Earlier this month, the Information Commissioner’s Office (ICO) published security guidance in its guide to the General Data Protection Regulation (GDPR). The guidance focuses specifically on encryption and passwords. It suggests points to be considered during implementation and offers some helpful “dos and don’ts”. Encryption Article 32 of the GDPR specifies encryption as an example of an appropriate technical and organisational measure. The guidance states four things that should be considered when implementing encryption: The…
On 22 October 2018, the supermarket chain Morrisons lost its appeal against the High Court ruling that it is liable for a data breach that resulted in thousands of its employees’ personal data being posted online. The Court of Appeal’s (CoA) judgment can be found here. Over 5,000 Morrisons employees brought a class action in the High Court after a company employee, Andrew Skelton, stole personal data, which included payroll information of almost 100,000…
The European Data Protection Supervisor (EDPS) published an Opinion on 5 October 2018 regarding the European Commission’s legislative package “A New Deal for Consumers”. In the Opinion, the EDPS calls for closer alignment between consumer and data protection rules in the EU. Background The Commission’s package, adopted earlier this year, includes two legislative proposals: (1) a Directive on better enforcement and modernisation of EU consumer protection rules; and (2) a Directive on representative…
The UK government has launched a Code of Practice (CoP) for Internet of Things (IoT) security. This is aimed at improving baseline security and ensuring that devices that process personal data are General Data Protection Regulation (GDPR) compliant, as well as advancing an industry-wide ‘security by design’ approach. The CoP provides outcome-focused practical steps for IoT manufacturers and industry stakeholders to improve the security of their products. To achieve this, it has specifically identified…
The UK government launched its Smart Data Review on 28 September 2018 (Review). The Review will look at how technology, such as online comparison tools and open banking, can be used to make it easier for consumers to get good deals on essential services and put an end to consumers paying unjustifiable ‘loyalty penalties’ for staying with their service providers rather than switching. Background to the Review The government’s Modernising Consumer Markets green paper highlighted…
On 13 September 2018, the European Court of Human Rights (ECtHR) issued a much-anticipated judgment in Big Brother Watch and others v. United Kingdom (Applications nos. 58170/13, 62322/14 and 24960/15) [2018] ECHR 722. This judgment, the first mass electronic surveillance case against the UK, addressed the proportionality of bulk interception of communications. This ruling comes at the end of a lengthy challenge to Britain’s spying powers, initially revealed by Edward Snowden in 2013.…
On 26 September 2018 the Information Commissioner’s Office (ICO) began formal enforcement action against 34 organisations that have failed to pay their data protection fees. Notices of intent have been served on both private and public sector organisations, including the NHS, government organisations, and businesses in recruitment, finance and accountancy. They have until 17 October 2018 to respond. Those who fail to pay could face a maximum fine of £4,350. Data protection fees were introduced…
On 12 September 2018, complaints were filed with the UK Information Commissioner’s Office and the Irish Data Protection Commissioner regarding the “wide scale and systemic breaches of the data protection regime” by Google and others in the online advertising industry (the Complaints). The Complaints The Complaints were submitted by Brave, an ad blocking web browser, together with the Open Rights Group and Michael Veale, a researcher at University College London. They focus on the real…