Case Law: Lloyd v Google LLC, Landmark judgment in representative data protection action – Aidan Wills

9 10 2019

The Court of Appeal has handed down judgment in Lloyd v Google LLC [2019] EWCA Civ 1599, a decision with significant implications for data protection law and practice. Brought on behalf of an estimated 4.4 million iPhone users, this representative claim concerns Google’s gathering and exploitation of browser generated information (“BGI”) on Apple’s Safari browser. Read the rest of this entry »





ECJ confirms territorial limitations of ‘the right to be forgotten’ – Iain Wilson and Elisabeth Mason

3 10 2019

On 24 September 2019, whilst the country was focused on the United Kingdom Supreme Court as it ruled that the prorogation of the UK parliament was unlawful, the Court of Justice of the European Union (CJEU or ECJ), handed down judgment in Google LLC, successor in law to Google Inc. v Commission nationale de l’informatique et des libertés (CNIL), C‑507/17, effectively a sequel to the landmark data protection ‘Google Spain’ decision in May 2014. Read the rest of this entry »





Duchess of Sussex sues Mail on Sunday in privacy, copyright and data protection over leaked letter

2 10 2019

It has been announced that the Duchess of Sussex, Meaghan Markle, is suing the Mail on Sunday for misuse of private information, infringement of copyright and breach of the Data Protection Act 2018.  The claim arises out of the publication by the newspaper in February 2019 of extensive extracts from a private letter written by the Duchess to her estranged father. Read the rest of this entry »





The Right To Be Forgotten back in the CJEU: Court Judgments on the territorial scope of de-referencing; and sensitive personal data – Ian Helme

27 09 2019

Following on from the Advocate General Opinions published on 10 January (which I wrote about here), yesterday the Court of Justice released its decisions in two cases concerning internet search engines and the right to be forgotten. Read the rest of this entry »





United States: The legal basis of $170m fine on Google for YouTube’s infringement of children’s privacy – Eoin O’Dell

19 09 2019

The media was recently full of stories that Google had been “Fined $170 Million for Violating Children’s Privacy on YouTube” (that’s a headline from the New York Times; see also, for example, NPR | BBC | RTÉ | Silicon Republic). In this post, I want to sketch the legal background to, and consequences of, this fine; and, at the end, I will say a few words about the equivalent position in Europe. Read the rest of this entry »





Voice command data and privacy protection, Part II: Apple’s Siri – Suneet Sharma

13 09 2019

Apple recently released a statement on its development of automated assistant Siri’s privacy protections. The result is a move towards doing everything right in safeguarding consumer privacy. When compared to Amazon’s protections for its Alexa service market shifts and best practice become clear, making for better adherence to the seven data protection principles underpinning the GDPR. Read the rest of this entry »





Round up of the Media Law Cases in the 2018-2019 legal year: Six libel and privacy trials – Nataly Tedone

11 09 2019

The legal year in England and Wales ended on 31 July 2019.  The High Court, the Court of Appeal and the Supreme Court are now on vacation until Michaelmas Term begins on 1 October 2019. Our Table of Media Law cases records 57 judgments in media law cases this legal year. Read the rest of this entry »





Case Law: R (Bridges) v Chief Constable of South Wales Police: The use of facial recognition software by the police is lawful –  Suneet Sharma

6 09 2019

On 4 September 2019 the Administrative Court (Haddon-Cave LJ and Swift J) handed down judgment in the case of R (Bridges) v Chief Constable of the South Wales Police [2019] EWHC 2341 (Admin).  The Court held that it was lawful for the police to use automated facial recognition software (“AFR”). Read the rest of this entry »





Learning from the British Airways and Marriott International fines: What does the GDPR standard of “Appropriate Technical and Organisational Measures” actually mean? Part 2 – Ashley Hurst and Nina Lazic

30 08 2019

The first part of this article detailed the baseline technical measures that companies should be taking in order to remain GDPR compliant. Alongside these technical measures, it is equally important to ensure that robust organisational measures are in place. Read the rest of this entry »





Learning from the British Airways and Marriott International fines: What does the GDPR standard of “Appropriate Technical and Organisational Measures” actually mean? Part 1 – Ashley Hurst and Nina Lazic

29 08 2019

In July 2019, the sea-change in data protection enforcement became abundantly clear when, in the space of two days, the Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39 million and Marriott International £99.3 million in relation to their high profile data breaches. Read the rest of this entry »