February 2017

Effective January 19, 2017, an update to the Federal Acquisition Regulation (FAR) will require certain contractors that provide services to the federal government to train their employees on privacy. New contracts into which the federal government enters with contractors will include privacy training requirements. In addition, the rule requires contractors to flow down privacy training requirements to their subcontractors.

The rule applies to contractors that:

  1. Handle Personally Identifiable Information;
  2. Have access to a system of records; or
  3. Design, develop, maintain or operate a system of records.

Under the UK Data Protection Act 1998 (“DPA”), data subjects have rights to obtain copies of their personal information through a data subject access request (“DSAR”). Data subjects frequently use DSARs to obtain information in the context of non-data protection disputes with data controllers. There has been much controversy over this practice, particularly as the £10 maximum fee the data controller may charge is dwarfed by the cost of complying with the request.

On 16 February 2017, in Dawson-Damer v. Taylor Wessing LLP, [2017] EWCA Civ 74, the English Court of Appeal ordered a law firm, Taylor Wessing LLP (“TW”), to comply with the Appellants’ DSARs. The Court’s order unanimously overturned the first instance decision, which had held that a data controller could refuse to respond to a DSAR on the basis that it would be costly or time consuming to do so, or because the data subject had made the DSAR in furtherance of litigation.

In this post we cover the key issues considered by the Court of Appeal, namely:

  • the extent of the DPA’s legal professional privilege exemption;
  • what amounts to “disproportionate effort” under the DPA; and
  • whether the court can use its discretion not to compel compliance with a DSAR made in furtherance of litigation.

The Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident. This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches: how to handle data breach victims whose data was compromised but not misused, and who therefore cannot show concrete monetary harm. Here, that issue has at least temporarily derailed a multi-million settlement of the last major lawsuit arising out of Target’s high-profile incident.