Tag archives: UK

Parenting support club Bounty fined in ‘unprecedented’ data breach

Norton Rose Fulbright - Data Protection Report blog

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).… Continue Reading

Lloyd v Google – putting the brakes on English data breach litigation?

Norton Rose Fulbright - Data Protection Report blog

A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation.

Most notably, the case:

  1. reinforces the need for “damage” to be proven by claimants before compensation can be obtained in these circumstances; and
  2. makes clear that the courts will not permit representative claims to be brought on behalf of a potentially large population of claimants without close scrutiny of the basis of those
Continue Reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

Data Protection Report - Norton Rose Fulbright

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK.… Continue Reading

UK Information Commissioner Publishes Draft GDPR Consent Guidance

Data Protection Report - Norton Rose Fulbright

On March 2, 2017, the UK Information Commissioner’s Office (ICO) published its draft General Data Protection Regulation (GDPR) consent guidance, and called for comments on the guidance. The consultation is open until March 31, 2017. The ICO will issue final guidance in May 2017.

The guidance is detailed, and references the various GDPR Articles and recitals and previous Article 29 Working Party opinions on which it is based. The guidance is also conservative and keen to emphasize the heightened consent requirements that the GDPR mandates (over and above the current data protection law), particularly in the … Continue Reading

Damages for Emotional Distress for Privacy Claims to Stay in the UK

Data Protection Report - Norton Rose Fulbright

On June 30, 2016, Google withdrew its appeal from the UK Supreme Court in the landmark case of Google v. Vidal-Hall after the parties reached a settlement. In the ruling on appeal, the Court of Appeal had ruled that damages for emotional distress, without any pecuniary loss, may be awarded under the Data Protection Act 1998 (the “Act”). With the appeal withdrawn, this ruling will remain valid. Therefore, companies that operate in the UK may wish to consider this ruling when conducting risk analyses and responding to litigation.… Continue Reading

Brexit: The Continued Application of the GDPR

Data Protection Report - Norton Rose Fulbright

On Friday, June 24, the UK electorate voted through a referendum to leave the European Union by a 52% majority. The mechanics of leaving the European Union will be complex, given that the referendum question did not spell out what relationship the UK would have with the EU once it has left, and there is widespread disagreement within the UK government around how and when the United Kingdom’s separation from the European Union should be implemented. One question is what effect Brexit will have on the continued application of the EU General Data Protection Regulation (GDPR) in the … Continue Reading

UAE copyright law protects privacy of photography subjects

Data Protection Report - Norton Rose Fulbright

While the Duke of Cambridge’s request for global media to respect the privacy of his son, Prince George, has started a debate over the extent to which individuals in the UK can rely on legal measures to prevent the publication of intrusive photographs, the position is somewhat clearer in the United Arab Emirates with specific provisions of the UAE Copyright Law granting protection to persons who appear in photographs.… Continue Reading

EU focuses on authority of SAs to enforce “One Stop Shop,” proposes a replacement for WP29

Data Protection Report - Norton Rose Fulbright

This is Part 3 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In this Part we consider the scope of authority (i.e., “competency”) of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB).

Competency of supervisory authorities

Please note that the Continue Reading

UK Court of Appeal Establishes Data Protection Rights in Privacy Case

Data Protection Report - Norton Rose Fulbright

A recent English Court of Appeal judgment could significantly broaden the circumstances in which data protection litigation can be brought – and damages can be awarded – under English law.


Vidal-Hall et al v Google ([2015] EWCA Civ 311) involves claims brought by three individual users against Google. The users alleged that Google collected private information about their internet usage (“Browser-Generated Information”) via their web browser, Apple Safari, without their knowledge or consent.

The users argued that, by the automatic use of cookies in a work-around to the default privacy setting, Google was able to obtain and record Browser-Generated … Continue Reading

Importance of data privacy and transparency in the UK highlighed by Investigatory Powers Tribunal decision

Data Protection Report - Norton Rose Fulbright

A recent landmark ruling from the UK’s Investigatory Powers Tribunal has highlighted the growing importance the UK courts place on data privacy and transparency. It is the first occasion that the Investigatory Powers Tribunal has upheld part of a complaint against the intelligence agencies since it was set up in 2000.

On February 6, 2015 the Investigatory Powers Tribunal, a special forum for investigating and resolving complaints relating to the use of covert techniques by public authorities, released a second judgment in the case of Liberty v The Secretary of State for Foreign and Commonwealth Affairs[1]. The case … Continue Reading