UpData Newsletter – December 2021

Your guide to the key issues and latest news in the world of contentious data.

09 December 2021

In this Issue

The contentious data space has been dominated by the Supreme Court judgment in Lloyd v Google – and rightly so. This decision has shaped the future of data protection claims and will have a lasting impact on class-action representations.

Whilst Lloyd v Google might have stolen the spotlight, we have also seen a number of other interesting developments in the world of contentious data. In this edition we consider the impact of ransomware attacks (and how GCHQ plans to tackle this criminal activity) and reflect on some key developments in the United Kingdom’s evolving data protection landscape.

We also return to the topic of GDPR breaches after the Irish Data Protection Commission fined WhatsApp €225m and the Luxembourg data protection regulator fined Amazon nearly €750m. As some European authorities begin to adopt a strict, cross-border approach towards GDPR enforcement, there could be an increasing belief that the legislation is growing “teeth”.

The last week has seen two interesting fines from the ICO, against Clearview AI Inc and the Cabinet Office. We will be looking at those fines on UpData very shortly.

Recent Updates

Lloyd v Google: closing floodgates and opening doors?

The Supreme Court unanimously allowed the appeal in the case of Lloyd v Google. The Supreme Court has held that there is no entitlement to damages for the mere loss of control of data and prevented representative actions from being used to bring such claims. This is a positive outcome for data controllers of all sizes and will have a significant impact on claims in this area going forward. You can hear our team’s instant reactions to the judgment in a short six-minute video here and read our article on the key takeaways from this decision here.

High Court rules there is no liability for a de minimis data breach

The recent High Court judgment in Rolfe & Ors v Veale Wasbrough Vizards LLP is welcome guidance for data controllers on the approach the High Court will take in claims concerning a one-off data breach. Our article considers this judgment in further detail.

National Cyber Security Centre’s CEO comments about ransomware

Ransomware is now the "most immediate danger to … UK businesses." Lindy Cameron, CEO of the National Cyber Security Centre, issued this warning to businesses in a Chatham House speech in early October 2021. As ransomware and spyware become more accessible, companies also grow vulnerable to a wider range of threats, as the entry point into cyber exploitation has been lowered. We consider Lindy Cameron’s comments in greater depth here.

GCHQ to deploy offensive cyber operations to deter cybercrime

In early November the head of GCHQ said in a speech to the Cipher Brief annual threat conference that the number of ransomware attacks against British institutions had doubled in the past 12 months. GCHQ has signalled that its campaign against international cyber criminals will escalate. In our article here, we consider these comments in the wider global context.

Ireland’s balance between Big Tech and data privacy

As the European headquarters to many US Big Tech companies, Ireland arguably shoulders the responsibility for upholding EU privacy rules and ensuring GDPR compliance. Yet, before August 2021, the DPC had failed to take any significant action for a breach of the GDPR, receiving criticism from both privacy campaigners and fellow EU nations. So, was the DPC’s record-breaking €225m fine against WhatsApp in August 2021 an attempt to appease its European counterparts? We take a look at the DPC’s decision and consider this question in our article, here.

The UK GDPR – A New Regulatory Regime

On 19 November 2021, the UK’s Department for Digital, Culture, Media and Sport (DCMS) consultation “Data: A new direction”, on potential revisions to the UK’s data protection regime, closed. In our article here, we explore how DCMS has referenced data protection laws in foreign jurisdictions, including Canada, New Zealand and Singapore, to develop some of these proposals. Some key areas of interest, particularly to private sector organisations, regarding these proposed reforms include: (i) electronic marketing; (ii) data transfers and barriers to trade; and (iii) the reform of the ICO.

DIFC is a top priority for UK data transfer “adequacy” status

A (data) “adequacy” assessment is a process through which two states agree that they share sufficiently high standards of protection for personal data transfers. As the UK is no longer part of the European Union, it is able to independently grant “adequacy” status to other countries in relation to personal data transfers with the UK. Our article discusses the current process between DCMS and the Dubai International Financial Centre (DIFC) to grant DIFC adequacy status, and the impact this status will have on the international flow of data in the Middle East.

Get in touch

We are available to speak via email, phone, video conference and in person, so please do feel free to reach out to us if you would like to discuss any of the topics covered in this newsletter, or any other issues you are facing.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.