Legal News

Parish v Wikimedia Foundation Inc [2024] EWHC 2301 ( KB) What are the practical implications of this case? This decision offers a concise, practical roadmap to the settled principles governing permission to serve proceedings beyond the jurisdiction. In doing so, the court offered structured guidance of direct use to practitioners. The judgment addresses, sequentially, all three requirements a claimant must satisfy to obtain permission to serve out, noting that the ‘ Forum Test’ was recast by DA 2013, s 9. More significantly, it is a pointed reminder of the obligation to provide full and frank disclosure of material matters on a without notice application, and the repercussions of neglecting that duty. Of particular interest is the court’s treatment of DA 2013, s 8, and whether two iterations of a Wikipedia page were materially alike. Despite stylistic differences, the defendant persuaded the court that the...

Illiquidx Ltd v Altana Wealth Ltd and others [2024] EWHC 2191 ( Ch) What are the practical implications of this case? This ruling underscores for all practitioners the need to pin down, with accuracy, the precise scope of the 'confidential information' their client wishes to shield. It contains takeaways for both transactional and disputes lawyers: from settling the language of a non-disclosure agreement ( NDA) to setting out, with particularity, the confidential material in issue and the ways said material is alleged to have been misused. Pitching an over expansive tranche of information as 'confidential' risks a strike-out for abuse of process. By contrast, failing to identify the relevant categories of 'confidential' information at the start, then attempting to widen those categories mid-proceedings, will almost certainly attract robust opposition from a defendant. Here, the claimant was criticised for a succession of amendments since...

Lindenapotheke , Case C-21/23 Background Both the claimant and the defendant in the principal proceedings operate pharmacies. The defendant additionally possesses a mail-order licence and promotes its product range, including medicines restricted to pharmacy supply, on the Amazon Marketplace platform, which permits sellers to offer goods straight to consumers. The claimant applied for an injunction to stop the defendant from distributing pharmacy-only pharmaceuticals through that online marketplace. In the claimant’s view, this mode of sale constitutes an unfair commercial practice, as it breaches a statutory provision within the meaning of Section 3a of the German Act Against Unfair Competition ( Gesetz gegen den unlauteren Wettbewerb, or UWG). The District Court upheld the action. The Higher Regional Court dismissed the defendant’s appeal, holding that selling pharmacy-only medicines via Amazon Marketplace contravenes the UWG because this method of distribution entails processing health data within the scope of Article 9(1) of the EU...

In this issue: Data Protection Daily and weekly news alerts New and updated content Data Protection ICO launches new data protection audit framework The Information Commissioner’s Office ( ICO) has unveiled a new audit framework to help organisations gauge compliance with data protection laws. Comprising nine toolkits across themes including accountability, cyber security and personal data breach management, it enables organisations to pinpoint where enhancements are needed. By adopting the framework, organisations can strengthen their data protection measures and embed a culture of compliance, ultimately reinforcing trust with the public. See: LNB News 07/10/2024 19. EDPB issues guidelines on personal data processing under Article 6(1)(f) of EU GDPR The European Data Protection Board ( EDPB) has approved Guidelines 1/2024 on processing personal data based on Article 6(1)(f) of the EU General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR)......

In this issue: Assimilated law procedures halted as part of UK- EU ‘re-set’ Cybersecurity e Privacy Lex Talk® Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Assimilated law procedures halted as part of UK- EU ‘re-set’ The government paused the commencement of section 6 of the Retained EU Law ( Revocation and Reform) Act 2023 last week, as part of the work on a UK‑ EU ‘reset’. See: LNB News 30/09/2024 27. Cybersecurity DSIT confirms introduction of Cyber Security and Resilience Bill into Parliament in 2025. The Department for Science, Innovation and Technology ( DSIT) has stated that the Cyber Security and Resilience Bill will be brought before Parliament in 2025. This confirmation follows the Bill’s announcement in the July 2024 King’s Speech. The Bill will aim......

In this issue: Cybersecurity Public sector information Daily and weekly news alerts New and updated content Cybersecurity UN backs Pact for the Future with Global Digital Compact The United Nations ( UN) has approved the Pact for the Future, together with its annex, the Global Digital Compact, marking the first worldwide accord to oversee international rules for artificial intelligence ( AI)......

In this issue: Data protection Cybersecurity Daily and weekly news alerts New and updated content Data protection ICO responds to Meta’s announcement on utilising user data for AI training The Information Commissioner’s Office ( ICO) has commented on Meta’s plan to restart using Facebook and Instagram user information to train generative AI, after Meta paused in June 2024 at the ICO’s request. Meta has revised its approach by streamlining how people can object to processing and by lengthening the period for submitting objections. The ICO restated that organisations must be transparent about personal data use, put suitable safeguards in place, and provide a straightforward route to object. The ICO has not provided regulatory approval for the processing, so Meta remains responsible for meeting and evidencing compliance. See: LNB News 16/09/2024 31. Commission to consult on SCCs for...

Background to the Dutch DPA’s investigation As is often the case, the AP’s scrutiny of Uber’s processing first arose following complaints from data subjects themselves. The French human rights organisation Ligue des droits de l'homme et du citoyen ( LDH) submitted two collective complaints in June 2020 and September 2021 respectively to the French DPA, the Commission Nationale de l' Informatique et des Libertés ( CNIL), on behalf of 172 Uber drivers, specifically highlighting difficulties enforcing data subject rights and third‑country data transfers. As Uber’s EU headquarters are in the Netherlands, the CNIL formally referred the matter to the AP. In April 2021, the AP notified Uber that it had begun an official investigation. What processing was at issue? During the proceedings, the AP reviewed and assessed transfers of sensitive personal data of Uber drivers between Uber BV ( UBV) and Uber...

In this issue: Data protection Daily and weekly news alerts New and updated content Data protection European Commission publishes Data Act FAQs The European Commission has released Frequently Asked Questions ( FAQs) on the Data Act, outlining rules for data access and use to improve data availability and stimulate innovation, all while ensuring fairness......

In this issue: Data protection Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Data protection DSIT consults on changing data protection fees payable to ICO The Department for Science, Innovation and Technology ( DSIT) has launched a consultation on plans to revise the data protection fees that data controllers must pay to the Information Commissioner’s Office ( ICO). The intention behind the proposed changes is to secure the financial resources needed for the ICO to discharge its functions—covering the delivery of guidance, advice and organisational support—and to reach full cost recovery in line with HM Treasury’s principles on managing public money. The consultation runs until 26 September 2024. See: LNB News 30/08/2024 18......

In this issue: Data protection e Privacy Daily and weekly news alerts New and updated content Data protection ICO opens consultation on data protection compliance in generative AI supply chain The Information Commissioner’s Office ( ICO) has opened a new consultation considering how responsibility for data protection compliance should be apportioned throughout the generative artificial intelligence ( AI) supply chain. This is chapter five in its consultation series on generative AI and data protection, first commenced on 15 January 2024. It responds to the recommendation for ICO guidance on assigning accountability within AI as a Service arrangements, and sets out illustrative examples of processing operations. The consultation is scheduled to end on 18 September 2024. See: LNB News 21/08/2024 25......

Pattinson v Winsor [2024] EWHC 1910 ( KB) What are the practical implications of this case? The ruling offers a clear recap of the principles for assessing whether behaviour amounts to harassment. It emphasises that communications need not be addressed to the claimant for there to be a targeted course of conduct. It also confirms that repeated, focused messaging can still be harassing even where the allegations contain a kernel of truth—though here the judge viewed the allegations against the claimant as groundless. Notably, the decision further clarifies that the Part 7 route is the proper procedure where the relief sought includes restraining publication by any means, even if the complained-of conduct is not itself a publication... What was the background? Factual background The claimant is a District Judge (in the Magistrate’s Court) and the defendant’s brother-in-law. The dispute emerged from...

Farley v Paymaster (1836) Ltd, trading as Equiniti [2024] EWCA Civ 781 What are the practical implications of this case? By recognising that a person can suffer distress from non-compliant processing without needing to prove that a third party accessed or read their personal data, this judgment expands the scope for individuals to seek compensation for infringements of their data protection rights arising from a data breach involving their information. Claimants pursuing compensation for data breaches must be able to establish financial loss or distress resulting from the breach (section 13 of the Data Protection Act 2018 and Article 82 of Assimilated Regulation ( EU) 2016/679, the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 (the UK GDPR)). The Court of Appeal confirmed that distress may stem from processing that contravenes UK data protection law, irrespective of whether the personal data was...

Meta Platforms in talks with UK watchdogs over ad‑free subscription model Meta Platforms, the social‑media heavyweight behind Facebook, Instagram and Threads, is in discussions with the UK’s privacy and competition regulators about introducing a paid, no‑advertisements subscription, MLex has learnt. The company aims to win support for the rollout and avoid the difficulties it faced in the EU after unveiling a ‘consent or pay’ approach there in 2023. A Meta representative told MLex the firm is working constructively with the Information Commissioner’s Office on its subscriptions service and expects to provide further details in due course. There is understood to be no confirmed timetable for concluding the process. The initiative follows an ICO public consultation on its assessment of the pay‑or‑consent model, where people either opt for a free service funded by personalised advertising or pay a fee to remove adverts. The regulator has...

In this issue: Data protection Cybersecurity Daily and weekly news alerts New and updated content Latest Q& A Data protection X suspends processing of personal data of EU and EEA users to train AI tool The Irish Data Protection Commission ( DPC) has reached a formal deal with X, under which the platform must temporarily halt the handling of personal data contained in the public posts of X users located in the EU and the EEA across both regions from 7 May to 1 August 2024, when intended to train its artificial intelligence ( AI) system, ‘ Grok’......

More organisations across the UK look set to come under stricter cyber security oversight with the proposed Cyber Security and Resilience Bill. A string of cyber incidents (not always criminal breaches) has struck the Electoral Commission, the Ministry of Defence, the private pathology provider Synnovis and, most widely, the repercussions of Crowd Strike’s failed cyber security update. Enquiries remain in progress, notably for Synnovis. Together, these episodes—and the scant outline of the new Bill—prompt fresh scrutiny of how cyber security is regulated in the UK. UK Cyber Security and Resilience Bill In July 2024, at the opening of Parliament, the new government unveiled its Cyber Security and Resilience Bill. But what is it seeking to deliver? With current rules ‘now [having] been superseded in the EU’, the UK appears intent on closing the gap. The framework must be refreshed ‘to ensure that our...

In this issue: Data protection Confidential information Daily and weekly news alerts New and updated content Data protection ICO publishes progress update and call for evidence on Children’s Code Strategy The Information Commissioner’s Office ( ICO) has issued a progress update on its Children’s Code Strategy and is inviting stakeholders to share their views on aspects of the Strategy as part of its call for evidence. The ICO has also urged 11 social media and video-sharing platforms to enhance children’s privacy practices, following its ongoing review of social media platforms ( SMPs) and video sharing platforms ( VSPs) within the Strategy. The ICO has questioned the 11 platforms on matters such as default privacy settings, geolocation and age assurance, and asked them to explain how their approaches align with the Children’s Code, in response to concerns identified during the review. The ICO...

In this issue: Data protection Reputation management Public sector information Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts Data protection ICO issues reprimand to the Electoral Commission following 2021 cyberattacks The Information Commissioner’s Office ( ICO) has reprimanded the Electoral Commission under Article 58(2)(b) of the UK General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), following an August 2021 breach. Attackers gained entry to the Commission’s Microsoft Exchange Server holding personal data for about 40 million people. Their unauthorised access continued until October 2022, with repeated intrusions unnoticed due to inadequate security, including failure to apply the latest security updates and weak password policies. See: LNB News 31/07/2024 92. European Commission releases 2nd report on EU GDPR application On 25 July 2024, the European Commission published its second report on the application of the EU’s General Data...

They concern EU government institutions, pursuant to EU Regulation 2018/1725. That Regulation sets the rules for safeguarding personal data within EU government institutions, bodies, offices and agencies, and empowers the supervisor as the institutions’ independent data protection authority. While these guidelines are limited to EU governmental entities, they shed light on how the supervisor may handle generative AI in the future. Given the recently adopted EU Artificial Intelligence Act, due to take effect over the coming years, and the accelerating global shift towards AI regulation, the guidelines hint at what might become the next stage of AI oversight in Europe, the UK, the US and elsewhere. For clarity, generative AI denotes advances in computer deep learning models built to deliver a broad and general spectrum of outputs, able to perform a variety of tasks and uses, such as producing text, images or audio. The most...

In this issue: Data protection Cybersecurity e Privacy Reputation management Daily and weekly news alerts New and updated content Data protection ICO issues reprimand to Chelmer Valley High School for breaching UK GDPR The Information Commissioner’s Office ( ICO) has delivered a reprimand, relying on Article 58(2)(b) of the UK General Data Protection Regulation, Retained Regulation ( EU) 2016/679 ( UK GDPR), to Chelmer Valley High School for violating Article 35(1) of the UK GDPR. Before deploying facial recognition for cashless canteen transactions, the school failed to carry out a Data Protection Impact Assessment ( DPIA), so the risks to children’s data were not assessed in advance. It had also not validly secured consent to handle pupils’ biometric data. The ICO further set out steps the school should take to remedy the breaches identified in the reprimand and to achieve...