"Data Breaches… Armageddon…" – as announced by the Three Horsemen

"Data breaches... Armageddon..." - Morrisons v Various Claimants, [2018] EWCA Civ 2339 at para 78. Caveat: I confess at the outset that this quotation, though technically accurate, fails truly to reflect the tenor of the Court of Appeal's judgment. But are the consequences for employers so different? Not so clear. Bear with me while I try to dig myself out of this hole. To recapitulate, circa 100,000 employees of Morrisons (a UK supermarket chain) suffered a data breach when one of their ...

Brexit-proofing software – without programming for specific dates, jurisdictions, etc.

Abstract: Simple methods to inoculate data protection (or any other) multi-jurisdictional software against Brexit and similar events, before their possibility can be known or even contemplated. International software blues: a general problem for lawyers - and for all their clients dealing with multiple jurisdictions - is how to ensure seamless transition of processes and systems (IT and otherwise) between different jurisdictions, in which different legal systems apply and unpredictable new rules can come into effect at any moment and, in the case...

GDPR engagement of 30+ additional jurisdictions – automated pleadings

Abstract: (1) The GDPR arguably, either directly or indirectly, could engage in a relatively straightforward fashion circa 30 jurisdictions apart from EU and EEA nations; plus some special jurisdictions such as places in northwest Africa, as implied by the Polisario jurisprudence. Pleadings for several such jurisdictional scenarios are explained. (2) My post on Brexit-proofing software contained an example of how jurisdictions might be embedded into a legal architecture artefact. That same example is reused to demonstrate how such pleadings can be...

GDPR, IP addresses, and classification – theory and practice

IP addresses can determine jurisdiction - as classically exploited by private and public surveillance agencies, BigTech, other data brokers, and just about any web site owner. This is well known. As is the fact that such tracking information is key to everyone's commercial efforts to destroy net neutrality and undermine the web. But what does this mean for GDPR compliance? Can it be exploited for classifying individuals' jurisdiction? Should it? What are the pros and cons? Theory (law) I note in passing...

GDPR: Can children prevent schools from disclosing grades to parents?

"Can I sue my school for telling my grades to my parents via a website, with the European GDPR law?" This is a question asked of me on Quora some time ago by an "interested" data-subject! Normally I pass on such questions, but this hits a nerve. If you just take out the text “via a website”, we have a more general question I get asked by school and university controllers. It’s therefore also one I sometimes work through in appropriate...

GDPR: must controllers declare legal bases to processors?

ABSTRACT: Must controllers inform processors of the legal bases of processing? Prima facie no, but from a legal and business-strategic perspective the answer is very, very much more complex.

Confessions of a GDPR architect

ABSTRACT: A list of current and future "how-to" posts on practical enterprise-specific GDPR compliance using public domain objects, with optional technology anyone can build.

GDPR: what are the lawful bases under which data can be processed?

ABSTRACT: Each of the Article 6(1) bases interacts with other Articles and other laws in different ways, and has different hypothetical consequences. For the layperson these interactions and consequences are not always obvious.

GDPR: can it impact financial regulation of foreign takeovers?

ABSTRACT: Supervisors are interested in GDPR risks. Financial regulators are interested in financial risks. Often the latter may be derivative of the former. An obvious question arises: at what point might financial regulators become interested in data protection risks? Background: I was asked a question which for various conduct reasons I can't possibly answer in the terms asked. That said, given its resonance with similar issues I've observed in the UK and other contexts, I've reformulated it to something so generic...

Test-Datasets and EU Liability – mixed law/IT

Here is a modified version of a question I'm about to answer on Quora. Warning: as it says on the tin, this post is both law and IT. Don't say you weren't warned... Can copies of postcode, gender and age data be used in testing without violating the Data Protection Act or the GDPR? Such questions are becoming more and more frequent, as people begin to panic with the realization that two decades of previously unlawful behavior is now going to get...

Brexit: the gift that keeps on giving… And they thought it was all over!

The Three Knights are riding to the rescue! Or... is it... the Three Stooges, or perhaps Sanchos, tilting at the windmills that seem to be spinning ever more rapidly? (Yes, the GDPR does have a little dog in this race. But later...) As for my initial view? A plague on both their houses. The Three Knights do a good job, as does Professor Elliot in pointing out weaknesses. However, some of the good Professor's key points seem a trifle theoretical and, if that is right,...

Data protection damages awards for distress in the UK jurisdictions up 5,000% pre-GDPR?

Masochists, who ipso facto and ex officio collectively may approach 100% of my audience, will be aware of my flogging Vidal-Hall v Google (lower court judgment) to death on Linkedin and elsewhere. However, after 37 months it may be time for a quick overview of Vidal-Hall's impact on subsequent cases. The contagion has just spread to Scotland. Bottom line: data protection distress awards in England/Wales and Scotland alike are up by circa 4-5,000% in three years. Before Tugendhat J struck down s.13(2) Data Protection Act 1998 in Vidal-Hall, courts could only...

GDPR Data Protection Officers (DPOs) – submission to Article 29 Working Party

SR Submission to WP29 - 16-EN wp243 DRAFT DPO Guidance

Please note: All facts and opinions set out in the posts in this blog, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner.

GDPR360 does not offer legal services of any kind. Stuart Ritchie is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer, nor do other contributors speak in any legal capacity or as representative of GDPR360. Stuart Ritchie’s conflicts are declared elsewhere on this site.