European Union: Data Protection Update - April 2018

Last Updated: 14 May 2018
Article by Jonathan Kirsop and Alison Llewellyn

Welcome to the April 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.

Data protection

The Information Commissioner's keynote speech at the IAPP Europe Data Protection Intensive 2018

In her speech at the IAPP Europe Data Protection Intensive 2018, Elizabeth Denham, the current Information Commissioner, discussed how the Information Commissioner's Office (the "ICO") is preparing for the GDPR; its powers; its focus on technology; its future in Europe; and, ultimately, how it will increase public trust and confidence.

The Commissioner stated that in the wake of the Cambridge Analytica-Facebook scandal, there is an international opportunity for focus on data protection, and highlighted that debates about data protection are taking place at government level around the world, effecting global change.

In relation to the Cambridge Analytica-Facebook scandal, the Commissioner did not give any details about the ongoing investigations other than to say that the ICO's report will describe the realities of data-driven political campaigning and their investigation will be thorough, independent and focussed. The findings and conclusions will be made public and the ICO will provide a further update in due course.

Under the GDPR, which comes into force on 25 May 2018, the Commissioner will have the power to audit all those who hold, use and share personal data. However, the Commissioner raised concerns about the ICO's ability to keep up with technological advances in relation to how personal data is being used and managed. She is in intense consultation with the UK Government to ensure that, as part of the Data Protection Bill, the ICO has the ability to move more quickly to obtain the information they need to carry out investigations in the public interest (i.e. a streamlined warrant process).

In preparation for the GDPR, the ICO is increasing its body of staff from 520 to 700; increasing its budget to £38 million a year; and developing a suite of resources on its website.

According to the Commissioner, the ICO has no intention of changing its proportionate and pragmatic approach after 25 May and will not be issuing huge fines as a default approach under the GDPR. The Commissioner did note, however, that hefty fines will be levied on those organisations that persistently, deliberately or negligently flout the law. The Commissioner recommends that companies endeavour to report to, and engage with, the ICO and that voluntary compliance is always its preferred route.

The Article 29 Working Party ("WP29") issues revised guidelines on consent and transparency in the GDPR

The WP29 has issued its final guidelines on two key issues under the GDPR; consent and transparency.

Please click here to see our summary of the guidelines on Consent and click here to see our summary of the guidelines on Transparency.

See here for the WP29's guidelines on Consent.

See here for the WP29's guidelines on Transparency.

High Court Judgment on the 'Right to be Forgotten' in NT1 and NT2 v Google and the Information Commissioner

The High Court has given its judgment in two claims that concern the "right to be forgotten" or the right to be delisted. In NT1 and NT2 v Google and the Information Commissioner, Warby J had to consider claims concerning the right to be forgotten (or what he said was more accurately described as the right to have personal information "delisted" or "de-indexed" by the operators of internet search engines).

The claimants, known only as NT1 and NT2, were both businessmen with previous criminal convictions. NT1 was convicted of conspiracy to account falsely in the late 1990s; whereas NT2 was convicted more than 10 years ago of conspiracy to intercept communications. NT1 was jailed for four years, while NT2 was jailed for six months.

Both men demanded that Google remove search results mentioning the cases for which they were convicted. Google refused their requests and the men took the company to the High Court.

NT2 succeeded in his claim and the court made a delisting order, although the judge did not award any damages to be paid to NT2. NT1, on the other hand, was not successful.

Warby J said his key conclusion in relation to NT2's claim was that "the crime and punishment information has become out of date, irrelevant and of no sufficient legitimate interest to users of Google search to justify its continued availability". According to Warby J, it is likely that we will see more of these claims in the future, particularly following the success of NT2's claim.

A Google spokesperson said: "We work hard to comply with the right to be forgotten, but we take great care not to remove search results that are in the public interest and will defend the public's right to access lawful information. We are pleased that the court recognised our efforts in this area, and we will respect the judgments they have made in this case."

The judgment provides useful guidance to those making a delisting request of Google. This is a relatively straightforward process which can usually be achieved without going to court.

See here for the judgment.

The WP29 issues a statement on encryption of personal data

On 11 April 2018, the WP29 published a statement on encryption (ePrivacy) and its role in protecting the personal data of individuals in the EU.

The statement focusses on three key messages:

  • The availability of strong and trusted encryption is necessary to ensure the secure, free flow of data between citizens, businesses and governments. End-to-end encryption ensures strong confidentiality and integrity when data is transferred between devices.
  • Encryption should remain standardised, strong and efficient. This would not be the case if encryption providers were compelled to include "backdoors" or provide "master keys" in their software allowing law enforcement agencies to decrypt and have access to the plain text data of suspected criminals.
  • Law enforcement agencies already have access to data via their existing legal powers. The focus should be on agencies exercising their existing powers and improving their capabilities to interpret existing data when investigating and prosecuting criminals.

See here for the WP29's statement.

13 EU member states commit to delivering cross-border access to genomic information

The European Commission has published a press release, announcing that 13 EU member states (including the UK) have signed a declaration delivering cross-border access to their genomic information. This increased sharing of genomic data is expected to improve understanding and prevention of disease, allowing for more personalised treatments (and targeted drug prescription).

Under the declaration, the signatories will work together on exercising the secure and authorised access to genetic data and other relevant data that is stored nationally and regionally. Specifically, the declaration foresees:

  • Consolidating infrastructure and expertise to enable one million genomes to be accessible in the EU by 2022;
  • Leveraging and maximising investments, particularly those in sequencing, bio banking and data infrastructure, which have already been made by EU member states at national and EU level; and
  • Providing a sufficient scale for "new clinically impactful research".

The Commission will support the initiative in setting up a mechanism for public authorities to coordinate ongoing genomic medicine schemes. This mechanism will set out the terms and conditions for secure access to genomic data and how that data can be used and also the technical specifications for cross-border access and exchange.

See here for the press release.

MPs raise "serious concerns" over NHS Digital stewardship of data

A group of UK MPs said it had "serious concerns" over the ability of the senior leadership of NHS Digital to understand and protect health and social care data.

The House of Commons Health and Social Care Committee (the "Committee") has delivered a report into the memorandum of understanding (the "MoU") prepared on data-sharing between NHS Digital and the Home Office which said that NHS Digital, which supplies information and data to the health service, was failing to uphold patients' interests.

The Committee received a number of representations expressing concern over the practices of data-sharing governed by the MoU. These included the incompatibility between the disclosure of information about people in contact with health services and the obligations of confidentiality assumed to apply to that information. There were also concerns that the sharing of patients' addresses with other government departments would become accepted as normal practice.

MPs have stated that they have serious concerns about the government policy on the confidentiality of data collected for health and social care purposes. The Committee has recommended that NHS Digital suspends its participation in the MoU until the NHS Code of Confidentiality is reviewed. According to the Committee the data held for the purposes of health and care should only be shared for law enforcement purposes in the case of serious crime. The NHS policy and practice in relation to patient data continues to be the subject of parliamentary criticism.

Cyber security

UK launched a cyber-attack on Islamic State

The UK has used a cyber-attack to hinder Islamic State's ability to co-ordinate attacks and suppress its propaganda. The attack was launched by the Government Communications Headquarters ("GCHQ") in collaboration with the Ministry of Defence. The operation was described by the GCHQ director, Jeremy Fleming, as the "first time the UK has systematically and persistently degraded an adversary's online efforts as part of a wider military campaign".

According to Fleming, these operations were aimed at disrupting services or a specific online activity, deterring an individual or group, or destroying equipment and networks used by the Islamic State.

It may be that in the future we will see more offensive cyber operations backed by nations. However, the legal issues surrounding these operations are complicated and it remains to be seen how these attacks will be utilised in the future.

Company obtains cyber injunction under the protection of anonymity

In the recent case of PML v Persons Unknown (see here for the judgment) a UK company has obtained an interim non-disclosure order under the protection of anonymity after it sustained a major cyber-attack. The company applied for, and was granted, anonymity by the court.

Earlier this year, an anonymous hacker unlawfully obtained access to a UK company's computer systems, stealing a large amount of information which was then hosted on a password protected website. The hacker then sent an email to directors of the company, informing them of the attack, providing login and password details for the website and demanding a substantial ransom in bitcoin, failing which the stolen information would be published in order to destroy the company. The hacker attached various confidential documents belonging to the company to these emails, by which it was established that the attack appeared to be genuine.

An injunction for non-disclosure was granted in this case because the company was likely to be able to demonstrate at trial that publication of the stolen confidential documents would not be allowed on the basis of the circumstances in which the defendant came to be in possession of the relevant documents and information (i.e. by computer hacking). After granting of the injunction, the defendant failed to engage in the proceedings. In fact, the defendant continued to threaten and make attempts to publish the confidential information in breach of the order (via an online forum and a cloud-based computer file transfer service). The defendant also failed to deliver up the confidential information in breach of the injunction.

This decision may be helpful for companies who suffer a cyber-attack at the hands of an anonymous hacker, but who are nervous about taking legal action for fear that it could lead to wider public attention of the attack and its details. It appears from the judgment that victims of blackmail (individuals as well as companies) are arguably entitled to protection via anonymity. Such an anonymity order will also be very useful for companies who wish to s a hacker going to the press and causing reputational harm.

Yahoo! cyber breach settlement gives shareholders cause for cheer

A U.S. data breach class action has settled for $80 million. The action concerned two significant data breaches, the first in 2013 involving over one billion user accounts, while the second in 2014 involved over 500 million accounts. The breaches weren't revealed until late 2016. The action was brought on behalf of "all those who purchased or otherwise acquired Yahoo common shares traded on the NASDAQ during the Class Period and were damaged upon the revelation of the alleged corrective disclosures." Unlike most cyber-breach related class actions, the class members were not the users whose private information was hacked, but rather the shareholders of Yahoo who saw the company's share price fall following news of the breach.

The $80 million settlement sum is significantly more than most recent breach-based class and derivative action settlement. This is the first significant class action in the US where the basis of the claim was the failure to disclose cyber breaches.

ICO enforcement

Royal Mail fined £12,000

The Royal Mail Group Limited has been fined £12,000 by the ICO after it sent more than 300,000 nuisance emails to people who had opted out of receiving them. The emails advertised lower prices for parcels and Royal Mail claimed that they were communicating a "service" rather than marketing materials. However, the ICO found that the emails constituted marketing and Royal Mail had breached Regulation 22 of the Privacy and Electronic Communications Regulations ("PECR").

Kensington and Chelsea council fined £120,000

The Royal Borough of Kensington and Chelsea has been fined £120,000 by the ICO after it unlawfully identified 943 people who owned vacant properties in the borough. In the aftermath of the Grenfell Tower Fire, names and addresses of the owners of unoccupied homes in the borough were sent to three journalists who had requested statistical information under the Freedom of Information Act 2000. According to the ICO the contravention of data protection legislation was serious both in terms of the council's deficiencies and the impact such deficiencies had on the affected data subjects.

The Energy Saving Centre Ltd fined £250,000

The Energy Saving Centre Ltd has been fined £250,000 for unsolicited calls for direct marketing purposes to subscribers who had registered with the Telephone Preference Service ("TPS") in contravention of PECR. Bradford-based Energy Saving Centre Ltd, which offers services such as replacement windows and doors and guttering, made seven million calls over a seven month period without screening them against the TPS register and at least 34,000 of these calls were made to TPS subscribers. The information used to make the calls was bought from another company and the firm failed to check it against the TPS register. Energy Saving Centre has also been issued with an enforcement notice ordering it to s illegal marketing.

Approved Green Energy Solutions fined £150,000

In a separate case, Mr Alex Goldthorpe t/a Approved Green Energy Solutions has been fined £150,000 for making over 300,000 unsolicited calls for direct marketing purposes to subscribers who had registered with the TPS in contravention of PECR. The information used to make the calls was bought from another company and the firm failed to check it against the TPS register.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions