30 December 2015

Data Protection – No Grace For Violators

Marks & Clerk

Contributor

Marks & Clerk is one of the UK’s foremost firms of Patent and Trade Mark Attorneys. Our attorneys and solicitors are wired directly into the UK’s leading business and innovation economies. Alongside this we have offices in 9 international locations covering the EU, Canada and Asia, meaning we offer clients the best possible service locally, nationally and internationally.

The Data Protection Act (along with related regulations) governs how personal data is treated. Two recent cases have highlighted the importance of this issue.

Firstly, in September an HIV clinic which is part of the Chelsea and Westminster NHS Trust sent a group email to hundreds of patients with the recipients in the CC field rather than BCC. As a result, it disclosed the personal data of each patient on the list to all the others. The fact that this included sensitive personal data in the form of actual or possible medical conditions made the breach all the more serious.

Misuse of personal data therefore gives rise to serious legal, ethical and commercial implications and any organisation getting it wrong and storing or transferring such data in breach of the rules can face severe financial penalties. In the UK, over the last year, the Information Commissioner's Office imposed fines of over £1 million and secured ten criminal convictions for unlawfully obtaining or disclosing personal data.

As this embarrassing episode illustrates, since most organisations hold personal data, whether it be on employees, patients, customers, suppliers or other personnel, they ignore this legislation at their peril.

The second development has not given rise to the same level of personal distress but has more far-reaching ramifications. In October the European Court of Justice (ECJ) issued a landmark ruling. EU data protection laws (on which the UK regime is based) preclude EU citizens’ data from being exported to countries outside the EU without adequate levels of protection. Under the Safe Harbour agreement, US companies could circumvent this requirement, as long as they met key data protection criteria. However, the ECJ has now turned this principle on its head by ruling that, since data sent to the USA is potentially vulnerable to surveillance by the US intelligence community, the Safe Harbour regime may not offer an adequate level of protection. Numerous companies whose business model depended on the seamless transfer of personal data across the Atlantic now face a real problem.

In particular, while the USA and EU thrash out the terms of “Safe Harbour 2.0”, which may take some months, it looks unlikely that any sort of grace period will apply. Anyone transferring personal data to the US would therefore be well advised to ensure that an adequate level of protection is reflected in its procedures and contracts, so that, if necessary, it can demonstrate that it is complying with the spirit of the law, as it were, even if the law in question is in a state of limbo.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
