Court of Justice of the EU (CJEU)

The European Commission (the “Commission”) published today its draft adequacy decision for the US (the “Draft Decision”). This paves the way for an institutionalized personal data transfer mechanism across the Atlantic to emerge (and already raises the prospects of it being under scrutiny again).

If your pre- holidays’ workload (that also includes the transition of your old SCCs to the new ones, another transfer duty, does not allow you to read the full 134-page Draft Decision, here is a little tour of what you need to know before it becomes final (and this might still take some time).
Continue Reading Third Time Lucky or Schrems III? The European Union Data Pact with the US Moves One Step Closer (To Be Challenged – Again)

Over the last couple of years, the High Court has been sceptical of low-value compensation claims for minor data breaches (see our previous articles here and here). Such scepticism is illustrated by the High Court:

  1. criticising the “kitchen sink” approach adopted by claimants who bring overly complex claims with multiple causes of action and narrowing the scope of claims by dismissing misuse of private information and breach of confidence claims as in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) and William Stadler v Currys Group Limited [2022] EWHC 160 (QB);
  2. transferring straightforward, low-value data breach claims to the County Court as the most appropriate court to hear the claim as in Warren v DSG Retail Ltd, Johnson v Eastlight Community Homes Ltd, Ashley v Amplifon Limited [2021] EWHC 2921 and William Stadler v Currys Group Limited; and
  3. condemning data breach claims for damages when there is little to no harm or the harm claimed has no prospect of meeting the de minimis threshold for receiving damages as in Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB).

A recently published case in England and the Opinion of EU Advocate General, Campos Sanchez-Bordona, on UI v Österreichische Post AG in October 2022 have given further support to the approach of the High Court, although the traffic has not been all one way as the High Court decision in Driver v Crown Prosecution Service [2022] EWCH 2500 (KB) departed slightly from this emerging line of judicial thinking.

We take a closer look at these three cases below and provide you with some key takeaways.Continue Reading English Courts’ Stance on Low-Value Data Breach Claims Continues to Harden, But There May be Hiccups Along the Way

Burn After Reading is a black comedy spy movie by the Coen brothers. It could also be an extreme encapsulation of the core of data retention rules applicable to communications providers: data should only be kept for as long as:

  • There is an administrative need to keep it to carry out your business or support functions (e.g. billing); or
  • It is required to demonstrate compliance for audit purposes or for legislative requirements (e.g. in case of an order to intercept communications for law enforcement).

Continue Reading Burn After Reading… Data Retention Compliance