A&L Goodbody (LexBlog United Kingdom)

On 1 January 2021, the Trade and Co-operation Agreement (TCA) came into force and the general principles of EU law, existing EU treaties and EU free movement rights ceased to apply in the UK, after the transition period set out in the Withdrawal Agreement ended on 31 December 2020. Under the European Union (Withdrawal) Act...

The EU Commission looks set to adopt two adequacy decisions in favour of the UK, which will allow businesses to continue to freely transfer personal data from the EU/EEA to the UK.  On 19 February 2021, the EU Commission published two draft adequacy decisions permitting transfers of personal data to the UK under the GDPR, and...

On 24 December 2020, the EU and UK reached a consensus on the Trade and Cooperation Agreement (the Agreement). The agreement allows personal data to continue to flow freely from the EU/EEA to the UK for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier). This...

The Government has published its legislation programme for Autumn 2020. The programme includes: 30 priority Bills; 50 Bills that are expected to undergo pre-legislative scrutiny; 87 Bills where preparatory work is underway, and 14 Bills which are currently before the Oireachtas. Key Bills of relevance to the data protection, commercial and technology sector include: Priority...

In a landmark case, the UK Supreme Court has ruled that supermarket chain Morrisons is not vicariously liable for a deliberate data breach committed by a former rogue employee. The decision shows that an employer is unlikely to be liable for a malicious data breach committed by an employee, where his/her wrongful conduct is not...

The UK government has published its initial consultation response on the Online Harms White Paper (see our previous post here). The new regulatory framework proposes introducing a ‘duty of care’ on online services in respect of harmful content. The government’s initial response reports on the findings from the public consultation, and provides an indication of...

The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR). Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a...

In the past two days, the UK Information Commissioner’s Office (ICO) has issued (potential) GDPR fines of £183.39m and £99.2m on British Airways (BA) and Marriott International Inc., respectively. These are the first fines to be issued by the ICO under the GDPR, and the biggest fines issued by an EU Data Protection Authority (DPA)...

The Information Commissioner’s Office (ICO) has launched a consultation on a code of practice for online services to ensure they adequately safeguard children’s personal data. This follows on from the UK consultation for new online safety laws (discussed here). The Irish government has also recently launched guidance in relation to online safety (discussed here). The...

The UK Supreme Court has granted supermarket chain Morrisons permission to appeal against a landmark UK Court of Appeal ruling that found it vicariously liable for a deliberate data breach carried out by a former employee (previously discussed here). Mr Skelton, an internal auditor at Morrisons, maliciously disclosed his co-workers’ personal data (including payroll data)...

The UK has published an Online Harms White Paper, setting out its proposals for new online safety laws. Like the Irish Government’s proposals (discussed here), the UK proposals aim to make online platforms more responsible for users’ online safety, especially children and other vulnerable groups. The new laws will apply to any company that allows users...

The EDPB has published information notes on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority to help organisations prepare for a no-deal Brexit. The information notes build on guidance already issued by the UK ICO and Irish Data...

The Government has published its Legislation Programme for Spring 2019. Preparing for Brexit is the central feature of the Spring Legislation Programme (which covers the period January-March 2019). The Brexit omnibus bill, the Miscellaneous Provisions (Withdrawal of the United Kingdom from the European Union on 29 March 2019) Bill, is the primary item in the Spring...

The Data Protection Commission (DPC) has issued guidance in relation to the transfer of personal data to and from the UK in the event of a ‘no deal’ Brexit. The DPC’s guidance is in line with the ‘no deal’ Brexit guidance published on 13 December 2018 by the UK Government (supplementing its September 2018 Technical Note) and...

The UK Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons is vicariously liable to 5,000 employees for misuse of their personal data by a rogue employee. The decision is causing shockwaves amongst businesses, as it shows that a company may be held vicariously liable for a data breach caused...

On 12 September 2018, the UK Deputy Information Commissioner, James Dipple-Johnstone, made a speech to the CBI Cyber Security: Business Insight Conference in which he discussed recent data breach reporting trends in the UK. The Deputy Commissioner noted that since the GDPR came into effect on 25 May 2018, the ICO has received approximately 500 calls per week to...

The Scottish Courts have given an interesting decision in relation to IT contracts, relating to the allocation of delivery risk between supplier and customer and the importance of doing what it says in the contract. In David MacBrayne Limited v Atos IT Services (UK) Limited (2018), Atos, a supplier, had entered into an agreement with...

The European Commission (EC) has issued a notice reminding stakeholders that due to the UK’s intention to leave the EU, they will be considered a ‘third country’ for the purposes of data transfers from 10 March 2019 (available here). Data transfers to third countries outside the EEA are prohibited unless the European Commission has issued...

The UK Information Commissioner’s Office (ICO) is consulting on draft GDPR guidance on contracts and liabilities between controllers and processors. The guidance seeks to help organisations understand what must be included in contracts under the GDPR, and the new responsibilities and liabilities of processors. The GDPR sets out the minimum mandatory terms which must now be...

The General Data Protection Regulation (GDPR) will automatically come into force across the EU on 25 May 2018. As the deadline fast approaches, Member States are busy progressing their draft implementing legislation. Article 23 of the GDPR provides Member States with discretion over how certain provisions will apply. These proposed derogations to the GDPR have...

The UK Information Commissioner’s Office (the ICO) has ruled that Virgin Trains East Coast (Virgin) did not break data protection law when it published CCTV images of the UK’s Labour party leader, Jeremy Corbyn. Virgin released the footage last year following Mr Corbyn’s comments that a Virgin train he was travelling on from London to...

The UK Court of Appeal has clarified the scope of the disproportionate effort exemption, and the relevance of motive, when responding to Data Subject Access Requests (DSARs).  The decisions are interesting as the scope of the disproportionate effort exemption has caused considerable confusion in both the UK and Ireland.  Neither the English nor Irish Data...

In an earlier blog, we outlined that the UK confirmed its intention to ratify the International Agreement on a Unified Patent Court. In December 2016, the UK government proceeded to sign the Protocol on Privileges and Immunities of the Unified Patent Court.  The Protocol provides EU privileges and immunities to the judges of the Unified Patent...

The UK has confirmed today that it intends to ratify the International Agreement on a Unified Patent Court. The Minister of State for Energy and Intellectual Property, Baroness Neville-Rolfe, reportedly made the statement at a meeting of the EU Competitive Council. There has been much commentary on the political and legal challenges the UK would face...

Following the Brexit Referendum and the uncertainty now surrounding the future of data flows between the UK and the remaining EEA States, the UK Information Commissioner’s Office has published an update on its blog: “GDPR still relevant for the UK“. The update emphasises the importance of the GDPR to many organisations in the UK and notes:...

It is not clear that there will be any immediate significant legal implications for Irish occupational pension schemes of the UK exiting the EU. However, the effect on the investment market and the continued uncertainty around Brexit is likely to have more immediate and significant consequences for Irish defined benefit schemes and their sponsoring employers....

The High Court in the UK has again endorsed the use of predictive coding, ruling it as being the most appropriate and proportionate approach to disclosure despite disagreement between the parties surrounding its use. In a previous blog, we outlined how the UK High Court in the Pyrrho case ruled that predictive coding was appropriate to...

The Information Commissioner’s Office (ICO) in the UK has published guidance for organisations providing WiFi services to their staff and customers.  The guidance considers how WiFi operators can use location and other analytics information in a manner that complies with data protection laws. As the core data protection principles in the UK and Irish Data...

The High Court in the UK has fully endorsed the use of predictive coding in discharging a parties obligation regarding electronic disclosure. Master Matthews, in Pyrrho Investments and others v MWB Property and others [2016] EWHC 256 (Ch), noted in this case that “there were no factors of any weight” to point in the direction of...

The High Court has refused an application by the Irish Times for injunctions restraining the Times of London from using the words “The Times Irish Edition” in its forthcoming digital Irish edition of the newspaper. The new digital publication will be sold as a part of a subscription package with the Sunday Times and will...