A lamppost with a sticker on it. The sticker states 'big data is watching you'.
A Bite to match its Bark? – What Amazon’s fine means for its Data Subjects

In a landmark case, Amazon has been fined $886m by Luxembourg’s National Commission for Data Protection (CNPD) for serious breaches of the General Data Protection Regulation (GDPR). Whilst the scale of the fine suggest that the GDPR is finally matching the promises of its inception, the circumstance of its reporting still leaves the consumer facing an uphill battle to hold illegal privacy practices to account.

Read article
Someone signing a document.
Draft UK Adequacy Decision Published

The EU has recently published a draft UK adequacy decision. This is the first step in the UK achieving adequacy status in the eyes of the EU-GDPR. This is positive news for UK and EU businesses, but the decision must still be approved by the European Data Protection Board.

Read article
A photo of a swimming pool and deck chairs by the sea.
Marriott Hotel: Data Breach

Marriot International has been fined a total of £18.4 million (a reduction from the original £99 million) for its negligence in safeguarding customer personal data that it is responsible for. This breach is interesting, as the breach initially occurred in 2014 (before the GDPR came into effect) and the breach occurred under a different business group 'Starwood Hotels Group' which was acquired by Marriott after the breach occurred.

Read article
Grafitti of a surveillance camera on a concrete wall with the text 'for your safety & our curiosity'.
Court Decision on European Mass Surveillance and the Consequences for Brexit

As a member of the European Union, member states are obliged to abide by some of the strictest privacy laws in the world. Today, UK, French and Belgian national governments all use some form of mass surveillance. In recent years, privacy groups have taken claims to EU courts arguing that this surveillance is illegal. The national governments disagree. The CJEU refuted the claims that mass surveillance is outside their jurisdiction and issued a ruling on the 6th October 2020.

Read article
Photo of a shop window with a sign stating that the shop is closed due to covid-19.
Data Protection Guidance for Test and Trace Schemes

Since the easing of lockdown, during the summer of 2020, many organisations have implemented new measures so that they can re-open safely to the public. For most businesses, this included collecting customers’ and visitors’ personal information to support the UK Government’s approved contact tracing scheme.

Read article
A computer screen in a dark room. The screen shows a man looking through binoculars. The binocular lens' have the facebook logo photoshopped in.
A Timeline of US Mass Surveillance, International Privacy Agreements, and a Disgruntled Austrian

On the 16th July 2020, the CJEU came to a decision on the Schrems II case. The decision invalidated a major EU-US privacy agreement that previously allowed personal data to freely flow between the EU and the US. This court case is the latest chapter in an ongoing saga of privacy activists, commercial selling of ‘big data’ and revelations made by whistle blower Edward Snowden. This article gives a brief timeline of the events leading up to this case.

Read article
A person working at a laptop.
Is your use of website cookies currently lawful?

If you have not reviewed your cookie policy since October of 2019, it may not be. Many large corporations appear to be ignorant of a ruling (case C-673/17 - Planet49) that was made by the Court of Justice of the European Union (CJEU). The ruling clarifies how cookies should be managed and the subsequent impact on cookie statements. Indeed, many corporations appear to be breaking the law, even 7 months after the ruling.

Read article
A computer screen with a collection of coding related text.
Have I been Pwnd? A Database of Data Breaches

The GDPR was introduced to provide EU citizens with greater protections and control over their personal data. It achieved this by introducing new rights for individuals and by imposing stricter data protection requirements on organisations. But what happens if your personal data was part of a data breach before the GDPR was introduced?

Read article
Two people shaking hands
Data Sharing Agreements: What is the Best Practice?

The ICO states that ‘…whenever a controller uses a processor, there must be a written contract (or other legal act) in place...’ The GDPR sets out what needs to be included in the contract. But what happens if you are a controller sharing data with another controller? You need a Data Sharing Agreement.

Read article
A judge's hammer and gavel.
Are Privacy Notices Just About the GDPR?

Every company has been focused on ensuring their privacy notices are compliant for GDPR, however there could be a blind spot. The GDPR may be the strongest privacy regulation in the world, but it isn’t the only one. For example, when your website uses cookies, your organisation must ensure that the Privacy and Electronic Communications…

Read article