Europe’s highest court has decided that Internet intermediaries can be ordered to remove illegal content on a global basis.

What’s the background?

The Court of Justice of the European Union (CJEU) held in Glawischnig-Piesczek, C-18/18 that online platforms, such as Facebook, can be ordered to remove “identical and, in certain circumstances, equivalent” comments that have been previously declared by national courts to be illegal and that such orders can be effected on a worldwide basis.


Continue Reading

In a landmark ruling last week, the Court of Justice of the European Union (CJEU) has held that Google is not required to carry out a de-referencing (effectively, the “right to be forgotten”) on non-EU versions of its search engine.

The case was brought by Google on appeal, having received an initial fine of €100,000 from the French data protection regulator, CNIL, back in 2016 after it had ruled that Google’s self-imposed restriction to only de-reference on European versions of its search engine (as opposed to its global platforms) was unlawful.


Continue Reading

Thousands of European and US companies will have been relieved by the recent announcement that the EU-US Privacy Shield (the framework for regulating transatlantic exchanges of personal data) is secure for another year.

However, it may be premature to rejoice: the EU Commission’s review highlighted two key issues:

  1. the continued reluctance by the US to institute fundamental safeguards for individuals’ personal data; and
  2. the imminent need to appoint an independent ombudsman.

Coupled with the impending European court ruling in Schrems II – is the Privacy Shield’s demise only a matter of time?


Continue Reading

Data-driven technologies, particularly artificial intelligence and other complex algorithms, have the potential to enhance patient care and catalyse medical breakthroughs. However, these technologies are heavily reliant on data, which poses challenges in ensuring that patient information is handled in a safe, secure and legally compliant way.
Continue Reading

A recent judgment of the European Court makes it clear that in many circumstances more than one party may be a joint data controller. Whilst the judgment pre-dates the GDPR, its consideration of what constitutes ‘control’ and ‘joint control’ remains good law under the GDPR. The judgment means that parties who may have considered themselves ‘data processors’ in the past should review whether they are in fact ‘joint data controllers’ with others.
Continue Reading

On 13 September 2017, the Commission issued a proposal for a Regulation to strengthen the role of the EU Agency for Network and Information Security (ENISA) by:

  • granting it a permanent mandate;
  • clarifying its role as the information hub of the EU for cybersecurity; and
  • tasking it with the responsibility of proactively contributing to policy in the area of network information and security.

The proposal also introduces EU-wide cybersecurity certification schemes for ICT products and services, which will be prepared by ENISA. This aims to address current market fragmentation and provide a comprehensive set of cybersecurity rules, technical requirements, standards and procedures.
Continue Reading

The UK Government has released a “Future Partnership” paper setting out its vision for UK-EU data flows post-Brexit. In particular, the paper anticipates seeking an early UK-EU agreement that each area’s data protection laws provide equivalent protection, which would allow data to continue to flow between the EU, the UK and other third countries post-Brexit. 
Continue Reading

With holiday season upon us, earlier this week Matt Hancock, the UK Government’s Digital Minister, announced proposals for a new UK data protection law. Previously covered on this blog here and here, little new of substance was announced, but in a slow news week, the announcement garnered significant UK media coverage and attention. 
Continue Reading

Following the Government’s decision to include a revised data protection law in the Queen’s Speech last month, the House of Lords EU Home Affairs Sub-Committee reviewed the potential implications on national security, stability and public safety of the UK exiting the European Union without an agreement to ensure there is unhindered data flow between the two sides. The Committee issued a stark warning that it was “struck by the lack of detail” on how the Government would ensure that the UK data protection regime continues to allow data transfer with the European Union in a post-Brexit world.

Continue Reading

A revised data protection law forms part of the new government’s legislative agenda for the UK. Key points in the Queen’s Speech on 21 June 2017 were that a new UK Data Protection Bill (the Bill) will replace the current Data Protection Act 1998; the new Bill will implement the EU General Data Protection Regulation (GDPR) in the UK (a fact that the party manifestos were silent on before the election); and the government intends to put the UK in the best position to maintain data sharing across the EU and internationally. These points remained unchallenged in the subsequent parliamentary debates, and the government’s express intention to implement the GDPR through national law in the UK was welcomed by many businesses.
Continue Reading