Welcome to the October & November edition of our UK & EU data protection bulletin.
Highlights this month are:
1. Coverage of 3 important CJEU cases. There has been no escaping Schrems, but the other two cases have received less coverage.
o Weltimmo looks at just how "established" you have to be in a member state to be subject to its data protection laws (answer - not very much!).
o Bara confirms that there is no free pass for public taxation and health agencies who want to exchange personal data - they must comply with the Directive's rules on transparency of processing.
2. The Article 29 Working Party Opinion on the draft C-SIG Cloud Computing Code of Conduct, recommending that the Code needs to do more around specificity of processing location, security and rights to audit.
3. The Law Enforcement Agencies Directive - the Council of Ministers reaches a common position, reworking the Directive to give more flexibility to the authorities. The Common Position has already been criticised by the EDPS.
4. In the UK:
o Publication of the draft Investigatory Powers Bill - a consultation on this is now underway;
o A series of interesting privacy cases, ranging from publication of photos of Paul Weller's children (unlawful) through to sharing of data about patients who owe money for NHS treatment (lawful, as, unlike the Bara case, patients had been given notice and this was underpinned by legislation); and
o A significant upsurge of direct marketing related enforcement - a mix of enforcement notices and monetary penalties against those making phone calls, automated calls and spam texts - including enforcement action against companies buying in lists who could not demonstrate that the prospects had actually given consent. For those who buy in lists, a review of procedures should be swiftly undertaken.