UK & EU Data Protection Bulletin: June 2019 Highlights

By Ruth Boardman, Ariane Mole, Elizabeth Upton


Welcome to the latest edition of our newsletter covering developments from June.

Particular highlights include:
  • ICO's Update Report on Adtech and Real Time Bidding
  • ECJ case confirming that Gmail and other OTT services are currently excluded from the scope of the application of the ePrivacy Directive (although note that its scope will be expanded in any event in 2020)
  • The Regulation on the Free Flow of non personal Data became directly applicable in the EU on 29 May. The European Commission has also issued guidance on this regulation and its interplay with GDPR.
  • Criminal prosecutions for individuals unlawfully obtaining personal data.

View the full bulletin >>

UK and EU Data protection podcast

To listen to our podcast, click here >>


GDPR one year on

On 20 May the ICO published its paper to share reflections and learnings of the first year of GDPR implementation.

Click here to

Project explAIn interim report

The ICO and the Alan Turing released their interim report on Project explAIn. This collaboration aims at creating practical guidance to assist organisations with explaining artificial intelligence decisions to affected individuals.

Click here to

ICO Update Report on Adtech and Real Time Bidding

On 20 June the ICO published an update report on her office’s review of adtech and real time binding which is a form of auctioned online advertising.

Click here to

UK cases

Green v Group Ltd & others [2019] EWHC 954 (Ch)

This case relates to a claim arising from the processing of data by the group of companies informally known as 'Cambridge Analytica'. The High Court considered whether the administrators of the company were data controllers and personally responsible for compliance with the DPA 1998 in respect of processing by the company which had been put into administration including but not limited to compliance with subject access requests.

Click here to

Dawson Damer v Taylor Wessing [2019] EWHC 1258

This High Court decision provides important clarifications on the definition of relevant filing system, the legal professional privilege exemption and reasonable and proportionate searches.

Click here to

Advertising Standards Authority Limited v Robert Neil Whyte Mitchell [2019] EWHC 1469

This case relates to an application by the ASA for an injunction to prevent an unintended recipient of an email from using, publishing, communicating or disclosing any part of the email or its attachments on the grounds that the contents were confidential and in part legally privileged. As Mr Justice Warby puts it “just about everyone who uses email will have had an experience similar to the one that led to this application”.

Click here to

Other UK News

DMCS consultation about public concerns around data protection (deadline 14 July):

On 10 June 2019, the Department for Digital, Culture, Media and Sport (DCMS) announced an open call for evidence for the government's intended National Data Strategy (NDS). The stated aims of the NDS are that it will empower government and the economy through the use of data, and ensure public trust in its use.

Click here to

BEIS consultation about going beyond GDPR data portability (deadline 6 August 2019):

On 11 June 2019, the Department for Business, Energy and Industrial Strategy (BEIS) published a consultation on proposals following its Smart Data Review. The Smart Data Review has explored how government can accelerate the development and use of new data-driven technologies and services to improve consumer outcomes. In particular, it considered how such technologies can foster innovation and facilitate switching and data portability in regulated and digital markets.

Click here to


EDPB holds 11th plenary session; adopts new guidance

On 4th June 2019, the European Data Protection Board (EDPB) held its most recent plenary meeting, adopting new guidance that will be of interest to organisations looking to benefit from the GDPR’s provisions on Codes of Conduct and Certification schemes.

Click here to

EU cases

On June 13, the ECJ confirmed in the Gmail case that email services like Gmail do not fall under the definition of an “electronic communications service pursuant to Framework Directive 2002/21/EC as modified by Directive 2009/140/EC. The judgment provides the ECJ’s view on a question that has been subject of a dispute with the German national regulator which originated back in 2012.

Click here to

Other EU news

New EU Regulation on non-personal data.

EU Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union (the “Non-personal Data Regulation" or "FFD") became directly applicable in all EU Member States on 29 May 2019. The main purpose of the FFD Regulation is to allow mobility of non-personal data across borders and ensure the freedom to provide data processing services within the EU, which are sometimes restricted by national legal requirements to locate data in a specific territory.

Click here to

CNIL fine to real estate company amounts to 1% of its annual turnover

Sergic, a real estate company allowing individuals to upload any supporting documentation through their website was fined €400,000 by the CNIL (the French data protection authority) on 28 May for (i) failure to implement appropriate security measures and (ii) retention of personal data for longer than is necessary.

Click here to

International news

Tunisia becomes the 30th signatory to the Council of Europe's Protocol amending Convention 1081 ("Convention 108+").

Convention 108+ aims to modernise and improve Convention 108. Many of the changes correspond to changes to the EU's data protection regime brought in by the GDPR.

Click here to

Morrocco is the sixth country in the African region and 55th State party to accede to Convention 108.

Morocco also signed-up to the Council of Europe's Additional Protocol to Convention 108. The Additional Protocol sets out requirements relating to supervisory authorities and transborder flows of personal data to recipients which are not party to Convention 108 (the "Additional Protocol").

Click here to

UK Enforcement

Highlights This month we have seen a number of prosecutions for unlawfully obtaining data under the DPA 1998 as well as monetary penalties under PECR and an enforcement notice for failing to respond to a large number of subject access requests.

Click here to