Tag Archives: General Data Protection Regulation (GDPR)

New Special Issue of Communications Law: Information control in an ominous global environment

Communications Law JournalThe Information Law and Policy Centre is pleased to announce the publication of a special issue of the Communications Law journal based on papers submitted for our annual workshop last November. The journal articles are available via direct subscription, through the Lexis Library (IALS member link) and (coming soon) Westlaw.

In the following editorial for the special issue, Dr Judith Townend, Lecturer in Media and Information Law, University of Sussex, (the outgoing Director of the ILPC, Institute of Advanced Legal Studies) and Dr Paul Wragg, Associate Professor of Law, University of Leeds discuss the challenges of information control in an ominous global environment.

This special issue of Communications Law celebrates the first anniversary of the Information Law and Policy Centre (ILPC) at the Institute of Advanced Legal Studies. It features three contributions from leading commentators who participated in the ILPC’s annual conference ‘Restricted and redacted: where now for human rights and digital information control?‘, which was held on 9 November 2016 and sponsored by Bloomsbury Professional.

The workshop considered the myriad ways in which data protection laws touch upon fundamental rights, from internet intermediary liability, investigatory and surveillance powers, media regulation, whistle-blower protection, to ‘anti-extremism’ policy. We were delighted with the response to our call for papers. The conference benefited from a number of provocative and insightful papers, from academics including Professor Gavin Phillipson, Professor Ellen P Goodman, Professor Perry Keller and Professor David Rolph as well as Rosemary Jay, Mélanie Dulong de Rosnay, Federica Giovanella and Allison Holmes, whose papers are published in this edition.

The date of the conference, by happenstance, gave extra piquancy to the significance of our theme. News of Donald J Trump’s election triumph spoke to (and continues to speak to) an ominous and radically changed global environment in which fundamental rights protection takes centre stage. But as Trump’s presidency already shows, those rights have become impoverished in the rush to promote nationalism in all its ugly forms.

In the UK, the popularism that threatens to rise above all other domestic values marks a similar threat, in which executive decision-making is not only championed but also provokes popular dissent when threatened by judicial oversight. The Daily Mail’s claim that High Court justices were ‘enemies of the people’ when they sought to restrict the exercise of unvarnished executive power reminds us that fundamental rights are seriously undervalued.

Perhaps we should not be surprised at these events and their potential impact on communication law. In February 2015, at the ILPC’s inaugural conference Dr Daithí Mac Síthigh delivered a powerful paper in which he noted the rise of this phenomena in the government’s thinking on information law and policy under the Coalition Government 2010-15. In his view, following an ‘initial urgency’ of libertarianism, the mood changed to one of internet regulation or re-regulation. Such a response to perceived disorder, though not unusual, was ‘remarkable’ given how the measures in this field adopted during these final stages of the last government had been ‘characterised by the extension of State power in a whole range of areas.’ We should also note the demise of liberalism in popular thought. That much criticised notion which underpins all fundamental rights seems universally disclaimed as something weak and sinister. All of this speaks to a worrisome future in which the fate of the Human Rights Act remains undecided.

Concerns like these animate the papers in this special issue. The contribution from leading data protection practitioner Rosemary Jay, Senior Consultant Attorney at Hunton & Williams and author of Sweet & Maxwell’s Data Protection Law & Practice, is entitled ‘Heads and shoulders, knees and toes (and eyes and ears and mouth and nose…)’. Her paper discusses the rise of biometric data and restrictions on its use generated by the General Data Protection Regulation. As she notes, sensitive personal data arising from biometric data might be more easily shared, leading to loss of individual autonomy. It is not hard to imagine the impact unrestricted data access would have – the prospective employer who offers the job to someone else because of concerns about an applicant’s cholesterol levels; the partner who leaves after discovering a family history of mental ill heath; the bank that refuses a mortgage because of drinking habits. As Jay concludes, consent will play a major role in regulating this area.

In their paper, Federica Giovanella and Mélanie Dulong de Rosnay discuss community networks, a grassroots alternative to commercial internet service providers. They discuss the liability issues arising from open wireless local access networks after the landmark Court of Justice of the EU decision in McFadden v Sony Music Entertainment Germany GmbH. As they conclude, the decision could prompt greater regulation of, and political involvement in, the distribution of materials through these networks which may well represent another threat to fundamental rights.

Finally, Allison M Holmes reflects on the impact of fundamental rights caused by the status imposed on communication service providers. As Holmes argues, privacy and other human rights are threatened because CSPs are not treated as public actors when retaining communications data. As she says, this status ought to change and she argues convincingly on how that may be achieved.

Information Law and Policy Centre’s annual workshop highlights new challenges in balancing competing human rights

dsc_0892  dsc_0896  dsc_0898

Our annual workshop and lecture – held earlier this month – brought together a wide range of legal academics, lawyers, policy-makers and interested parties to discuss the future of human rights and digital information control.

A number of key themes emerged in our panel sessions including the tensions present in balancing Article 8 and Article 10 rights; the new algorithmic and informational power of commercial actors; the challenges for law enforcement; the liability of online intermediaries; and future technological developments.

The following write up of the event offers a very brief summary report of each panel and of Rosemary Jay’s evening lecture.

Morning Session

Panel A: Social media, online privacy and shaming

Helen James and Emma Nottingham (University of Winchester) began the panel by presenting their research (with Marion Oswald) into the legal and ethical issues raised by the depiction of young children in broadcast TV programmes such as The Secret Life of 4, 5 and 6 Year Olds. They were also concerned with the live-tweeting which accompanied these programmes, noting that very abusive tweets could be directed towards children taking part in the programmes.

Continue reading

What is the impact of Brexit on data protection and the GDPR?

A consensus already appears to be emerging among legal commentators that many UK organisations will need to comply with the provisions of the European Union’s General Data Protection Regulation regardless of the progress of the UK’s path to Brexit.

The GDPR was due to be adopted by the UK in May 2018 after a long process of EU legislative reform. As soon as the UK officially leaves the EU, in theory it is possible that the GDPR could be ignored – data protection is already written into UK law in the Data Protection Act 1998. In practice, however, if the UK continued to be part of the European Economic Area then the UK would have to abide by GDPR.

Moreover, as Andrew Cormack points out, any organisation outside the EU that wishes to process the data of “data subjects who are in the Union” will also have to abide by GDPR (Article 3(2)). This would be relevant to a number of UK organisations who need to process the data of EU clients, customers, students etc.

Further, any EU organisation sending personal data to the UK as a non-member state would no longer be able to guarantee that there was “adequate protection” of data in the UK, unless the UK sought to obtain a declaration to the contrary.

The position of the UK vis-à-vis GDPR was summarised by the ICO in a statement published in response to the referendum result:

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

It is likely, therefore, that elements of the GDPR will be incorporated into UK law however Brexit progresses. Both Anya Proops QC and Eduardo Ustaran argue that any UK business which provides services into the EU will need to understand and comply with GDPR.

Brendan Van Alsenoy: I tweet therefore I am … subject to data protection law?

In this guest blog post, Brendan Van Alsenoy – legal researcher at the Centre for IT and IP Law, University of Leuven – analyses the scope of the personal use exemption under the new EU General Data Protection Regulation (GDPR).

A note with regard to the relevance of the GDPR to the UK: this post was written before the EU referendum result on 24th June. For the ICO’s statement on the potential regulatory implications of a UK exit from the EU please see this link.

The blog post was originally posted on the CiTiP blog at KU Leuven. It is based on a draft paper included in the CiTiP Working Paper Series. You can follow the CiTiP on Twitter here.


In less than 30 years, individuals have transcended their role as passive “data subjects” to become actively involved in the creation, distribution and consumption of personal data. Unless an exemption or derogation applies, individuals are – at least in theory – subject to data protection law.

The evolving role of the individual

We use information and communication technologies every day. Mobile devices tell us where to eat, who to meet and how to get there. We share pictures, post videos and tweet reviews. We google everything and everyone.

With all these processing capabilities at our fingertips, the question can be asked: are we subject to EU data protection law?

Continue reading