1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

What does BREXIT mean for data protection?

On 23 June 2016, the UK is holding a referendum as to whether to stay in the European Union or leave it. But what does a BREXIT (a British Exit from the EU) mean for data protection?

Most of the UK law on data protection comes from the EU. The UK Data Protection Act 1998 and the Privacy and Electronic Communications Regulations both implement overarching EU law. So you might think this is like “unplugging” the source of data privacy law and therefore switching it off? But UK data protection law, in fact, pre-dates the European data protection directives. In fact, the UK was a signatory to the 1981 Convention (the forerunner of modern data protection law). Enough history!

What could happen in theory?

The UK parliament could reduce (or repeal) the Data Protection Act. The Courts could decide to no longer follow EU case law. Most importantly, the UK could choose not to implement the General Data Protection Regulation (GDPR). This, as we all know, is a wholesale upgrade to EU data protection law. GDPR includes new penalties of up to 4% of worldwide turnover, new legal duties to notify of data breaches and requirements to implement an accountability framework of policies and procedures.

What will happen in practice?

The UK could leave the EU and join the European Economic Area. In this case, it would be legally obliged to maintain data protection law on an equivalent footing to the EU. So all the current law would stay. GDPR would also be a requirement.

Theoretically, the UK could go out on its own. However this would make it a non-adequate jurisdiction for international data transfers. This means it cannot receive personal data freely from the EU. It could ask the EU for an “adequacy decision” but its anyone’s guess as to how long that would take. It could be a difficult negotiation (…think about the recent story of Snowden, Schrems and the proposed Privacy Shield, which is still being worked on).

No doubt there would be huge pressure on the UK to fall into line (dare I say it) with EU-style data protection law anyway. Otherwise, this could be a significant drag on international trade.

Finally, there is the practical argument that we actually need data protection law to underpin consumer trust in the digital economy. So let’s not trash it.

For what it’s worth, the ICO say that the UK needs clear and effective data protection law regardless of whether it remains in the EU. They don’t expect to be packing their bags.

Whatever the uncertainty on a possible UK exit, the issue will, at least, be resolved in a little over 7 days.

What does BREXIT mean for data protection?

Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Today, the Office of the Privacy Commissioner (OPC) announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses.

The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use for many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic privacy knowledge of its obligations and failed in demonstrating accountability and openness of its privacy practices.

This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the following measures that Compu-Finder has agreed to implement, include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possessions which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016.  The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies.

The CRTC’s proceedings against Compu-Finder are still on going.

You can read the full report of findings and compliance agreement online  here.

Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Supreme Court rules technical statutory violations do not establish standing without actual injury

In a decision that will impact a consumer’s standing to bring a claim under a number of federal statutes that allow for significant statutory penalties, such as the Video Privacy Protection Act, the Stored Communications Act, and others, the Supreme Court held in Spokeo v. Robins, 578 U.S. ___, 2016 WL 2842447 (May 16, 2016), that “Article III standing requires a concrete injury even in the context of a statutory violation.”  Accordingly, the Court found that the plaintiff “could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.”

The plaintiff had alleged that Spokeo, a “people search engine,” had violated the Fair Credit Reporting Act (“FCRA”) by including false facts about him in its search results, and brought a putative class action in the Central District of California.  The district court found that Robins had not pled an injury-in-fact as required by Article III.  The Court of Appeals for the Ninth Circuit disagreed, finding that the “violation of a statutory right is usually sufficient injury in fact to confer standing.”

But the Supreme Court reversed, finding that the Ninth Circuit “elided” the “concreteness” requirement of injury in fact, which requires analysis of the nature of the violation – not the bald assertion that a violation occurred. The Court explained that  “[a] ‘concrete’ injury must be ‘de facto’; that is, it must actually exist. . . . When we have used the adjective ‘concrete,’ we have meant to convey the usual meaning of the term—‘real,’ and not ‘abstract.’” The Court emphasized that a plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right” and that a plaintiff “cannot satisfy the demands of Article III by alleging a bare procedural violation.”

The Supreme Court then remanded for determination of whether the falsities alleged in the case “entail a degree of risk” of harm “sufficient to meet the concreteness requirement.”  In dicta, the Court noted that dissemination of certain false information, like an incorrect zip code, for example, would clearly not satisfy the test for a concrete injury.

The decision will be particularly impactful to class actions brought under statutes like the FCRA, as it will make class certification difficult in the absence of uniform violations that would clearly create harm.

Supreme Court rules technical statutory violations do not establish standing without actual injury


The General Data Protection Regulation (GDPR) has been approved by the European Parliament today. The Parliament did not make any amendments or proposals to the European Council’s final text which was published last week.

A very happy Jan Philipp Albrecht declared this vote as a “huge step forward” for the fundamental rights of individuals in the new digital economy.

So what’s next: There is one final (small) hurdle of administration before the GDPR is in effect. The text of the GDPR needs to be published in the Official Journal and will then take effect twenty days from this publication. The two year “transition” period will then be triggered, which means that the new law will enter into force around mid 2018.

The final text can be found here.


Why less means more for PPPs & data – Keys to collecting the right information in Canada

PPP projects have the potential to generate huge amounts of data. In the context of a tolled highway project, for instance, a PPP contract may require the private operator to collect, in real time, information regarding weather and traffic conditions, toll collections, vehicle types, license plate information, and power usage, to name but a few. Depending on the PPP contract, some or all of this information will end up in one or more reports that the private operator will be required to deliver to the public authority periodically.

The effect, if any, of this information on the PPP contract entered into between the public authority and the private operator will vary between projects and jurisdictions.

Some of this information will have a direct and relatively straightforward impact on the obligations of the public authority and private operator. For instance, in circumstances where demand risk is allocated to the private sector, payments to the private operator can be linked with the number of project users. A private operator can also be placed in default where reports are not delivered on time or do not contain required information and/or analysis.

In this article, Dentons’ Lampros Stougiannos and Maria Kourelis address certain issues surrounding data within PPP contracts. They will examine this from the perspective of the public authority involved in the procurement of a PPP project which must, prior to tendering a project, consider the type of information that is required to be collected and the effect this information will have on the project being procured.

Read the complete article Why less means more for PPPs & data, as originally printed in Handshake, with permission from the World Bank Group.

Why less means more for PPPs & data – Keys to collecting the right information in Canada