Almost all the legislation governing this area at UK and EU level is either in the process of being revised or is being reviewed to decide whether changes are necessary. We have also seen some important decisions this year (in addition to the Safe Harbor one) and some interesting regulatory guidance. For more on what to expect next year, read our Download article.

The General Data Protection Regulation

We have seen real progress on the EU GDPR this year and next year looks as though it will be the year it is finally agreed. The Ministers in the Justice Council agreed their proposed amendments to the draft in June and trilogues between the Council, the European Parliament and the Commission began shortly after that. In the meantime, the Article 29 Working Party, the European Data Protection Supervisor and various Member State regulators including the ICO, have commented on the proposals. It now remains to agree the final version. Rumour has it that it will be published on 28 January 2016, designated ‘Data Protection Day’ but this may be wishful thinking. We are currently expecting to have a pretty good idea of what the GDPR will contain in the early stages of 2016. For more detail on progress with the GDPR, see here.

Freedom of Information

In July 2015, the government launched a cross-party review of the Freedom of Information Act 2000 (FOIA). On seeing the composition of the Independent Commission on Freedom of Information, the media complained of a “stitch up” and are hugely concerned that rights under the FOIA will be curtailed. The Commission published a call for evidence which focused on the balance struck by the FOIA between the need for transparency and protection of sensitive information which closed at the end of November 2015. In response, the ICO has broadly said that, at least as far as his own areas of competence go, no change is necessary.

Draft Investigatory Powers Bill

As we reported in November 2015, the government published the draft Investigatory Powers Bill (DIP). This is intended to overhaul RIPA, take the place of ‘stop gap’ provisions introduced following the striking down of the Data Retention Directive by the CJEU, and consolidate the legal framework.

DIP covers interception of communications (i.e. of the contents of communications in the course of transmission); acquisition of communications data (data relating to “who, where, when, how and with whom” of a communication but not of its contents); and equipment interference to obtain data (in other words, hacking).

There has been a mixed reaction to the Bill. A number of politicians (including Labour’s Andy Burnham) have said it is proportionate, particularly as some of the more controversial elements such as a ban on encryption were dropped. Privacy campaigners, much of the media and some politicians are very much against the new proposals and businesses are also concerned about the new requirements.

Beyond the privacy implications for individuals, telecoms operators and internet service providers are likely to be most affected from a commercial perspective and the government has committed to helping fund the cost of increased data retention requirements, estimated to be around £175m over the next decade.

It remains to be seen, however, whether the Bill passes and whether it survives more or less in its current form. Its progress through Parliament next year is likely to be difficult given its controversial nature. While many of the powers proposed are not new, the (relatively) greater level of transparency will lead to greater scrutiny and the controversial new elements, like the requirement for communications providers to retain data on web histories, are also likely to be hotly debated. The recent horrific attacks in Paris which came shortly after DIP was published may well serve to strengthen the government’s position that the powers provided for in DIP are necessary to keep the country safe.

In the meantime, a referral has been made to the CJEU by the Court of Appeal further to a High Court ruling that s1 DRIPA is unlawful. Whether DIP will come in before the CJEU rules on this issue remains to be seen.

Prevention of enforced subject access requests

S56 of the Data Protection Act 1998 finally came into force on 10 March 2015. This was the last section of the Act to come into force. It makes it a criminal offence for an employer or prospective employer to force its employees or job applicants to obtain a copy of their criminal records by means of a subject access request and then supply it to the employer in connection with their recruitment or continuing employment. It also prevents any person from requiring another person to make this kind of subject access request as a pre-condition to supplying them with goods or services. The point of this is to prevent details of spent convictions being released and to ensure that these sorts of criminal records searches are carried out under the criminal records disclosure regime operated by the Disclosure and Barring Service.

Amendment of PECR to make imposing fines for nuisance calls and texts easier

In April 2016, changes announced by the government made it easier for action to be taken against companies sending nuisance marketing calls and texts. The government removed the requirement for the ICO to prove a company has caused “substantial damage or substantial distress” from the Privacy and Electronic Communications Regulations (PECR), effectively making it easier to impose fines. The ICO still needs to show that there has been a serious breach of PECR which was either deliberate or which was caused by actions which the party in breach knew would be likely to cause a breach and failed to act to prevent it.

PECR was also amended to allow providers of mobile electronic communications services to store traffic and location data to operate or test a public emergency system. Retention periods will be limited unless the data is anonymised.

Vidal Hall v Google Inc.

This concerned an application heard by the Court of Appeal to serve outside the jurisdiction. It was held that damages can be awarded for distress alone (whether or not there has been financial loss). It also confirmed that there was a serious issue to be tried in this case in relation to tracking and collection of personal information without consent, and that there is a strong case to answer that browser generated information is personal data, even when it does not directly identify an individual. You can read more about this here.


Released in the midst of the Safe Harbor storm, this CJEU judgment was somewhat overlooked but is of interest because it deals with the question of what constitutes an “establishment” for the purposes of data protection law enforcement. It expands on the wide interpretation discussed in last year’s Google Spain judgment and is important, at least until the new GDPR is in place, and possibly beyond. See here for more.

Regulator guidance and opinions

Regulators have been busy as usual, both at a national and international level. Of particular interest have been the Article 29 Working Party (WP) Opinion on Health Data in apps, and the European Data Protection Supervisor Opinion on m-health, reflecting that this is a growing area of scrutiny. The WP Opinions on BCRs for data processors and on drones are also significant.