Dear reader, This post was originally published on 14 October 2018, and subsequently deleted on 24 October 2019, after an interested party contacted me and asked that any reference to them in my blog post be removed. I chose to delete the post in its entirety
The GDPR has been in force for less than two weeks, but Europeans have already started to contact companies left, right and centre to exercise their newly enshrined statutory “right to be forgotten.” However, this right is not absolute, and only applies in certain circumstances. Let’s
Facebook may believe that dubious data collection and security practices justify a more connected audience: the incoming General Data Protection Regulations say differently. Once again, data privacy is in the headlines. But this time, it isn't a credit agency or department store that has fallen short
All human beings have three lives: public, private, and secret. ― Gabriel García MárquezThe European Union's Court of Justice decision in Google Spain v Agencia Española de Protección de Datos, Mario Costeja González ("Google Spain") confirmed the “right to be forgotten” for European citizens. This right is further enshrined in the upcoming General Data Protection Regulations (GDPR). Accordingly, European data protection law grants individuals a qualified right to have personal data relating to them removed from search engines. This right is however considered by some to be a uniquely European phenomena, which resulted from one unusual CJEU judgement. Now, two upcoming cases against Google will be the first time in which the "right to be forgotten" will be considered by the English Courts. Two unnamed claimants, known only as NT1 and NT2, are bringing a companion case against Google to enforce their right to be forgotten. (NT1 v Google and NT2 v Google,  EWHC 67 (QB) (Rev 3))
Silent Witness is a BBC crime drama about a team of forensic pathology experts and their investigations into various crimes – it's a bit like American hit shows Bones and Law & Order. In a recent episode, a cyber hacker steals the files of 30,000 patients from a hospital, and then extorts the hospital for payment. As medical secrets are leaked, several murders are tied to the data breach. In addition to the criminal investigations, boardroom drama ensues when the hospital chief is questioned about the (apparently awful) cyber security firm he selected. It was at this point that I turned to my husband in disbelief and said, "where on Earth is the hospital's data protection officer!?" Of course, television dramas are entitled their artistic licence. I'm not sure data protection officers make for enthralling plot devices, if I'm honest. But shows like this demonstrate just how mainstream data breaches, cyber security and hacking personal data have become. In fact, many non-lawyers are now familiar with at least some concept of data protection legislation. With just four months to go until the new General Data Protection Regulations ("GDPR") come into effect and replace the Data Protection Act 1998, here is a reminder as to when a private organisation is required by law to have a data protection officer ("DPO").