The ICO has issued an enforcement notice which provides valuable insights into its approach to the use of biometrics in the workplace, and the lawfulness of employee monitoring activities more broadly.

On 23 February 2024, the Information Commissioner’s Office (“ICO”) ordered Serco Leisure Operating Limited (“Serco”), an operator of leisure facilities, to stop using facial

Continue Reading UK: Enforcement Against the Use of Biometrics in the Workplace

Authors: James Clark and Verena Grentzenberg

The Court of Justice of the European Union (CJEU) has delivered an important judgment on the scope and interpretation of the ‘automated decision-making’ framework under the GDPR.  It is a decision that could have significant implications for service providers who use algorithms to produce automated scores, profiles

Continue Reading EU: Significant new CJEU decision on automated decision-making

The European Data Protection Board has published new guidelines (14 November 2023) on the scope of Article 5(3) of the e-Privacy Directive – i.e., the so-called ‘cookie rule’.  

These guidelines apply a maximalist interpretation to the cookie rule, meaning that a wide variety of technologies other than traditional cookies are, in the opinion of the

Continue Reading EU: New EDPB guidelines on the scope of the ‘cookie rule’


A UK court has reversed a fine imposed on the provider of a facial image database service, Clearview AI, on the basis that the (UK) GDPR did not apply to the processing of personal data by the company. In so doing, the court has provided helpful judicial interpretation of both the territorial and material scope

Continue Reading Clearview AI -v- Information Commissioner

What is the European Health Data Space?

On 3 May 2022, the EU Commission published a draft Regulation on the European Health Data Space (“HDS”).  The Regulation is the first sector-specific proposal in the Commission’s “European Strategy for Data”, which aims at creating a ‘single market for data’.  In so doing, the Commission
Continue Reading The European Health Data Space – 5 Things You Need to Know

What has happened?

The European Union has today announced ‘agreement in principle’ with the United States on a new data transfer framework, intended to replace the Privacy Shield framework that was struck down in the 2020 Schrems II decision of the Court of Justice of the European Union.

The agreement was announced in a joint
Continue Reading Privacy Shield 2.0? EU and US announce potential new data transfer framework

Experiencing a global pandemic has provided us with many examples of the importance of scientific research to our lives.  Meanwhile, a sometimes popular (mis)conception is that data protection laws – and particularly the GDPR – are a barrier to the effective use of personal data for research. Consequently, new guidance from the UK’s Information Commissioner’s
Continue Reading UK: New guidance on processing personal data for scientific research purposes