Latest Posts
Protect Your Organisation from GDPR Fines
The General Data Protection Regulation (GDPR) is a comprehensive privacy law that was implemented by the European Union (EU) in 2018. Its purpose is to protect the personal data of EU citizens by establishing strict rules for the collection, processing, and storage of personal information by organisations.
The GDPR applies not only to organisations based in the EU but also to any organisation that processes the personal data of EU citizens, regardless of where the organisation is located. Non-compliance with GDPR can result in significant fines and penalties.
What is the latest on GDPR fines?
According to recent research, supervising authorities across Europe have markedly increased the level of fines issued to companies found in breach of the GDPR. Latest figures show:
- In the year ending March 2022, data protection supervisory authorities across Europe issued fines of around EUR 1.581 billion (GDP 1.403) (+1.319 billion in comparison to the 2021 figures.
- A total number of 1,031 fines (+505 in comparison to 2021) were issued in the year ending March 2022.
- In relation to the number of fines and average sum of fines issued, the most common compliance breach was due to “insufficient legal basis for data processing”. The second and third most reported and fined breaches were caused by “insufficient technical and organisational measures to ensure information security” and “insufficient fulfilment of data subject’s rights”.
These figures show that GDPR enforcement is here to stay and regulators are increasing the number of investigated cases and penalty levels year on year. No business can afford to be complacent when it comes to implementing GDPR policies and procedures.
Find out more in our post Five Ways To Protect Your Company from a GDPR fine
What sectors received the most GDPR fines?
The following sectors received the highest number of GDPR fines:
- Industry and Commerce
- Media
- Telecoms
- Broadcasting
- Transportation
- Energy
It is imperative to note that this does not mean these sectors are necessarily shirking their data protection and privacy compliance obligations, rather it is an indication that these industries are the most exposed in terms of GDPR-related risk. Although the average fines levied in the Transportation and Energy sectors were high, the number of fines issued was relatively low. This signifies that although breaches in this sector are relatively rare, when they occur they are serious and thus attract large penalties.
What are the most common types of GDPR breaches leading to fines?
The top areas of GDPR non-compliance leading to fines were:
- Insufficient legal basis for data processing
- Inadequate technical and organisational measures to ensure information security
- Non-compliance with general data processing principles
- Insufficient fulfilment of data subjects’ rights
- Unsatisfactory fulfilment of information obligations
- Insufficient cooperation with supervisory authority
- Inadequate fulfilment of data breach notification obligations
- Non-appointment of data protection officer
- Insufficient data processing agreement
This shows that many companies are still unsure of what constitutes a lawful basis for processing personal data. The lawful foundations for processing data are set out in Article 6 of the GDPR and at least one of the following must be present whenever personal data is processed:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
If none of the above apply to your reason for processing personal data, the processing is unlawful and therefore a breach of Article 6.
Wrapping up
The data is clear – all companies, especially those in high-risk sectors such as advertising, technology, telecommunications, and general communications (for example direct marketing) need to implement consistent, proactive training programmes to ensure all employees understand what is required for GDPR compliance. As supervising authorities become more confident with enforcing data protection and privacy regulations, the scope for fines and reputational damage leading to a loss of consumer trust will continue to increase.
To find out how we can assist you on all matters relating to GDPR and data protection law, please contact Ann-Maree Blake to make an appointment.
Not to be Overlooked! How the Tate Modern Lost Neighbours’ Nuisance Claim
The Tate Modern (“Tate”) welcomes millions of visitors each year and is one of the most visited attractions in the UK. It has been involved in a legal battle with the residents of neighbouring apartments for the past six years.
Last week, the Supreme Court handed down judgement in Fearn and Others v The Board of Trustees of the Tate Gallery. The case is of interest as the Court disagreed with the two lower courts’ ruling and found that the Tate had violated privacy and nuisance law.
This article provides the main aspects of the dispute and, most importantly, how it may impact developers in their future projects.
Background
The Tate’s neighbours claimed that the use of a 360° public viewing platform unreasonably interfered with their enjoyment and constituted a nuisance.
The High Court initially considered the scope of private nuisance and the Human Rights Act and determined that (i) the use of the viewing platform was reasonable and (ii) whilst intrusive viewing could potentially give rise to a claim in nuisance, the intrusion was not a nuisance because the claimants had glass walls and did not take steps to protect their privacy.
Although the Court of Appeal found the reasoning flawed, it nevertheless decided that this was more a privacy matter and ‘overlooking’, no matter how oppressive, could not constitute an actionable nuisance. The neighbours appealed to the Supreme Court.
The Decision
The Supreme Court held (by a 3-2 majority) that Tate has violated privacy and nuisance laws:‘this is a straightforward case of nuisance’ and visual intrusion can amount to nuisance. The Court found that there was substantial interference with the ordinary use and enjoyment of the apartment owners’ properties.
From a factual perspective, the Court found:
- The neighbours’ living areas were under constant observation from the Tate’s viewing gallery for much of the day, every day of the week, – ‘much like being on display in a zoo’;
- The number of spectators amounts to hundreds of thousands each year;
- Visitors frequently took photographs of the interiors of the properties and sometimes posted them on social media;
- The above points would reasonably be regarded by a homeowner as a material intrusion into the privacy of their living accommodation.
The Court however did not decide on the appropriate remedy for this nuisance and this element will be reconsidered by the High Court, if the parties are unable to reach a settlement.
The Future
At first blush, this decision could cause concern to developers who may fear for their future property development plans; like interferences with rights of light, might it require them to compensate those who could be affected? Indeed, the Court recognised that not only is there the potential for more claims as technology evolves (it is becoming easier to place neighbours under constant observation), but that it is not a defence to argue that a claimant can take reasonable steps to avoid the consequences of the nuisance (like putting up curtains).
However, we consider some comfort can be taken from the Court’s ratification of established principles and that the primary test for nuisance is whether land is being used for a common and ordinary purpose. The Tate’s viewing gallery failed this test, but it is doubtful that ‘ordinary’ residential and/or commercial developments (that merely overlook neighbouring land) would.
Notwithstanding this, the decision is a reminder that the categories of nuisance are not limited and that the law has the ability to protect privacy in the home. For this reason, property owners and developers should carefully consider the effect of future projects and may wish to obtain advice on the available options.
If you require advice on property-related issues, or any other type of dispute, then please contact our Dispute Resolution team.
Please note – this article does not constitute legal advice.
Retrieving Stolen Crypto In The UK Has Never Been Easier
The legal grey zones in cryptocurrencies have been an underlying concern for investors and the public. The struggle to regulate cryptocurrencies exposes crypto owners to risk of theft by cybercriminals, with a record of approximately $3 billion worth of cryptocurrency being stolen in 2022.
With over 2 million people in the UK who are possessing and using cryptocurrency, the UK legal system is trying to catch up. Crypto theft victims can now seek to recover their lost assets through the legal proceedings via the civil courts.In this article, we will discuss the recent two High Court cases demonstrating the ability of the Courts in England and Wales to flexibly apply the law to issues arising out of crypto asset transactions.
If You Can Trace Back Your Crypto You Can Keep It
In Jones v Persons Unknown [2022] EWHC 2543 (Comm), the Claimant had been fraudulently convinced to transfer 89.61616088 in Bitcoins to a fake crypto-investment platform. His Bitcoins were traced to a wallet associated with the company Huobi, a Seychelles-based cryptocurrency exchange. A worldwide freezing injunction was obtained against the persons unknown and a proprietary injunction against Huobi.
Due to the complexity of the Defendants in this case, it is helpful to set out who they are individually:
- First Defendant (Persons Unknown)- the people or companies who fraudulently obtained access to the Claimant’s bitcoin accounts between 22 January 2019 and 10 January 2020 and conducted the transactions which transferred the cryptocurrencies held in those accounts to other accounts.
- Second Defendant (Persons Unknown) – The people or companies who own or control the accounts into which the Bitcoin was transferred for less than full value.
- Third Defendant (Persons Unknown) – The people or companies who are innocent receivers who have no reasonable grounds for thinking that what has appeared in their account belonged to the Claimant)
- Fourth Defendant – Huobi Global Limited
The Court was asked to decide on the following:
- An application for a summary judgement against the First, Second, and Fourth Defendants.
- An order for delivery-up of Bitcoin from the Fourth Defendant.
- Maintenance of the interim proprietary and non-proprietary injunctions, and a final proprietary injunction preventing the disposal of the Claimant’s Bitcoin.
- The service of an out-of-jurisdiction order on the First, Second, and Fourth Defendants.
- Permission for service to the First, Second, and Fourth Defendants by an air-drop of a non-fungible token into the Fourth Defendant’s wallet.
The High Court ruled that the Claimant was entitled to judgement against the fraudsters for deceit and unjust enrichment. Therefore, he was eligible to have the Bitcoin, or its value equivalent, returned. In addition, Huobi was declared a constructive trustee in respect of the fraudulently transferred Bitcoin and so the Claimant was entitled to an order for the delivery-up of his Bitcoin by Huobi.
How Disclosure Application Can Help Identify Thieves
In LMN v Bitflyer Holdings Inc [2022] EWHC 2954 (Comm), the hackers transferred millions of dollars’ worth of cryptocurrency from the Claimant’s computer systems in 2020. An expert traced the cryptocurrency transfer through 26 recipient exchange addresses and discovered that these exchanges were all operated by one of the Defendants or companies belonging to the same group. Furthermore, the exchanges were located in several foreign jurisdictions.
In order to further trace the misappropriated cryptocurrency, the Claimant required ‘Know Your Client’ and other anti-money laundering information from the various exchanges and third parties.
The Court granted the information orders sought by the Claimant, relying on two strands of case law authority, namely;
- Norwich Pharmacal Co v Comrs of Customs and Excise [1974] AC 133
- Bankers Trust Co v Shapira [1980] 1 WLR 1274.
The latter’s jurisdiction arises when there is robust evidence that the Claimant’s property has been misappropriated. Norwich Pharmacal “allowed a claimant to seek disclosure from an “involved” third party who had information enabling the claimant to identify a wrongdoer so as to be in a position to bring an action against the wrongdoer where otherwise he would not be able to do so” [para 18].
In addition, Bitflyer Holdings is one of the first decisions in which the Court has granted permission to serve proceedings outside the jurisdiction under the new Gateway for Information Orders (GIO). These orders were introduced in October 2022 to facilitate the making of Norwich Pharmacal and Bankers Trust applications against Defendants overseas. GIO apply where there is an application for disclosure in order to obtain information regarding the true identity of a potential Defendant and/or what has become of the Claimant’s property, with a view to issuing proceedings that are intended to be commenced in England and Wales.
What These Decisions Mean For Cryptocurrency Litigants
Both these decisions are incredibly important in the Wild West environment of cryptocurrency. One of the advantages of trading in cryptocurrency is the elevated level of anonymity it provides. The other side of this is that fraudsters, money launderers, and other shady characters are drawn to cryptocurrency like moths to a flame. These decisions highlight that English Courts are not only willing to treat cryptocurrency as a form of property and to make orders aimed at assisting the recovery of stolen cryptocurrency, but they are also alive to the fact that the law must move quickly to protect Claimants’ rights, especially when Parliament may be slower to legislate. Ultimately, these decisions confirm both that England and Wales is a favourable jurisdiction for those conducting business that involves crypto assets and that, should fraud take place, there are strategies available to seek a recovery.
Quastels LLP has the expertise to protect and recover your digital assets. For legal advice on protecting your digital assets, please call +44 (0)20 7908 2525.