Data protection

In today’s digital world, data protection is a critical concern for all businesses. Ensuring compliance with data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, is essential to safeguarding your business, protecting customers and clients, and avoiding costly penalties.

At Blaser Mills, our data protection experts are here to help you navigate the complexities of data protection law, ensuring your business remains compliant and secure.

To speak to our data protection team, call Colin Smith on 020 3814 2020 or email commercial@blasermills.co.uk. Alternatively, fill in our contact form.

About us

Our team of data protection specialists has extensive experience advising businesses of all sizes on data protection and privacy issues. We understand the intricate legal requirements of data protection laws and the significant impact they can have on your operations. Whether you process large volumes of personal data or you are simply handling customer data and employee information in the course of running your business, we provide clear, practical advice to help you manage your data responsibly and legally.


Our team works closely with you to understand your business needs and develop tailored solutions that protect your data while supporting your business objectives. We are committed to providing high-quality legal services that ensure your business is not only compliant but also prepared for future challenges in the evolving landscape of data protection.

Why choose us?

It goes without saying that our data protection lawyers provide the technical mastery our clients rightly demand with a comprehensive knowledge of the relevant legislation, regulations and guidance.

Our core data protection services include:

  • GDPR compliance
  • Data protection impact assessments and data audits
  • Data processing and data sharing agreements
  • Privacy notices
  • Data protection policies and procedures
  • Advising and training employers on data protection
  • Assisting with subject access requests made by employees

However, we don’t treat data protection in isolation but as one piece of the jigsaw (albeit an important one) in helping clients to protect and exploit data as the highly valuable resource that it is. Our lawyers combine their regulatory expertise with a deep understanding of intellectual property rights and contract law to deliver an integrated commercial service to clients.

Who we help

All businesses process personal data (information that relates to an identified or identifiable individual) – holding, organising, sharing and transferring such data all amounts to processing – and are required to comply with data protection laws. 

Some organisations have a greater risk profile because they handle large volumes of personal data or process categories of data that are sensitive, e.g. individuals’ financial data. Special categories of personal data – including racial/ethnic origin, genetic, biometric and health data – receive additional protection under the UK GDPR and require particularly careful handling.

There are specific legal requirements in relation to:

  • Cross border data transfers
  • Direct marketing, privacy and electronic communications
  • Use of AI in processing data

We advise clients across the full range of data protection needs. Whether your requirements are straightforward or complex, we are here to help.

Get in touch

To speak to our data protection team, call Colin Smith on 020 3814 2020 or email commercial@blasermills.co.uk. Alternatively, fill in our contact form.

Colin Smith

Colin is a Partner and head of the Commercial contracts team.

Colin specialises in the review, preparation and negotiation of commercial contracts, helping clients to manage risk in their key relationships with customers, suppliers and commercial partners. A Blaser Mills Partner for over 20 years, Colin combines a high level of technical expertise with providing practical and pragmatic advice. This approach reflects his experiences in industry before he became a lawyer, a career that included 6 years in brand management with Procter & Gamble.

He advises across a wide range of industry sectors, including manufacturing and distribution, IT/technology, renewable energy, motorsport, health care and professional services.

Colin’s clients include tech start-ups, established family businesses, household brands and global corporations. Much of Colin’s work has a strong international focus and he has extensive experience of negotiating complex cross-border agreements.

Specialisms include franchising and data protection. Colin trained with one of the UK’s leading franchise lawyers at the outset of his legal career and has been at the forefront of steering clients through the introduction of the GDPR and the impact of Brexit on data privacy and direct marketing.

Colin is recommended in The Legal 500 UK guide.

The UK-US Data Bridge – What has it changed?

The 12th October 2023 saw the introduction of the UK-US Data Bridge (‘the Data Bridge’), transforming the way both nations handle the flow of information across their borders.

Pre-Data Bridge

Before the Data Bridge, the lawful transfer of personal data from an organisation based in the UK to a counterpart in the US was governed by complex regulations, specifically the EU-US Privacy Shield (‘the Privacy Shield’), the EU General Data Protection Regulation (‘EU GDPR’) and the UK General Data Protection Regulation (‘UK GDPR’).

EU-US Privacy Shield

From July 2016 until July 2020, the Privacy Shield partially governed the exchange of personal data between the US and EU (and then the UK, post-Brexit) for commercial purposes. Its purpose was to enable US organisations to easily receive personal data from EU entities under EU privacy laws, which were intended to protect EU citizens. After concerns about US government surveillance practices and their impact on the privacy of EU citizens’ personal data, the Privacy Shield was invalidated by the European Court of Justice in 2020, creating uncertainty in the transatlantic data-sharing network.

Alternative Data Transfer Mechanisms

With the Privacy Shield removed, UK organisations wishing to transfer personal data to the US had to rely on alternative data transfer mechanisms such as Standard Contractual Clauses (‘SCCs’) and Binding Corporate Rules (‘BCRs’).

Most UK organisations relied on SCCs to lawfully transfer personal data to the US following the demise of the Privacy Shield. However, SCCs were only deemed a lawful mechanism if the data exporter also carried out a potentially complex transfer impact assessment to consider whether the protection for UK data subjects under the UK data protection regime would be undermined by US laws.

In March 2022, the International Data Transfer Agreements (IDTAs) superseded the EU SCCs in the UK after the UK GDPR replaced the EU GDPR in January 2021. IDTAs operate in a similar way to SCCs and therefore need to be accompanied by a transfer risk assessment to ensure that the transfer adequately protects the rights of UK data subjects.

EU-US Data Privacy Framework

On 25th March 2022, the US and EU announced the EU-US Data Privacy Framework (‘DPF’) which provided a mechanism for personal data to transfer safely from the EU to US organisations participating in the DPF, without the need for additional data protection safeguards. This came into force on 10th July 2023 after the European Commission’s decision that the US ensures an adequate level of protection for personal data transferred under the new framework.

UK-US Data Bridge

The Data Bridge is the UK extension to the DPF, allowing personal data to be transferred from the UK to organisations in the US which are participating in the DPF, with no further safeguards necessary. However, any transfer under the UK extension must be made to a DPF-certified US organisation which has opted into the UK extension. Additionally, any data transferred by this method which is ordinarily covered by the UK GDPR will be subject to the principles of the DPF.

To self-certify, eligible US organisations must agree with the DPF principles, which provide data protections for personal data transferred from the EU. Following this, they must make a public commitment to comply via a published privacy policy. The principles impose commitments in relation to data protection and set out requirements on how an organisation collects, processes, and discloses personal data.

Certain categories of personal data that are treated as ‘special category’ data under the UK GDPR are not considered ‘sensitive’ information under the DPF unless they have been identified as sensitive by the transferring organisation. The categories that must be expressly flagged as sensitive are:

  • Biometric data;
  • Data concerning sexual orientation;
  • Genetic data; and
  • Criminal offence data.

The following rights are not protected under the DPF but are provided for in the UK GDPR:

  • The right to be forgotten under the UK GDPR;
  • The rights under the UK GDPR relating to decisions based solely on automated processing; and
  • The unconditional right to withdraw consent to data processing.

Before relying on the Data Bridge as a valid transfer mechanism, UK businesses should ensure that all pre-transfer requirements and considerations are satisfied and made.

Benefits

  • Legal clarity – the Data Bridge provides a clear legal framework for data transfers, reducing uncertainty for businesses and individuals in both the UK and US.
  • Enhanced security – the agreement prioritises data security, ensuring that personal data remains safe during transit and storage.
  • Reduced compliance costs – administrative obligations under the Data Bridge are much reduced compared to those under alternative compliance measures. The Data Bridge therefore represents a more cost-effective means for businesses to operate in the UK and US.
  • Swift dispute resolution – the Data Bridge includes mechanisms for swift resolution of data-related disputes, reducing the need for lengthy legal battles and associated costs.

Challenges

  • Data privacy – it has been suggested that the agreement may not go far enough in safeguarding data privacy – it is crucial for governments and businesses to strike the right balance between data and individual privacy rights.
  • Security risks – as data sharing becomes more streamlined, there is always the risk of increased exposure to security threats.
  • Regulatory compatibility – the Data Bridge must work in harmony with existing data protection regulations like the UK GDPR and US Privacy Act to ensure a seamless and compliant data-sharing environment.

If your business requires advice on its compliance with the Data Bridge, our data protection lawyers can help. For further information please contact James Simpson on 01494 478689 or email jfs@blasermills.co.uk.

This article is not intended to constitute legal advice and you should not take, or refrain from taking, any action based on the information which it contains. Always seek the services of a professional legal adviser.

Catch Me If You Can: Service of Proceedings by NFT – An Update

A New Standard for Crypto Asset Disputes?

In D’Aloia v Person Unknown & Others [2022] EWHC 1723 (Ch), the High Court, for the first time, granted permission for proceedings to be served by non-fungible token (“NFT”) and email. In our article Catch Me If You Can: Service of Proceedings by NFT, we noted that it remained unsettled law whether service by NFT alone would be permissible.

In the recent case of Osbourne v Persons Unknown and another [2023] EWHC 39 (KB), the High Court has now clarified the position and, for the first time, permitted service of proceedings by NFT alone. 

The Decision in Osbourne

Osbourne concerned a claim brought in relation to the hacking of a digital wallet containing two NFTs, representing unique digital works of art, which were transferred out of the claimant’s wallet. The claimant instructed a digital forensic investigator to trace the NFTs, each of which had been transferred multiple times through various intermediary wallets.

One NFT had ultimately been transferred to an identifiable individual in South Africa, for whom an email address had been obtained (“the Identified Defendant”). However, the second NFT had been transferred to a wallet of a person unknown (“the Unidentified Defendant”).

The Court granted the claimant permission to serve proceedings on the Unidentified Defendant exclusively by NFT, on the basis that there was no other method available to the claimant. In line with the principles established in D’Aloia, the claimant was given permission to serve proceedings by both NFT and email on the Identified Defendant.

The Court further granted permission for the documents which were to be served via NFT to be redacted to protect private data, on the basis that they would be publicly accessible on the blockchain, and on the proviso that the Defendants would be given unredacted versions.

Jurisdictional Gateways

In considering the jurisdictional gateways of Practice Direction 6B (as contained in the Civil Procedure Rules) in determining the application for service out, the Court noted the difficulties in applying gateways 11 and 15 to cases involving crypto-asset hacking and made the following observations:-

  • Gateway 11 (claim relating to property within the jurisdiction) and gateway 15(b) (constructive trust, where the claim relates to assets within the jurisdiction): the Court raised two queries: (i) whether England and Wales remained the situs of the NFTs in circumstances where they had been transferred to the wallet of person(s) unknown, who may have been domiciled outside the jurisdiction; and (ii) when the NFT has to be located in the jurisdiction of England and Wales for these gateways to apply. It was suggested that the NFT would need to have been within the jurisdiction when the application for permission to serve out is made, rather than when the cause of action arose. However, ultimately, the Court found that these were issues to be determined in due course in a contested and fully argued case.
  • Gateway 15(a) (constructive trust where the claim arises out of acts committed or events occurring within the jurisdiction): there is a question of construction of gateway 15(a) and specifically, which acts or events need to occur or be committed in England and Wales for the gateway to apply. This was again not determined and will, no doubt, be the subject of further litigation.
  • Gateway 15 (claim against the defendant as constructive trustee where the claim is governed by English law): this was the gateway that was applied in these circumstances. It was strongly arguable that the constructive trust that was created when NFTs were transferred from the claimant’s wallet was governed by English law and consequently, that the question of whether the Identified Defendant and Unidentified Defendant in turn became constructive trustees when they received the NFTs, was also governed by English law.

Comment

The High Court continues to show a willingness to modernise legal mechanisms established long before the development of crypto assets, to ensure that England remains a key legal centre for disputes of this nature. The Court’s approach to the jurisdictional gateways considered in this case, demonstrates that this framework may also be ripe for modernisation in the face of an ever-changing technological landscape.

Whilst it has now been established that exclusive service by NFT is permissible in circumstances where there is no other method available to a claimant, it is yet to be seen whether the Court would permit exclusive service by NFT where other means of service are available to a claimant. Indeed, in this case, the Identified Defendant was served by NFT and email.

In the short term, at least, it seems unlikely that the Court would look to expand the scope of exclusive service by NFT further, to permit exclusive service by NFT in any circumstances.

However, if crypto assets become more mainstream because, for example, stable coins gain widespread acceptance, then we would anticipate the use of service by NFT becoming widespread or even the norm for claims involving that type of asset.

If you require any further information or advice please get in touch with Nick Scott on nxs@blasermills.co.uk.

Catch Me If You Can: Service of Proceedings by NFT

In the landmark decision of D’Aloia v Person Unknown & Others [2022] EWHC 1723 (Ch), the English High Court has, for the first time, granted permission for proceedings to be served by non-fungible token (“NFT”).

The case was brought by the victim of a scam who had been conned into transferring cryptocurrency to wallets operated by fraudsters, whose identities were unknown. The claimant sought, amongst other things, permission to effect alternative service of proceedings on the persons unknown by (i) email, which is now considered relatively mainstream and has generally been permitted for a number of decades and (ii) NFT in the form of an ‘airdrop’ into the wallets used to perpetrate the fraud, which would embed the service in the blockchain. 

The Court granted alternative service of the proceedings by email and NFT. In respect of service by NFT, Mr Justice Trower went as far as saying “There can be no objection to it; rather it is likely to lead to a greater prospect of those who are behind the [fraud] being put on notice of the making of this order, and the commencement of these proceedings”.

It remains unsettled whether service by NFT alone would be permissible. Whilst the Court was not asked to consider this issue, Mr Justice Trower did note that “I do not think it is appropriate… to make an order for service by alternative means in circumstances in which it would be sufficient, without serving by email as well.” However, given that in most instances a fraud would have been preceded by some form of correspondence/contact, instances where a postal address or email address for service is unavailable will likely be rare, even if the identity of those behind the address is unknown.

It is notable that this decision was preceded by a judgment of the New York Court which permitted service of a freezing notice by NFT against an unknown defendant in a case concerning the theft of cryptocurrency.

D’Aloia is one of a number of decisions over the course of the last two years, in which the English High Court has shown a willingness to embrace crypto assets and modernise legal mechanisms established long before the development of this technology to ensure that England remains a key legal centre for disputes of this nature (for example see our articles: Crypto Assets – No Longer a Safe Haven for Fraudsters, Crypto Currencies: Too Volatile to Provide Security).

It will be interesting to see how the use of NFTs in legal proceedings evolves, given the benefits associated with blockchain recognition as referred to the Court in this case. For example, we could foresee a particular benefit in NFTs being incorporated into the electronic signing of Court related documents.

If you require any further information or advice please get in touch with Nick Scott on nxs@blasermills.co.uk.

Becky Cooper

Becky is a Senior Associate in the Corporate, Commercial contracts and Intellectual Property team.

Becky advises clients on a broad range of commercial law matters, with particular expertise assisting clients in respect of solely non-contentious Intellectual Property issues. She advises clients from a range of industries on how to contractually protect, exploit and licence their intellectual property, including software.

She has extensive experience drafting and advising upon a wide range of commercial contracts, including business terms, distribution and reseller agreements, sub-contracts and SaaS agreements.

Becky also has experience in advising on Financial Conduct Authority (FCA) regulatory matters and has previously worked as a regulator at the London Stock Exchange.