Natalie Farmer

Subscribe to Natalie Farmer's Posts

The UK Supreme Court, in a unanimous decision delivered on April 1,[1] has overturned the decision of the Court of Appeal which had found that Morrisons Supermarkets plc (“Morrisons”) could be held vicariously liable for the unauthorized actions of an employee who had deliberately leaked the personal data of thousands of Morrisons’ employees online. In its judgment, the Supreme Court explained that the Court of Appeal had “misunderstood the principles governing vicarious liability”.[2] For more information on the background of this case and the High Court and Court of Appeal judgments, please see our article here. The full text of the Supreme Court judgment can be read here.
Continue Reading Relief for Employers as Supreme Court Rules no Liability in Morrisons Data Breach Case

On February 19, 2020 the European Data Protection Board (“EDPB”) published its second statement on privacy in the context of corporate transactions.

The statement, the full text of which can be read here, highlights the existence of concerns related to the combination and accumulation of sensitive personal data and the possibility that such combinations could result in a high level of risk to the fundamental rights to privacy and  the protection of personal data.
Continue Reading EDPB Publishes Statement on Privacy Implications of M&A Transactions

The UK Information Commissioner’s Office (“ICO”) issued its first penalty notice under the GDPR in December 2019.  Despite publishing notices of its intention to fine Marriott and British Airways in July 2019, the ICO has not yet taken its final enforcement action in these cases (and it is understood that the ICO has granted an extension for representations by the companies, until March 2020).  The £275,000 fine levied on Doorstep Dispensaree, a pharmaceutical company that provides various prescription medicines to care homes in the UK, therefore provides the first insight into the ICO’s approach to administrative fines under the GDPR (as further described below).
Continue Reading UK ICO Finally Issues GDPR Fine

The European Commission (the “EC”) has published (see link here) slides from its Task Force for Relations with the United Kingdom regarding the future relationship with the UK, in connection with personal data protection. The slides discuss a possible “adequacy” decision for the UK’s data protection regime, to be delivered by the EC by the end of the “transition period” which, under the draft Agreement on the Withdrawal of the UK from the EU (the “Withdrawal Agreement”), is currently envisaged to be December 31, 2020.

The slides were used for internal “preparatory discussions” and were presented on January 10, 2020 to the European Council’s Ad hoc Working Party on Article 50. The slides are not binding and are stated as being for “presentational and information purposes only”.
Continue Reading European Commission Provides Further Hints at Post-Brexit Adequacy Decision for the UK

While the EU General Data Protection Regulation 2016/679 (the “GDPR”) has grabbed headlines due to its extraterritorial reach and administrative fining regime (which permits fines for non-compliance up to the higher of €20 million or 4% of global, annual turnover),[1] a recent decision in the Northern District of California – Finjan v. Zscaler (“Finjan”)[2] – suggests that U.S. Courts won’t view the EU data protection legislation as an absolute obstacle to domestic discovery.  Finjan, as the first post-GDPR ruling of its kind, suggests that it will be business as usual navigating between U.S. civil discovery and EU law, at least from the U.S. courts’ perspective.
Continue Reading Can the GDPR Tip the Scales in U.S. Discovery – Finjan v. Zscaler

On 9 July, the UK Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 for alleged infringements of the EU General Data Protection Regulation ( “GDPR”) in connection with a cybersecurity incident notified to the ICO by Marriott in November 2018. The ICO’s public statement followed Marriott’s disclosure of the ICO’s intention to the US Securities and Exchange Commission (“SEC”) and comes just one day after the ICO published its notice of intention to fine British Airways £183.4 million (see our previous blog post here). The proposed fines, if enforced by the ICO, will be the two highest fines levied under the GDPR, to date.
Continue Reading UK Regulator Intends to Fine Marriott £99 Million for Personal Data Breach, Spotlighting M&A Cybersecurity Diligence

On June 24th, Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill that would require large technology companies to regularly disclose to their users and the Securities and Exchange Commission (SEC) the value of the user data they collect and monetize.  The bipartisan bill, cited as the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, is intended to capture major online platforms such as Amazon, Facebook, Google and Twitter that offer “free” services to users while monetizing user data through targeted advertising.
Continue Reading The DASHBOARD Act – Proposed New Law Would Force Large Technology Companies to Disclose the Value of Users’ Data

The UK Information Commissioner’s Office (“ICO”) has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018).  The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation (“GDPR”).
Continue Reading UK Data Protection Regulator Issues Notice of Intention to Fine British Airways £183.4 Million for Personal Data Breach

On 31 May 2019, the Supreme Court of Ireland dismissed Facebook’s appeal of the Irish High Court decision to refer questions regarding, among other things, the adequacy of the EU-U.S. Privacy Shield and the European Commission’s Standard Contractual Clauses to the Court of Justice of the EU (the “CJEU”). The CJEU will hear the case (C-311/18) on 9 July 2019.
Continue Reading Data Transfer Mechanisms to be Reviewed by CJEU After Irish Supreme Court Dismisses Facebook Appeal

On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.

Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that such third country is “adequate” from a data protection laws perspective, or “appropriate safeguards” are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR’s high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of “provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.[2] No such “administrative arrangements” have been approved by the EDPB until now.
Continue Reading EDPB Issues First Opinion on Administrative Arrangements Under the GDPR for Cross-Border Data Flows Between EU and Non-EU Securities Agencies