In July 2019, the UK Information Commissioner’s Office (“ICO”) issued two notices of intent (“NOIs”) to fine British Airways (“BA”) and Marriott International Inc. (“Marriott”) for violations of the EU General Data Protection Regulation (“GDPR”), both related to high-profile personal data breaches. The NOIs proposed staggering fines of £183.39 million and £99.2 million, respectively, which would have constituted the largest penalties levied under the GDPR to date. More than a year later, the UK ICO finally issued the long-awaited penalty notices in relation to both investigations, imposing in both cases fines that, while still significant, were greatly reduced from what had initially been indicated – £20 million in the case of BA (a massive reduction of more than £163 million), and £18.4 million in the case of Marriott (an equally surprising reduction of more than £79 million).
Continue Reading UK ICO Data Breach Fines – What Can We Learn From British Airways and Marriott?

Main Takeaways

Recommendations 01/2020 of the European Data Protection Board (the “EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the “Recommendations”)[1] attempt to provide a step-by-step roadmap to help EU data exporters transfer personal data outside the EU to third countries in a manner consistent with the judgment of the Court of Justice of the European Union (the “CJEU”) handed down on July 16, 2020, in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, further described in Section 1 below).[2] The Recommendations were published on November 11, 2020 and can be relied upon immediately, even though they are subject to public consultation, with comments being due prior to December 21, 2020.
Continue Reading Recommendations of the EDPB Further to the CJEU’s Schrems II Judgment: One Step Forward, Two Steps Back?

On May 4, 2020 the European Data Protection Board (“EDPB”) updated the guidelines on consent under the EU General Data Protection Regulation 2016/679 (the “GDPR”). The guidelines were originally published by the Article 29 Working Party on April 10, 2018 and later endorsed by the EDPB.[1] The full text of the updated EDPB guidelines can be read here.
Continue Reading Cookie Walls and Scrolling Don’t Make the Grade – EDPB Clarifies Guidance on Consent Under GDPR

On April 28, 2020, the Belgian data protection authority (the Gegevensbeschermingsautoriteit / Autorité de protection des données, the “Belgian DPA”), handed down a decision imposing a €50,000 fine on Proximus, Belgium’s largest telecommunications operator, on the ground that Proximus had failed to protect its data protection officer (“DPO”) from conflicts

As many organisations adjust their business operations as a result of the COVID-19 pandemic, network and data security are in the spotlight.  The significant increase in remote working, brings unique challenges and organisations must remain mindful of their legal obligations to keep personal data secure.  In particular, the EU General Data Protection Regulation (“GDPR”) imposes a general obligation upon data controllers and processors to ensure the security of data processing against accidental or unlawful loss, damage, destruction, alteration or disclosure.

Controllers and processors must have in place appropriate technical and organisational measures to ensure a level of security for personal data that is commensurate to the risk associated with data processing.  This is not a static analysis, but something to be kept under review as circumstances change.  The mass shift to remote working has inevitably changed the risk profile of certain data processing activities.  Set out below is a summary of important considerations from a data security standpoint, taking into account the GDPR’s requirements as well as guidance from data protection supervisory authorities in the UK, France, Belgium, Germany and Italy.
Continue Reading COVID-19 Remote Working – GDPR Data Security Checklist

On February 19, 2020 the European Data Protection Board (“EDPB”) published its second statement on privacy in the context of corporate transactions.

The statement, the full text of which can be read here, highlights the existence of concerns related to the combination and accumulation of sensitive personal data and the possibility that such combinations could result in a high level of risk to the fundamental rights to privacy and  the protection of personal data.
Continue Reading EDPB Publishes Statement on Privacy Implications of M&A Transactions

In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies.

At the same time, comprehensive data privacy regulation became a new reality in the United States as many companies implemented major revisions to their privacy policies and data systems to

The UK Information Commissioner’s Office (“ICO”) issued its first penalty notice under the GDPR in December 2019.  Despite publishing notices of its intention to fine Marriott and British Airways in July 2019, the ICO has not yet taken its final enforcement action in these cases (and it is understood that the ICO has granted an extension for representations by the companies, until March 2020).  The £275,000 fine levied on Doorstep Dispensaree, a pharmaceutical company that provides various prescription medicines to care homes in the UK, therefore provides the first insight into the ICO’s approach to administrative fines under the GDPR (as further described below).
Continue Reading UK ICO Finally Issues GDPR Fine

The European Commission (the “EC”) has published (see link here) slides from its Task Force for Relations with the United Kingdom regarding the future relationship with the UK, in connection with personal data protection. The slides discuss a possible “adequacy” decision for the UK’s data protection regime, to be delivered by the EC by the end of the “transition period” which, under the draft Agreement on the Withdrawal of the UK from the EU (the “Withdrawal Agreement”), is currently envisaged to be December 31, 2020.

The slides were used for internal “preparatory discussions” and were presented on January 10, 2020 to the European Council’s Ad hoc Working Party on Article 50. The slides are not binding and are stated as being for “presentational and information purposes only”.
Continue Reading European Commission Provides Further Hints at Post-Brexit Adequacy Decision for the UK

On November 21, 2019, the French data protection authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) imposed a €500,000 fine on Futura Internationale, a midsized French company, for serious infringements of the EU General Data Protection Regulation (the “GDPR”) in connection with cold calling campaigns.[1]
Continue Reading French Regulator Fines Futura Internationale €500,000 for Infringements of the GDPR in Connection With Telephone Advertising Campaigns