Today, after over two years of detailed negotiations, President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”) outlining steps the U.S. will take to implement its commitments under the European Union-U.S. Data Privacy Framework, originally announced by President Biden and European Commission President Ursula von der Leyen in March of 2022 (as previously discussed here).[1]
Continue Reading President Biden Signs Executive Order on New EU-US Data Privacy Framework
California Refuses to “Kid Around” on Children’s Privacy With Enactment of the California Age Appropriate Design Code
Determined to maintain its position as a pioneer for consumer privacy rights, California is again among the first to take action to tackle issues of children’s safety and privacy online with the enactment of the California Age-Appropriate Design Code (the “Code”), which was signed into law by Governor Gavin Newsom on September 15, 2022. Once effective on July 1, 2024, the Code would, among other things, prescribe rules that require businesses to design their online products and services with children’s privacy in mind and identify and mitigate any risks of material detriment to children that arise from businesses’ online data practices.
Continue Reading California Refuses to “Kid Around” on Children’s Privacy With Enactment of the California Age Appropriate Design Code
UK’s Data Protection and Digital Information Bill: An Uncertain Direction
On September 5, 2022, following the election of the new UK Prime Minister, the UK Government decided not to proceed with the second reading and other motions relating to the Data Protection and Digital Information Bill (the “Bill”), which was due to have taken place on the same day. According to the Leader of the House of Commons, this Bill was pulled as “to allow Ministers to consider the legislation further”.
Continue Reading UK’s Data Protection and Digital Information Bill: An Uncertain Direction
The New Commission SCCs for Data Transfers under GDPR – More Questions than Answers?
The past few years have brought monumental changes to how we handle international data transfers from the EU. Schrems I, GDPR, Schrems II, Brexit and now the new Standard Contractual Clauses, published in June, 2021.
Here we share our views on improvements and challenges this modernised version of the SCCs has brought and how it…
The Centennial State Claims a New Number: Colorado to Become Third State in the U.S. to Enact Comprehensive “Privacy Act”
Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which…
ADGM enacts new Data protection Regulations 2021
On 11 February 2021, the Abu Dhabi Global Market (“ADGM”), Abu Dhabi’s financial free zone, enacted the new Data Protection Regulations 2021 (the “Regulations”), replacing the Data Protection Regulations 2015 in their entirety and bringing the ADGM regime closer to the European Union’s data protection regime under the General Data Protection Regulation (“GDPR”).
Our alert memo, published at the end of 2020 following the ADGM’s opening of a public consultation period on the draft Data Protection Regulations 2020 (the “Draft Regulations”), provides an overview of the key features of the Draft Regulations, areas of overlap with the GDPR, as well as certain proposed departures from the GDPR that will need to be monitored by organisations doing business in both the ADGM and the European Union.
The Regulations are applicable to those processing personal data where a controller or processor has been established in the ADGM, regardless of whether the processing actually takes place in the ADGM or not.
We set out below an update to our alert memo, highlighting the few notable additions/amendments to the Draft Regulations as compared with the final Regulations published on 11 February 2021.Continue Reading ADGM enacts new Data protection Regulations 2021
Ready to Pounce: Regulators Are Intensifying GDPR Enforcement
After what appears to be a period of relative leniency in 2018/19, enforcement actions for violations of the EU General Data Protection Regulation (“GDPR”) have since intensified. In 2020, according to publically available information, supervisory authorities across the EU and the UK Information Commissioner’s Office (“ICO”) have issued over EUR 170 million worth of fines combined[1], with six of the top ten individual fines imposed being issued in 2020[2].
Continue Reading Ready to Pounce: Regulators Are Intensifying GDPR Enforcement
UK ICO Data Breach Fines – What Can We Learn From British Airways and Marriott?
In July 2019, the UK Information Commissioner’s Office (“ICO”) issued two notices of intent (“NOIs”) to fine British Airways (“BA”) and Marriott International Inc. (“Marriott”) for violations of the EU General Data Protection Regulation (“GDPR”), both related to high-profile personal data breaches. The NOIs proposed staggering fines of £183.39 million and £99.2 million, respectively, which would have constituted the largest penalties levied under the GDPR to date. More than a year later, the UK ICO finally issued the long-awaited penalty notices in relation to both investigations, imposing in both cases fines that, while still significant, were greatly reduced from what had initially been indicated – £20 million in the case of BA (a massive reduction of more than £163 million), and £18.4 million in the case of Marriott (an equally surprising reduction of more than £79 million).
Continue Reading UK ICO Data Breach Fines – What Can We Learn From British Airways and Marriott?
Recommendations of the EDPB Further to the CJEU’s Schrems II Judgment: One Step Forward, Two Steps Back?
Main Takeaways
Recommendations 01/2020 of the European Data Protection Board (the “EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the “Recommendations”)[1] attempt to provide a step-by-step roadmap to help EU data exporters transfer personal data outside the EU to third countries in a manner consistent with the judgment of the Court of Justice of the European Union (the “CJEU”) handed down on July 16, 2020, in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, further described in Section 1 below).[2] The Recommendations were published on November 11, 2020 and can be relied upon immediately, even though they are subject to public consultation, with comments being due prior to December 21, 2020.
Continue Reading Recommendations of the EDPB Further to the CJEU’s Schrems II Judgment: One Step Forward, Two Steps Back?
Schrems II: The CJEU Declares EU-U.S. Privacy Shield Invalid, Upholds the SCCs And Calls On 27 Supervisory Authorities to Ensure Their Compliance
In a highly-anticipated landmark judgment handed down on July 16, 2020, the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, summarised in part 3. below and the full text of which can be accessed here) has:
- invalidated the European Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Data Protection Shield (the “EU-US Privacy Shield”) for transfer of personal data from the EU to entities certified under the mechanism located in the United States;
- upheld the European Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established outside the EU (the “SCCs”); and
- reminded that a transfer of data based on SCCs may be challenged before the competent supervisory authority, which has to “suspend or prohibit”, on a case-by-case basis, any such transfer when, in its view, the SCCs “are not or cannot be complied with.”