In the latest of a recent string of judicial rebukes, the Supreme Court’s unanimous decision in Axon Enterprise, Inc. v. FTC  offers the targets of Federal Trade Commission (“FTC”) and other agencies’ administrative proceedings a path to quicker judicial relief.  Historically, courts have been reluctant to permit immediate challenges to investigations and adjudications without forcing the targets to wait for the resolution of all agency proceedings.  While aptly referred to as the doctrine of “exhaustion,” the result, as Justice Gorsuch observed, is that “agencies sometimes use this as leverage to extract settlement terms they could not lawfully obtain any other way.”  The Court’s decision in Axon not only deprives the FTC of a potential source of leverage, but it also increases the likelihood that companies faced with investigations may turn to the courts for relief at an earlier stage.  The decision comes at a time when the FTC’s powers and attempts to exercise those powers have been called into question by the bar, members of Congress, and by courts.

Continue Reading Unanimous Supreme Court limits FTC and other agencies’ investigative power

On 4 April 2023, the Personal Information Protection Commission of Japan (PPC) and European Commissioner for Justice issued a joint Press Statement on the conclusion of the first review of the Japan-EU Mutual Adequacy Decision. Both sides reiterated the importance of cooperation in the data protection regulation sphere that is becoming increasingly complex to navigate.

Continue Reading EU may expand the scope of the adequacy decision for Japan following its first review

Amidst growing public attention on artificial intelligence (AI), the UK government recently published its white paper detailing its “pro-innovation” approach to AI. Other developments, showing the UK’s continued focus on this area, are also outlined below.

Continue Reading A “light touch” approach to AI regulation in the UK

On 13 March 2023, the Information Commissioner’s Office (‘ICO’) published new guidance, ‘Privacy in the product design lifecycle’, to help technology professionals, such as UX designers, product managers and software engineers, keep data protection considerations at the forefront of their products and services. The guidance describes how to tackle privacy issues arising at each stage of the design and development process, as summarised below.

Continue Reading Takeaways from ICO’s “Privacy in the product design lifecycle” guidance

The Critical Entities Resilience Directive (‘CER’) entered into force on 16 January 2023, replacing the 2008 European Critical Infrastructure Directive. The new rules are aiming to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The CER Directive introduces new obligations on entities providing essential services and extends to more sectors compared to its predecessor, meaning more companies will fall within the scope of the new rules.

Which sectors does CER cover?

Whilst the 2008 Directive covered only energy and transport, CER extends to nine new sectors: banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. This means that companies operating within those sectors need to stay alert and assess whether the new rules apply to them.

Who does CER apply to?

CER applies when:

  • The entity provides one or more essential services;
  • The entity operates and has its critical infrastructure located in the EU;
  • Incident would have a significant disruptive effect on the provision of essential services.

It is important to note that essential entities that fall under the EU’s Second Network and Information Systems Directive (“NIS2”) scope are within the scope of CER as entities providing essential services.

Who will identify critical entities?

The Member States will identify the relevant critical entities and notify them within one month of identification. The identification will be based on a risk assessment carried out by the Member States. The assessment must be completed by 17 January 2026.

The assessment will take various factors into account such as natural and man-made risks, public health emergencies, and terrorist threats. Member States will consider various criteria to determine what constitutes a significant disruptive effect including the number of users of the service, market share, cross-border impact, and the impact of potential incidents.

In relation to the identified critical entities, Member States will also be able to conduct on-site inspections, audits, and issue penalties, which are to be determined by 17 October 2024.

What obligations will critical entities have?

Once identified, the critical entity must review its business and identify the relevant risks and measures to ensure resilience within nine months of notification and then update every four years. The risk assessment should account for all the relevant natural and man-made risks, which could lead to an incident, including those of a cross-sectoral or cross-border nature.

The critical entities will be under an obligation to implement appropriate and proportionate technical, security and organisational measures to ensure their resilience in, amongst all, preventing incidents, ensuring adequate physical protection of premises or responding and mitigating the consequences of incidents. The measures also include training personnel. Finally, the critical entities will also have to notify the competent authority of incidents that significantly disrupt (or have a potential to disrupt) the provision of an essential service, taking into consideration various factors. The notification will have to be made without undue delay and no later than 24 hours after becoming aware.

On 8 March 2023, the UK government presented a new version of the UK Data Protection and Digital Information Bill No.2. As with the previous bill, the new bill aims to alleviate the burden of compliance with the UK GDPR and its implementing UK Data Protection Act (2018) for organisations in the UK.

Continue Reading UK Data Protection Bill No.2 – What is changed?

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (‘LIBE Committee’) and the European Data Protection Board (‘EDPB’) have recently issued opinions on the European Commission’s draft US adequacy decision (‘Draft Adequacy Decision‘) for the EU-US Data Privacy Framework (‘Framework‘). Both believe there is more work to be done and additional measures to be taken to achieve equivalent protection. This dampens expectations that the data transfers to US companies self-registered under the Framework are within reach.

LIBE Committee calls for Draft Adequacy Decision to be scrapped

On 14 February 2023, the LIBE Committee found that the Framework does not result in equivalent protection for personal data in the US, and has called on the Commission not to grant an adequacy decision for the Framework on this basis.  Some of the shortcomings identified by the LIBE Committee include:

  • US intelligence activities need only be proportionate to the ‘validated intelligence priority’, which will be interpreted under US law.  The US interpretation of proportionality is far broader than in the EU, meaning that there is still a very broad justification for systemic surveillance by US intelligence agencies on EU data subjects.
  • Executive Order 14086 (‘Executive Order‘) does not prohibit the bulk collection of data by intelligence agencies (including the content of communications), and the list of legitimate national security objectives can be expanded by the US President in secret.
  • The proposed Data Protection Review Court’s (‘DPRC’) decisions will be classified, meaning that data subjects would be denied their rights to access/rectify their data.  The DPRC is also part of the executive branch rather than the judiciary, meaning it is not independent and impartial within the meaning of Article 47 of the EU Charter of Fundamental Rights.
  • There is still no federal data protection law in the US, and the Executive Order is subject to unilateral amendment by subsequent US Presidents.

The EDPB says the Framework needs more work

On 28 February 2023, the EDPB issued its opinion on the Framework. It noted that equivalence as required under the GDPR did not mean that the US had to enact identical data protection laws. It welcomed the establishment of the DPRC and found sufficient safeguards in place to show its independence.

However, it did express concerns in relation to:

  • The continued use of bulk collection of personal data under the Executive Order.
  • The secrecy of DPRC decisions and its standard response to data subjects without exceptions.
  • The inability of the courts of general jurisdiction in the US to apply the Executive Order, so despite them being listed in the Executive Order they cannot serve as a recourse mechanism.
  • The lack of controls on onward transfers may undermine the level of protection in place with the original recipient in the US.
  • The broad number and scope of exemptions from adherence to the principles set out in the Framework.
  • The practical application of the principles of necessity and proportionality set out in the Executive Order and limited ability to monitor their application due to the classified nature of the reports by oversight bodies.

The EDPB recommended that the adequacy decision should be conditional upon the adoption of the policies and procedures set out in the Executive Order by all US intelligence services.

Next steps

The Draft Adequacy Decision will now need to pass through a committee composed of representatives of EU Member States and be subjected to scrutiny from the European Parliament. Despite the criticisms of the Framework, the expectation is that the Commission will take a pragmatic view to permit EU-US data transfers to further business interests between the nations. The draft adequacy decision already has mechanisms for an emergency repeal procedure in case the Executive Order removes the agreed protections. On the current timeline, the optimistic prediction is that adoption may occur in the summer 2023.

If you can remember as far back as December 2021, we published a blog post announcing that the European Data Protection Board (EDPB) published draft guidelines on the interplay between the territorial scope of the GDPR and the international transfer requirements. Following what must have been an extensive consultation, we are pleased to report that those guidelines were finally finalised on 14 February 2023 (here) and, are even more pleased to report that they contain some very useful illustrations to help you make sense of the concept of international data transfers.

Continue Reading The EDPB makes its mind up about transfers

2022 was another busy year in privacy and data protection. We have seen major new developments at both the EU and the UK level, in terms of new legislation taking effect, changes to the data transfer regime, analytics cookies coming under regulatory spotlight from various EU data protection authorities, and substantial fines issued for breaches of data protection law.

Regulations surrounding privacy and data continue to develop at a rapid pace. Emerging technologies have changed the manner in which personal data is collected and used. These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 could be an exciting and a busy year for privacy and data.

We asked some of our Tech & Data team members in the field to get their opinions on what is likely to happen in privacy and data in 2023:

Continue Reading EU and UK privacy and data predictions for 2023

The European Union’s Second Network and Information Systems Directive (“NIS2”) entered into force on 16 January 2023, and replaces the NIS 1 Directive.  NIS2 aims to “improve the resilience and incident response capacities of both the public and private sector and the EU as a whole”. In addition to the EU’s NIS2 update, the UK has also recently expanded its Network and Information Systems Regulations, and further details can be found in our blog here.  The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

Continue Reading NIS2 toughens up EU’s cyber security obligations