The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (‘LIBE Committee’) and the European Data Protection Board (‘EDPB’) have recently issued opinions on the European Commission’s draft US adequacy decision (‘Draft Adequacy Decision‘) for the EU-US Data Privacy Framework (‘Framework‘). Both believe there is more
NIS2 toughens up EU’s cyber security obligations
The European Union’s Second Network and Information Systems Directive (“NIS2”) entered into force on 16 January 2023, and replaces the NIS 1 Directive. NIS2 aims to “improve the resilience and incident response capacities of both the public and private sector and the EU as a whole”. In addition to the EU’s NIS2 update, the UK has also recently expanded its Network and Information Systems Regulations, and further details can be found in our blog here. The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.
Continue Reading NIS2 toughens up EU’s cyber security obligations
A sigh of relief? EU-US data transfers
At the end of 2022, the European Commission published its draft adequacy decision on the EU-US transfers of personal data. The draft contains an assessment of the US legal framework around state surveillance. Once in place, EU data transfers to the US under the new Data Privacy Framework (“EU-US DPF”) will be free. However, there are still some steps to take.
ICO provides an alternative to the EDPB transfer impact assessment
On 17 November 2022, the UK Information Commissioner’s Office issued updated guidance on international personal data transfers. The guidance is to be used for transfers of personal data from the UK to third countries. The ICO added a template transfer risk assessment (TRA) to the guidance, which is required when organisations rely on a transfer tool under Article 46 of the UK GDPR, e.g. the ICO’s International Data Transfer Agreement (the UK version of the EU SCCs); the Addendum to the EU SCCs, or the Binding Corporate Rules. The requirement to carry out transfer impact assessments stems from Article 46(1) of the UK GDPR, which states that the transfer mechanisms can be used “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” confirmed by the CJEU’s Schrems II judgement.
The ICO’s TRA offers an alternative approach to the EDPB’s transfer impact assessments (TIA), to assist data exporters with carrying out their analysis to check that that protections under the transfer tool are not undermined by the laws and practices of the recipient third country.
Continue Reading ICO provides an alternative to the EDPB transfer impact assessment
UK Government grants South Korea a data adequacy status
On 24 November 2022, the Data Protection (Adequacy) (Republic of Korea) Regulations were laid before the UK parliament for approval. The Regulations are due to come into force on 19 December 2022. From then onwards, transfers of personal data to South Korea by organisations in the UK may be made without the need to put UK International Data Transfer Agreements (UK versions of the Standard Contractual Clauses) or other transfer tools in place with recipients of personal data in South Korea.
Continue Reading UK Government grants South Korea a data adequacy status
ICO expects large organisations to make financial investments to maintain their security standards
A recent £4.4m fine imposed by the ICO in October 2022 reveals its views on the responsibility of the parent company, senior management, and financial investments in organisations’ security standards to prevent cyber attacks.
Does the UK-U.S. agreement under the U.S. CLOUD Act affect UK’s adequacy under the GDPR?
On October 3, 2022, the UK-U.S. agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (the UK-U.S. Agreement) came into force. The UK and the U.S. governments signed the UK-U.S. Agreement on October 3, 2019 under the U.S. Clarifying Lawful Overseas Use of Data Act 2018 (“CLOUD Act”). The U.S. government is negotiating similar agreements with the governments of Canada, Australia and New Zealand, but notably, not with the European Union.
Government releases proposals to reform UK data protection laws
On 17 June 2022, in response to its consultation in 2021 on the same topic (which we wrote about here), the UK government published more detailed proposals to reform data protection laws in the UK. The response to the consultation can be found here. The intention of the reforms is to achieve greater personal data use enabling economic growth by removing barriers and reducing obstacles for organisations whilst maintaining high standards of personal data protection and EU adequacy.
Continue Reading Government releases proposals to reform UK data protection laws
ICO enforcement actions in Q1 2022
In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions. There were 15 monetary penalties issued, ranging between £2k – £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to ensure adequate security around personal data. The last related to a ransomware attack and despite the controller being subjected to a malicious cybercrime, it was penalised for a failure to address known vulnerabilities and to prevent the ransomware attack in time.
The fourth anniversary of the GDPR: How the GDPR has had a domino effect
Four years ago, the General Data Protection Regulation (“GDPR”) came into force in the EU. Since then, the GDPR has had a domino effect, as many countries in the world have used it as a model to shape their own rules on the handling of personal data. Given the rapid changes in data protection legislation around the world, legal and compliance teams of multinational organisations are under pressure to keep up with such developments as they continuously adapt their compliance programs in response.
Continue Reading The fourth anniversary of the GDPR: How the GDPR has had a domino effect