Photo of Cynthia O’Donoghue

On 12 September 2023, the UK Information Commissioner and the Chief Executive of the National Cyber Security Centre (NCSC) signed a joint Memorandum of Understanding (MoU), which establishes how the NCSC and the Information Commissioner’s Office (ICO) will cooperate. The NCSC is the technical authority in the UK that provides standards and guidance to organisations on cyber security. The ICO is responsible for providing guidance and enforcement of the data protection rules in the UK, including the obligation of organisations to apply security measures around personal data.

Continue Reading Boosting digital resilience – The UK Information Commissioner and NCSC CEO sign Memorandum of Understanding

The House of Commons Committee on Science, Innovation and Technology (the Committee) embarked on an inquiry in October 2022 to assess the impact of artificial intelligence (AI) on various sectors, AI regulation, and the UK Government’s AI governance proposals. The resulting interim report, published on 31 August 2023, offers valuable insights, particularly from a legal standpoint, on the challenges and approaches related to AI governance in the UK.

Continue Reading AI, a Double-Edged Sword: Recommendations from the Committee’s Interim Report on AI

On 9 August 2023, the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) published a joint position paper on Harmful Design in Digital Markets (Harmful Designs Paper) that urges businesses to stop using harmful website designs that exploit customers by encouraging them to provide more personal data than necessary. The regulators are

The Information Commissioner’s Office (ICO) has published a report on reprimands issued in the second quarter of the year, from April to June 2023. The recent reprimands by the ICO shed light on areas of data protection where organisations across the public and private sectors have fallen foul of the UK GDPR and are instructive as to how organisations can improve their practices. Our blog focuses on three key lessons gleaned from these reprimands.

Continue Reading Three lessons from ICO’s quarterly enforcement report

The UK Department for Culture, Media and Sport published draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Draft Security Regulations). These regulations fall under the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA), which comes into effect on 29 April 2024 and which you can read about in our earlier blog. Part 1 of the PSTIA establishes a regulatory framework that imposes security requirements on manufacturers, importers, and distributors of these products. The Draft Security Regulations outline the specific security requirements for manufacturers.

Continue Reading Navigating the Path to Compliance: Takeaways from the New Draft Security Regulations for Connected Devices

Background

The European Commission (EC) issued the long-awaited adequacy decision for the new EU-U.S. Data Privacy Framework (Framework) on July 10, 2023. The Court of Justice of the European Union (CJEU) had previously invalidated both the U.S.-EU Safe Harbor in 2015 and the U.S.-EU Privacy Shield in 2020 after challenges by Austrian privacy activist Max Schrems (CJEU decisions known as Schrems I and Schrems II, respectively). Following those decisions, President Biden signed Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities”, which introduced new binding safeguards. Our previous client alert discussed how the draft adequacy decision, including in relation to this Executive Order, addressed concerns raised in Schrems II.

Continue Reading Third Time’s a Charm: European Commission adopts EU-U.S. Data Privacy Framework

On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of its first module of the Model Contractual Clauses (“MCCs”) for cross-border data transfers based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.

Continue Reading Convention 108+: The Council of Europe Releases Model Contractual Clauses for Global Data Transfers

On 19 June 2023, the Information Commissioner’s Office (ICO) released new Guidance on Privacy-Enhancing Technologies (PETs) for Data Protection Compliance. This guidance is designed to assist data protection officers (DPOs) and individuals responsible for managing large-scale personal data sets across diverse sectors, including finance, healthcare and research.

Continue Reading Guidance on Privacy-Enhancing Technologies for Data Protection Compliance: Key Considerations for Organizations

The UK’s new Product Security and Telecommunications Infrastructure Act 2022 will take effect on 29 April 2024 and will require manufacturers to implement minimum security standards on all consumer products with internet or network connectivity, such as smartphones, smart meters, CCTV cameras, smart speakers, games consoles, smart doorbells, and medical devices and wearables, before they can be made available for purchase.

Continue Reading From Smartphones to Alarm Systems: UK Mandates Minimum Security for Connected Devices

The EDPB 101 Task Force published a report summarizing its assessment of international data transfers in connection with the use of tracking and analytics cookies (Tracking Cookies). The report is available here. The 101 Task Force comprises representatives of the supervisory authorities in the EU (SA) and was created back in 2020, in response to the 101 complaints filed by NOYB, a data privacy activism group, regarding data transfers in connection with the use of Tracking Cookies.

Continue Reading Cookies and international data transfers: Key takeaways from the EDPB 101 Task Force report