Photo of Cynthia O’Donoghue

Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation  (see consultation here).

A recap of the current UK cybersecurity law: NIS Regulations

One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the EU Cybersecurity Directive 2016 prior to Brexit.

Under the NIS Regulations, businesses who provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSP) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident which has a significant impact on the continuity of the essential services.

Continue Reading Cybersecurity 2.0: the UK follows suit with the EU in launching cybersecurity law reform

The UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’), has released draft guidance on the research provisions within the UK’s General Data Protection Regulation (‘UK GDPR’) and Data Protection Act (‘DPA’). The guidance is out for public consultation until 22 April 2022.
Continue Reading What does the ICO tell us about using data for research purposes?

On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).
Continue Reading ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET

In a judgment handed down by the UK Court of Appeal on 21 December 2021 ([2021] EWCA Civ 1952, available here), Walter Soriano, the claimant, was granted his cross-appeal, giving him permission to serve Forensic News LLC and four other defendants in the United States with proceedings under the General Data Protection Regulation (GDPR). The appeal came from the High Court, which had previously refused such permission on the basis that the claimant could not demonstrate that the claim satisfied the test for serving claims outside the jurisdiction. The reason given by the High Court was that the processing of the claimant’s personal data did not fall within the territorial scope of the GDPR. The Court of Appeal therefore revisited the GDPR’s territorial scope as part of this appeal and decided the claimant had an arguable case and could therefore serve the claim outside the jurisdiction.
Continue Reading UK’s Court of Appeal assesses territorial scope of GDPR

During the autumn of 2021, the European Parliament adopted a draft cybersecurity directive, the revised ‘Directive on security of network and information systems’ (commonly referred to as ‘NIS2’). When it moved to the Council, additional changes were made; one was to extend the time for Member States to transpose it into national law from 18 months to two years.

Continue Reading Cybersecurity 2.0: European Parliament adopts new draft directive

On 17 December 2021, the European Commission (the Commission) adopted an adequacy decision for South Korea. This means that free transfers of personal data from the European Economic Area (EEA) to private and public entities in South Korea will be permitted from that date onwards (including remote access from South Korea).

Continue Reading South Korea granted adequacy decision

The European Data Protection Board (EDPB) recently adopted Guidelines 05/2021 (the Guidelines) on the interplay between what it means to be outside the European Economic Area (EEA) but directly applicable to the General Data Protection Regulation (GDPR) and what constitutes an international transfer under Chapter V of the GDPR.

The Guidelines set out a ‘cumulative’ definition providing a three-step assessment, and each step of the definition needs to be satisfied before a transfer is deemed to be a transfer of personal data. The guidance seeks to address the questions raised by the European Commission (EC) when it issued the standard contractual clauses (SCCs) earlier this year. The main question is whether personal data processed by a company outside the EEA but subject to the GDPR is a transfer or not.

The Guidelines seek to settle that question that such movements of personal data are not transfers. Instead, the Guidelines state the controllers or processors of such personal data, due to their being subject to the GDPR, must apply Chapter V to the personal data they transfer to a third country as if they were located in the EEA. What can be deemed a ‘geographic’ transfer rather than a legal one separately subject to Chapter V. The Guidelines, however, are open for a consultation period, so the question does not have a definitive answer yet.

Continue Reading GDPR: Is it a transfer? Is it not a transfer? It’s EDPB guidance on Chapter V

In one of the most highly anticipated judgments in recent years, the UK Supreme Court has unanimously rejected a class-action style compensation claim under the Data Protection Act 1998. The Supreme Court decision was handed down as a result of a claim raised against Google LLC (Google) by Richard Lloyd on behalf of four million data subjects.

Continue Reading Lloyd v. Google: Supreme Court rejects compensation claim

On 7 September 2021, the High Court granted a defendant’s application for summary judgment in a claim for compensation brought by three data subjects resulting from a data breach suffered by the defendant, on the basis that the breach was ‘trivial’ (here).

The case

The case related to a single email (with attachments) sent by the defendant, a firm of solicitors. The defendant, who represents a school to whom the claimants, a set of parents, owed outstanding school fees, had been instructed to write to the claimants with a demand for payment. The email consisted of a letter and a copy of the statement of account.

Due to one letter difference in one of the email addresses, the correspondence was sent to an unintended recipient. The unintended recipient responded promptly, indicating that they thought the email was not intended for them. The defendant then responded promptly, asking the unintended recipient to delete the email, which they agreed to do. The recipient was unknown to the claimants personally.

The email contained the claimants’ names, address and the amount of school fees owed, as well as reference to proposed legal action, but it did not contain any financial information in the form of bank or card details, or information about the income or financial position of the claimants.

The claim brought by the claimants was for, amongst other things, compensation for non-material damage (i.e., distress) under article 82 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) and section 169 of the Data Protection Act 2018. This was based on (i) the claimants having suffered “lost sleep”, (ii) the breach having “made them feel ill” and (iii) extensive time having been spent by the claimants dealing with the issue.

Continue Reading ‘Trivial’ data breach claim dismissed by High Court

On 18 October 2021, the European Commission (the Commission) launched a public consultation on adapting the civil liability rules for the digital age, with a specific focus on challenges arising from the adoption of artificial intelligence (AI).

The consultation builds on the Commission’s inception impact assessment roadmap (IIA) on this topic and is part of the Commission’s wider effort to modernise EU regulations for the digital age.

Why the civil liabilities rules need to change

While Product Liability Directive 85/374/EEC (Directive) sets out rules aimed to ensure that injured parties are compensated for damage caused by defective products, the Commission has previously noted in a report in 2018 and the IIA that the Directive is no longer fit for the digital age. Challenges include:

  • Whether and how intangible digital elements such as software can be classified as products
  • The lack of clarity on who should be liable for defects after products are put into circulation
  • Significant obstacles for injured parties to obtain compensation, especially given the difficulties in establishing causal links where the behaviours of AI systems are partially or wholly opaque


Continue Reading Civil liability rules in the digital age: EC launches consultation