On 22 March 2022, the European Commission (“EC”) adopted two new proposals for a Cybersecurity Regulation and an Information Security Regulation (available here and here). These regulations aim to set common priorities and frameworks in order to further strengthen inter-institutional co-operation, minimise risk exposure and further strengthen the EU security culture.
Continue Reading European Commission adopts two proposals for cybersecurity and information security regulations
Cybersecurity 2.0: the UK follows suit with the EU in launching cybersecurity law reform
Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation (see consultation here).
A recap of the current UK cybersecurity law: NIS Regulations
One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the EU Cybersecurity Directive 2016 prior to Brexit.
Under the NIS Regulations, businesses who provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSP) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident which has a significant impact on the continuity of the essential services.
What does the ICO tell us about using data for research purposes?
The UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’), has released draft guidance on the research provisions within the UK’s General Data Protection Regulation (‘UK GDPR’) and Data Protection Act (‘DPA’). The guidance is out for public consultation until 22 April 2022.
Continue Reading What does the ICO tell us about using data for research purposes?
Cookie fines in France in January 2022: is it the beginning of a “Cookie Gate”?
In January 2022, several decisions by the French data protection regulator (“CNIL”) were published regarding the implementation of French cookie requirements, sending out a strong signal to website operators targeting French users. On 6 January 2022, the CNIL issued fines totalling 150 million euros and 60 million euros, to Google and Facebook respectively, for violations of the cookie laws in France. Both fines related to the method by which, and the lack of ease in which, users can reject the use of cookies, specifically on the following websites: google.fr, youtube.com and facebook.com. Some might see this as a controversial move by the CNIL, given that the method for opposing cookies has not strictly been written into law.
Then, on 28 January 2022, the French Supreme Administrative Court (French Council of State or “Conseil d’Etat”) upheld a 100 million euro fine imposed by the CNIL on Google on March 2020, also on the topic of cookie rules. The Council of State confirmed the fine, highlighting the fact that seven cookies were automatically dropped on the users’ terminal, four of which were used for advertising purposes, whereas users were not directly and explicitly informed of either the purposes of these cookies, or how to opt-out of the use of cookies.
Continue Reading Cookie fines in France in January 2022: is it the beginning of a “Cookie Gate”?
UK’s Court of Appeal assesses territorial scope of GDPR
In a judgment handed down by the UK Court of Appeal on 21 December 2021 ([2021] EWCA Civ 1952, available here), Walter Soriano, the claimant, was granted his cross-appeal, giving him permission to serve Forensic News LLC and four other defendants in the United States with proceedings under the General Data Protection Regulation (GDPR). The appeal came from the High Court, which had previously refused such permission on the basis that the claimant could not demonstrate that the claim satisfied the test for serving claims outside the jurisdiction. The reason given by the High Court was that the processing of the claimant’s personal data did not fall within the territorial scope of the GDPR. The Court of Appeal therefore revisited the GDPR’s territorial scope as part of this appeal and decided the claimant had an arguable case and could therefore serve the claim outside the jurisdiction.
Continue Reading UK’s Court of Appeal assesses territorial scope of GDPR
Lloyd v. Google: Supreme Court rejects compensation claim
In one of the most highly anticipated judgments in recent years, the UK Supreme Court has unanimously rejected a class-action style compensation claim under the Data Protection Act 1998. The Supreme Court decision was handed down as a result of a claim raised against Google LLC (Google) by Richard Lloyd on behalf of four million data subjects.
Continue Reading Lloyd v. Google: Supreme Court rejects compensation claim
‘Trivial’ data breach claim dismissed by High Court
On 7 September 2021, the High Court granted a defendant’s application for summary judgment in a claim for compensation brought by three data subjects resulting from a data breach suffered by the defendant, on the basis that the breach was ‘trivial’ (here).
The case
The case related to a single email (with attachments) sent by the defendant, a firm of solicitors. The defendant, who represents a school to whom the claimants, a set of parents, owed outstanding school fees, had been instructed to write to the claimants with a demand for payment. The email consisted of a letter and a copy of the statement of account.
Due to one letter difference in one of the email addresses, the correspondence was sent to an unintended recipient. The unintended recipient responded promptly, indicating that they thought the email was not intended for them. The defendant then responded promptly, asking the unintended recipient to delete the email, which they agreed to do. The recipient was unknown to the claimants personally.
The email contained the claimants’ names, address and the amount of school fees owed, as well as reference to proposed legal action, but it did not contain any financial information in the form of bank or card details, or information about the income or financial position of the claimants.
The claim brought by the claimants was for, amongst other things, compensation for non-material damage (i.e., distress) under article 82 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) and section 169 of the Data Protection Act 2018. This was based on (i) the claimants having suffered “lost sleep”, (ii) the breach having “made them feel ill” and (iii) extensive time having been spent by the claimants dealing with the issue.
Continue Reading ‘Trivial’ data breach claim dismissed by High Court
The UK’s ICO launches public consultation on new Standard Contractual Clauses
In our previous post here we discussed the ICO’s announcement that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The new UK SCCs will be known as the UK’s International Data Transfer Agreement (IDTA).
The ICO has now launched the public consultation on its IDTA and accompanying guidance (available here). The consultation is open for feedback until 5pm on 7 October 2021.
Purpose of the IDTA
The IDTA will replace the current UK SCCs. The ICO has already made it clear that any transfers to third countries will need to take into account the Schrems II decision and apply supplementary measures, where required. The IDTA is a contract which organisations will be able to use when making a ‘restricted transfer’. The ICO is also consulting on how to define a ‘restricted transfer’ in light of the UK GDPR. In particular, the ICO is consulting on whether to keep its current guidance that says a restricted transfer only takes place where the importer’s processing of the personal data is not subject to UK GDPR. Recognising the complexity of international transfers for businesses, the ICO Executive Director of Regulatory Strategy, Steve Wood, has said that the new guidance is designed to be accessible and to support the full range of organisations, from SMEs to multi-national companies.
Continue Reading The UK’s ICO launches public consultation on new Standard Contractual Clauses
UK adequacy decision for European data transfers
On the 28th June 2021, the European Commission (Commission) adopted two adequacy decisions for the UK; one covering the GDPR and the other the Law Enforcement Directive (LED). Such decisions demonstrate that the Commission believes the UK ensures an ‘essentially equivalent’ level of protection to that within the EU. The implication of these decisions is that personal data can now flow freely from the EU to the UK, effective immediately.
Background
On the 19th February, the Commission published two draft adequacy decisions and launched the procedure for their adoption, which we previously wrote about here. Since then, the Commission has carefully assessed the UK’s laws and practices on personal data protection, including access to data by public authorities in the UK. The European Data Protection Board gave its opinion on the draft decisions in support of the Commission’s findings, which we also blogged about here, before finally receiving the ‘green light’ from the EU Member states’ representatives.
The Commission’s 93-page GDPR decision assesses the legal framework for the UK in detail even referencing laws such as the Magna Carta and Bill of Rights, and states ‘As the UK GDPR is based on EU legislation, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union.’ They conclude that ‘the Commission considers that the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.’
Continue Reading UK adequacy decision for European data transfers
The ICO publishes first chapter of its new draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies
The UK’s data protection authority, the Information Commissioner’s Office (ICO), is calling for views on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, available in draft here.
The guidance will help organisations to identify the issues they need to consider in order to use anonymisation techniques effectively. The guidance will sit alongside the ICO’s data sharing code of practice, which provides guidance on how to lawfully share personal data, and offers organisations an alternative way of using or sharing data through anonymisation.
The first chapter introduces and defines anonymisation and pseudonymisation, and places the concepts within the framework of data protection law in the UK.
Continue Reading The ICO publishes first chapter of its new draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies