On August 18, 2023, the Fourth Circuit decertified approximately 20 million putative class action claims arising out of a 2018 data breach involving Marriott Hotels. See here. The Fourth Circuit reversed the district court’s certification and required it to consider in the first instance whether all of the putative plaintiffs waived their claims by signing class action waivers when they registered to be part of the Starwood Preferred Guest Program (“SPG”). The SPG waiver specifically stated that “Any disputes arising out of or related to the SPG Program or the[] SPG Program Terms will be handled individually without any class action ….”
Data & Cyber Security
SEC Issues Final Cybersecurity Rules Enhancing and Modifying Disclosure Requirements: Companies will want to Measure Twice and Cut Once
On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted new rules specifying enhanced disclosure regarding cybersecurity risk management, strategy governance, and incident disclosure. The SEC first proposed new cybersecurity rules back in March 2022. The agency’s comments to the final rule suggest greater disclosure and improved consistency of disclosures will benefit investors. Several of the key aspects of the final rules are outlined below, and ultimately will probably be navigable for organizations with meaningful incident response and evaluation experience as well as robust risk management programs which already include and evaluate cybersecurity.…

ECJ Allows National Competition Authorities to Consider Non-Competition Law Violations in Dominance Abuse Cases
Please click here to access the source post from our Global Regulatory Enforcement Law Blog.
In this blog, the authors delve into a significant decision by the German Federal Cartel Office (FCO) four years ago, accusing a major technology company of abusive behavior due to alleged violations of the General Data Protection Regulation (GDPR). Recently…
Convention 108+: The Council of Europe Releases Model Contractual Clauses for Global Data Transfers
On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of its first module of the Model Contractual Clauses (“MCCs”) for cross-border data transfers based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.…
ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems
On 7 June 2023, the European Union Agency for Cybersecurity (ENISA) released a report Multilayer Framework for Good Cybersecurity Practices for AI (“Framework”) in response to the evolving landscape of artificial intelligence (AI) and the associated cybersecurity challenges. The publication aims to establish a robust framework that promotes cybersecurity practices throughout the entire lifecycle of AI, ranging from conceptualization to decommissioning. This blog summarises the main features of the Framework.…
Critical Entities Resilience Directive (CER) – broader scope and more stringent obligations
The Critical Entities Resilience Directive (‘CER’) entered into force on 16 January 2023, replacing the 2008 European Critical Infrastructure Directive. The new rules are aiming to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The CER Directive introduces new obligations on entities providing…
NIS2 toughens up EU’s cyber security obligations
The European Union’s Second Network and Information Systems Directive (“NIS2”) entered into force on 16 January 2023, and replaces the NIS 1 Directive. NIS2 aims to “improve the resilience and incident response capacities of both the public and private sector and the EU as a whole”. In addition to the EU’s NIS2 update, the UK has also recently expanded its Network and Information Systems Regulations, and further details can be found in our blog here. The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.…
Continue Reading NIS2 toughens up EU’s cyber security obligations
UK expands scope of NIS Regulations
The UK Network and Information Systems (NIS) Regulations 2018 will be strengthened in an effort to protect essential and digital services. On 30th November 2022, the UK government published its response to the public consultation on proposals to improve the UK’s cyber resilience. As the UK is no longer bound by EU legislation, it will not be implementing the NIS 2 Directive, recently adopted by European Parliament and Council. However, the frequency and scale of cyber incidents and consequent increased risk of severe damage has prompted change to UK cyber laws as well. …
A sigh of relief? EU-US data transfers
At the end of 2022, the European Commission published its draft adequacy decision on the EU-US transfers of personal data. The draft contains an assessment of the US legal framework around state surveillance. Once in place, EU data transfers to the US under the new Data Privacy Framework (“EU-US DPF”) will be free. However, there are still some steps to take.…
UK Government grants South Korea a data adequacy status
On 24 November 2022, the Data Protection (Adequacy) (Republic of Korea) Regulations were laid before the UK parliament for approval. The Regulations are due to come into force on 19 December 2022. From then onwards, transfers of personal data to South Korea by organisations in the UK may be made without the need to put UK International Data Transfer Agreements (UK versions of the Standard Contractual Clauses) or other transfer tools in place with recipients of personal data in South Korea.…
Continue Reading UK Government grants South Korea a data adequacy status