Privacy & Data Protection

If you can remember as far back as December 2021, we published a blog post announcing that the European Data Protection Board (EDPB) published draft guidelines on the interplay between the territorial scope of the GDPR and the international transfer requirements. Following what must have been an extensive consultation, we are pleased to report that those guidelines were finally finalised on 14 February 2023 (here) and, are even more pleased to report that they contain some very useful illustrations to help you make sense of the concept of international data transfers.

Continue Reading The EDPB makes its mind up about transfers

2022 was another busy year in privacy and data protection. We have seen major new developments at both the EU and the UK level, in terms of new legislation taking effect, changes to the data transfer regime, analytics cookies coming under regulatory spotlight from various EU data protection authorities, and substantial fines issued for breaches of data protection law.

Regulations surrounding privacy and data continue to develop at a rapid pace. Emerging technologies have changed the manner in which personal data is collected and used. These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 could be an exciting and a busy year for privacy and data.

We asked some of our Tech & Data team members in the field to get their opinions on what is likely to happen in privacy and data in 2023:

Continue Reading EU and UK privacy and data predictions for 2023

The European Union’s Second Network and Information Systems Directive (“NIS2”) entered into force on 16 January 2023, and replaces the NIS 1 Directive.  NIS2 aims to “improve the resilience and incident response capacities of both the public and private sector and the EU as a whole”. In addition to the EU’s NIS2 update, the UK has also recently expanded its Network and Information Systems Regulations, and further details can be found in our blog here.  The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

Continue Reading NIS2 toughens up EU’s cyber security obligations

The Court of Justice of the European Union (“CJEU”) issued a judgment on the 9th of February 2023 (docket no. C-453/21), which addresses the question of the dismissal of a Data Protection Officer (“DPO”) and the interpretation of Article 38 of the EU GDPR.

Continue Reading CJEU rules on DPO conflicts of interest under the GDPR

The winter 2023 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your update on IT & data protection law in our newsletter (Winter 2023 edition)

The UK Network and Information Systems (NIS) Regulations 2018 will be strengthened in an effort to protect essential and digital services. On 30th November 2022, the UK government published its response to the public consultation on proposals to improve the UK’s cyber resilience. As the UK is no longer bound by EU legislation, it will not be implementing the NIS 2 Directive, recently adopted by European Parliament and Council. However, the frequency and scale of cyber incidents and consequent increased risk of severe damage has prompted change to UK cyber laws as well. 

Continue Reading UK expands scope of NIS Regulations

At the end of 2022, the European Commission published its draft adequacy decision on the EU-US transfers of personal data. The draft contains an assessment of the US legal framework around state surveillance. Once in place, EU data transfers to the US under the new Data Privacy Framework (“EU-US DPF”) will be free. However, there are still some steps to take.

Continue Reading A sigh of relief? EU-US data transfers

On 17 November 2022, the UK Information Commissioner’s Office issued updated guidance on international personal data transfers.  The guidance is to be used for transfers of personal data from the UK to third countries. The ICO added a template transfer risk assessment (TRA) to the guidance, which is required when organisations rely on a  transfer tool under Article 46 of the UK GDPR, e.g. the ICO’s International Data Transfer Agreement (the UK version of the EU SCCs); the Addendum to the EU SCCs, or the Binding Corporate Rules. The requirement to carry out transfer impact assessments stems from Article 46(1) of the UK GDPR, which states that the transfer mechanisms can be used “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” confirmed by the CJEU’s Schrems II judgement.

The ICO’s TRA offers an alternative approach to the  EDPB’s transfer impact assessments (TIA),  to assist data exporters with carrying out their analysis to check that that protections under the transfer tool are not undermined by the laws and practices of the recipient third country.

Continue Reading ICO provides an alternative to the EDPB transfer impact assessment

On 28 September 2022, the European Commission published the proposed AI Liability Directive. The Directive joins the Artificial Intelligence (AI) Act (which we wrote about here) as the latest addition to the EU’s AI focused legislation. Whilst the AI Act proposes rules that seek to reduce risks to safety, the liability rules will apply where such a risk materialises and damage occurs.

In a European enterprise survey, 33% of companies considering adopting AI quoted ‘liability for potential damages’ as a major external challenge. The proposed Directive hopes to tackle this challenge by establishing EU-wide rules to ensure consumers obtain the same level of protection as they would if they issued a claim for damages from using any other product.

Continue Reading What happens when AI goes wrong? The proposed EU AI Liability Directive

A recent £4.4m fine imposed by the ICO in October 2022 reveals its views on the responsibility of the parent company, senior management, and financial investments in organisations’ security standards to prevent cyber attacks.

Continue Reading ICO expects large organisations to make financial investments to maintain their security standards