After Germany became the last EU member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law, the use of cookies in the EU must meet one of the following requirements: The user’s consent, or The cookie must be strictly necessary in order to provide the service … Continue Reading
During its 51st plenary session on 7th July 2021, the European Data Protection Board (EDPB) adopted guidelines on codes of conduct as tools for transfers (CoC Guidelines). The CoC Guidelines are available here. The CoC Guidelines support and complement the previous EDPB Guidelines on CoCs published in 2019 (2019 Guidelines) that established the general framework … Continue Reading
As a result of the COVID-19 pandemic, many more organisations have moved their business operations online. From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s … Continue Reading
The European Commission’s (EC) International Standard Contractual Clauses (SCCs), which we previously discussed here, contain extensive third party beneficiary rights. The EC’s decision made clear that with these new international transfer SCCs, the parties can decide for themselves which EU Member State law will govern their SCCs, provided that the Member State’s laws allowed for … Continue Reading
Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day. What’s new in data protection in the EU It has been a busy few weeks in the EU for all things data … Continue Reading
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Joint Opinion). The Joint Opinion follows the European Commission’s (Commission) Proposal for a Regulation of the European … Continue Reading
The European Data Protection Board (EDPB) adopted final Recommendations on Supplementary Measures (Recommendations) for data transfers to third countries, published in response to the CJEU ruling in Schrems II. The Recommendations contain a six-step methodology to assess transfers of personal data from the EEA to those countries outside the EEA that have not been approved … Continue Reading
On the 22nd of June 2021, the Department of Health and Social Care (DHSC) published its draft strategy ‘Data saves lives’ on the use of data within the health and social care sector, available here. In the draft strategy, the DHSC set out its plans to use data to improve the health and care of … Continue Reading
On the 28th June 2021, the European Commission (Commission) adopted two adequacy decisions for the UK; one covering the GDPR and the other the Law Enforcement Directive (LED). Such decisions demonstrate that the Commission believes the UK ensures an ‘essentially equivalent’ level of protection to that within the EU. The implication of these decisions is … Continue Reading
There is news for social media network providers operating in the European Union regarding prevention of hate speech and crimes: Austria enacted a law against hate and crime on social networks, the Communication Platform Act (KoPl-G). Following the German Network Enforcement Act (NetzDG), both laws are intended to make the deletion procedure simpler, more transparent … Continue Reading
Colorado’s recently passed privacy act, the Colorado Privacy Act (CPA), is scheduled to take effect on July 1, 2023, if signed into law by Governor Jared Polis. While the CPA is a comprehensive privacy act which provides certain rights to consumers regarding their personal data, it does not include a private right of action. It … Continue Reading
On March 31, 2021, the Texas legislature passed House Bill 3746 (HB 3746), an update to the state’s breach notification statute. HB 3746 is expected to be signed into law by the Texas governor and become effective on September 1, 2021. The bill makes two primary changes to Texas’ current breach notification statute. First, the … Continue Reading
The Spring 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version German version In this edition we cover the following topics: New cookie rules in Germany will apply as of December 1, 2021 German data protection authorities conduct coordinated audits on international data transfers … Continue Reading
The UK’s data protection authority, the Information Commissioner’s Office (ICO), is calling for views on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, available in draft here. The guidance will help organisations to identify the issues they need to consider in order to use anonymisation techniques effectively. The guidance will sit … Continue Reading
In Bellingham, Alex v. Reed, Michael [2021] SGHC 125 (Alex v. Reed) The Singapore High Court considered the loss or damage needed for a private action to be brought against an organisation for a breach of the PDPA. In particular, the court found that a mere loss of control over personal data, or emotional distress over such loss of control, was insufficient. Our recent client alert details the case and … Continue Reading
On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions, available here. Scope of the recommendations The recommendations specifically address online providers of goods and services who store credit card data to facilitate … Continue Reading
City A.M. has interviewed Howard Womersley Smith, an expert Fintech and Data lawyer and partner in Reed Smith’s Technology & Data London team, on London’s current startup FinTech scene. Sitting down with Womersley Smith, City AM reflected on a range of London Fintechs urging the Financial Conduct Authority (FCA) to break banks’ dominance over the … Continue Reading
The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It became one of the leading pieces of legislation in the world to offer the highest levels of protection to the personal data of individuals. Many countries followed suit to raise the bar in how organisations handle personal data. The trend … Continue Reading
In its Schrems II decision (which we reported on here) the Court of Justice of the European Union (CJEU) found that the Privacy Shield framework, which had been used to facilitate data transfers from the EU to the US, did not adequately protect the personal data of EU users. The use of standard contractual clauses … Continue Reading
On 14th May 2021, the Irish High Court (High Court) dismissed a legal challenge brought against the Irish Data Protection Commission (DPC) concerning its inquiry and a preliminary draft decision to suspend the EU-U.S. data transfers of personal data of an applicant organisation. Background These proceedings follow on from Schrems II decision of the Court … Continue Reading
Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends. We cover product and technology development to operational and compliance issues that technology practitioners encounter every day. On this channel, we host regular discussions about the legal and business issues around data protection, privacy and security; data risk … Continue Reading
In response to a number of recent high-profile cyber attacks aimed at federal agencies, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (EO) on May 12, 2021. The EO which created a new Cyber Safety Review Board to review major cyber incidents and requires information and communications technology (ICT) service providers entering into contracts … Continue Reading
Earlier this year, following its public consultation, the European Data Protection Board (EDPB) approved its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (here). Why are these guidelines needed? In the guidelines, the EDPB notes that “vehicles are becoming massive data hubs” and “connected vehicles are … Continue Reading
The UK National Institute for Health and Care Excellence (NICE), along with the Care Quality Commission (CQC), Health Research Authority (HRA) and Medicines and Healthcare products Regulatory Agency (MHRA) have partnered to promote the use of artificial intelligence (AI) in health and care. The agencies are calling this initiative the “Multi-Agency Advisory Service for AI … Continue Reading
