A recent £4.4m fine imposed by the ICO in October 2022 reveals its views on the responsibility of the parent company, senior management, and financial investments in organisations’ security standards to prevent cyber attacks.
Get your Update on IT & Data Protection Law in our Newsletter (Fall 2022 Edition)
The Fall 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
English version
Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Fall 2022 Edition)
‘Mere upset’ insufficient for compensation under the GDPR
On 6 October 2022, the Advocate General (Campos Sánchez-Bordona) issued his opinion in UI v Österreichische Post AG on the interpretation of the rules on civil liability under the GDPR .
He concluded that a data subject must have suffered harm in order to claim compensation, and that breach of the GDPR alone was not sufficient. There is also a distinction to be drawn between mere upset (which does not give rise to a right for compensation) and non-material damage (which does).
Continue Reading ‘Mere upset’ insufficient for compensation under the GDPR
Transatlantic Data Flows – Chapter 3: The EU-U.S. Data Protection Framework: A Summary of the U.S. Executive Order issued on Oct. 9 and its immediate and future effects
At a Glance:
On Oct. 7, 2022, U.S. President Joe Biden issued Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (“Executive Order” or “EO”). It is described by the U.S. as “a durable and reliable legal foundation” and “that the new ’robust’ commitments contained in the executive order ’fully addresses’ the issues raised in the [EU] Court of Justice’s decision on Privacy Shield” (the “Schrems II ruling”). This Executive Order will form the basis for a new EU-U.S. Data Privacy Framework, aka Safe Harbor Framework v3 or Privacy Shield 2.0.
The issuance of the EO was a central part of the agreement in principle reached between the EU and the U.S. to address the issues raised in the Schrems II ruling. While most of the world waited for this Executive Order, we now all wait for the EU’s response as to whether or not this EO, once its requirements are implemented, suffices to lift the U.S. to an adequate level of data protection within the meaning of Art. 45 GDPR. Even before full implementation of the procedural aspects of the EO, the Executive Order will have a positive impact on data transfers given that the surveillance must be conducted in a proportionate manner that takes into account the impact to privacy and civil liberties of all persons, assuming the EU will be designated as a “qualifying state” by the U.S. Attorney General under the EO.
ICO issues guidance on responding to subject access requests
On 26 September 2022, the UK Information Commissioner’s Office (“ICO”) issued a blog post addressing compliance with data subject access requests (“DSARs”).
A DSAR is a written request by an individual to an organisation asking for access to the personal information it holds on them. This is a legal right everyone in the UK has and can be exercised at any time for free (in most circumstances).
Continue Reading ICO issues guidance on responding to subject access requests
A conversation with New York Attorney General, Letitia James
In the October edition of IAPP’s Privacy Advisor, Divonne Smoyer, Hubert Zanczak, and Stuart Cobb speak to New York State Attorney General, Letitia James, about her view of consumer privacy, her work to date in enforcing existing laws and her thoughts about the future of privacy in New York and the country.
Irish DPC fines Instagram a record €405 million
Meta-owned Instagram has been fined €405 million by the Irish Data Protection Commission (DPC) for violations of the EU General Data Protection Regulation (GDPR), following a two year investigation into how the social media platform handles children’s data. This is the largest fine imposed by the DPC to date. Below, we highlight some of the key issues arising in the case.
Continue Reading Irish DPC fines Instagram a record €405 million
UK government announces its proposals for regulating AI
On 18 July 2022, the United Kingdom (UK) government set out its new proposals for regulating the use of artificial intelligence (AI) technologies while promoting innovation, boosting public trust, and protecting data. The proposals reflect a less centralised and more risk-based approach than in the EU’s draft AI Act.
The proposals coincide with the introduction to Parliament of the Data Protection and Digital Information Bill, which includes measures to use AI responsibly while reducing compliance burdens on businesses to boost the economy.
Continue Reading UK government announces its proposals for regulating AI
Get your Update on IT & Data Protection Law in our Newsletter (Summer 2022 Edition)
The Summer 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Summer 2022 Edition)
CJEU rules on interpretation of EU GDPR special categories of data
Background
On 1 August 2022, the Court of Justice of the European Union (“CJEU”) issued a decision (“Decision”) clarifying how the indirect disclosure of sexual orientation data is protected as special category data under Article 9 of the EU General Data Protection Regulation (“GDPR”). “Special Category Data” is defined within Article 9(1) of the GDPR and includes (for example) a data subject’s racial or ethnic origin or data concerning a natural person’s sex life or sexual orientation. The processing of such sensitive personal data is expressly prohibited, unless the processing is exempted from the prohibition in the sense of Article 9(2) GDPR.
Continue Reading CJEU rules on interpretation of EU GDPR special categories of data