In one of the most highly anticipated judgments in recent years, the UK Supreme Court has unanimously rejected a class-action style compensation claim under the Data Protection Act 1998. The Supreme Court decision was handed down as a result of a claim raised against Google LLC (Google) by Richard Lloyd on behalf of four million … Continue Reading
The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The … Continue Reading
On 18 October 2021, the European Commission (the Commission) launched a public consultation on adapting the civil liability rules for the digital age, with a specific focus on challenges arising from the adoption of artificial intelligence (AI). The consultation builds on the Commission’s inception impact assessment roadmap (IIA) on this topic and is part of … Continue Reading
On 13 October 2021, the European Data Protection Board (EDPB) adopted the final version of its Guidelines (10/20) on restrictions of data subject rights under article 23 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) (the Guidelines) during its forty-third plenary session. The adoption comes after a public consultation on the EDPB’s draft guidelines, which … Continue Reading
On October 6, 2021, the Department of Justice (DOJ) announced the launch of its new Civil Cyber-Fraud Initiative that emphasizes accountability for conduct that could increase cybersecurity threats to the government. This initiative supports the Biden administration’s goals and efforts to improve U.S. cybersecurity generally. Those who do business with the government or receive federal … Continue Reading
In July 2021, the European Commission (the Commission) adopted three proposals for regulations and one proposal for a directive of the European Parliament and of the Council in relation to reforms to the EU’s anti-money laundering (AML) and counter-terrorist financing (CTF) regime. The proposals serve to implement aspects of the Commission’s May 2020 action plan … Continue Reading
Last week, the Federal Trade Commission (FTC) announced in a Statement of the Commission On Breaches by Health Apps and Other Connected Devices (Policy Statement) that the FTC will begin enforcement of its Health Breach Notification Rule (Rule) issued in 2009. The Rule was issued by the FTC to regulate certain businesses that handle health … Continue Reading
On September 17, 2021, the Illinois Court of Appeals for the First District ruled that some BIPA claims are subject to a five year statute of limitations, while others must be brought within one year. In Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the appellate court accepted a certified question from … Continue Reading
California’s new enforcement agency, the Consumer Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), where they discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA … Continue Reading
On 10 September 2021, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on its proposed reforms to the UK’s data protection regime, with a view to assessing the case for legislative change. The consultation comes as the first step in the government’s plans to deliver on ‘Mission 2’ of its … Continue Reading
During the thirtieth meeting of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on August 20, 2021, they finally passed the long-awaited Personal Information Protection Law (PIPL), which will come into force on November 1, 2021. Our recent client alert, the first in a series which we will … Continue Reading
Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms established by data protection authorities. The ICO has approved such certification mechanism for three UK GDPR certification schemes, in the following areas: IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) have developed a … Continue Reading
In a recent Q&A with Ohio Attorney General (AG) Dave Yost published in the IAPP Privacy Advisor, the first term AG discusses how he continued Ohio’s role as a vigorous enforcer of consumer protection and privacy laws, with a lengthy track record of looking out for the needs of the government, business and consumers equally. … Continue Reading
The ICO has announced plans to replace its existing employment practices guidance with a more user-friendly online resource. The new resource will be divided into specific topics such as recruitment and selection, employment records, monitoring of workers, and information about workers’ health. In particular, the new guidance aims to: Address the changes in data protection … Continue Reading
The English High Court delivered an important judgement earlier this year in Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB). You can read the judgment here. Where an organisation based outside the EU is subject to the EU General Data Protection Regulation (GDPR) either because they sell goods or services to, … Continue Reading
In preparation for the California Privacy Rights Act (CPRA), effective January 1, 2023, the California AG Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) and providing updated guidance for consumers and businesses. The AG recently held a press conference to discuss enforcement proceedings brought by his office over the last year … Continue Reading
Reed Smith announced the launch of DaTA Transfer Pathway, an innovative new automated data transfer tool designed to assist organisations comply with recent changes in EU case law and EU data protection guidelines. Stemming from the Court of Justice of the European Union’s (CJEU) Schrems II decision relating to EU-US data transfers and in light … Continue Reading
In our previous post here we discussed the ICO’s announcement that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The new UK SCCs will be known as the UK’s International Data Transfer Agreement (IDTA). The ICO has now launched the public consultation on its IDTA … Continue Reading
The Summer 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version German version In this edition we cover the following topics: Update on international data transfers State Labour Court of Baden-Württemberg: No claim for damages for transferring personal data to the United States on … Continue Reading
Last September the Singapore High Court heard a case relating to Singapore’s Personal Data Protection Act (PDPA). An individual had left his former employer, an investment company, to join a competitor firm. At this new firm, he sent an email to a client of his former employer’s, another individual, whom he had come to know … Continue Reading
After Germany became the last EU member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law, the use of cookies in the EU must meet one of the following requirements: The user’s consent, or The cookie must be strictly necessary in order to provide the service … Continue Reading
During its 51st plenary session on 7th July 2021, the European Data Protection Board (EDPB) adopted guidelines on codes of conduct as tools for transfers (CoC Guidelines). The CoC Guidelines are available here. The CoC Guidelines support and complement the previous EDPB Guidelines on CoCs published in 2019 (2019 Guidelines) that established the general framework … Continue Reading
As a result of the COVID-19 pandemic, many more organisations have moved their business operations online. From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s … Continue Reading
The European Commission’s (EC) International Standard Contractual Clauses (SCCs), which we previously discussed here, contain extensive third party beneficiary rights. The EC’s decision made clear that with these new international transfer SCCs, the parties can decide for themselves which EU Member State law will govern their SCCs, provided that the Member State’s laws allowed for … Continue Reading
