Privacy & Data Protection

A recent £4.4m fine imposed by the ICO in October 2022 reveals its views on the responsibility of the parent company, senior management, and financial investments in organisations’ security standards to prevent cyber attacks.

Continue Reading ICO expects large organisations to make financial investments to maintain their security standards

On 6 October 2022, the Advocate General (Campos Sánchez-Bordona) issued his opinion in UI v Österreichische Post AG on the interpretation of the rules on civil liability under the GDPR .

He concluded that a data subject must have suffered harm in order to claim compensation, and that breach of the GDPR alone was not sufficient.  There is also a distinction to be drawn between mere upset (which does not give rise to a right for compensation) and non-material damage (which does).

Continue Reading ‘Mere upset’ insufficient for compensation under the GDPR

At a Glance:

On Oct. 7, 2022, U.S. President Joe Biden issued Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (“Executive Order” or “EO”). It is described by the U.S. as “a durable and reliable legal foundation” and “that the new ’robust’ commitments contained in the executive order ’fully addresses’ the issues raised in the [EU] Court of Justice’s decision on Privacy Shield” (the “Schrems II ruling”). This Executive Order will form the basis for a new EU-U.S. Data Privacy Framework, aka Safe Harbor Framework v3 or Privacy Shield 2.0.

The issuance of the EO was a central part of the agreement in principle reached between the EU and the U.S. to address the issues raised in the Schrems II ruling.  While most of the world waited for this Executive Order, we now all wait for the EU’s response as to whether or not this EO, once its requirements are implemented, suffices to lift the U.S. to an adequate level of data protection within the meaning of Art. 45 GDPR. Even before full implementation of the procedural aspects of the EO, the Executive Order will have a positive impact on data transfers given that the surveillance must be conducted in a proportionate manner that takes into account the impact to privacy and civil liberties of all persons, assuming the EU will be designated as a “qualifying state” by the U.S. Attorney General under the EO.

Continue Reading Transatlantic Data Flows – Chapter 3: The EU-U.S. Data Protection Framework: A Summary of the U.S. Executive Order issued on Oct. 9 and its immediate and future effects

On 26 September 2022, the UK Information Commissioner’s Office (“ICO”) issued a blog post addressing compliance with data subject access requests (“DSARs”).

A DSAR is a written request by an individual to an organisation asking for access to the personal information it holds on them. This is a legal right everyone in the UK has and can be exercised at any time for free (in most circumstances).

Continue Reading ICO issues guidance on responding to subject access requests

Meta-owned Instagram has been fined €405 million by the Irish Data Protection Commission (DPC) for violations of the EU General Data Protection Regulation (GDPR), following a two year investigation into how the social media platform handles children’s data. This is the largest fine imposed by the DPC to date. Below, we highlight some of the key issues arising in the case.

Continue Reading Irish DPC fines Instagram a record €405 million

On 18 July 2022, the United Kingdom (UK) government set out its new proposals for regulating the use of artificial intelligence (AI) technologies while promoting innovation, boosting public trust, and protecting data. The proposals reflect a less centralised and more risk-based approach than in the EU’s draft AI Act.

The proposals coincide with the introduction to Parliament of the Data Protection and Digital Information Bill, which includes measures to use AI responsibly while reducing compliance burdens on businesses to boost the economy.

Continue Reading UK government announces its proposals for regulating AI

The Summer 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading Get your Update on IT & Data Protection Law in our Newsletter (Summer 2022 Edition)

Background

On 1 August 2022, the Court of Justice of the European Union (“CJEU”) issued a decision (“Decision”) clarifying how the indirect disclosure of sexual orientation data is protected as special category data under Article 9 of the EU General Data Protection Regulation (“GDPR”). “Special Category Data” is defined within Article 9(1) of the GDPR and includes (for example) a data subject’s racial or ethnic origin or data concerning a natural person’s sex life or sexual orientation. The processing of such sensitive personal data is expressly prohibited, unless the processing is exempted from the prohibition in the sense of Article 9(2) GDPR.

Continue Reading CJEU rules on interpretation of EU GDPR special categories of data