Privacy & Data Protection

Further to the joint announcement in June by UK Secretary of State for Science, Innovation, and Technology and the US Commerce Secretary of their intention to create a UK-US data bridge (please see our blog for further details), the UK government has passed a Regulation establishing a UK-US data bridge. The data bridge comes in the form of an extension to the EU-US Data Bridge Privacy Framework (the DPF) and will come into force on 12 October.Continue Reading UK government announces a UK data bridge with the US

On 11 September 2023, the UK’s Department for Science, Innovation, and Technology (DSIT), published the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (DP Regulations), which seek to amend the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018).Continue Reading DSIT publishes draft amendments to the UK GDPR and DPA 2018

On 12 September 2023, the UK Information Commissioner and the Chief Executive of the National Cyber Security Centre (NCSC), signed a joint Memorandum of Understanding (MoU), which establishes how the NCSC and the Information Commissioner’s Office (ICO) will cooperate. The NCSC is the technical authority in the UK that provides standards and guidance to organisations on cyber security. The ICO is responsible for providing guidance and enforcement of the data protection rules in the UK, including the obligation of organisations to apply security measures around personal data.Continue Reading Boosting digital resilience – The UK Information Commissioner and NCSC CEO sign Memorandum of Understanding

On August 18, 2023, the Fourth Circuit decertified approximately 20 million putative class action claims arising out of a 2018 data breach involving Marriott Hotels. See here. The Fourth Circuit reversed the district court’s certification and required it to consider in the first instance whether all of the putative plaintiffs waived their claims by signing class action waivers when they registered to be part of the Starwood Preferred Guest Program (“SPG”). The SPG waiver specifically stated that “Any disputes arising out of or related to the SPG Program or the[] SPG Program Terms will be handled individually without any class action ….”Continue Reading Fourth Circuit Decision Highlights Class Action Waivers for Data Breaches are Alive and Well

On 9 August 2023, the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) published a joint position paper on Harmful Design in Digital Markets (Harmful Designs Paper) that urges businesses to stop using harmful website designs that exploit customers by encouraging them to provide more personal data than necessary. The regulators are

The Summer 2023 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version
German versionContinue Reading Get your Update on IT & Data Protection Law in our Germany Newsletter (Summer 2023 Edition)

Please click here to access the source post from our Global Regulatory Enforcement Law Blog.

In this blog, the authors delve into a significant decision by the German Federal Cartel Office (FCO) four years ago, accusing a major technology company of abusive behavior due to alleged violations of the General Data Protection Regulation (GDPR). Recently

Background

The European Commission (EC) issued the long-awaited adequacy decision for the new EU-U.S. Data Privacy Framework (Framework) on July 10, 2023. The Court of Justice of the European Union (CJEU) had previously invalidated both the U.S.-EU Safe Harbor in 2015, and the U.S.-EU Privacy Shield in 2020 after challenges by Austrian privacy activist Max Schrems (CJEU decisions known as Schrems I and Schrems II, respectively). Following those decisions President Biden signed Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities”, which introduced new binding safeguards. Our previous client alert discussed how the draft adequacy decision, including in relation to this this Executive Order, addressed concerns raised in Schrems II.Continue Reading Third Time’s a Charm: European Commission adopts EU-U.S. Data Privacy Framework

On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of its first module of the Model Contractual Clauses (“MCCs”) for cross-border data transfers based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.Continue Reading Convention 108+: The Council of Europe Releases Model Contractual Clauses for Global Data Transfers

On 7 June 2023, the European Union Agency for Cybersecurity (ENISA) released a report Multilayer Framework for Good Cybersecurity Practices for AI (“Framework”) in response to the evolving landscape of artificial intelligence (AI) and the associated cybersecurity challenges. The publication aims to establish a robust framework that promotes cybersecurity practices throughout the entire lifecycle of AI, ranging from conceptualization to decommissioning. This blog summarises the main features of the Framework.Continue Reading ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems