Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)

Photo of Dr. Andreas SplittgerberPhoto of Sven SchonhofenBy Dr. Andreas Splittgerber and Sven Schonhofen on Posted in Cookies, Tracking & Online Behavioral Advertising, In the Courts, Privacy & Data Protection, Regulatory

The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

Continue Reading

Cybersecurity 2.0: the UK follows suit with the EU in launching cybersecurity law reform

Photo of Cynthia O’DonoghuePhoto of Sarah O'BrienPhoto of Yunzhe ZhangBy Cynthia O’Donoghue, Sarah O'Brien and Yunzhe Zhang on Posted in Data & Cyber Security

Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation  (see consultation here).

A recap of the current UK cybersecurity law: NIS Regulations

One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the EU Cybersecurity Directive 2016 prior to Brexit.

Under the NIS Regulations, businesses who provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSP) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident which has a significant impact on the continuity of the essential services.

Continue Reading

What does the ICO tell us about using data for research purposes?

Photo of Cynthia O’DonoghuePhoto of Sarah O'BrienBy Cynthia O’Donoghue and Sarah O'Brien on Posted in Privacy & Data Protection

The UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’), has released draft guidance on the research provisions within the UK’s General Data Protection Regulation (‘UK GDPR’) and Data Protection Act (‘DPA’). The guidance is out for public consultation until 22 April 2022.

Continue Reading

SEC proposes cybersecurity rules for registered funds and investment advisers

Photo of Gerard StegmaierPhoto of Howard Womersley SmithPhoto of Kile MarksPhoto of Eric ManskiBy Gerard Stegmaier, Howard Womersley Smith, Kile Marks and Eric Manski on Posted in Data & Cyber Security, Regulatory

The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:

  • Maintain and implement cybersecurity policies and procedures;
  • Adopt new recordkeeping standards;
  • Report significant cybersecurity incidents to the commission; and
  • Disclose cybersecurity risks and incidents to clients and investors.

Continue Reading

Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action

Photo of Gerard StegmaierPhoto of Sarah BrunoPhoto of Mark QuistPhoto of Stuart CobbBy Gerard Stegmaier, Sarah Bruno, Mark Quist, Hubert Zanczak and Stuart Cobb on Posted in Privacy & Data Protection

Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures, and (iii) mandate specific retention criteria, as described below.

Continue Reading

So you have got BCRs? You may still need to use the new EU SCCs

Photo of Christian LeuthnerPhoto of Asélle IbraimovaBy Christian Leuthner and Asélle Ibraimova on Posted in Global Data Transfers

The arrival of the new EU Standard Contractual Clauses (“EU SCCs”) for international transfers in June 2021 was widely awaited to better understand the new requirements to assess the third-country laws for government access to data prior to using the SCCs following the Court of Justice of the European Union’s (“CJEU”) decision on Schrems II. As a value add, the EU SCCs were updated to reflect the GDPR requirements and also enabled organisations to cover a wider range of data flows than their previous versions due to the addition of ‘processor-to-processor’ and ‘processor-to-controller’ scenarios. Binding Corporate Rules (“BCRs”), another transfer tool available under the EU General Data Protection Regulation (“GDPR”), have not yet been updated to reflect the same flexibility in reflecting the diversity of data flows and presently appear to be limited in use in comparison. It is expected that the European Data Protection Board (“EDPB”) will publish updated BCR requirements in 2022.

Continue Reading

Chinese data security laws increasingly create roadblocks for litigants seeking discovery in U.S. courts

Photo of Gerard StegmaierPhoto of Michael J. LowellPhoto of Mark QuistPhoto of Cindy ShenPhoto of Eric ManskiPhoto of Stuart CobbBy Gerard Stegmaier, Michael J. Lowell, Mark Quist, Cindy Shen, Eric Manski and Stuart Cobb on Posted in In the Courts, Privacy & Data Protection

Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China.

Both the DSL and the PIPL require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority, or otherwise face significant penalties such as fines in the millions of dollars.

Litigants in the U.S. should be aware that the DSL and PIPL may impose significant costs and delays in the discovery process, and may be used to avoid turning over certain materials.

Continue Reading

Cookie fines in France in January 2022: is it the beginning of a “Cookie Gate”?

Photo of Daniel KadarPhoto of Laetitia GaillardPhoto of Sarah O'BrienBy Daniel Kadar, Laetitia Gaillard and Sarah O'Brien on Posted in Privacy & Data Protection

In January 2022, several decisions by the French data protection regulator (“CNIL”) were published regarding the implementation of French cookie requirements, sending out a strong signal to website operators targeting French users. On 6 January 2022, the CNIL issued fines totalling 150 million euros and 60 million euros, to Google and Facebook respectively, for violations of the cookie laws in France. Both fines related to the method by which, and the lack of ease in which, users can reject the use of cookies, specifically on the following websites: google.fr, youtube.com and facebook.com. Some might see this as a controversial move by the CNIL, given that the method for opposing cookies has not strictly been written into law.

Then, on 28 January 2022, the French Supreme Administrative Court (French Council of State or “Conseil d’Etat”) upheld a 100 million euro fine imposed by the CNIL on Google on March 2020, also on the topic of cookie rules. The Council of State confirmed the fine, highlighting the fact that seven cookies were automatically dropped on the users’ terminal, four of which were used for advertising purposes, whereas users were not directly and explicitly informed of either the purposes of these cookies, or how to opt-out of the use of cookies.

Continue Reading

ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET

Photo of Cynthia O’DonoghuePhoto of Angelika BialowasBy Cynthia O’Donoghue and Angelika Bialowas on Posted in Privacy & Data Protection

On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).

Continue Reading

Germany’s Federal Constitutional Court provides guidance for assessing claims against hate speech on social media

Photo of Dr. Alexander HardinghausPhoto of Dr. Philipp SüssPhoto of Sebastian BitterBy Dr. Alexander Hardinghaus, Dr. Philipp Süss and Sebastian Bitter on Posted in In the Courts, Social, Mobile, Analytics & Cloud (SMAC)

In a recent decision of December 19, 2021, case no. 1 BvR 1073/20 (published with an official press release dated February 2, 2022), the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG) set aside several judgments of the Berlin civil courts. The Berlin civil courts had denied the plaintiff, who alleges she was exposed to hate speech on a social network, the right to demand from the operator of the social network access to customer data, i.e., the full names of the users who had posted the content that the plaintiff considered to be hate speech. In the view of the BVerfG, the Berlin courts had failed to properly balance the parties’ interests and thereby had violated the plaintiff’s fundamental rights.

Continue Reading

LexBlog