This post originally appeared on our Global Regulatory Enforcement Law Blog.

In this blog, the authors examine a decision taken four years ago by the German Federal Cartel Office (FCO), which found that a major technology company had behaved abusively because of alleged violations of the General Data Protection Regulation (GDPR). The European Court of Justice (ECJ) has now backed the FCO's approach, confirming that a GDPR breach can form part of an abuse-of-dominance case depending on the specific circumstances (judgment of 4 July 2023, C-252/21).

The FCO's intervention targeted the company's data gathering and processing practices, in particular the claim that users were denied the option to opt out of personalised advertising. Deeming this an exploitative abuse of the company's dominant market position under German competition law, the FCO ordered changes to the company's terms and conditions. The company appealed to the Higher Regional Court of Düsseldorf, which referred questions to the ECJ; the national proceedings remain ongoing. The ECJ's ruling clarified that competition authorities may legitimately take GDPR violations into account when examining abuse of dominance, particularly in the digital economy, where access to personal data significantly affects competition. The ECJ also emphasised that competition authorities must cooperate with the GDPR supervisory authorities to ensure consistent enforcement and the effective application of data protection rules within competition law. The ruling strengthens the FCO's hand in enforcing competition law in the digital landscape and sheds light on the intricate relationship between competition law and data protection in modern dominance cases.

The Information Commissioner's Office (ICO) has published a report on the reprimands it issued in the second quarter of the year, April to June 2023. These reprimands shed light on the areas of data protection in which organisations across the public and private sectors have fallen foul of the UK GDPR, and they are instructive as to how organisations can improve their practices. Our blog focuses on three key lessons drawn from them.

Continue Reading Three lessons from ICO’s quarterly enforcement report

The UK Department for Culture, Media and Sport has published the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Draft Security Regulations). These regulations are made under the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA), which comes into effect on 29 April 2024 and which we discussed in an earlier blog. Part 1 of the PSTIA establishes a regulatory framework that imposes security requirements on manufacturers, importers and distributors of relevant connectable products. The Draft Security Regulations set out the specific security requirements that manufacturers must meet.

Continue Reading Navigating the Path to Compliance: Takeaways from the New Draft Security Regulations for Connected Devices

Background

The European Commission (EC) issued the long-awaited adequacy decision for the new EU-U.S. Data Privacy Framework (Framework) on July 10, 2023. The Court of Justice of the European Union (CJEU) had previously invalidated the U.S.-EU Safe Harbor in 2015 and the U.S.-EU Privacy Shield in 2020, following challenges by Austrian privacy activist Max Schrems (the decisions known as Schrems I and Schrems II, respectively). After those decisions, President Biden signed Executive Order 14086 on "Enhancing Safeguards for United States Signals Intelligence Activities", which introduced new binding safeguards. Our previous client alert discussed how the draft adequacy decision, including its treatment of this Executive Order, addressed the concerns raised in Schrems II.

Continue Reading Third Time’s a Charm: European Commission adopts EU-U.S. Data Privacy Framework

On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of its first module of the Model Contractual Clauses (“MCCs”) for cross-border data transfers based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.

Continue Reading Convention 108+: The Council of Europe Releases Model Contractual Clauses for Global Data Transfers

On 7 June 2023, the European Union Agency for Cybersecurity (ENISA) released its report "Multilayer Framework for Good Cybersecurity Practices for AI" (the "Framework") in response to the evolving landscape of artificial intelligence (AI) and its associated cybersecurity challenges. The publication aims to establish a robust framework that promotes cybersecurity practices throughout the entire AI lifecycle, from conception to decommissioning. This blog summarises the main features of the Framework.

Continue Reading ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems

On 19 June 2023, the Information Commissioner's Office (ICO) released new Guidance on Privacy-Enhancing Technologies (PETs) for Data Protection Compliance. The guidance is designed to assist data protection officers (DPOs) and others responsible for managing large-scale personal data sets across diverse sectors, including finance, healthcare and research.

Continue Reading Guidance on Privacy-Enhancing Technologies for Data Protection Compliance: Key Considerations for Organizations

On 8 June 2023, the UK Secretary of State for Science, Innovation and Technology and the US Commerce Secretary jointly announced their intention to establish a UK-US data bridge.

The proposed data bridge would build on the EU-US Data Privacy Framework (DPF) as a "UK Extension", allowing free transfers of personal data from the UK to US organisations certified under the EU-US DPF. It is contingent on the UK's assessment of US data protection laws and practices, and on the US designating the UK as a qualifying state.

Safeguarding Data: Transfer Mechanisms in the UK-US Context

Currently, businesses wanting to transfer personal data from the UK must navigate several layers of legal and regulatory requirements. Following Brexit, the UK retained the GDPR in domestic law (the UK GDPR) but added its own data transfer mechanisms. Transfers of personal data from the UK to a third country must comply with the safeguards set out in Article 46 of the UK GDPR. Among other options, this can be achieved by incorporating the International Data Transfer Agreement (the UK's version of the Standard Contractual Clauses) into a commercial agreement or signing it as a standalone agreement. Where organisations are already signing the EU Standard Contractual Clauses (SCCs) and the UK is one of the territories from which personal data is transferred, the UK Addendum to the EU SCCs can be used instead for efficiency.

Binding Corporate Rules (BCRs) are another mechanism by which multinational organisations can transfer personal data within their corporate group globally. Post-Brexit, BCRs must be approved by the Information Commissioner's Office (ICO) to cover transfers from UK entities, unless the ICO acted as lead authority for BCRs approved before Brexit.

Organisations also need to complete a Transfer Risk Assessment (TRA) for transfers from the UK (and the equivalent transfer impact assessment for transfers from the EU), which evaluates the laws of the third country, in particular the extent to which they permit government access to personal data.

The proposed UK-US data bridge aims to simplify data transfers from the UK to those US organisations that sign up to the EU-US DPF.

Whilst the large volume of transatlantic data flows makes a UK-US data bridge urgent, it is still at a very early stage, and clarity is needed on the scope, criteria and requirements for participating organisations.

What’s next?

The EU-US DPF remains under scrutiny by the European Parliament. The UK-US data bridge depends on the outcome of the EU-US DPF negotiations, which are expected to conclude in summer 2023. Both the UK and the US aim to finalise the data bridge in 2023.

The UK's new Product Security and Telecommunications Infrastructure Act 2022 will take effect on 29 April 2024. It will require manufacturers to implement minimum security standards on all consumer products with internet or network connectivity, such as smartphones, smart meters, CCTV cameras, smart speakers, games consoles, smart doorbells, medical devices and wearables, before those products can be made available for purchase.

Continue Reading From Smartphones to Alarm Systems: UK Mandates Minimum Security for Connected Devices

The EDPB 101 Task Force has published a report summarising its assessment of international data transfers arising from the use of tracking and analytics cookies (Tracking Cookies). The 101 Task Force comprises representatives of the EU supervisory authorities (SAs) and was created in 2020 in response to the 101 complaints filed by noyb, a data privacy activism group, regarding data transfers connected with the use of Tracking Cookies.

Continue Reading Cookies and international data transfers: Key takeaways from the EDPB 101 Task Force report