Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)

The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released, in English and German versions.


Cybersecurity 2.0: the UK follows suit with the EU in launching cybersecurity law reform

Following the recent adoption of a new draft EU cybersecurity directive, the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation.

A recap of the current UK cybersecurity law: NIS Regulations

One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the EU Network and Information Security (NIS) Directive of 2016 prior to Brexit.

Under the NIS Regulations, businesses that provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSPs) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident that has a significant impact on the continuity of the services they provide.


What does the ICO tell us about using data for research purposes?

The UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’), has released draft guidance on the research provisions within the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018 (‘DPA’). The guidance is out for public consultation until 22 April 2022.


SEC proposes cybersecurity rules for registered funds and investment advisers

The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:

  • Maintain and implement cybersecurity policies and procedures;
  • Adopt new recordkeeping standards;
  • Report significant cybersecurity incidents to the Commission; and
  • Disclose cybersecurity risks and incidents to clients and investors.


Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action

Maryland and California look to join the list of states that not only regulate biometric data but also allow consumers to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures; and (iii) mandate specific retention criteria.


So you have got BCRs? You may still need to use the new EU SCCs

The arrival of the new EU Standard Contractual Clauses (“EU SCCs”) for international transfers in June 2021 was widely awaited, as they were expected to clarify the new requirement, following the Court of Justice of the European Union’s (“CJEU”) decision in Schrems II, to assess third-country laws on government access to data before relying on the SCCs. In addition, the EU SCCs were updated to reflect the requirements of the GDPR, and they cover a wider range of data flows than their previous versions thanks to the addition of ‘processor-to-processor’ and ‘processor-to-controller’ scenarios. Binding Corporate Rules (“BCRs”), another transfer tool available under the EU General Data Protection Regulation (“GDPR”), have not yet been updated to offer the same flexibility for the diversity of data flows, and presently appear more limited in use by comparison. The European Data Protection Board (“EDPB”) is expected to publish updated BCR requirements in 2022.


Chinese data security laws increasingly create roadblocks for litigants seeking discovery in U.S. courts

Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China.

Both the DSL and the PIPL require data processors to obtain approval from the competent Chinese authorities before transferring any data stored in China to a foreign court or law enforcement authority; those that fail to do so face significant penalties, including fines that can reach millions of dollars.

Litigants in the U.S. should be aware that the DSL and PIPL may impose significant costs and delays in the discovery process, and may be used to avoid turning over certain materials.


Cookie fines in France in January 2022: is it the beginning of a “Cookie Gate”?

In January 2022, several decisions by the French data protection regulator (“CNIL”) were published regarding the implementation of French cookie requirements, sending a strong signal to website operators targeting French users. On 6 January 2022, the CNIL issued fines of 150 million euros and 60 million euros to Google and Facebook respectively, for violations of the cookie rules in France. Both fines related to the mechanism for rejecting cookies, and to how difficult it was for users to do so, specifically on the following websites: google.fr, youtube.com and facebook.com. Some might see this as a controversial move by the CNIL, given that the method for opposing cookies has not strictly been written into law.

Then, on 28 January 2022, the French Supreme Administrative Court (the French Council of State, or “Conseil d’État”) upheld a 100 million euro fine imposed by the CNIL on Google in December 2020, also on the topic of cookie rules. The Council of State confirmed the fine, highlighting the fact that seven cookies were automatically placed on users’ devices, four of which were used for advertising purposes, while users were not directly and explicitly informed of either the purposes of these cookies or how to opt out of their use.


ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PETs

On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies (PETs).


Germany’s Federal Constitutional Court provides guidance for assessing claims against hate speech on social media

In a decision of December 19, 2021, case no. 1 BvR 1073/20 (published with an official press release dated February 2, 2022), the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG) set aside several judgments of the Berlin civil courts. The Berlin civil courts had denied the plaintiff, who alleges she was exposed to hate speech on a social network, the right to demand from the operator of the social network access to customer data, i.e., the full names of the users who had posted the content that the plaintiff considered to be hate speech. In the view of the BVerfG, the Berlin courts had failed to properly balance the parties’ interests and had thereby violated the plaintiff’s fundamental rights.

