Storing credit card details for future purchases – EDPB recommends online retailers do so only with consent

On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions, available here.

Scope of the recommendations

The recommendations specifically address online providers of goods and services who store credit card data to facilitate future purchases once an individual has provided their credit card data to conclude a transaction online.

The recommendations do not apply to payment institutions operating in online stores or public authorities. They also do not apply where credit card data is stored for a different purpose, for example to comply with a legal obligation or to establish a recurring payment.

Why are these recommendations needed?

As the digital economy and e-commerce continue to develop, the risks of using credit card data online also continue to increase. In addition to ever-present payment fraud risks, there is also an increased risk of credit card data security breaches where the credit card data is stored. Controllers must therefore act to reduce the risk of unlawful processing of this data.


City A.M. interviews Howard Womersley Smith on London’s start-up Fintech scene

City A.M. has interviewed Howard Womersley Smith, an expert Fintech and Data lawyer and partner in Reed Smith’s Technology & Data London team, on London’s current startup FinTech scene.

Sitting down with Womersley Smith, City A.M. reflected on a range of London Fintechs urging the Financial Conduct Authority (FCA) to break banks’ dominance over the use of consumer data. Womersley Smith sided with the Fintechs and has long been saying that the start-up scene needs exactly that to properly thrive in 2021. Fintechs have argued that the end of banks’ dominance would increase competition in the savings, credit, mortgages and pensions markets. Womersley Smith, however, believes that we are some way off true portable banking. He also noted that there is another factor in play, that of trust: banking with a household name provides an element of comfort for consumers which is difficult for challengers to compete with.

Three years on from the implementation of the EU GDPR – Reed Smith tools and solutions to help with compliance

The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It became one of the leading pieces of legislation in the world to offer the highest levels of protection to the personal data of individuals. Many countries followed suit to raise the bar in how organisations handle personal data. The trend continues with China and India next in line to adopt legislation with similar levels of protection which may result in half of the global population enjoying rights similar to what the GDPR offers. The GDPR has definitely had a domino effect.

Organisations continue to take steps towards compliance, as this is an iterative exercise. We also continue to develop new ways of supporting our clients and have built tools and solutions to help clients be efficient in their GDPR compliance efforts:

  • GDPR toolkit. A toolkit of accountability documents to help organisations meet their GDPR requirements.
  • Datarologie. An innovative service providing a one-stop shop for privacy compliance needs combining technology solutions and consultancy services. The comprehensive offering includes data subject rights management; a tracking tool for personal data breach preparation and response, auditing and benchmarking; outsourced Data Protection Officer services; GDPR representative services in the UK and the EU, as well as the provision of legal advice.
  • Data Transfer Impact Assessment tool. This tool allows organizations to automate and create (1) a risk assessment for data transfers to third countries, whether controller to controller or controller to processor, and (2) automated drafting of a data processing agreement and standard contractual clauses (SCCs). It will become an all-in-one tool for dealing with data transfers and cutting down on contract review time. The tool should be ready in time for the publication of the final EU SCCs by the European Commission, and it will be updated with the new SCCs once they are issued, which is expected to happen in a number of weeks.
  • GDPR Assessment. An assessment methodology to check GDPR compliance, including compliance with the accountability principle.

Please do not hesitate to contact our team for further information or to discuss your data protection needs. Happy GDPR Anniversary!

European Commission urged to produce clear guidelines on data transfers with the U.S.

In its Schrems II decision (which we reported on here), the Court of Justice of the European Union (CJEU) found that the Privacy Shield framework, which had been used to facilitate data transfers from the EU to the US, did not adequately protect the personal data of EU users. The use of standard contractual clauses (SCCs) for such transfers of personal data to a third country was validated by the ruling, provided that the recipient country’s level of data protection is verified by the EU-based entity prior to the data transfer.

Why are these guidelines needed?

In a draft report adopted on Tuesday 19 May 2021, the Civil Liberties Committee urged the European Commission to assess the impact of this decision on data transfers with the US. The Civil Liberties Committee suggests, and is probably aware, that businesses may struggle to assess the data protection regimes of third countries themselves. The MEPs have therefore called for clear guidelines so that companies can make GDPR-compliant data transfers, acknowledging that certainty and stability are key for businesses.

The report recommends collaboration between the European Commission and the European Data Protection Board (EDPB) to ensure the guidelines are fit for purpose given recent CJEU rulings.

Potential enforcement proceedings against Ireland

MEPs have also called on the European Commission to begin infringement procedures against Ireland for failing to effectively enforce the GDPR. The decision of the Irish Data Protection Commission (DPC) to initiate the Schrems court case instead of triggering enforcement procedures under the GDPR, along with the DPC’s long processing times, were both described as disappointing by the Civil Liberties Committee.

The draft resolution will be debated in a future plenary session and put to the vote by the full House. While collaboration between the EC and EDPB to issue clear guidelines for businesses sounds appealing, we can only hope that the guidelines are pragmatic as well.

DPC’s authority to inquire into the EU-U.S. data transfers confirmed by the Irish High Court

On 14 May 2021, the Irish High Court (High Court) dismissed a legal challenge brought against the Irish Data Protection Commission (DPC) concerning its inquiry into, and a preliminary draft decision to suspend, the EU-U.S. transfers of personal data by an applicant organisation.

These proceedings follow on from the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020, which upheld the use of Standard Contractual Clauses (SCCs) for data transfers to third countries. The decision clarified the obligation of controllers and processors to evaluate their ability to comply with the SCCs in the light of the local laws applicable to them before relying on the SCCs, and to take supplementary measures to eliminate any risk of non-compliance.

The DPC initiated its ‘own-volition’ inquiry into the applicant organisation’s EU-U.S. data transfers and adopted the preliminary draft decision (PDD), suspending personal data flows to the US due to the lack of an adequate level of protection for personal data transferred to the US and the applicant organisation’s failure to implement supplementary measures. The DPC gave the applicant organisation 21 days to make submissions to the DPC on the measures it plans to take to make the data transfers possible. The applicant organisation filed judicial review proceedings on a number of grounds. The court rejected the DPC’s submission that the PDD and its procedures were not amenable to judicial review, and reviewed each of the grounds that were raised.

Get the latest updates on our Tech Law Talks podcast

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends. We cover product and technology development to operational and compliance issues that technology practitioners encounter every day.

On this channel, we host regular discussions about the legal and business issues around data protection, privacy and security; data risk management; technology transactions; intellectual property; social media; and other types of information technology.

Banks navigate changing computer incident notification rules

Proposed cybersecurity rules from the OCC, FDIC and FRB affect banking organizations and bank service providers. In this panel discussion, three lawyers from Reed Smith’s Tech & Data practice – partner Anthony Diana, counsel Catherine Castaldo and associate Trevor Satnick – discuss specific impacts and describe what business leaders have to do to prepare. (7 mins)

EU: Navigating marketing communications in Europe

Leading Tech & Data lawyers Andy Splittgerber and Christian Leuthner discuss marketing consent in Europe in relation to data protection and spamming laws. Andy and Christian will guide you through the various issues involved and what you need to know. (13 mins)

EU: Cookies, tracking technologies and data protection

Join two of our Munich-based data protection team, Ramona Kimmich and Andy Splittgerber, as they outline the legal situation on the use of cookies in Germany and the EU. They discuss the current status of the EU ePrivacy Regulation and of Germany’s cookie law (TTDSG) and provide insight into the changes organizations operating websites in the EU need to make in 2021, if they want to use tracking technologies in compliance with data protection rules. (20 mins)

Technology transaction trends 2021

Sarah Bruno and LiLing Poh discuss recent trends as organizations invest more in technology through the acquisition of new platforms or programs, and through partnerships with vendors, to bring products to market. (20 mins)

EU: GDPR and Fines – First experiences and defence strategies

Join members of our tech and data team, Andy Splittgerber and Christian Leuthner, as they discuss the first fines levied under the EU’s data protection law three years after the EU General Data Protection Regulation went live. They take a look at recent developments and describe situations where it may be worth challenging the data privacy enforcers. Andy and Christian give valuable tips on what to do if the data protection authorities knock on your door. (7 mins)

Executive Order for cybersecurity creates new requirements for government contractors

In response to a number of recent high-profile cyber attacks aimed at federal agencies, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (EO) on May 12, 2021. The EO creates a new Cyber Safety Review Board to review major cyber incidents and requires information and communications technology (ICT) service providers entering into contracts with the government to report data breaches. Agencies are mandated to provide their recommendations to the FAR Council within 60 days of the order, after which the FAR Council will make its proposed changes to the Federal Acquisition Regulations (FAR) within another 90 days. Contractors should act swiftly to review and provide comments on the proposed changes as they are published, and to ensure that any concerns about complying with the new requirements are presented to those tasked with implementing this EO.

Our recent client alert summarizes the new Executive Order and provides recommendations for entities that will be impacted by these sweeping new requirements.

Recent report signals NIST may publish IoT cybersecurity standards

Although regulators seem to think all too often that cybersecurity is an afterthought for internet-connected device manufacturers, the National Institute of Standards and Technology (NIST) recognizes that as the Internet of Things (IoT) grows, so do cybersecurity risks. In March 2021, NIST published several key takeaways from a recent workshop that provide helpful guidance for IoT manufacturers so that they can be more proactive in securing IoT devices.


Processing personal data in the context of connected vehicles

Earlier this year, following its public consultation, the European Data Protection Board (EDPB) approved its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (here).

Why are these guidelines needed?

In the guidelines, the EDPB notes that “vehicles are becoming massive data hubs” and “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers”. Interestingly, the EDPB is also of the opinion that “[e]ven if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car.” To illustrate this latter point, the EDPB lists the following types of data that would fall within this category: speed, distance travelled, engine coolant temperature, engine RPM and tyre pressure. This is a broad interpretation of what constitutes ‘personal data’ under the General Data Protection Regulation (GDPR).

Some of the risks of processing personal data in the context of connected vehicles include:

  1. Not adequately informing all data subjects that their personal data is being processed. More often, it is only the driver or owner who is provided with the required transparency information;
  2. Ensuring that a data subject’s consent qualifies as valid consent under the GDPR – consent needs to be considered in the context of personal data processing under the GDPR and in relation to the ePrivacy Regulations as it is likely that information will be stored or accessed in terminal equipment;
  3. Legitimately handling any additional processing of personal data not contemplated by the initial collection e.g. for the purposes of law enforcement;
  4. Collecting excessive amounts of personal data due to the vehicle manufacturer’s desire to use such data to develop new functionality; and
  5. The increased security risks due to the number of different types of technology used in connected vehicles (e.g. wi-fi, USB, RFID).


NICE AI: A health data opportunity

The UK National Institute for Health and Care Excellence (NICE), along with the Care Quality Commission (CQC), Health Research Authority (HRA) and Medicines and Healthcare products Regulatory Agency (MHRA) have partnered to promote the use of artificial intelligence (AI) in health and care. The agencies are calling this initiative the “Multi-Agency Advisory Service for AI and data-driven technology”.

The project will be funded by the NHS AI Lab, and NICE, CQC, HRA and MHRA will work together with the aim of improving care quality for all by ensuring that the use of AI and other data-driven innovations meets high standards in safety, effectiveness and data governance. The Multi-Agency Advisory Service for AI will also address the standards that individuals must meet to gain access in health and care, by providing direction on regulation, evaluation and adoption.

The project will seek to make pathways easier to follow and set clearer expectations related to the challenges faced when developing, commissioning or adopting AI technologies. The Multi-Agency Advisory Service for AI will work together to research, develop and test a service, and will seek support and input from stakeholders and future service users.

The project expects to provide the service in two key areas:

  • Developers of AI and data-driven technologies for use in health and social care; and
  • Adopters of AI and data-driven technologies,

each of whom may benefit from assistance with regulatory issues and who are looking to gain the knowledge needed to efficiently adopt and deploy the best AI and data-driven technologies related to health and care.

The best part is that the agencies are looking for organisations to get involved. It’s possible to register to take part in user research or testing.