Privacy and Data Protection

Subscribe to Privacy and Data Protection

The Information Commissioner’s Office (ICO) has published a report on reprimands issued in the second quarter of the year, from April to June 2023. The recent reprimands by ICO shed light on areas of data protection where organizations across the public and private sectors have fallen foul of the UK GDPR and are instructive as to how organisations can improve their practices. Our blog focuses on three key lessons gleaned from these reprimands.

Continue Reading Three lessons from ICO’s quarterly enforcement report

Background

The European Commission (EC) issued the long-awaited adequacy decision for the new EU-U.S. Data Privacy Framework (Framework) on July 10, 2023. The Court of Justice of the European Union (CJEU) had previously invalidated both the U.S.-EU Safe Harbor in 2015, and the U.S.-EU Privacy Shield in 2020 after challenges by Austrian privacy activist Max Schrems (CJEU decisions known as Schrems I and Schrems II, respectively). Following those decisions President Biden signed Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities”, which introduced new binding safeguards. Our previous client alert discussed how the draft adequacy decision, including in relation to this this Executive Order, addressed concerns raised in Schrems II.

Continue Reading Third Time’s a Charm: European Commission adopts EU-U.S. Data Privacy Framework

The EDPB 101 Task Force published a report summarizing its assessment on international data transfers in connection with the use of tracking and analytics cookies (Tracking Cookie). The report is available here. The 101 Task Force comprises of representatives of the supervisory authorities in the EU (SA) and was created back in 2020, in response to the 101 complaints filed by NYOB, a data privacy activism group, regarding data transfers in connection with the use of Tracking Cookies.

Continue Reading Cookies and international data transfers: Key takeaways from the EDPB 101 Task Force report

On 13 April 2023, the EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) passed a resolution to stop the debate over the draft adequacy decision stating that the new EU-US Data Privacy Framework (DPF) and the Executive Order on Enhancing Safeguards for US Signals Intelligence Activities issued by the US President do not provide sufficient privacy safeguards. The DPF was originally predicted to pass in early 2023 but putting a resolution to Parliament’s vote suggests looming delays.

Continue Reading EU-US data transfers: LIBE Committee to stop debate over adequacy decision due to concerns over insufficient privacy safeguards

In the latest of a recent string of judicial rebukes, the Supreme Court’s unanimous decision in Axon Enterprise, Inc. v. FTC  offers the targets of Federal Trade Commission (“FTC”) and other agencies’ administrative proceedings a path to quicker judicial relief.  Historically, courts have been reluctant to permit immediate challenges to investigations and adjudications without forcing the targets to wait for the resolution of all agency proceedings.  While aptly referred to as the doctrine of “exhaustion,” the result, as Justice Gorsuch observed, is that “agencies sometimes use this as leverage to extract settlement terms they could not lawfully obtain any other way.”  The Court’s decision in Axon not only deprives the FTC of a potential source of leverage, but it also increases the likelihood that companies faced with investigations may turn to the courts for relief at an earlier stage.  The decision comes at a time when the FTC’s powers and attempts to exercise those powers have been called into question by the bar, members of Congress, and by courts.

Continue Reading Unanimous Supreme Court limits FTC and other agencies’ investigative power

On 4 April 2023, the Personal Information Protection Commission of Japan (PPC) and European Commissioner for Justice issued a joint Press Statement on the conclusion of the first review of the Japan-EU Mutual Adequacy Decision. Both sides reiterated the importance of cooperation in the data protection regulation sphere that is becoming increasingly complex to navigate.

Continue Reading EU may expand the scope of the adequacy decision for Japan following its first review

On 13 March 2023, the Information Commissioner’s Office (‘ICO’) published new guidance, ‘Privacy in the product design lifecycle’, to help technology professionals, such as UX designers, product managers and software engineers, keep data protection considerations at the forefront of their products and services. The guidance describes how to tackle privacy issues arising at each stage of the design and development process, as summarised below.

Continue Reading Takeaways from ICO’s “Privacy in the product design lifecycle” guidance

The Critical Entities Resilience Directive (‘CER’) entered into force on 16 January 2023, replacing the 2008 European Critical Infrastructure Directive. The new rules are aiming to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The CER Directive introduces new obligations on entities providing

On 8 March 2023, the UK government presented a new version of the UK Data Protection and Digital Information Bill No.2. As with the previous bill, the new bill aims to alleviate the burden of compliance with the UK GDPR and its implementing UK Data Protection Act (2018) for organisations in the UK.

Continue Reading UK Data Protection Bill No.2 – What is changed?

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (‘LIBE Committee’) and the European Data Protection Board (‘EDPB’) have recently issued opinions on the European Commission’s draft US adequacy decision (‘Draft Adequacy Decision‘) for the EU-US Data Privacy Framework (‘Framework‘). Both believe there is more