On 8 January 2025, the European General Court (the Court) ruled on the lawfulness of transferring personal data to countries outside the European Union (EU), in particular the United States (case T‑354/22). The judgment (Judgment) caused a stir among both businesses and data protection experts. This blog post gives you an overview of the most
Clearview AI Inc., successfully appeals £7.5 million fine from the ICO but the ICO is fighting back!
On 17 October 2023, the First-Tier Tribunal of the General Regulatory Chamber – Information Rights (the Tribunal) handed down its decision in Clearview AI Inc v The Information Commissioner [2023] UKFTT 819, overturning the £7.5 million fine levied on Clearview AI Inc. (Clearview) by the ICO last year.Continue Reading Clearview AI Inc., successfully appeals £7.5 million fine from the ICO but the ICO is fighting back!
UK-US data bridge: Advancing Data Flows and Privacy
On 8 June 2023, the UK Secretary of State for Science, Innovation, and Technology, and US Commerce Secretary jointly announced the intention to establish a UK-US data bridge.
The proposed data bridge between the UK and the US would build upon the EU-US Data Privacy Framework (DPF) as the UK Extension allowing free transfers of
A “light touch” approach to AI regulation in the UK
Amidst growing public attention on artificial intelligence (AI), the UK government recently published its white paper detailing its “pro-innovation” approach to AI. Other developments, showing the UK’s continued focus on this area, are also outlined below.Continue Reading A “light touch” approach to AI regulation in the UK
CJEU rules on DPO conflicts of interest under the GDPR
The Court of Justice of the European Union (“CJEU”) issued a judgment on the 9th of February 2023 (docket no. C-453/21), which addresses the question of the dismissal of a Data Protection Officer (“DPO”) and the interpretation of Article 38 of the EU GDPR.Continue Reading CJEU rules on DPO conflicts of interest under the GDPR
UK expands scope of NIS Regulations
The UK Network and Information Systems (NIS) Regulations 2018 will be strengthened in an effort to protect essential and digital services. On 30th November 2022, the UK government published its response to the public consultation on proposals to improve the UK’s cyber resilience. As the UK is no longer bound by EU legislation, it will not be implementing the NIS 2 Directive, recently adopted by European Parliament and Council. However, the frequency and scale of cyber incidents and consequent increased risk of severe damage has prompted change to UK cyber laws as well. Continue Reading UK expands scope of NIS Regulations
UK government announces its proposals for regulating AI
On 18 July 2022, the United Kingdom (UK) government set out its new proposals for regulating the use of artificial intelligence (AI) technologies while promoting innovation, boosting public trust, and protecting data. The proposals reflect a less centralised and more risk-based approach than in the EU’s draft AI Act.
The proposals coincide with the introduction to Parliament of the Data Protection and Digital Information Bill, which includes measures to use AI responsibly while reducing compliance burdens on businesses to boost the economy. Continue Reading UK government announces its proposals for regulating AI
CJEU rules on interpretation of EU GDPR special categories of data
Background
On 1 August 2022, the Court of Justice of the European Union (“CJEU”) issued a decision (“Decision”) clarifying how the indirect disclosure of sexual orientation data is protected as special category data under Article 9 of the EU General Data Protection Regulation (“GDPR”). “Special Category Data” is defined within Article 9(1) of the GDPR and includes (for example) a data subject’s racial or ethnic origin or data concerning a natural person’s sex life or sexual orientation. The processing of such sensitive personal data is expressly prohibited, unless the processing is exempted from the prohibition in the sense of Article 9(2) GDPR.Continue Reading CJEU rules on interpretation of EU GDPR special categories of data
Department for Digital, Culture, Media and Sport launches consultation on app security
On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.Continue Reading Department for Digital, Culture, Media and Sport launches consultation on app security
New guidelines on personal data breach notifications
Following a consultation in January 2021, the European Data Protection Board (EDPB) has published its finalised guidelines on examples of personal data breaches and whether they are notifiable. These guidelines supplement previous guidance on personal data breach notification: the Opinion on Personal Data Breach Notification (Opinion 03/2014) and the general Guidelines on Personal Data Breach Notification under the GDPR (WP 250), both issued by the EDPB’s predecessor, the Article 29 Working Party.
The new guidelines offer welcome clarification on when notifications are required given that some data protection authorities and commentators have acknowledged over-reporting.
In this article we recap on the key takeaways from the finalised guidelines, focussing on key changes made since the January 2021 consultation, and exploring the challenges of managing data breach notifications in multiple jurisdictions.Continue Reading New guidelines on personal data breach notifications