Regulatory

Subscribe to Regulatory

The EDPB 101 Task Force published a report summarizing its assessment on international data transfers in connection with the use of tracking and analytics cookies (Tracking Cookie). The report is available here. The 101 Task Force comprises of representatives of the supervisory authorities in the EU (SA) and was created back in 2020, in response to the 101 complaints filed by NYOB, a data privacy activism group, regarding data transfers in connection with the use of Tracking Cookies.

Continue Reading Cookies and international data transfers: Key takeaways from the EDPB 101 Task Force report

On 13 April 2023, the EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) passed a resolution to stop the debate over the draft adequacy decision stating that the new EU-US Data Privacy Framework (DPF) and the Executive Order on Enhancing Safeguards for US Signals Intelligence Activities issued by the US President do not provide sufficient privacy safeguards. The DPF was originally predicted to pass in early 2023 but putting a resolution to Parliament’s vote suggests looming delays.

Continue Reading EU-US data transfers: LIBE Committee to stop debate over adequacy decision due to concerns over insufficient privacy safeguards

In the latest of a recent string of judicial rebukes, the Supreme Court’s unanimous decision in Axon Enterprise, Inc. v. FTC  offers the targets of Federal Trade Commission (“FTC”) and other agencies’ administrative proceedings a path to quicker judicial relief.  Historically, courts have been reluctant to permit immediate challenges to investigations and adjudications without forcing the targets to wait for the resolution of all agency proceedings.  While aptly referred to as the doctrine of “exhaustion,” the result, as Justice Gorsuch observed, is that “agencies sometimes use this as leverage to extract settlement terms they could not lawfully obtain any other way.”  The Court’s decision in Axon not only deprives the FTC of a potential source of leverage, but it also increases the likelihood that companies faced with investigations may turn to the courts for relief at an earlier stage.  The decision comes at a time when the FTC’s powers and attempts to exercise those powers have been called into question by the bar, members of Congress, and by courts.

Continue Reading Unanimous Supreme Court limits FTC and other agencies’ investigative power

On 4 April 2023, the Personal Information Protection Commission of Japan (PPC) and European Commissioner for Justice issued a joint Press Statement on the conclusion of the first review of the Japan-EU Mutual Adequacy Decision. Both sides reiterated the importance of cooperation in the data protection regulation sphere that is becoming increasingly complex to navigate.

Continue Reading EU may expand the scope of the adequacy decision for Japan following its first review

On 13 March 2023, the Information Commissioner’s Office (‘ICO’) published new guidance, ‘Privacy in the product design lifecycle’, to help technology professionals, such as UX designers, product managers and software engineers, keep data protection considerations at the forefront of their products and services. The guidance describes how to tackle privacy issues arising at each stage of the design and development process, as summarised below.

Continue Reading Takeaways from ICO’s “Privacy in the product design lifecycle” guidance

The Critical Entities Resilience Directive (‘CER’) entered into force on 16 January 2023, replacing the 2008 European Critical Infrastructure Directive. The new rules are aiming to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The CER Directive introduces new obligations on entities providing

On 8 March 2023, the UK government presented a new version of the UK Data Protection and Digital Information Bill No.2. As with the previous bill, the new bill aims to alleviate the burden of compliance with the UK GDPR and its implementing UK Data Protection Act (2018) for organisations in the UK.

Continue Reading UK Data Protection Bill No.2 – What is changed?

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (‘LIBE Committee’) and the European Data Protection Board (‘EDPB’) have recently issued opinions on the European Commission’s draft US adequacy decision (‘Draft Adequacy Decision‘) for the EU-US Data Privacy Framework (‘Framework‘). Both believe there is more

The European Union’s Second Network and Information Systems Directive (“NIS2”) entered into force on 16 January 2023, and replaces the NIS 1 Directive.  NIS2 aims to “improve the resilience and incident response capacities of both the public and private sector and the EU as a whole”. In addition to the EU’s NIS2 update, the UK has also recently expanded its Network and Information Systems Regulations, and further details can be found in our blog here.  The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for remedies and sanctions to ensure enforcement.

Continue Reading NIS2 toughens up EU’s cyber security obligations