As a result of the COVID-19 pandemic, many more organisations have moved their business operations online. From a cybersecurity and privacy perspective, this gives hackers and criminals greater opportunities to try to infiltrate the increased number of devices and even to deploy ransomware attacks. In a ransomware attack, malware is installed to block access to the user’s data by locking the computer or encrypting the data until the demanded ransom is paid. In some cases, the attackers also threaten to disclose the stolen data if the ransom is not paid.

Ransomware attacks are on the rise: at its 2021 conference, the ICO reported an increase from 13 ransomware incidents per month to 42. In the U.S., the recent Kaseya ransomware attack affected nearly 200 companies, while the recent pipeline attack disrupted fuel supplies to the East Coast for several days, leading to fuel shortages.

According to a global survey conducted by Sophos, the average total cost of recovery from a ransomware attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. These remediation costs include business downtime, lost orders and operational costs. The average ransom paid is $170,404, yet only 8 per cent of organisations managed to recover all of their data after paying a ransom.

In 2020 and so far in 2021, the manufacturing, government, education, services and healthcare industries have been particularly hard hit by ransomware attacks. However, no industry is immune: ransomware attacks have occurred across all industries, including utilities, technology, logistics, transportation, finance and retail.

Continue Reading Ransomware is on the rise – what to do if you are faced with a cyber attack

On 14th May 2021, the Irish High Court (High Court) dismissed a legal challenge brought against the Irish Data Protection Commission (DPC) concerning its inquiry and a preliminary draft decision to suspend the EU-U.S. data transfers of personal data of an applicant organisation.

Background

These proceedings follow on from the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020, which upheld the use of Standard Contractual Clauses (SCCs) for data transfers to third countries. The decision clarified the obligation of controllers and processors to evaluate their ability to comply with the SCCs in the light of the local laws applicable to them before relying on the SCCs, and to take supplementary measures to eliminate any risk of non-compliance.

The DPC initiated its ‘own-volition’ inquiry into the applicant organisation’s EU-U.S. data transfers and adopted the preliminary draft decision (PDD), suspending personal data flows to the US due to the lack of an adequate level of protection for personal data transferred to the US and the applicant organisation’s failure to implement supplementary measures. The DPC allocated a period of 21 days to the applicant organisation to make submissions to the DPC on the measures it plans to take to make data transfers possible. The applicant organisation filed judicial review proceedings on a number of grounds. The court rejected the submission by the DPC that the PDD and its procedures were not amenable to judicial review and reviewed each of the grounds that were raised.

Continue Reading DPC’s authority to inquire into the EU-U.S. data transfers confirmed by the Irish High Court

Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable protections on the processing and cross-border transfer of their data, it is not an automatic shield from the demands of U.S. state or federal laws that require the preservation, collection, and potential disclosure of any documentation relevant to a matter – regardless of where it originates or to whom it relates.

The process of U.S. discovery that requires the transfer of potential evidence originating or stored in the EU to the U.S. will often trigger obligations under the GDPR where it involves the processing and cross-border transfer of personal data. While previous cases have shown U.S. courts to be reluctant to allow foreign laws to be a barrier to U.S. discovery, two recent cases have provided insight on the U.S. courts’ approach when dealing with the GDPR in this context.

Continue Reading GDPR vs. U.S. discovery: The conflict continues

On 5 July 2018, the European Parliament demanded in a resolution that the European Commission suspend its EU-U.S. Privacy Shield unless the U.S. administration introduces adequate data protection safeguards by 1 September 2018. The Privacy Shield agreement is aimed at facilitating transfers of EU personal data to the United States. The non-binding resolution was passed by 303 votes to 223, with 29 abstentions, and calls on the European Commission to suspend the data-sharing deal unless the United States is fully compliant by 1 September.

Issue

The European Parliament admonishes the United States for failing to ensure effective ‘adequate protection’ of the transfer of EU personal data to the United States.

The European Parliament criticises the U.S. administration for being slow to meet the requirements set forth by the General Data Protection Regulation (GDPR), which specifies that special data-sharing arrangements with countries outside the EU can only remain in place if those countries have independent authorities that properly oversee how Europeans’ data is handled once it moves abroad. The United States has failed to appoint members to the U.S. Privacy and Civil Liberties Oversight Board (PCLOB), or to appoint a permanent Ombudsman to chair the PCLOB.

Continue Reading European Parliament calls for suspension of EU to U.S. data transfers under the Privacy Shield

The EU-U.S. data protection Umbrella Agreement consists of a framework of principles and safeguards for trans-Atlantic transfers of personal data (such as criminal records, names and addresses) in relation to the prevention, detection, investigation and prosecution of criminal offences, including terrorism. The agreement seeks to satisfy two core objectives: first, to ensure a high level of data protection, and second, to promote greater cooperation between EU and U.S. law enforcement. On 29 April, the European Commission published a proposal on signing the Agreement on behalf of the EU.

Continue Reading European Commission Publishes Proposal for Signing the EU-U.S. Umbrella Agreement

On 13 April, the Article 29 Data Protection Working Party (‘WP29’) published its opinion on whether the proposed Privacy Shield programme, which is intended to replace the now-invalid Safe Harbor pact for facilitating trans-Atlantic data flows, achieved an adequate level of protection. The WP29 acknowledged that many of the shortcomings of Safe Harbor have been addressed; however, they stated that “some key principles as outlined in European law are not reflected [in the Privacy Shield],” and went on to identify “strong concerns” and make a number of suggested improvements. The WP29’s opinion is not binding and it does not halt the process in the EU of formally approving the Privacy Shield, although, at the very least, the opinion will be grist to the mill for the Privacy Shield’s detractors.

Concerns identified: In its press release, WP29 calls on the European Commission to resolve its concerns to “ensure that the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU”. Specific concerns raised were: (1) lack of obligation on Privacy Shield organisations to delete data if no longer necessary (i.e., lack of detail on data retention); (2) the U.S. administration does not exclude the possibility of continued massive and indiscriminate collection of data; and (3) the Ombudsman role may lack sufficient powers to function effectively as an additional redress mechanism.

In addition, the WP29 suggested that restraints on onward transfers by Privacy Shield organisations should be strengthened and clarified, particularly in relation to scope, purpose limitation and transfers to agents.

Continue Reading Privacy Shield does not achieve adequacy of protection under current regime, say EU Data Protection Authorities

This post was also written by Nick Tyler and Regis Stafford.

The American Bar Association (ABA) this week passed an important resolution urging all courts in the U.S. to:

“consider and respect…the data protection and privacy laws of any…foreign sovereign, and the interests of any person who is subject to, or benefits from such laws,