Global Privacy & Security Compliance Law Blog

CJEU Invalidates EU-US Privacy Shield

Posted in Legislative & Regulatory Developments, Privacy

A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses.

By Gail E. Crawford, Fiona M. Maclean, Michael H. RubinUlrich Wuermeling, Calum Docherty, and Amy Smyth

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, one of the key mechanisms for lawfully transferring personal data from the European Union to the United States. At the same time, the CJEU ruled that the standard contractual clauses (Model Clauses) remain valid but can only be used under strict conditions.

This post provides an initial analysis of the judgment and proposes some immediate next steps for businesses to ensure compliant data transfers from the EU. Continue Reading

French State Council Upholds CNIL’s €50M Fine for GDPR Violations

Posted in GDPR

The Council decision contains useful considerations and clarifications on the “one-stop shop” mechanism, transparency obligations, and consent for targeted advertising.

By Myria Saarinen and Camille Dorval

On 19 June 2020, France’s Highest Administrative Court (Council) handed down its decision on the appeal filed by Google LLC (Google) against the French Data Protection Authority’s (CNIL’s) decision of 21 January 2019, which imposed a fine of €50M to Google for failure to comply with the obligations of transparency and to lawfully process personal data on the basis of a valid consent, with respect to the operating system for Android mobile terminals. Continue Reading

EDPB Guidelines – What is the Territorial Reach of the GDPR?

Posted in GDPR

After the recent two-year anniversary of the GDPR, one fundamental question remains — who does the GDPR apply to?

By Gail Crawford, Ulrich Wuermeling, and Calum Docherty

Last month marked the two-year anniversary of the General Data Protection Regulation (GDPR), but its territorial reach is still hotly debated. This blog post takes a detailed look at the final guidelines on the territorial scope of the GDPR, which the European Data Protection Board (the EDPB) published on 12 November 2019 following public consultation of its draft guidelines dated 23 November 2018 (the Guidelines).

The Guidelines contain several helpful clarifications around when the GDPR applies to controllers and processors of personal data. At the same time, however, the Guidelines still present latent ambiguity as to when and to what extent the GDPR applies, particularly for multinationals.

Continue Reading

UK Supreme Court Clarifies Position on Vicarious Liability for Data Breaches

Posted in Privacy

Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions.

By Ian Felstead and Calum Docherty

The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data of 98,998 co-workers. The UKSC unanimously overturned a 2018 Court of Appeal judgment, and allowed Morrisons’ appeal against vicarious liability claims relating to breach of statutory duty under the Data Protection Act 1998 (DPA 1998), misuse of private information, and breach of confidence.

In its judgment, the UKSC found that Morrisons was not vicariously liable for the data breaches committed by its rogue employee, because the rogue employee’s “wrongful conduct was not so closely connected with acts which he was authorised to do”,  but held that the DPA 1998 does not exclude the imposition of vicarious liability. It is uncertain whether the same interpretation applies under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Continue Reading

Hong Kong Privacy Regulator Responds to Personal Data Privacy Issues Arising From COVID-19

Posted in Legislative & Regulatory Developments, Privacy

Hong Kong regulator declares that the disclosure of personal data of potential COVID-19 carriers is permissible under law.

By Kieran Donovan

COVID-19 is having a profound impact not only on the way the world interacts socially, but also in the way it interacts in business. Businesses are choosing to protect the health and well-being of their employees by vetting the travel histories and health status of visitors, as well as tracking potential COVID-19 carriers using social media.

Hong Kong’s data protection regulator, the Office of Privacy Commissioner for Personal Data (PCPD) has recently published guidance considering the implications of these activities, as described below.

Continue Reading

UK MRC Clarifies When Health Data Is Anonymised in Research Context

Posted in GDPR, Privacy

Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR.

By Frances Stocks Allen and Mihail Krepchev

The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds research organisations that the General Data Protection Regulation (GDPR) applies to health data used in research and contains a number of recommendations that participants in the research process, particularly clinical trial sponsors, should bear in mind. The Guidance has been developed with the participation of the UK privacy regulator, the Information Commissioner’s Office (ICO). Continue Reading

California AG Releases Modified CCPA Regulations

Posted in Legislative & Regulatory Developments, Privacy

While still in draft form, the modifications both clarify certain obligations and introduce new uncertainty for businesses covered by the CCPA.

By Jennifer C. Archie, Michael H. Rubin, Robert Blamires, Marissa R. Boynton, and Scott C. Jones

Earlier this month, the California Attorney General released modified draft regulations further clarifying, and in some cases complicating, compliance with the California Consumer Privacy Act. Key developments include narrowing the definition of “personal information,” changing the use limitations on “service providers,” and other amendments affecting how businesses must respond to data rights requests. The regulations must be final by July 1, which means the California AG may still publish another round of modifications after the public comment period closes on February 25. For more information on all key modifications, see our recent Client Alert.

UK Government Releases Details of New ‘Online Harms’ Regime for Online Platforms

Posted in Legislative & Regulatory Developments, Privacy

Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime.

By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell

Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set out preliminary details of a new regulatory regime to govern content posted on online platforms. The details were released in an initial response to last year’s online harms white paper, with a full response expected this spring. While some changes have been made to the white paper proposals, seemingly in response to concerns raised by industry and other stakeholders, the government has confirmed that it will introduce an active “duty of care” on organisations to prevent certain content from appearing on their platforms.

The proposed new regime mirrors similar steps taken in other jurisdictions, e.g., Australia, to protect against harmful content online. It is also in-line with the direction of travel of platform regulation at a European level, taking into account, for example, changes to the AVMS Directive (EU) 2018/1808 (AVMSD) to regulate video-sharing platform services (VSPs) in relation to protection of minors and harmful content, and the planned EU Digital Services Act, which is likely to introduce changes to EU law regarding the liability of platform providers for content posted using their services. Continue Reading

The Pervasive Threat of Business Email Compromise Fraud — and How to Prevent It

Posted in Privacy, Security

Eliminating the risk of business email compromise (BEC) attacks requires all parties to a financial transaction to pay close attention to email security, financial controls, and communication protocols.

By Jennifer C. Archie, Serrin Turner, and Tim Wybitul

Key Points:

  • The FBI has identified BEC fraud as the No. 1 financial threat to businesses in the US.
  • The FBI’s Internet Crime Complaint Center (IC3) estimates that global “exposed dollar losses” to BEC fraud has exceeded US$26 billion in the past three years.[i] In 2019 alone, the IC3 recorded 23,775 complaints about BEC, which resulted in losses worth some US$1.7 billion.
  • All parties to financial transactions must be aware of this fraud risk. Each should put in place not only appropriate security controls for email, but also financial controls for bank account and wiring-instruction verification.

What Is Business Email Compromise?

Business email compromise is a type of Internet-based fraud that typically targets employees with access to company finances — using methods such as social engineering and computer intrusions. The objective of the fraud is to trick the employee into making a wire transfer to a bank account thought to belong to a trusted partner, but that in fact is actually controlled by the fraudster. Continue Reading

Data Protection Impacts for UK Businesses Under the UK Withdrawal Agreement

Posted in GDPR, Privacy

“Business as usual” for UK-EU data protection transition in 2020.  

By Gail E. Crawford and Susan Mann

On 29 January 2020, the EU Parliament approved the UK Withdrawal Agreement after the UK Parliament’s ratification via the EU Withdrawal Act 2020 on 23 January 2020 (Withdrawal Agreement). The Withdrawal Agreement maintains the UK pre-Brexit position and clarifies that the GDPR continues to apply in the UK during the transition period (between 1 February 2020 and 31 December 2020, or any extension agreed by UK and EU), allowing both sides to negotiate the future data protection relationship. The ICO confirmed that the GDPR will continue to apply, and that during the transition it will be “business as usual”.

The provisions of the UK GDPR will be incorporated directly into UK law from the end of the transition period, and will sit alongside the current UK Data Protection Act 2018. At the end of the transition period, there will be the current EU GDPR as well as a UK GDPR. The Withdrawal Agreement includes technical amendments to the current GDPR, so that it will work in a UK-only context. Continue Reading

LexBlog