Global Privacy & Security Compliance Law Blog

Tag Archives: GDPR

Irish Data Protection Commission Orders Meta Ireland to Suspend Facebook Data Transfers to the US and Imposes Record GDPR Fine of €1.2 Billion

By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1] The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May … Continue Reading

CJEU Sets High Bar for Responses to Data Subject Access Requests

Organisations must provide individuals with information on the specific recipients of their data upon request. By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to … Continue Reading

CJEU Advocate General Rejects Strict Liability for GDPR Fines

The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR. By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos … Continue Reading

European Data Protection Board Focuses Coordinated Enforcement on Data Protection Officers

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year. By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data … Continue Reading

Saudi Arabia Issues Amended Data Protection Law for Consultation

The amendment proposes business-friendly changes regarding data localization and legitimate interests. By Brian Meenagh and Lucy Tucker On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft … Continue Reading

The European Health Data Space — Panacea or Poison Pill?

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions. By Oliver Mobasser and Gail Crawford On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of … Continue Reading

Advocate General: No Compensation for Mere Upset Caused by GDPR Infringement

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation. By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result … Continue Reading

UK Data Protection Bill: Overview of Proposed Changes (Part 1)

The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions. By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication … Continue Reading

UK Data Protection Bill: Examination of Key Provisions (Part 2)

Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role. By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK … Continue Reading

UK Data Protection Reform: Examining the Road Ahead

UK government sets out ambitious proposal for reforming the UK data protection landscape. By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out … Continue Reading

CJEU AG Sets High Bar for Responses to Data Subject Access Requests

The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data. By Tim Wybitul, James Lloyd, Isabelle Brams, Irina Vasile, and Amy Smyth Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation … Continue Reading

EDPB Emphasizes “Dissuasive” Fines in New Draft Guidelines on GDPR Fine Calculation

The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR. By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of … Continue Reading

CNIL Publishes White Paper on Digital Payments and Data Privacy

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations. By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts … Continue Reading

New Standard Contractual Clauses and Final EDPB Recommendations – Next Steps

Companies have three months to prepare to use the latest standard contractual clauses for new data transfers, and 18 months to migrate existing arrangements. By Gail Crawford, Fiona Maclean, Danielle van der Merwe, and Amy Smyth On 4 June 2021, the European Commission released its much-anticipated final Implementing Decision containing the new standard contractual clauses … Continue Reading

German Court: CJEU Must Clarify Whether GDPR Provides Materiality Threshold

The decision means the CJEU will need to clarify the framework for GDPR damages claims. By Tim Wybitul, Dr. Christoph Baus, and Dr. Isabelle Brams The German Federal Constitutional Court has ruled that the Court of Justice of the European Union (CJEU) needs to clarify if the General Data Protection Regulation (GDPR) provides for a … Continue Reading

Data Protection Brexit Checklist: Businesses Can Rely on Personal Data Transfer Grace Period

As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes. By Gail Crawford, Fiona Maclean, and Amy Smyth The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one … Continue Reading

CNIL Issues Fines Totaling €135 Million in Landmark ePrivacy Directive Cases

The French data protection authority’s decisions cite violations of the cookie rules under the ePrivacy Directive and provide important insights on explicit consent. By Gail Crawford, Myria Saarinen, Tim Wybitul, and Wolf-Tassilo Böhm Between December 2019 and May 2020, the French data protection authority (CNIL) conducted multiple online investigations by visiting google.fr and amazon.fr, before … Continue Reading

Privacy and Payments: New Draft EU Advice for Financial Institutions

As contactless transactions boom, EU regulators publish draft guidelines on the interplay between the GDPR and PSD2. By Fiona M. Maclean, Christian F. McDermott, Calum Docherty, and Amy Smyth Last year, more than half of all payments in the UK were made by card and contactless methods, while cash made up less than a quarter … Continue Reading

How Does the New DIFC Data Protection Law Compare With the GDPR?

Latham lawyers explain who the DIFC’s new law applies to and how it maps against the GDPR. By Brian A. Meenagh, Fiona M. Maclean, Alexander Hendry, and Avinash Balendran The Dubai International Financial Centre (DIFC) recently issued a new data protection law and regulations: the Data Protection Law DIFC Law No. 5 of 2020 and … Continue Reading

France’s Highest Administrative Court Provides Insights on Lawful Cookie Practices

Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application. By Myria Saarinen and Charlotte Guérin France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data … Continue Reading

French State Council Upholds CNIL’s €50M Fine for GDPR Violations

The Council decision contains useful considerations and clarifications on the “one-stop shop” mechanism, transparency obligations, and consent for targeted advertising. By Myria Saarinen and Camille Dorval On 19 June 2020, France’s Highest Administrative Court (Council) handed down its decision on the appeal filed by Google LLC (Google) against the French Data Protection Authority’s (CNIL’s) decision … Continue Reading

EDPB Guidelines – What is the Territorial Reach of the GDPR?

After the recent two-year anniversary of the GDPR, one fundamental question remains — who does the GDPR apply to? By Gail Crawford, Ulrich Wuermeling, and Calum Docherty Last month marked the two-year anniversary of the General Data Protection Regulation (GDPR), but its territorial reach is still hotly debated. This blog post takes a detailed look … Continue Reading

UK Supreme Court Clarifies Position on Vicarious Liability for Data Breaches

Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions. By Ian Felstead and Calum Docherty The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data … Continue Reading

UK MRC Clarifies When Health Data Is Anonymised in Research Context

Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR. By Frances Stocks Allen and Mihail Krepchev The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds … Continue Reading
LexBlog