Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions. By Ian Felstead and Calum Docherty The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data … Continue Reading
Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR. By Frances Stocks Allen and Mihail Krepchev The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds … Continue Reading
Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime. By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set … Continue Reading
China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences. By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection … Continue Reading
Recent action by the Hamburg authority may present implications for companies regulated by a lead data protection supervisory authority in Europe. By Fiona Maclean, Tim Wybitul, Joachim Grittmann, Wolf Böhm, Isabelle Brams, and Amy Smyth A German supervisory authority has initiated an investigation into Google’s speech recognition practices and language assistant technologies, which are integrated … Continue Reading
Following in the footsteps of the CNIL and the ICO, the Berlin DPA will impose a multimillion-euro fine for breach of the GDPR. By Tim Wybitul, Joachim Grittmann, Ulrich Wuermeling, Wolf-Tassilo Böhm, and Isabelle Brams The Berlin Data Protection Authority (Berlin DPA) recently announced that it will issue a multimillion-euro fine for breach of the … Continue Reading
UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit. By Gail E. Crawford, Fiona Maclean, and Amy Smyth Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and … Continue Reading
The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt. By Myria Saarinen and Camille Dorval On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance … Continue Reading
The proposals would grant consumers increasing rights to require providers to share access to their data directly with chosen third parties. By Alain Traill and Gail Crawford The UK government has released a consultation advocating the introduction of sweeping new requirements for service providers to share both consumer data (upon request) and data regarding their own … Continue Reading
The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance. By Fiona M. Maclean, Laura Holden, and Grace E. Erskine The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the … Continue Reading
The ICO issued notices of intent to fine British Airways and Marriott. What happened? By Gail Crawford, Fiona Maclean, Hayley Pizzey, and Calum Docherty On 8 July 2019, the UK Information Commissioner’s Office (ICO) announced a notice of intent to fine British Airways £183.39 million (about US$230 million) for violating the General Data Protection Regulation … Continue Reading
The closure of four cases involving targeted advertising provides lessons for navigating compliance standards under the GDPR. By Myria Saarinen and Elise Auvray Four French advertising technology companies that received a warning in 2018 from the French Data Protection Authority (CNIL) have all implemented the regulator’s required changes. The recent closure of the cases highlights … Continue Reading
European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data. By Gail E. Crawford, Frances Stocks Allen, and Mihail Krepchev In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and … Continue Reading
Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices. By Fiona M. Maclean and Jane Bentham Since our blog on “What a “No Deal” Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event … Continue Reading
The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance. By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. … Continue Reading
The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”. By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden What Do DIFC-Registered Entities Need to Know? In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing … Continue Reading
The European Commission adopted its adequacy decision for Japan on 23 January 2019, opening the doors for personal data to flow freely between the two major global economies. By Fiona M. Maclean and Laura Holden The Adequacy Decision Following two years of dialogue between the European Union (EU) and Japan, the European Commission (EC) adopted … Continue Reading
EU data protection authorities are imposing increased penalties under the GDPR, with more proceedings forecast for 2019. By Tim Wybitul, Prof. Dr. Thomas Grützner, Dr. Wolf-Tassilo Böhm, and Dr. Isabelle Brams The General Data Protection Regulation (GDPR) has been in effect since May 2018. Although the French data protection authority (CNIL) has imposed the highest … Continue Reading
The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”. By Gail E. Crawford, Myria Saarinen, Camille Dorval, and Laura Holden The Complaints Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came … Continue Reading
Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal. By Gail E. Crawford and Jane Bentham “No Deal” Brexit Unless the UK can agree on a deal with the EU that meets the approval of the … Continue Reading
Sponsors outside the European Union conducting clinical trials in the EU should consider current guidelines and the Breyer case to understand whether GDPR requirements will apply to them. By Gail Crawford and Frances Stocks Allen Many sponsors of clinical trials believe that companies based outside the EU who sponsor clinical trials conducted in the EU … Continue Reading
The Guidance provides helpful clarifications for service providers and their customers on both sides of the Atlantic. By Robert Blamires, Fiona M. Maclean, and Danielle van der Merwe Long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR) has been published by the European Data Protection Board (EDPB) for public consultation (Guidance). … Continue Reading
Germany’s first GDPR fine offers lesson for companies planning a data breach policy. By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company … Continue Reading
By Gail Crawford, Ulrich Wuermeling, Calum Docherty The General Data Protection Regulation (GDPR or Regulation) will become applicable in one year, as of May 25, 2018. A lot has happened since we set out the key provisions of the Regulation last year. As companies implement compliance programmes in efforts to protect data subjects and avoid … Continue Reading
