The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in
Ffion Flockhart (UK)
Interim proprietary injunction granted over bitcoin cyber extortion payment
An interim proprietary injunction has been granted by the English High Court over a bitcoin ransom payment paid to a third-party wallet.…
Bank of England cyber resilience exercise
BoE publish high-level findings of the financial sector (“sector”) cyber simulation exercise.
Cyber law firm of the year nomination
We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards.…
UK Supreme Court grant Morrisons permission to appeal vicarious liability finding
The Supreme Court has granted Morrisons permission to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.…
Lloyd v Google – putting the brakes on English data breach litigation?
A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in…
Norton Rose Fulbright – cyber law firm of the year nomination
We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of…
One week into GDPR – what you need to know
Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR
The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid much anticipation. Although the date itself was seen as a watershed moment, what comes after will reveal the full impact of the law. Even for those businesses that have declared their GDPR compliance efforts complete, the work of maintaining and updating their privacy and data protection framework will need to continue well after 25 May. We have also yet to see how 28 EU member states and the Court of Justice of the European Union will interpret the law.
In the days leading up to 25 May, millions of inboxes were filled with updated privacy notices and requests for marketing consent, and pop-up notices for cookies were added to websites across the globe, as many businesses contemplated if and how the new law applies to them. Just in the first week, we are seeing glimpses of what lies ahead. Certain American news publications decided to shut themselves off to European users on their websites, a first series of complaints was filed against US tech giants and their subsidiaries, and the European Commission, in an embarrassing turn of events, was found to have had a data leak on one of its websites, Europa.eu. Just five days after the law went into effect, Wilbur Ross, the US Commerce Secretary, published an opinion piece in the Financial Times that warns: “EU data privacy laws are likely to create barriers to trade.”
We take a look at the initial reactions and events that occurred in the first week following the implementation of the GDPR, provide some insight into the GDPR’s impact on the digital economy and trade and provide, as we always do, some practical tips for how to manage privacy and cybersecurity risks in this ‘new era’.
Vicarious liability in UK data breach-related litigation – is Morrisons a game-changer?
The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.
Damages for Emotional Distress for Privacy Claims to Stay in the UK
On June 30, 2016, Google withdrew its appeal from the UK Supreme Court in the landmark case of Google v. Vidal-Hall after the parties reached a settlement. In the ruling on appeal, the Court of Appeal had ruled that damages for emotional distress, without any pecuniary loss, may be awarded under the Data Protection Act 1998 (the “Act”). With the appeal withdrawn, this ruling will remain valid. Therefore, companies that operate in the UK may wish to consider this ruling when conducting risk analyses and responding to litigation.