Janine Regan (UK)

Subscribe to all posts by Janine Regan (UK)

EU – UK data transfers can continue: UK receives much welcome adequacy decision

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Data Transfer, Regulatory response
The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision).  This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures. For the time-being, however, the Decision does not concern personal … Continue reading

A deeper dive into the new Standard Contractual Clauses

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Janine Regan (UK), Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on Posted in Data Transfer, Regulatory response
On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs).  Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help … Continue reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data Transfer, Regulatory response
The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs).  The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA.  They will also be a lawful mechanism for UK companies to use too. The new SCCs were … Continue reading

EDPB cautiously welcomes UK adequacy finding

Photo of Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in General, Regulatory response
Yesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion).  The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021. The … Continue reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data Transfer, Regulatory response
On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision.  A feedback period on the draft documents will run until 10 December.  Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of … Continue reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Data breach, Data Transfer, Regulatory response
On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data. These decisions are relevant in two key areas: Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” … Continue reading

ICO provides guidance on calculating monetary penalties

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Steven Hadwin (UK)Photo of Ally Corbridge (UK)By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on Posted in Enforcement, Regulatory response
On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading

Schrems II: recent developments – waiting is harder

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response
In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an … Continue reading

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

Photo of Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in General
On 11 August 2020, the Court of Appeal (CA) handed down its judgement in the case of R (on the application of Edward BRIDGES) v The Chief Constable of South Wales Police.  The court found that the use of automated facial recognition technology (AFT) by South Wales Police (SWP) was unlawful and did not comply … Continue reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

Photo of Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, General
On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield. This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? … Continue reading

Schrems II landmark ruling: our recommendations

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Shiv Daddar (UK)Photo of David Kessler (US)Photo of Susan Ross (US)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK), Janine Regan (UK), David Kessler (US), Susan Ross (US) and Christoph Ritzer (DE) on Posted in Cybersecurity, Data Transfer, Vendor management and transactions
On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case).  While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses … Continue reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data breach, Enforcement, General, Regulatory response
The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the … Continue reading

Schrems II judgement due in July – what this might mean for your outsourcing deal

Photo of Marcus Evans (UK)Photo of Lara White (UK)By Marcus Evans (UK), Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management
Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020.  This judgement concerns the legality of the European … Continue reading

Selling and utilising personal data in an insolvency situation

Photo of Marcus Evans (UK)Photo of Rebecca Oliver (UK)By Marcus Evans (UK), Janine Regan (UK), Rebecca Oliver (UK) and Alice Routh (UK) on Posted in Compliance and risk management
Many businesses are suffering serious financial difficulties as a result of COVID-19, particularly those in the retail, hospitality and tourism sectors.  For many of these businesses the one asset that will undoubtedly retain value, despite the pandemic, will be their customer database.  This valuable commodity could help attract potential purchasers. But this is a tricky … Continue reading

Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon

Photo of Christoph Ritzer (DE)Photo of Nadège Martin (FR)Photo of Marcus Evans (UK)By Janine Regan (UK), Christoph Ritzer (DE), Nadège Martin (FR) and Marcus Evans (UK) on Posted in Compliance and risk management
Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”).  It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”).  The cookie sweep requested information from the data controllers … Continue reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

Photo of Steven Hadwin (UK)Photo of Marcus Evans (UK)Photo of Amanda Sanders (UK)By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation
In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.… Continue reading

The Privacy Officers’ New Year’s Resolutions

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in CCPA, Compliance and risk management
1. Brace yourself (for export turbulence) 2020 could well be a year of data export turmoil – so brace yourself. The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the … Continue reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)Photo of David Kessler (US)By Marcus Evans (UK), Christoph Ritzer (DE), Janine Regan (UK) and David Kessler (US) on Posted in Compliance and risk management, Enforcement, General
What has happened? Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country … Continue reading
LexBlog