Janine Regan (UK)

Subscribe to all posts by Janine Regan (UK)

New guidance on direct marketing

By Ali Fazeli-Nia, Lara White (UK) and Janine Regan (UK) on January 10, 2023 Posted in Data Protection, Privacy law

Introduction On 5 December 2022, the Information Commissioner’s office (ICO) published its new guidance on direct marketing (the Direct Marketing Guidance). The Direct Marketing Guidance is accompanied by various resources, including checklists, FAQs, an online training module, specific guidance relating to SMEs, B2B marketing, data brokers, political campaigning and direct marketing in the public sector. … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK) and Janine Regan (UK) on December 13, 2022 Posted in Data Protection, Privacy law

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). The draft decision – available here – addresses the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020. These concerns centred around … Continue reading

The proposed EU Cyber Resilience Act: what it is and how it may impact the supply chain

By Janine Regan (UK) and Polina Maloshchinskaia on October 17, 2022 Posted in Cybersecurity

On 15 September 2022, the European Commission published its proposal for a new Regulation which sets out cybersecurity related requirements for products with “digital elements”, known as the proposed Cyber Resilience Act (the CRA). The CRA introduces common cybersecurity rules for manufacturers, developers and distributors of products with digital elements, covering both hardware and software. … Continue reading

EU – UK data transfers can continue: UK receives much welcome adequacy decision

By Marcus Evans (UK) and Janine Regan (UK) on June 28, 2021 Posted in Data Transfer, Regulatory response

The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision). This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures. For the time-being, however, the Decision does not concern personal … Continue reading

A deeper dive into the new Standard Contractual Clauses

By Janine Regan (UK), Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on June 7, 2021 Posted in Data Transfer, Regulatory response

On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help … Continue reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on June 4, 2021 Posted in Data Transfer, Regulatory response

The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs). The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA. They will also be a lawful mechanism for UK companies to use too. The new SCCs were … Continue reading

EDPB cautiously welcomes UK adequacy finding

By Lara White (UK) and Janine Regan (UK) on April 16, 2021 Posted in General, Regulatory response

Yesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion). The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021. The … Continue reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on November 13, 2020 Posted in Data Transfer, Regulatory response

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. A feedback period on the draft documents will run until 10 December. Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of … Continue reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

By Marcus Evans (UK) and Janine Regan (UK) on October 15, 2020 Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data. These decisions are relevant in two key areas: Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” … Continue reading

ICO provides guidance on calculating monetary penalties

By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on October 7, 2020 Posted in Enforcement, Regulatory response

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading

Schrems II: recent developments – waiting is harder

By Marcus Evans (UK) and Janine Regan (UK) on September 9, 2020 Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”. There have been several major developments over the last couple of weeks (explained below) which show this to be an … Continue reading

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

By Lara White (UK) and Janine Regan (UK) on August 27, 2020 Posted in General

On 11 August 2020, the Court of Appeal (CA) handed down its judgement in the case of R (on the application of Edward BRIDGES) v The Chief Constable of South Wales Police. The court found that the use of automated facial recognition technology (AFT) by South Wales Police (SWP) was unlawful and did not comply … Continue reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

By Lara White (UK) and Janine Regan (UK) on August 13, 2020 Posted in Compliance and risk management, Data Transfer, Enforcement, General

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield. This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? … Continue reading

Schrems II landmark ruling: our recommendations

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK), Janine Regan (UK), David Kessler (US), Susan Ross (US) and Christoph Ritzer (DE) on July 27, 2020 Posted in Cybersecurity, Data Transfer, Vendor management and transactions

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses … Continue reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on July 16, 2020 Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the … Continue reading

Schrems II judgement due in July – what this might mean for your outsourcing deal

By Marcus Evans (UK), Lara White (UK) and Janine Regan (UK) on June 17, 2020 Posted in Compliance and risk management

Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020. This judgement concerns the legality of the European … Continue reading

Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon

By Janine Regan (UK), Christoph Ritzer (DE), Nadège Martin (FR) and Marcus Evans (UK) on April 16, 2020 Posted in Compliance and risk management

Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”). It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”). The cookie sweep requested information from the data controllers … Continue reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on April 1, 2020 Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation

In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.… Continue reading

The Privacy Officers’ New Year’s Resolutions

By Marcus Evans (UK) and Janine Regan (UK) on January 6, 2020 Posted in CCPA, Compliance and risk management

1. Brace yourself (for export turbulence) 2020 could well be a year of data export turmoil – so brace yourself. The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the … Continue reading

Record Retention is a Key Component of Your Privacy and Cyber Compliance Program

By Marcus Evans (UK), Janine Regan (UK), Christoph Ritzer (DE), Andrea D'Ambra (US) and David Kessler (US) on December 23, 2019 Posted in Compliance and risk management, Cybersecurity

This blogpost summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.… Continue reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

By Marcus Evans (UK), Christoph Ritzer (DE), Janine Regan (UK) and David Kessler (US) on December 20, 2019 Posted in Compliance and risk management, Enforcement, General

What has happened? Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country … Continue reading