Introduction On 15 May, the ICO published the monetary penalty notice (MPN) in relation to the £12.7 million fine it imposed on TikTok in April. This MPN and its accompanying annexes set out details of TikTok’s non-compliance with data protection law and the reasons why the ICO considered that a fine was appropriate. Whilst a … Continue reading
Introduction: On 22 May, the Irish Data Protection Commissioner (the DPC) published its decision against Meta Platform Ireland Ltd (Meta Ireland) in relation to Facebook’s transfer of user’s personal data to the US (the Decision). In it, the DPC ordered Meta Ireland to suspend Facebook’s future transfers of personal data to the U.S. within five … Continue reading
On 11 May 2023, members of the European Parliament passed their compromise text of the AI Act (the AI Act) at the committee stage, taking this law a step closer to being finalised. The compromise text (the Parliament Draft), which amends the Commission’s original proposal, includes quite a large number of amendments, some of which … Continue reading
In December 2022, OpenAI released ChatGPT, a powerful AI-powered chatbot that could handle users’ questions and requests for information or content in a convincing and confident manner. The number of users signing up to use the tool increased very rapidly, with users using the tool to write letters, edit text, generate lists, prepare presentations and … Continue reading
At last, UK Government publishes its White Paper on AI – “A pro-innovation approach to AI regulation” – an opportune start, but as expected, a framework with detail to follow… The Department for Science, Innovation and Technology, has finally published its AI regulation white paper (the ‘White Paper’). Here are the key elements: What AI … Continue reading
EDPB Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation on international data transfers On 14 February 2023, the European Data Protection Board (EDPB) published its Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation … Continue reading
Introduction On 5 December 2022, the Information Commissioner’s office (ICO) published its new guidance on direct marketing (the Direct Marketing Guidance). The Direct Marketing Guidance is accompanied by various resources, including checklists, FAQs, an online training module, specific guidance relating to SMEs, B2B marketing, data brokers, political campaigning and direct marketing in the public sector. … Continue reading
On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). The draft decision – available here – addresses the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020. These concerns centred around … Continue reading
On 17 November 2022, the Information Commissioner’s Office (ICO) published an update to its guidance on international transfers (Transfers Guidance). This included specific guidance about transfer risk assessments or TRAs and a tool for undertaking TRAs (the TRA Guidance and TRA Tool, respectively). In its blog post accompanying the updated Transfers Guidance, the ICO makes … Continue reading
As reported in our previous blogpost, on 7 October 2022, the US White House published an Executive Order on enhancing safeguards for United States signals intelligence activities (EO). In this blogpost, we set out the key points to note, including the background to the EO, what it does and does not do and what organisations … Continue reading
On 7 October 2022, the US White House published the Executive Order on enhancing safeguards for United States signals intelligence activities. This action is the first part of the US legal apparatus required for the EU Commission to find certain transfers to the US to be adequate. It is also likely in due course to … Continue reading
On 2 February 2022, the Belgian Data Protection Authority (the BDPA) fined IAB Europe for various infringements in relation to the IAB Transparency and Consent Framework. This decision could have a huge impact on the majority of players in the online adtech ecosystem who rely on the framework. Background The Interactive Advertising Bureau Europe’s (IAB) … Continue reading
The UK government has finally published the UK’s own standard form international data transfer agreement (UK IDTA) for transferring personal data outside the UK to countries not deemed to have adequate data protection regimes. It has also published a standard form international data transfer addendum to the revised EU SCCs (EU SCC UK Conversion Addendum) … Continue reading
On 10 September 2021, the UK Government published its consultation paper on proposals to reform the UK’s data protection regime. The deadline for responding to the consultation is 19 November 2021. In August, the Government announced that it intended to “seize the opportunity” afforded by the UK’s exit from the European Union to makes some … Continue reading
On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention of “seizing the opportunity” by “developing a world leading data policy that will deliver a … Continue reading
As part of its global strategy to ensure compliance with its new cookies mandatory guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors in the digital economy and some public bodies) for not enabling users to accept or … Continue reading
On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement. This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog … Continue reading
Introduction Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply. noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with … Continue reading
On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help … Continue reading
The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs). The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA. They will also be a lawful mechanism for UK companies to use too. The new SCCs were … Continue reading
Yesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion). The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021. The … Continue reading
It has been some months since we wrote about the ePrivacy Regulation and some years since the first draft was proposed. Since then, we have seen numerous delays in achieving an agreed form of legislation, caused in part by strong views on how privacy and confidentiality shape the development of electronic communications services and passionate … Continue reading
On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. A feedback period on the draft documents will run until 10 December. Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of … Continue reading
On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading