Lara White (UK)

Subscribe to all posts by Lara White (UK)

Belgian DPA fines IAB Europe over its consent framework’s GDPR violations

On 2 February 2022, the Belgian Data Protection Authority (the BDPA) fined IAB Europe for various infringements in relation to the IAB Transparency and Consent Framework. This decision could have a huge impact on the majority of players in the online adtech ecosystem who rely on the framework. Background The Interactive Advertising Bureau Europe’s (IAB) … Continue reading

UK finally publishes revised standard form international data transfer agreements and conversion addendum for the use of revised EU SCCs

The UK government has finally published the UK’s own standard form international data transfer agreement (UK IDTA) for transferring personal data outside the UK to countries not deemed to have adequate data protection regimes. It has also published a standard form international data transfer addendum to the revised EU SCCs (EU SCC UK Conversion Addendum) … Continue reading

UK Government sets out proposals to shake up UK data protection laws

On 10 September 2021, the UK Government published its consultation paper on proposals to reform the UK’s data protection regime.  The deadline for responding to the consultation is 19 November 2021. In August, the Government announced that it intended to “seize the opportunity” afforded by the UK’s exit from the European Union to makes some … Continue reading

The UK Government unveils its post-Brexit plans to shake up data protection laws

On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention of “seizing the opportunity” by “developing a world leading data policy that will deliver a … Continue reading

It must be as easy to reject cookies as it is to accept them: 40 additional organizations on the radar of the CNIL

As part of its global strategy to ensure compliance with its new cookies mandatory guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors in the digital economy and some public bodies) for not enabling users to accept or … Continue reading

The EDPB publishes its finalised version of the Recommendations on supplementary measures

On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement. This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog … Continue reading

A deeper dive into the new Standard Contractual Clauses

On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs).  Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help … Continue reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs).  The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA.  They will also be a lawful mechanism for UK companies to use too. The new SCCs were … Continue reading

EDPB cautiously welcomes UK adequacy finding

Yesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion).  The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021. The … Continue reading

Tentative further steps towards an agreed ePrivacy Regulation

It has been some months since we wrote about the ePrivacy Regulation and some years since the first draft was proposed.  Since then, we have seen numerous delays in achieving an agreed form of legislation, caused in part by strong views on how privacy and confidentiality shape the development of electronic communications services and passionate … Continue reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision.  A feedback period on the draft documents will run until 10 December.  Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of … Continue reading

ICO provides guidance on calculating monetary penalties

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

On 11 August 2020, the Court of Appeal (CA) handed down its judgement in the case of R (on the application of Edward BRIDGES) v The Chief Constable of South Wales Police.  The court found that the use of automated facial recognition technology (AFT) by South Wales Police (SWP) was unlawful and did not comply … Continue reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield. This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? … Continue reading

Schrems II landmark ruling: our recommendations

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case).  While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses … Continue reading

Schrems II judgement due in July – what this might mean for your outsourcing deal

Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020.  This judgement concerns the legality of the European … Continue reading

No surprises in the recent Planet49 European Court of Justice judgment

On 1 October 2019, the European Court of Justice (ECJ) delivered its judgement on Case C – 673/17 (the “Planet49” case), which relates to the consent and transparency requirements for the use of cookies and similar technologies. The ECJ largely followed the March 2019 Opinion of Advocate General Szpunar and the judgment is generally consistent … Continue reading

Website operators joint controllers with third-party plugin providers

On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors … Continue reading

ICO blog post on AI and solely automated decision-making

The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no … Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading
LexBlog