Lara White (UK)

Subscribe to all posts by Lara White (UK)

Tentative further steps towards an agreed ePrivacy Regulation

Photo of Lara White (UK)Photo of Fiona Bundy-Clarke (UK)By Lara White (UK) and Fiona Bundy-Clarke (UK) on Posted in Regulatory response
It has been some months since we wrote about the ePrivacy Regulation and some years since the first draft was proposed.  Since then, we have seen numerous delays in achieving an agreed form of legislation, caused in part by strong views on how privacy and confidentiality shape the development of electronic communications services and passionate … Continue reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data Transfer, Regulatory response
On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision.  A feedback period on the draft documents will run until 10 December.  Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of … Continue reading

ICO provides guidance on calculating monetary penalties

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Steven Hadwin (UK)Photo of Ally Corbridge (UK)By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on Posted in Enforcement, Regulatory response
On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

Photo of Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in General
On 11 August 2020, the Court of Appeal (CA) handed down its judgement in the case of R (on the application of Edward BRIDGES) v The Chief Constable of South Wales Police.  The court found that the use of automated facial recognition technology (AFT) by South Wales Police (SWP) was unlawful and did not comply … Continue reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

Photo of Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, General
On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield. This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? … Continue reading

Schrems II landmark ruling: our recommendations

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Shiv Daddar (UK)Photo of David Kessler (US)Photo of Susan Ross (US)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK), Janine Regan (UK), David Kessler (US), Susan Ross (US) and Christoph Ritzer (DE) on Posted in Cybersecurity, Data Transfer, Vendor management and transactions
On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case).  While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses … Continue reading

Schrems II judgement due in July – what this might mean for your outsourcing deal

Photo of Marcus Evans (UK)Photo of Lara White (UK)By Marcus Evans (UK), Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management
Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020.  This judgement concerns the legality of the European … Continue reading

No surprises in the recent Planet49 European Court of Justice judgment

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)Photo of Lara White (UK)By Christoph Ritzer (DE), Natalia Filkina (DE) and Lara White (UK) on Posted in Dispute resolution and litigation
On 1 October 2019, the European Court of Justice (ECJ) delivered its judgement on Case C – 673/17 (the “Planet49” case), which relates to the consent and transparency requirements for the use of cookies and similar technologies. The ECJ largely followed the March 2019 Opinion of Advocate General Szpunar and the judgment is generally consistent … Continue reading

Website operators joint controllers with third-party plugin providers

Photo of Lara White (UK)Photo of Natalia Filkina (DE)Photo of Shiv Daddar (UK)By Lara White (UK), Natalia Filkina (DE) and Shiv Daddar (UK) on Posted in Enforcement
On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors … Continue reading

ICO blog post on AI and solely automated decision-making

Photo of Lara White (UK)Photo of Marcus Evans (UK)Photo of Magdalene Lie (UK)By Lara White (UK), Marcus Evans (UK) and Magdalene Lie (UK) on Posted in Compliance and risk management
The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no … Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Photo of Lara White (UK)By Lara White (UK) on Posted in Enforcement
On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Cécile Auvieux (FR)By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

Photo of Lara White (UK)Photo of Marcus Evans (UK)Photo of Miranda Byrne Hill (UK)By Lara White (UK), Marcus Evans (UK) and Miranda Byrne Hill (UK) on Posted in Compliance and risk management
On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose … Continue reading

European Commission Publishes Proposal for the New e-Privacy Regulation

Photo of Marcus Evans (UK)Photo of Lara White (UK)By Marcus Evans (UK) and Lara White (UK) on Posted in Compliance and risk management, Regulatory response
On 10 January 2017, the European Commission published the official proposal of the revised e-Privacy Regulation, which amends the current e-Privacy Directive. Many of the alarming changes that were included in the leaked December draft of the Regulation, which we covered, have been changed, resulting in a practical set of rules that align with the … Continue reading

Article 29 Working Party Releases GDPR Implementation Guidance

Photo of Lara White (UK)Photo of Marcus Evans (UK)By Lara White (UK) and Marcus Evans (UK) on Posted in Compliance and risk management, Regulatory response
On 15 December 2016, the Article 29 Working Party (WP29) issued guidelines and FAQs on the provisions in the General Data Protection Regulation (the GDPR) relating to data portability (Guidelines / FAQs), data protection officers (Guidelines / FAQs), and the lead supervisory authority (Guidelines / FAQs). WP29 will accept comments on these guidelines until the … Continue reading

Leaked Draft of ePrivacy Regulation Published

Photo of Lara White (UK)By Lara White (UK) on Posted in Compliance and risk management, Regulatory response
Earlier this week, the first draft of the EU’s ePrivacy Regulation was leaked. ePrivacy laws in Europe aim to protect the right to privacy and confidentiality with respect to the processing of personal data in the electronic communications sector (e.g., relating to cookie usage and online direct marketing). The leaked draft is intended to bring the … Continue reading

Article 29 Working Party Releases Opinion on the Revision of the ePrivacy Directive

Photo of Lara White (UK)Photo of Marcus Evans (UK)By Lara White (UK) and Marcus Evans (UK) on Posted in Compliance and risk management, Regulatory response
The Article 29 Working Party (WP29) has issued an opinion on the evaluation and review of Directive 2002/58/EC (the ePrivacy Directive). In its opinion, WP29 notes the need for a thorough revision of the rules in the ePrivacy Directive to take into account the technological developments in the digital market and the recent adoption of … Continue reading
LexBlog