Marcus Evans (UK)

Photo of Marcus Evans (UK)

Marcus is a communications, media and technology lawyer based in London. He focuses on data privacy and IT services.

Subscribe to all posts by Marcus Evans (UK)

Privacy notices – the ICO follows the lead of the EU data protection authorities in their interpretation of Article 13 UK GDPR

Photo of Marcus Evans (UK)Photo of Lara White (UK)By Marcus Evans (UK) and Lara White (UK) on Posted in General
Introduction On 15 May, the ICO published the monetary penalty notice (MPN) in relation to the £12.7 million fine it imposed on TikTok in April. This MPN and its accompanying annexes set out details of TikTok’s non-compliance with data protection law and the reasons why the ICO considered that a fine was appropriate. Whilst a … Continue reading

Schrems II – Irish DPC finally issues its decision – suspension order, deletion/ repatriation of data and fine

Photo of Lara White (UK)Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)Photo of Jurriaan JansenPhoto of Nadège Martin (FR)By Lara White (UK), Marcus Evans (UK), Christoph Ritzer (DE), Jurriaan Jansen and Nadège Martin (FR) on Posted in General
Introduction: On 22 May, the Irish Data Protection Commissioner (the DPC) published its decision against Meta Platform Ireland Ltd (Meta Ireland) in relation to Facebook’s transfer of user’s personal data to the US (the Decision). In it, the DPC ordered Meta Ireland to suspend Facebook’s future transfers of personal data to the U.S. within five … Continue reading

The AI Act – A step closer to the first law on Artificial Intelligence

Photo of Lara White (UK)Photo of Marcus Evans (UK)By Lara White (UK) and Marcus Evans (UK) on Posted in General
On 11 May 2023, members of the European Parliament passed their compromise text of the AI Act (the AI Act) at the committee stage, taking this law a step closer to being finalised. The compromise text (the Parliament Draft), which amends the Commission’s original proposal, includes quite a large number of amendments, some of which … Continue reading

Everyone is using ChatGPT what does my organisation need to watch out for

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Steve Roosa (US)By Marcus Evans (UK), Lara White (UK) and Steve Roosa (US) on Posted in Cybersecurity, Fintech
In December 2022, OpenAI released ChatGPT, a powerful AI-powered chatbot that could handle users’ questions and requests for information or content in a convincing and confident manner. The number of users signing up to use the tool increased very rapidly, with users using the tool to write letters, edit text, generate lists, prepare presentations and … Continue reading

UK AI White Paper

Photo of Marcus Evans (UK)Photo of Lara White (UK)By Marcus Evans (UK) and Lara White (UK) on Posted in Data Protection, General
At last, UK Government publishes its White Paper on AI – “A pro-innovation approach to AI regulation” – an opportune start, but as expected, a framework with detail to follow… The Department for Science, Innovation and Technology, has finally published its AI regulation white paper (the ‘White Paper’). Here are the key elements: What AI … Continue reading

EDPB Guidelines on international transfers: 6 key takeways

Photo of Marcus Evans (UK)Photo of Lara White (UK)By Marcus Evans (UK) and Lara White (UK) on Posted in General
EDPB Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation on international data transfers On 14 February 2023, the European Data Protection Board (EDPB) published its Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK) and Janine Regan (UK) on Posted in Data Protection, Privacy law
On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF).  The draft decision – available here – addresses the concerns raised by the Court of Justice  of the European Union (CJEU) in its Schrems II decision of July 2020.  These concerns centred around … Continue reading

The servant of two masters: ICO and OFCOM Joint Statement on Online Safety and Data Protection – coordination so service providers can comply with both

Photo of Marcus Evans (UK)Photo of *Jamie Brazier (UK)By Marcus Evans (UK) and *Jamie Brazier (UK) on Posted in Data Protection
On 25 November 2022, the UK Information Commissioner’s Office (ICO) and the Office of Communications (OFCOM) (together, the Regulators) released a joint statement setting out their shared views on the interactions between online safety and data protection (the Statement). The Statement, which is primarily intended for online services providers in scope of the Online Safety … Continue reading

Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities: Paving the way toward adequacy

Photo of Shiv Daddar (UK)Photo of Marcus Evans (UK)Photo of Lara White (UK)By Shiv Daddar (UK), Marcus Evans (UK) and Lara White (UK) on Posted in Privacy law
As reported in our previous blogpost, on 7 October 2022, the US White House published an Executive Order on enhancing safeguards for United States signals intelligence activities (EO). In this blogpost, we set out the key points to note, including the background to the EO, what it does and does not do and what organisations … Continue reading

First part of EU/ US Transatlantic Data Protection Framework published today

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Susan Ross (US)By Marcus Evans (UK), Lara White (UK) and Susan Ross (US) on Posted in Data Transfer
On 7 October 2022, the US White House published the Executive Order on enhancing safeguards for United States signals intelligence activities. This action is the first part of the US legal apparatus required for the EU Commission to find certain transfers to the US to be adequate. It is also likely in due course to … Continue reading

UK GDPR Reform: government publishes response to consultation – likely to form basis of forthcoming UK Data Reform Bill

Photo of Marcus Evans (UK)Photo of Fiona Bundy-Clarke (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK), Fiona Bundy-Clarke (UK) and Shiv Daddar (UK) on Posted in Compliance and risk management, Regulatory response
The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime. The government set out very high level principles for a Data Reform Bill in the Queen’s Speech in May. If legislation is to be passed in this … Continue reading

Points to note on the European Commission’s questions and answers on the Revised Standard Contractual Clauses (SCCs)

Photo of Marcus Evans (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK) and Shiv Daddar (UK) on Posted in General
On May 25th 2022, the European Commission published a series of questions and answers on the SCCs to be used between controllers and processors within the European Economic Area (EEA), and the SCCs to be used for transfers to countries not considered adequate by the European Commission (Third Countries) (the Q&As). The text of the … Continue reading

EDPB publishes guidance on calculating GDPR fines

Photo of Steven Hadwin (UK)Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)By Polina Maloshchinskaia, Steven Hadwin (UK), Marcus Evans (UK) and Christoph Ritzer (DE) on Posted in General
On 12 May 2022 EDPB adopted Guidelines on the calculation of administrative fines (the Guidelines).  The Guidelines supplement the Article 29 Working Party’s Guidelines on the application and setting of administrative fines (WP253) adopted in October 2017 and recommends that the two are read together.  Whereas the previous guidance set out general principles for when … Continue reading

Nascent EU/ US Trans-Atlantic Data Privacy Framework: some points to note

Photo of Marcus Evans (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK) and Shiv Daddar (UK) on Posted in Privacy law
On 25 March the EU Commission (Commission) and United States (US) announced that they had agreed in principle on a new “Trans-Atlantic Data Privacy Framework” (TADPF) to foster trans-Atlantic data flows and address the concerns raised by Schrems II.  We briefly discuss the implications below. The announcement was very high level and short on detail. … Continue reading

UK finally publishes revised standard form international data transfer agreements and conversion addendum for the use of revised EU SCCs

Photo of Lara White (UK)Photo of Marcus Evans (UK)By Lara White (UK) and Marcus Evans (UK) on Posted in Data Transfer
The UK government has finally published the UK’s own standard form international data transfer agreement (UK IDTA) for transferring personal data outside the UK to countries not deemed to have adequate data protection regimes. It has also published a standard form international data transfer addendum to the revised EU SCCs (EU SCC UK Conversion Addendum) … Continue reading

The UK National AI Strategy: Regulation, Data Protection and IPR in the Mix

Photo of Marcus Evans (UK)Photo of Michael Sinclair (UK)Photo of Peter McBurneyBy Marcus Evans (UK), Michael Sinclair (UK) and Peter McBurney on Posted in General
The UK Government has published its National AI Strategy. Click here to read more about what the National AI Strategy says about AI regulation, and its implications for data protection in the UK. In this detailed blog we examine three discrete issues addressed in it (AI regulation, data protection and intellectual property rights) and we … Continue reading

UK Government sets out proposals to shake up UK data protection laws

Photo of Marcus Evans (UK)Photo of Lara White (UK)By Marcus Evans (UK), Lara White (UK) and Sahar Bhaimia on Posted in Compliance and risk management, General
On 10 September 2021, the UK Government published its consultation paper on proposals to reform the UK’s data protection regime.  The deadline for responding to the consultation is 19 November 2021. In August, the Government announced that it intended to “seize the opportunity” afforded by the UK’s exit from the European Union to makes some … Continue reading

Over-retention of personal data

Photo of David Kessler (US)Photo of Marcus Evans (UK)Photo of Susan Ross (US)By David Kessler (US), Marcus Evans (UK) and Susan Ross (US) on Posted in Compliance and risk management
The declining cost of electronic data storage may have caused some company executives to conclude that retaining personal data forever is “cheap.”  Perhaps the CNIL’s  €1.75 million (USD $2,051,930) penalty for over-retention will lead to a different view. The matter involved one of France’s largest insurers, SGAM AG2R LA MONDIALE, which was subject to an … Continue reading

The UK Government unveils its post-Brexit plans to shake up data protection laws

Photo of Lara White (UK)Photo of Marcus Evans (UK)By Lara White (UK), Marcus Evans (UK) and Isabella Martinez-Sistac Orozco on Posted in General, Privacy law, Regulatory response
On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention of “seizing the opportunity” by “developing a world leading data policy that will deliver a … Continue reading

EU – UK data transfers can continue: UK receives much welcome adequacy decision

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Data Transfer, Regulatory response
The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision).  This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures. For the time-being, however, the Decision does not concern personal … Continue reading

The EDPB publishes its finalised version of the Recommendations on supplementary measures

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on Posted in Data Transfer, Regulatory response
On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement. This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog … Continue reading

A deeper dive into the new Standard Contractual Clauses

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Janine Regan (UK), Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on Posted in Data Transfer, Regulatory response
On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs).  Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help … Continue reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data Transfer, Regulatory response
The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs).  The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA.  They will also be a lawful mechanism for UK companies to use too. The new SCCs were … Continue reading

Final Revised SCCs expected as early as next week with Final Revised EDPB Recommendations to follow after 15 June

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK) and Christoph Ritzer (DE) on Posted in Data Transfer
It was reported yesterday that publication of revised final EU Standard Contractual Clauses may be as soon as next week and that revised final EDPB Recommendations possibly following the EDPB’s next plenary meeting on 15 June.  This follows comments made by Ralf Sauer, EU Commission Deputy Head for International Data Flows, and Alexander Filip, Head … Continue reading
LexBlog