Marcus Evans (UK)

Marcus is a communications, media and technology lawyer based in London. He focuses on data privacy and IT services.

Subscribe to all posts by Marcus Evans (UK)

The EDPB publishes its finalised version of the Recommendations on supplementary measures

By Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on June 22, 2021 Posted in Data Transfer, Regulatory response

On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement. This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog … Continue reading

A deeper dive into the new Standard Contractual Clauses

By Janine Regan (UK), Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on June 7, 2021 Posted in Data Transfer, Regulatory response

On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help … Continue reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on June 4, 2021 Posted in Data Transfer, Regulatory response

The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs). The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA. They will also be a lawful mechanism for UK companies to use too. The new SCCs were … Continue reading

Final Revised SCCs expected as early as next week with Final Revised EDPB Recommendations to follow after 15 June

By Marcus Evans (UK) and Christoph Ritzer (DE) on May 21, 2021 Posted in Data Transfer

It was reported yesterday that publication of revised final EU Standard Contractual Clauses may be as soon as next week and that revised final EDPB Recommendations possibly following the EDPB’s next plenary meeting on 15 June. This follows comments made by Ralf Sauer, EU Commission Deputy Head for International Data Flows, and Alexander Filip, Head … Continue reading

EU Commission draft UK Data Protection Adequacy Decision published

By Marcus Evans (UK) and Shiv Daddar (UK) on February 19, 2021 Posted in Enforcement, General, Regulatory response

Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here. The draft decision is welcome news to … Continue reading

EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Three

By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on December 17, 2020 Posted in Regulatory response

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part three of a series of three blog posts. In this blog post, we consider the DGR’s relationship to competition law rules. … Continue reading

EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Two

By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on December 17, 2020 Posted in Regulatory response

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part two of a series of three blog posts. In this blog post, we outline the new regimes for data sharing service … Continue reading

EU data governance regulation – a wave of digital, regulatory and antitrust reform begins – Part 1

By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on December 17, 2020 Posted in Regulatory response

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part one of a series of three blog posts. In this first blog post, we outline key aspects of the DGR, set … Continue reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on November 13, 2020 Posted in Data Transfer, Regulatory response

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. A feedback period on the draft documents will run until 10 December. Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of … Continue reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

By Marcus Evans (UK) and Janine Regan (UK) on October 15, 2020 Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data. These decisions are relevant in two key areas: Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” … Continue reading

ICO provides guidance on calculating monetary penalties

By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on October 7, 2020 Posted in Enforcement, Regulatory response

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading

Schrems II: recent developments – waiting is harder

By Marcus Evans (UK) and Janine Regan (UK) on September 9, 2020 Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”. There have been several major developments over the last couple of weeks (explained below) which show this to be an … Continue reading

Schrems II landmark ruling: our recommendations

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK), Janine Regan (UK), David Kessler (US), Susan Ross (US) and Christoph Ritzer (DE) on July 27, 2020 Posted in Cybersecurity, Data Transfer, Vendor management and transactions

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses … Continue reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on July 16, 2020 Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the … Continue reading

Schrems II judgement due in July – what this might mean for your outsourcing deal

By Marcus Evans (UK), Lara White (UK) and Janine Regan (UK) on June 17, 2020 Posted in Compliance and risk management

Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020. This judgement concerns the legality of the European … Continue reading

Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon

By Janine Regan (UK), Christoph Ritzer (DE), Nadège Martin (FR) and Marcus Evans (UK) on April 16, 2020 Posted in Compliance and risk management

Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”). It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”). The cookie sweep requested information from the data controllers … Continue reading

Obtaining and sharing employee health status information in a pandemic

By Marcus Evans (UK) and Miranda Byrne Hill (UK) on April 6, 2020 Posted in Compliance and risk management

Employers across the world are facing extremely difficult challenges in keeping their workplaces safe for their employees, contractors and visitors during the COVID-19 pandemic. Although the prevailing instinct is likely to be to protect and to prevent the spread of the virus at all costs, under data protection laws this still needs to be weighed … Continue reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on April 1, 2020 Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation

In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.… Continue reading

The Privacy Officers’ New Year’s Resolutions

By Marcus Evans (UK) and Janine Regan (UK) on January 6, 2020 Posted in CCPA, Compliance and risk management

1. Brace yourself (for export turbulence) 2020 could well be a year of data export turmoil – so brace yourself. The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the … Continue reading

Record Retention is a Key Component of Your Privacy and Cyber Compliance Program

By Marcus Evans (UK), Janine Regan (UK), Christoph Ritzer (DE), Andrea D'Ambra (US) and David Kessler (US) on December 23, 2019 Posted in Compliance and risk management, Cybersecurity

This blogpost summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.… Continue reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

By Marcus Evans (UK), Christoph Ritzer (DE), Janine Regan (UK) and David Kessler (US) on December 20, 2019 Posted in Compliance and risk management, Enforcement, General

What has happened? Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country … Continue reading

US CLOUD Act and International Privacy

By Marcus Evans (UK), David Kessler (US), Jim Lennon (AU) and Susan Ross (US) on August 1, 2019 Posted in Compliance and risk management, Enforcement, General

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European … Continue reading

The UK ICO updates its cookie guidance

By Lara White (UK) and Marcus Evans (UK) on July 10, 2019 Posted in Compliance and risk management

On 3 July 2019, the ICO published its updated guidance on the use of cookies and similar technologies. This came shortly after it updated the cookie consent collection mechanism on its own website. Much of the guidance is unsurprising and reflects what companies already do in practice. However, other parts of the guidance are likely … Continue reading