Topic: Regulatory response
Subscribe to Regulatory response RSS feedThe aftermath of an incident – why keeping records of data breaches and privacy incidents matters
As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is important, organizations must also consider the aftermath of a privacy incident. In this first blog … Continue reading
FTC Signals Additional Scrutiny for Data Breaches
The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack
The UK Government unveils its post-Brexit plans to shake up data protection laws
Posted in General, Privacy law, Regulatory response
On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention of “seizing the opportunity” by “developing a world leading data policy that will deliver a … Continue reading
“Am I a CII operator?” – New regulation in China provides more clarity
Posted in Cybersecurity, Data Transfer, Regulatory response
China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligation on CII operators, we are constantly asked the same … Continue reading
Subject Access Request: Germany’s highest court widens the scope of data subject access requests in Germany
Posted in General, Regulatory response
Germany’s highest civil court, the Federal Court Of Justice (Bundesgerichtshof, the FCJ), has just published a decision specifying the scope of data subject access requests (DSARs). The FCJ held that Article 15 of the EU General Data Protection Regulation (GDPR) has a broader scope than previously understood in Germany. Pursuant to the court’s decision, Article 15 … Continue reading
It must be as easy to reject cookies as it is to accept them: 40 additional organizations on the radar of the CNIL
Posted in Enforcement, Regulatory response
As part of its global strategy to ensure compliance with its new cookies mandatory guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors in the digital economy and some public bodies) for not enabling users to accept or … Continue reading
EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?
Posted in Data Transfer, Enforcement, Regulatory response
The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication. The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The responses to the Consultation and Inception Impact Assessment are bound to shape the future of EU’s digital … Continue reading
EU – UK data transfers can continue: UK receives much welcome adequacy decision
Posted in Data Transfer, Regulatory response
The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision). This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures. For the time-being, however, the Decision does not concern personal … Continue reading
The EDPB publishes its finalised version of the Recommendations on supplementary measures
Posted in Data Transfer, Regulatory response
On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement. This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog … Continue reading
A deeper dive into the new Standard Contractual Clauses
Posted in Data Transfer, Regulatory response
On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help … Continue reading
European Commission publishes much anticipated finalised Standard Contractual Clauses
Posted in Data Transfer, Regulatory response
The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs). The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA. They will also be a lawful mechanism for UK companies to use too. The new SCCs were … Continue reading
Proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts
Posted in Regulatory responseNYDFS settles cybersecurity regulation matter for $3 million
Posted in Cybersecurity, Data breach, Regulatory response
On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue reading
EDPB cautiously welcomes UK adequacy finding
Posted in General, Regulatory responseYesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion). The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021. The … Continue reading
EU Commission draft UK Data Protection Adequacy Decision published
Posted in Enforcement, General, Regulatory response
Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here. The draft decision is welcome news to … Continue reading
Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II
Posted in Data Transfer, Regulatory response
Following the CJEU’s Schrems II ruling (case C-311/18 of July 16, 2020), transfers of personal data to the US are coming under close scrutiny by the German data protection authorities. Some German data protection authorities have announced that they will be taking a stricter approach against companies that fail to comply with the Schrems II … Continue reading
Tentative further steps towards an agreed ePrivacy Regulation
Posted in Regulatory responseIt has been some months since we wrote about the ePrivacy Regulation and some years since the first draft was proposed. Since then, we have seen numerous delays in achieving an agreed form of legislation, caused in part by strong views on how privacy and confidentiality shape the development of electronic communications services and passionate … Continue reading
EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Three
Posted in Regulatory responseOn 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part three of a series of three blog posts. In this blog post, we consider the DGR’s relationship to competition law rules. … Continue reading
EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Two
Posted in Regulatory responseOn 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part two of a series of three blog posts. In this blog post, we outline the new regimes for data sharing service … Continue reading
EU data governance regulation – a wave of digital, regulatory and antitrust reform begins – Part 1
Posted in Regulatory responseOn 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data. This is part one of a series of three blog posts. In this first blog post, we outline key aspects of the DGR, set … Continue reading
Hong Kong introduces a contact tracing app
Posted in Cybersecurity, Enforcement, Regulatory response
As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed. On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning … Continue reading
European data export bonanza: revised SCCs and EDPB Schrems II guidance published
Posted in Data Transfer, Regulatory responseOn 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. A feedback period on the draft documents will run until 10 December. Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of … Continue reading
