Regulatory response

Subscribe to Regulatory response via RSS

FTC Signals Additional Scrutiny for Data Breaches

By Anna Rudawski (US) & Chris Cwalina (US) on May 25, 2022

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification…

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

By Steven Hadwin (UK) & Tim Jones on March 22, 2022

On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection…

The UK Government unveils its post-Brexit plans to shake up data protection laws

By Lara White (UK), Marcus Evans (UK) & Isabella Martinez-Sistac Orozco on August 27, 2021

On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention…

“Am I a CII operator?” – New regulation in China provides more clarity

By Anna Gamvros & Lianying Wang (CN) on August 18, 2021

China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated…

Subject Access Request: Germany’s highest court widens the scope of data subject access requests in Germany

By Christoph Ritzer (DE) & Natalia Filkina (DE) on July 28, 2021

Germany’s highest civil court, the Federal Court Of Justice (Bundesgerichtshof, the FCJ), has just published a decision specifying the scope of data subject access requests (DSARs). The FCJ held that Article 15 of the EU General Data…

It must be as easy to reject cookies as it is to accept them: 40 additional organizations on the radar of the CNIL

By Lara White (UK) & Barbara Ghebali (FR) on July 27, 2021

As part of its global strategy to ensure compliance with its new cookies mandatory guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors…

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

By Seiko Hidaka (UK) & Jay Modrall (BE) on July 5, 2021

The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication. The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The…

EU – UK data transfers can continue: UK receives much welcome adequacy decision

By Marcus Evans (UK) & Janine Regan (UK) on June 28, 2021

The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision). This means that personal data can continue to flow freely from the EU to the UK without the need…

The EDPB publishes its finalised version of the Recommendations on supplementary measures

By Marcus Evans (UK), Lara White (UK) & Christoph Ritzer (DE) on June 22, 2021

On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement.

This comes just a couple…

A deeper dive into the new Standard Contractual Clauses

By Janine Regan (UK), Marcus Evans (UK), Lara White (UK) & Christoph Ritzer (DE) on June 7, 2021

On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for…

Data Protection Report