On 22 May 2023, the Irish data protection regulator (DPC) announced that it had issued a record-breaking €1.2 billion fine in a decision relating to non-compliant EU-to-U.S. data transfers under the GDPR. This fine imposed by the DPC substantially overshadows the previous record of €746 million under the GDPR, and raises several concerns for organisations transferring personal data from the EU to the U.S.
On 17 June 2022, the UK government released its much anticipated response to the consultation on the reform of the UK data protection regime. As part of the UK’s post-Brexit national data strategy, the consultation gathered responses on proposals aimed at reforming the UK’s data protection regime to boost the UK economy. In its response, the UK government has signalled which of the proposals it will be proceeding with and are likely to appear in an upcoming Data Reform Bill.
Overall, these reforms do not overhaul the existing UK data protection compliance regime, which is derived from EU legislation such as the General Data Protection Regulation and ePrivacy Directive. Instead, the proposals are incremental and largely modify obligations that organizations will be familiar with under the existing regime. As expected, these reforms are largely business-focused, with an overall aim of reducing compliance burdens faced by businesses of all sizes and facilitating the use (and re-use) of data for research.…
On Friday 25 March President Biden and the President of the European Commission jointly announced that they had reached an agreement in principle on a revised trans-Atlantic data flow mechanism. The timing could not have been better, as I was moderating a panel on “International Data Transfers in 2022 and Beyond” at the Privacy + Security Forum Spring Forum on the same day.
The panel was made up of William Malcolm, Director of Privacy at Google, Vivienne Artz, OBE Chair of the International Regulatory Strategy Group Data Committee, and Joe Jones, Deputy Director International Data Transfers Data Policy Directorate at the UK’s Department for Culture, Media & Sport. Our plan was to facilitate a discussion focused on recent enforcement actions and statements by data protection authorities in the EU and UK that had highlighted the increasingly complex challenges organizations face in complying with GDPR when transferring personal data out of Europe. Instead we had a very engaging hour discussing how important data transfers are in a digital economy, noting that at the EU-US summit the discussion of data was second only to discussions of the situation in Ukraine; and that although the EU-US announcement had set Twitter feeds alight, it provided no information as to what the actual agreement was or how it would avoid falling foul of being challenged as Schrems III, IV or V. Finally, we brainstormed some ideas as to the direction or detail that could be contained in the new EU-US agreement and which could really drive change in the regulation of international data flows.
It was clear to all that following the CJEU’s ruling in Schrems II, which invalidated the EU-US Privacy Shield and made use of Standard Contractual Clauses more challenging for business, commercial organizations find themselves in the situation in which data transfers are becoming an impediment to business when really they should be the soil of the digital society in which services and societal benefits can grow globally.…
A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.
Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use
There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK.
In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by an individual whose personal data were involved in a cyber-attack suffered by DSG, a British retailer that operates the Currys PC Worlds and Dixons Travel brands. The claim relied on breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence, and the judgment is short and easy to digest, so it’s well worth a read.
Continue Reading De-stressing Distress Disputes