Since the joint announcement by US President Joe Biden and European Commission President Ursula von de Leyen, on 25 March 2022, of an agreement in principle on the long-awaited replacement to the EU-US Privacy Shield, transatlantic data flows have again become the focus of GDPR discussions. The lack of details provided to date has, however, resulted in many organisations (and legal commentators alike) wondering where this leaves them.

Should US organisations prepare for certification to yet another incarnation of the Safe Harbor (which will almost certainly be subject to prompt legal challenge in the form of Schrems III)? Should organisations subject to the GDPR continue with their transfer impact assessments and the uncertainty of the standard contractual clauses (“SCCs”) when transferring personal data to the US? Will the new safeguards have any impact on the SCCs at all? And how will this affect transfers to the US from the UK or other non-EU jurisdictions?

Representatives of the US Government and the European Commission recently provided some much-needed context, including further details around the timing of the replacement framework and of the potential shape of the new redress mechanism. Their comments offer some hints about the UK’s approach to transatlantic and other international data flows.Continue Reading Transatlantic Data Flows – Where Are We Now?

A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.
Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use

As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.
Continue Reading Closing out the 12 Days of Data: What to Expect in 2022

LockThe FTC’s recent settlement with Flo Health, announced on June 22, 2021, offers insights into what practices could invite FTC investigation, especially when companies that collect sensitive information make specific promises about high levels of health privacy and data security. More than 100 million consumers use Flo, an app developed by Flo Health Inc., to help women track their periods and fertility. Although the settlement contains no admissions by Flo, the agency alleged that Flo shared users’ health information with outside data analytics providers; an arrangement that is not uncommon for apps that deal with less-sensitive data, but one which contradicted the company’s promise to keep users’ personal information private.
Continue Reading Recent FTC Settlement with Flo Health Focuses on Notice and Consent for Companies Sharing Sensitive Data

There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK.

In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by an individual whose personal data were involved in a cyber-attack suffered by DSG, a British retailer that operates the Currys PC Worlds and Dixons Travel brands. The claim relied on breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence, and the judgment is short and easy to digest, so it’s well worth a read.
Continue Reading De-stressing Distress Disputes

Cyber SecurityWhat Is Tax-Related Identity Theft?

Fraudulent tax refunds issued as a result of identity theft occur when an individual steals a victim’s personally identifiable information (PII), such as a Social Security number (SSN), and files a tax return claiming to be the victim. More than 89,000 Americans filed complaints with the Federal Trade Commission (FTC) reporting tax fraud linked to identity theft in 2020. Similarly, businesses may also fall victim to tax fraud, where an individual steals a business’s employer identification number (EIN) to file fraudulent returns. In both scenarios, the victims usually discover they have fallen victim to such fraud when their tax returns are rejected, or when the business receives notice about Forms W-2 they didn’t file with the Social Security Administration or notices for balances due to the Internal Revenue Service (IRS) that are not owed. Most frequently, neither businesses nor individuals will have any reliable information as to how their information has been exposed. The IRS has noted such tax fraud tends to increase during tax season and time of crisis, and cybercriminals have undeniably taken advantage of the COVID-19 pandemic to unleash an unprecedented number of tax fraud schemes to steal information from taxpayers.
Continue Reading Best Practices to Avoid Tax-Related Identity Theft

In news that is likely to concern individuals and privacy activists alike, it has been reported that the NHS booking system for COVID-19 vaccinations has led to complaints that it could be used to reveal the vaccination status of individuals through the use of simple personal information.

The website allows users to book appointments for COVID-19 vaccinations, either by means of their NHS number, or by entering certain basic personal data, (including names, dates of birth and postcodes).  The website then provides a variety of responses based on the user’s vaccination status, with different responses being provided based on whether the individual has received no vaccinations, one vaccination, or both.
Continue Reading COVID-19 Vaccination Booking Site May Reveal Vaccination Status

In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.

The first Opinion (Opinion 14/2021) relates to the GDPR and considers general data protection issues and also government access to personal data transferred from the EEA for national security and law enforcement purposes set out in the draft adequacy decision. The second Opinion (Opinion 15/2021) relates to the Law Enforcement Directive (LED) and considers various issues.
Continue Reading European Data Protection Board Adopts Two Opinions on Draft UK Adequacy Decisions

remote workThe UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).

The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’.
Continue Reading UK Information Commissioner Launches Data Analytics Toolkit

The debate surrounding vaccine passports to assist with the easing of lockdown restrictions and controlling the spread of COVID-19 continues to raise a number of concerns in the UK.

Although the use of such passports is apparently under consideration, such proposals raise a number of different ethical, scientific and legal issues. A recent Royal Society report sounded a note of caution, suggesting that 12 tests should be met by any such proposal. Among other things, vaccine passports would need to meet various ethical and legal standards, including in respect of data protection.
Continue Reading Possible Use of COVID Vaccine Passports Raises Data Protection Concerns