Data protection, privacy and cyber
Government sets out response to consultation Commentary Following its September 2021 consultation on reform of UK data protection law, on 23 June 2022 the UK government published its response and proposals to move forward. Whilst the proposals for a post-GDPR data protection law in the UK contain some sensible reforms and updates, it is clear …
UK sets out two alternatives to provide adequate contractual protection for the export of personal data from the UK What happened? In February 2022, the UK government published 2 alternative sets of contracts that can be used by organisations wishing to export personal data from the UK to countries that do not otherwise provide adequate …
New UK data protection law: worthwhile divergence or political point-scoring? What is proposed? On 10 September 2021, the UK government published its proposals to reform UK data protection law. Whilst current UK data protection law in the form of UK GDPR mirrors EU data protection law, the proposals represent the UK government seizing the opportunity …
On 28 June 2021, the EU Commission found that the UK provides adequate protection for personal data, enabling personal to freely flow from the EU (and EEA) to the UK. Background European privacy law (specifically articles 44-50 of the General Data Protection Regulation (GDPR)) prohibits the export of personal data from the EU to a third …
From 27 June 2021, organisations will be able to adopt new ‘standard contractual clauses’ (SCCs) to permit lawful export of personal data from the EU to ‘third countries’. This post: recommends what companies should do now describes the background to the EU’s data export rules explains how the new SCCs differ from prior versions What …
In documents published last week, the EU provided some welcome clarity on how organisations should address the invalidation of Privacy Shield as a basis for exporting personal data from the EU. On 10 November 2020, the European Data Protection Board (EDPB) adopted recommendations on ‘supplemental measures’, which can be considered to ensure compliance with the …
On 10 November, the European Data Protection Board adopted a recommendation on supplemental measures which might be used to ensure compliance with the EU level of protection of personal data when exported to third countries with an insufficient level of protection. The recommendation both sets out a process to be followed by data exporters and, …
Are you sure you are a data processor? Introduction On 7 September 2020, the European Data Protection Board (EDPB), successor to the ‘article 29 working party’, released updated guidance on the concepts of ‘data controller’ and ‘data processor’ under European Privacy law (i.e. General Data Protection Regulation or GDPR). Whilst this has already been subject …
On 10 August 2020, Following the European Court’s Schrems II judgment invalidating the US Privacy Shield (and calling into question the legal basis for other transatlantic data transfers), the EU Commission and US Department of commerce issued a short, joint statement: “The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate …
As previously discussed, the European Court of Justice’s recent Schrems II decision both (i) invalidated the US privacy shield; and (ii) threw into question alternative justifications for the export of personal data from the EU to the US. Whilst there is yet to be a substantive response from the European Commission, initial reactions from the …