The U.K. government recently launched a consultation proposing significant changes to the U.K. General Data Protection Regulation (UK GDPR). The U.K. aims to craft a bespoke “pro-growth and pro-innovation regime whilst maintaining…world-leading data protection standards.” The Consultation sets out in detail the significant reforms which the U.K. government seeks to implement – at the potential risk of losing its adequacy status for data transfers from the EU.
Author: Huw Beverley-Smith
New Tools for International Data Transfers: European Commission Adopts New Standard Contractual Clauses
The European Commission recently adopted a new set of Standard Contractual Clauses (SCCs) for organizations to use in compliance with the EU General Data Protection Regulation requirements for transfers of personal data from the European Economic Area. The previous SCCs were outdated and did not cover many common data processing scenarios. Organizations will have an 18-month transition period to adopt the new SCCs, but many parties will need this time to re-examine their dataflows and review their internal compliance procedures to meet the exacting new standards.
Draft Standard Contractual Clauses Released by European Commission: New Clause Cause for Applause?
Following on from last week’s big announcement by the European Data Protection Board (EDPB) on its expectations for international data transfers after the European Court of Justice’s July 16 Schrems II decision, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation. The draft documents are now available for public consultation, and both the EDPB and the European Data Protection Supervisor will be asked for their opinions on the documents. Following the Schrems II decision, many organizations have been waiting for guidance on additional safeguards and for the (long overdue) arrival of updated Standard Contractual Clauses. While the last few days have seen some welcome developments after a period of hiatus, organizations will likely need some time to assess the practical implications before making radical changes to international data transfer arrangements.
For the full alert, visit the Faegre Drinker website.
European Data Protection Board Issues New Recommendations for International Data Transfers: Essential Guarantees, Supplemental Measures, and False Warrant Canaries
A pair of highly anticipated guidance documents outline the European Data Protection Board’s (EDPB) expectations for organizations transferring data out of the EU. While the detailed process for evaluating data transfers brings welcome guidance and clarity, some aspects of the EDPB’s framework present significant obstacles for those working with non-EU service providers or moving data for routine business purposes.
Marriott Cyberattack Fine Reduced as ICO Shifts Penalty Policy
More than two years after receiving a massive initial fine, hotel chain Marriott International, Inc. has seen its cyberattack penalty reduced by more than 80%. A shift in the calculation policy of the United Kingdom’s Information Commissioner’s Office (ICO), along with other mitigating factors, led to the significant decrease. While the ICO reinforces the importance of data controllers’ responsibilities in managing sophisticated cyberattacks, this latest development marks a continued shift away from turnover-centric penalty policies.
British Airways Faces Significantly Reduced £20M Fine for GDPR Breach
At £20 million, the fine imposed on British Airways for its infringement of the General Data Protection Regulation is the biggest fine of its kind in the history of the U.K.’s Information Commissioner’s Office (ICO). Whilst markedly lower than the fine initially proposed, the process by which the revised figure was reached provides some interesting insights on the factors that regulators will take into account and is a clear sign that despite the current economic climate, the ICO is not afraid to enforce strict GDPR compliance.