With an effective date of February 17, 2024, the Digital Services Act (“DSA”) will start applying to most online platform providers in less than a year. The DSA, which introduces due diligence and transparency obligations regarding algorithmic decision-making by online platforms, such as social media, video sharing or e-commerce, entered into force on November 16, 2022. For providers of Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs)—providers reaching 45 million EU users monthly—the DSA may apply four months following a notification to the provider concerned, which will be a date earlier than February 17, 2024.

In this Legal Update, we provide further detail on these obligations and note the steps businesses can take to comply with the DSA.

On March 9, 2023, the Securities and Exchange Commission (“SEC”) announced that Blackbaud Inc. (“Blackbaud”) agreed to pay $3 million to settle charges for alleged misleading disclosures about its 2020 ransomware attack and for alleged disclosure control failures.

Blackbaud, a South Carolina-based company that provides data management software to colleges, universities, and non-profit organizations, suffered a ransomware attack in 2020 impacting more than 13,000 customers. According to the SEC’s order, unauthorized access to Blackbaud systems began in February of 2020 and was first discovered in May 2020.

The UK Government has relaunched its efforts to reform the UK’s data protection regime, with the Data Protection and Digital Information Bill (No. 2) (the “Bill”) being introduced to Parliament on Wednesday 8 March. The Bill supersedes a previous version that was originally published in July 2022 (see our previous legal update).

The Bill does not comprise an extensive overhaul of the UK’s data protection laws, but rather a set of clarifications and adjustments that provide organisations with greater flexibility over the use of personal data while reducing the burden of complying with UK data protection laws. Businesses that already comply with the UK’s existing data protection laws will not be required to take additional steps to comply with the Bill. However, some businesses might decide to take advantage of the changes proposed in the Bill to streamline their data protection compliance in the UK.

On February 28, 2023, the European Data Protection Board (“EDPB”) issued its opinion on the draft adequacy decision of the European Commission (the “Commission”) on the new EU-US Data Privacy Framework (“DPF”). The EDPB expressed reservations in connection with the DPF, which will now undergo scrutiny by other European institutions.

Who Should Read This Legal Update

This Legal Update is relevant for companies whose business may involve the transfer of personal data between the EU and the US. If the US is approved as a country with data adequacy on the basis of the DPF, data transfers from the EU by businesses that are certified to the DPF will no longer require separate data transfer mechanisms to provide additional safeguards such as Binding Corporate Rules or Standard Contractual Clauses.

The Biden administration released its National Cybersecurity Strategy (“Strategy”) on March 2, 2023. The Strategy builds on previous policy actions by the Biden administration that sought to strengthen cybersecurity in critical infrastructure and protect personal data, including through regulatory action, government procurement requirements, and an emphasis on software security. The Strategy calls for (1) a “[r]ebalanc[ing of] the responsibility to defend cyberspace,” under which the “most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem,” with the Strategy notably highlighting the role of cloud services and software providers, and (2) a “realign[ment of] incentives to favor long-term investments,” in part to “ensure that market forces and public programs alike reward security and resilience.” While still emphasizing public-private sector collaboration, the Strategy reflects an increased focus on regulatory action and private sector liability. Although many of the Strategy’s proposed changes will hinge on congressional action, if implemented by Congress and the administration, the Strategy would have significant consequences for certain businesses, including owners and operators of critical infrastructure, software developers, cloud providers, government contractors, and businesses that handle personal information. Understanding the Strategy and its potential implications will accordingly be important for companies across sectors.

In what is becoming a pattern, the Illinois Supreme Court recently issued another decision interpreting the Biometric Information Privacy Act (“BIPA”) to expand potential liability for businesses. The court held in Cothron v. White Castle that each time a business collects or discloses an individual’s biometric data without first obtaining BIPA-compliant consent, a separate claim accrues under BIPA. BIPA authorizes statutory damages of $1,000 for “each violation” of the statute—and $5,000 if the violation is found to be intentional or reckless. Even before this decision, companies with many customers or employees faced massive potential exposure under BIPA—often in the millions and sometimes billions of dollars. But under Cothron, that threatened exposure is multiplied many times over given that a new claim can accrue with each repeated collection or disclosure (for example, each time an employee clocks in and out of work using a fingerprint timekeeping system). And Cothron follows on the heels of another recent Illinois Supreme Court decision, Tims v. Black Horse Carriers, that declared that a 5-year statute of limitations applies to all BIPA claims.

Following on from our alert in relation to technology, data privacy, cybersecurity and IP legal developments to look out for in 2023, this update outlines some of the potential developments and trends in the UK cyber incident response landscape for 2023.

Increased litigation risk for cyber breach victims – the Information Commissioner’s Office begins naming and shaming data breach victims

At some point in summer 2022, the UK Information Commissioner’s Office (the “ICO”) quietly began publishing the names of organisations that have notified it of a data breach or cyber incident. Historically, the ICO would keep such notifications confidential in an effort to promote prompt and transparent notifications from such companies.

However, since as early as 2019, the ICO has publicly committed to an open and transparent approach to its work, in particular in relation to the organisations it regulates and the data breaches suffered by them. This shift was further emphasised in a November 2022 speech by the Information Commissioner himself, John Edwards, and the move towards the publication of breach data appears to be related to this commitment to an open and transparent approach. It is unclear, however, why the ICO has only now moved to implement such an approach.

On 13 December 2022, the European Commission published its draft adequacy decision for EU-U.S. data transfers. The draft decision follows the EU-U.S. announcement of an agreement on a new EU-U.S. Data Privacy Framework (“DPF”) in March 2022 as well as the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“Executive Order”) signed by President Biden in October 2022, which aimed at implementing the commitments of the U.S. under the DPF.

If the draft adequacy decision is adopted, the DPF will be the successor to the EU-U.S. Privacy Shield, which was based on an adequacy decision of the European Commission declared invalid under the General Data Protection Regulation (“GDPR”) by the Court of Justice of the European Union (“CJEU”) in its Schrems II decision in July 2020. The DPF is expected to tackle the concerns of the CJEU with respect to transfers of EU personal data to the U.S.

Companies that rely on standard contractual clauses (“SCCs”) for transferring personal data from the European Economic Area (“EEA”) to jurisdictions not considered to offer an adequate level of data protection under the EU General Data Protection Regulation must ensure that none of their existing contracts use the old SCCs after 27 December 2022.

Businesses are required to update their existing contracts with customers, vendors and entities in their corporate group to include the European Commission’s new SCCs to legally transfer personal data from the EEA to non-adequate jurisdictions (such as the United States).

The Secretariat of the National Information Security Standardisation Technical Committee (TC260) released a draft revision of the Technical Specification for Certification of Cross-Border Transfers of Personal Information (Certification Specification V2.0) on 8 November 2022, nearly five months after it issued the finalised specification of the same name (Certification Specification V1.0) (see our previous Legal Update on Certification Specification V1.0).