Today, 28 June 2021, the European Commission formally adopted two adequacy decisions with respect of transferring personal data from the European Economic Area (the “EEA”) to the United Kingdom (the “UK”): one under the EU General Data Protection Regulation and one under the EU Law Enforcement Directive. The two decisions come into
Dr. Guido Zeppenfeld, LLM
New requirements for transferring personal data from Europe: a detailed analysis of the new draft Standard Contractual Clauses published by the European Commission
On 12 November, the European Commission published draft standard contractual clauses for transfers of personal data from the European Union to third countries (“New SCCs“).
Once approved, the New SCCs will replace the previous standard contractual clauses which pre-date the implementation of the General Data Protection Regulation 2016/679 (“GDPR“). The draft…
European Commission publishes draft new standard contractual clauses for international personal data transfers and Article 28 GDPR clauses between EU controllers and processors
On 12 November, the European Commission published two sets of documents:
Personal Data Transfers to the US and Other Non-EEA Countries
On 16 July 2020, the Court of Justice of the European Union (“CJEU“) examined the validity of the European Commission’s Privacy Shield Decision (Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield) as well as the validity of the European Commission’s Decision 2010/87/EC on Standard Contractual Clauses between…
UK ICO to Begin Formal Enforcement Action Against the Adtech Industry
In June 2019, the UK Information Commissioner’s Office (“ICO“) produced a report on the advertising industry’s use of adtech and real time bidding (“RTB“) and whether UK data protection and e-marketing legislation was being complied with. The report criticised parts of the sector for not doing enough to safeguard personal data,…
ICO Fines Dixons Carphone £500,000 After Cyber-Attack
On 9 January 2020, the UK’s Information Commissioner’s Office (“ICO”) announced that it had fined DSG Retail Limited (“DSG”) a UK-based IT retailer trading under brands including Curry’s PC World and Dixons Travel, £500,000 in connection with a cyber-attack which affected at least 14 million people.
The ICO’s investigation revealed that…
The UK High Court Finds Police Use of Automated Facial-Recognition Technology Permissible
On 4 September 2019, the High Court in England and Wales rejected a judicial review claim brought by Edward Bridges, a civil liberties campaigner (the “Claimant“) regarding the use of automated facial-recognition technology (“AFR“) by the Chief Constable of South Wales Police’s (“SWP“). The High Court dismissed claims that…
The UK ICO Intends to Fine Marriott over £99m for Personal Data Breach Under the GDPR
In its second statement of intent of the week, on 9 July 2019, the UK’s Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc (“Marriott”) £99.2m under the General Data Protection Regulation (“GDPR”) for a personal data breach that occurred in relation to the Starwood guest reservation database system.
The breach is…
British Airways Fined Over £183m for Personal Data Breach Under the GDPR
The UK’s Information Commissioner’s Office (“ICO”) today (8 July 2019) announced its intention to fine British Airways (“BA”) £183.39m under the General Data Protection Regulation (“GDPR”) for a personal data breach. This is the highest fine issued so far by a European Union data protection supervisory authority for a personal data breach under the GDPR.…
EDPB’s New Draft Guidelines on the Territorial Scope of the GDPR
The European General Data Protection Regulation (“GDPR”), which came into force over six months ago, illustrates a significant evolution in European data protection law marked by the extension of territorial scope. On November 23, the European Data Protection Board (“EDPB”), previously known as the Article 29 Working Party, issued new draft guidelines (“Guidelines”) relating to…