Today, 28 June 2021, the European Commission formally adopted two adequacy decisions with respect of transferring personal data from the European Economic Area (the “EEA”) to the United Kingdom (the “UK”): one under the EU General Data Protection Regulation and one under the EU Law Enforcement Directive. The two decisions come into

On 12 November, the European Commission published draft standard contractual clauses for transfers of personal data from the European Union to third countries (“New SCCs“).

Once approved, the New SCCs will replace the previous standard contractual clauses which pre-date the implementation of the General Data Protection Regulation 2016/679 (“GDPR“). The draft

On 12 November, the European Commission published two sets of documents:

  1. draft of the new standard contractual clauses for transfers of personal data from the European Union to third countries (“New SCCs”); and
  2. draft of standard contractual clauses that can be used by controllers when engaging processors located in the European

On 16 July 2020, the Court of Justice of the European Union (“CJEU“) examined the validity of the European Commission’s Privacy Shield Decision (Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield) as well as the validity of the European Commission’s Decision 2010/87/EC on Standard Contractual Clauses between

In June 2019, the UK Information Commissioner’s Office (“ICO“) produced a report on the advertising industry’s use of adtech and real time bidding (“RTB“) and whether UK data protection and e-marketing legislation was being complied with. The report criticised parts of the sector for not doing enough to safeguard personal data,

On 9 January 2020, the UK’s Information Commissioner’s Office (“ICO”) announced that it had fined DSG Retail Limited (“DSG”) a UK-based IT retailer trading under brands including Curry’s PC World and Dixons Travel, £500,000 in connection with a cyber-attack which affected at least 14 million people.

The ICO’s investigation revealed that

On 4 September 2019, the High Court in England and Wales rejected a judicial review claim brought by Edward Bridges, a civil liberties campaigner (the “Claimant“) regarding the use of automated facial-recognition technology (“AFR“) by the Chief Constable of South Wales Police’s (“SWP“).  The High Court dismissed claims that

In its second statement of intent of the week, on 9 July 2019, the UK’s Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc (“Marriott”) £99.2m under the General Data Protection Regulation (“GDPR”) for a personal data breach that occurred in relation to the Starwood guest reservation database system.

The breach is

The UK’s Information Commissioner’s Office (“ICO”) today (8 July 2019) announced its intention to fine British Airways (“BA”) £183.39m under the General Data Protection Regulation (“GDPR”) for a personal data breach. This is the highest fine issued so far by a European Union data protection supervisory authority for a personal data breach under the GDPR.

The European General Data Protection Regulation (“GDPR”), which came into force over six months ago, illustrates a significant evolution in European data protection law marked by the extension of territorial scope. On November 23, the European Data Protection Board (“EDPB”), previously known as the Article 29 Working Party, issued new draft guidelines (“Guidelines”) relating to