With the end of the Brexit transition period rapidly approaching and the United Kingdom (UK) poised to become a “third country” after it leaves the European Union (EU), the UK and the EU have yet to reach any “deal” on how the transfer of personal data should be dealt with starting January 1, 2021. With the negotiations deep into their final phase, the advice from regulators, including the UK’s Information Commissioner’s Office (ICO), is that organisations should be taking steps to prepare for the UK becoming a third country (for the EU data protection regime) after Brexit.
Hot on the heels of the £20 million fine issued to British Airways, the Information Commissioner’s Office (“ICO“) has issued Marriott International Inc. (“Marriott“) with a long-awaited penalty notice for its failure to ensure appropriate security of the personal data it processed. The global hotel chain has been fined £18.4 million, which is a substantial reduction from the £99.2 million contemplated by the ICO’s notice of intention to fine. Unfortunately, the decision failed to give any detailed explanation for the reduction in the level of the fine from £99.2 million to £28 million. Although, a further 20% reduction to £22.4 million was designed to acknowledge Marriott’s cooperation, and a further £2 million reduction was to reflect the impact of the coronavirus pandemic. READ MORE
On November 11, 2020, the European Data Protection Board (EDPB) published its long-awaited guidance on what parties to international data transfers should be doing to perform such transfers in a manner compliant with the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) in light of the European Court of Justice’s (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).
Unfortunately, the draft guidelines provide no panacea for companies engaged in international data transfers of personal data from the EEA to third countries. Instead, organizations face 55 pages of guidance that provide few workable solutions for international data transferors—apart from a lengthy protocol for conducting risk assessments. READ MORE
Join Orrick and the Silicon Valley Arbitration and Mediation Center (SVAMC) on November 4, 2020, for a complimentary webinar on how arbitration can deal with substantive data, privacy and cyber issues arising in international disputes. Orrick’s James Hargrove (International Arbitration partner/Geneva and London) and Keily Blair (Cyber, Privacy & Data Innovation partner/London) will join other panelists to address current topics in arbitrating data and cyber issues, for example, arbitrability, mass arbitrations, multiplicity of proceedings, follow-on claims from data breaches, territorial limitations, interim and final relief and sanctions, future issues – how will arbitration deal with the ever-growing importance and value of data. Keily, James and their fellow panelists will put an up-to-date focus on data, privacy and cyber issues in arbitration proceedings, with a discussion of current practices, remote hearings and technological advances, hearings protocols, increased cyber risks and steps to protect data integrity. Learn more and register here.
Webinar | November 4, 2020 | 12:00pm – 1:00pm EST
When British Airways (“BA”) suffered a significant personal data breach in September 2018, just months after the coming into force of the EU General Data Protection Regulation (“GDPR”), all eyes were on the UK’s Information Commissioner’s Office (“ICO”). Would the ICO use the UK’s flagship airline as a “poster child” for post GDPR enforcement? Was this the moment that much-hyped fines of up to 4% of global turnover come to pass? READ MORE
The legal risks associated with cybersecurity continue to increase, as regulators and plaintiffs’ lawyers become more and more aggressive in bringing cybersecurity claims under existing laws and as legislatures continue to enact new ones. A key element of many of the cybersecurity claims brought under these laws is a requirement to show that the company in question failed to implement “reasonable” security for personal information. California’s new Consumer Privacy Act (“CCPA”), for instance, allows consumers to sue businesses for statutory damages when specified types of personal information are subject to unauthorized access and exfiltration, theft, or disclosure because of a failure to implement and maintain “reasonable” security measures and the business has not cured the alleged violation within the CCPA’s pre-suit period. Cal. Civ. Code § 1798.150. Even though consumers often suffer no injury in a data beach, the CCPA provides for statutory damages of $100–$750 per consumer per incident. READ MORE
On October 1st, 2020, the Data Protection Authority of Hamburg (“DPA”) announced that it issued a massive EUR 35.3 million fine against the clothing company H&M Hennes & Mauritz Online Shop A.B. & Co. KG (“H&M”) for the alleged wrongful collection of data of a couple of hundred employees which related to their private life (the English press release can be accessed here). This is the highest fine that has ever been issued in Germany, sending a strong signal to companies to ensure they comply with the data protection law when they process employee data. READ MORE
In September 2020, the UK government published its National Data Strategy (“NDS”), aiming to use data to boost the UK economy and to “unlock the power of data for the UK,” particularly in light of Brexit. The NDS is intended to set out the UK’s government focus on data, following the recent announcement that responsibility for government use of data will move from the Department for Digital Culture Media and Sport to the Cabinet Office. READ MORE
Following the CJEU’s invalidation of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in Schrems 2.0, on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss-U.S. Privacy Shield does not meet the data protection standards set by the country’s Federal Act on Data Protection (FADP). READ MORE
Brazil’s long-anticipated data protection law, Lei Geral De Proteção de Dados Pessoais (“General Law for Data Protection” or “LGPD”), now appears positioned to take effect in a matter of days. Ever since the law was originally passed in August 2018, implementation and enforcement timelines have been in flux. In a rather sudden turn of events last week, however, dramatic back-to-back votes by each house of Brazil’s National Congress now put the substantive provisions of the LGPD on track to take effect in a few days’ time, upon approval by Brazil’s president. The LGPD’s administrative fines and sanctions provisions remain scheduled to take effect next year in August 2021. READ MORE