Following the CJEU’s invalidation of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in Schrems 2.0, on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss-U.S. Privacy Shield does not meet the data protection standards set by the country’s Federal Act on Data Protection (FADP). READ MORE
Keily heads up the Cyber & Data Privacy Enforcement & Litigation Practice in London. Keily works with her clients to navigate privacy and cyber security crises to achieve better commercial, regulatory and judicial outcomes.
As a litigator, Keily has a different perspective on cybersecurity and data privacy issues. She has led the response to investigations by the UK’s Information Commissioner’s Office, the Irish Data Protection Commission, the Competition and Markets Authority, the FCA, the SFO, the U.S. Department of Justice, the FBI, the SEC and Parliamentary Select Committees. Keily has also acted as external legal counsel for privacy and financial service regulators.
On cybersecurity issues, Keily directs cybersecurity incidents and investigations across multiple jurisdictions and incident types from simple business email compromises, to enterprise-wide network intrusions and cyberattacks with national security implications. Keily has worked with national and international law enforcement and is called upon to act as external legal counsel to security and forensics firms when engaging with regulators.
In the civil arena, Keily has led on a number of high profile privacy litigation matters, including civil damages claims and collective actions following personal data breaches and privacy-related judicial reviews. She frequently counsels clients on the growing risk of privacy-related class actions and interventions by privacy advocates in the UK and the EU.
Keily uses the insights from her regulatory practice to inform her advisory work, where she regularly advises stakeholders from legal, information security, privacy and the C-suite on a host of privacy and cybersecurity governance, risk mitigation and regulatory engagement strategies.
She is ranked as a key practitioner in data protection, privacy and cybersecurity in The Legal 500 and has represented the private sector at the United Nations and the European Criminal Bar Association. Keily also sits on the Law360's 2020 Editorial Advisory Board on Cybersecurity & Privacy and also leads the IAPP Cyber & Privacy Investigations, Enforcement & Litigation Affinity Group. Keily has represented the private sector at the United Nations and the European Criminal Bar Association. She is committed to improving diversity and social mobility in the legal sector.
Prior to joining Orrick, Keily led the Contentious Data Privacy, Law & Strategy practice at PwC having been a litigator at two international law firms before this.
Posts by: Keily Blair
In one of the world’s first test cases regarding the legality of the use of automated facial recognition and biometric technology, on 11 August 2020 the English Court of Appeal handed down judgment in R (Bridges) v CC South Wales. The court found that the use of this technology by the South Wales Police Force violated privacy, equality and data protection laws. READ MORE
Whatever the outcome of Schrems 2.0, the key takeaway is, don’t panic.
Tomorrow, July 16, 2020, the European Court of Justice (CJEU) is expected to rule in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as “Schrems 2.0”.
The main ingredients haven’t changed much for this long-awaited sequel to the decision that invalidated the Safe Harbor regime in 2015: Austrian data protection activist Max Schrems, Facebook Ireland, Ltd, and another commonly used international personal data transfer mechanism on the chopping block for invalidation.
This time around the court is considering the validity of the Standard Contractual Clauses (SCC) adopted by the European Commission, which goes beyond EU-U.S. transfers and could affect most agreements governing data sharing between the EU and the rest of the world. Regardless of the outcome, tomorrow’s decision is going to have a profound impact on the way international data transfers are treated for years to come – but the key takeaway is not to panic. In this blog post, we have set out the three potential rulings open to the CJEU and what steps you can take to following such a ruling. READ MORE
Today’s decision by the Supreme Court to allow the appeal in WM Morrison Supermarkets plc v Various Claimants may on first glance look like a significant setback to privacy advocates. However, the court’s unanimous judgment should be viewed with some relief by those arguing for greater privacy protections. Whilst the Supreme Court ruled that, on the facts, WM Morrisons Supermarkets plc (“Morrisons”) could not be held liable for the actions of its rogue former employee, the court said that, had it been necessary to decide the question, it would have held that the statutory data protection regime did not exclude the imposition of vicarious liability on employers. Furthermore, the decision also provides no protection to companies who have been held to be at fault for a data breach, since data subjects will have a direct right of action against the company in those cases and will not be relying on establishing vicarious liability. READ MORE
We expect national and international privacy regulators to take a pragmatic and reasonable approach to helping organisations navigate data protection compliance during the current COVID-19 crisis. This week, both the European Data Protection Supervisor (the “EDPS”) and the UK’s Information Commissioner’s Office (the “ICO”) have shown that expected pragmatism. READ MORE
Over the past few days, commentators and, in some cases, government ministers have stated that the GDPR (and by association the Data Protection Act 2018) are preventing some organisations from providing a comprehensive response to the COVID-19 crisis. READ MORE
The decision to appeal a regulatory finding is never taken lightly. By the time a regulator has completed its investigation and notified a company of its intention to fine, the company will have invested significant time and money in responding to the regulatory investigation. As such, there is a real temptation to accept the fine and the accompanying statement from the regulator and move on.
However, in the case of recent regulatory findings, fines and intentions to fine issued by the UK’s Information Commissioner’s Office (the “ICO”) against British Airways, Marriott and Dixons Carphone, all three companies have appealed or indicated an intention to appeal despite the significant difference in the levels of the fines/intentions to fine. In our view, this is related to the spectre of an emerging class action litigation culture in the UK that increases the stakes for any company facing negative regulatory findings.
In this UK-focused blog we explore the potential motivation behind these decisions to appeal, why we expect to see more companies taking this approach in the future, and the steps to be taken in order to appeal decisions by the ICO and we also consider whether the companies that have failed to appeal and are now facing class actions made the right decision when they elected not to appeal.