Keily Blair

Partner

London


Read full biography at www.orrick.com

Keily heads up the Cyber & Data Privacy Enforcement & Litigation Practice in London. Keily works with her clients as a "strategic business partner" to navigate privacy and cyber security crises to achieve better commercial, regulatory and judicial outcomes.

As a litigator, Keily has a different perspective on cybersecurity and data privacy issues. She has led the response to investigations by the UK’s Information Commissioner’s Office, the Irish Data Protection Commission, the Competition and Markets Authority, the FCA, the SFO, the U.S. Department of Justice, the FBI, the SEC and Parliamentary Select Committees. Keily has also acted as external legal counsel for privacy and financial service regulators.

On cybersecurity issues, Keily directs cybersecurity incidents and investigations across multiple jurisdictions and incident types from simple business email compromises, to enterprise-wide network intrusions and cyberattacks with national security implications. Keily has worked with national and international law enforcement and is called upon to act as external legal counsel to security and forensics firms when engaging with regulators.

In the civil arena, Keily has led on a number of high profile privacy litigation matters, including civil damages claims and collective actions following personal data breaches and privacy-related judicial reviews. She frequently counsels clients on the growing risk of privacy-related class actions and interventions by privacy advocates in the UK and the EU.

Keily uses the insights from her regulatory practice to inform her advisory work, where she regularly advises stakeholders from legal, information security, privacy and the C-suite on a host of privacy and cybersecurity governance, risk mitigation and regulatory engagement strategies. According to clients Keily has the "subject matter expertise and ability to understand and interact with companies' culture and capabilities, recognising a one size fits all approach doesn't work".

She is ranked as a key practitioner in data protection, privacy and cybersecurity in The Legal 500 and has represented the private sector at the United Nations and the European Criminal Bar Association. Keily also sits on the Law360's 2020 Editorial Advisory Board on Cybersecurity & Privacy and also leads the IAPP Cyber & Privacy Investigations, Enforcement & Litigation Affinity Group. Keily has represented the private sector at the United Nations and the European Criminal Bar Association. She is committed to improving diversity and social mobility in the legal sector.    

Prior to joining Orrick, Keily led the Contentious Data Privacy, Law & Strategy practice at PwC having been a litigator at two international law firms before this.

Posts by: Keily Blair

Marriott Secures 80% Reduction in ICO Fine, but Here’s What You Missed…

Hot on the heels of the £20 million fine issued to British Airways, the Information Commissioner’s Office (“ICO“) has issued Marriott International Inc. (“Marriott“) with a long-awaited penalty notice for its failure to ensure appropriate security of the personal data it processed. The global hotel chain has been fined £18.4 million, which is a substantial reduction from the £99.2 million contemplated by the ICO’s notice of intention to fine. Unfortunately, the decision failed to give any detailed explanation for the reduction in the level of the fine from £99.2 million to £28 million. Although, a further 20% reduction to £22.4 million was designed to acknowledge Marriott’s cooperation, and a further £2 million reduction was to reflect the impact of the coronavirus pandemic. READ MORE

International Transfers at Risk – The EDPB’s Guidelines on International Transfers Post-Schrems II

On November 11, 2020, the European Data Protection Board (EDPB) published its long-awaited guidance on what parties to international data transfers should be doing to perform such transfers in a manner compliant with the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) in light of the European Court of Justice’s (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).

Unfortunately, the draft guidelines provide no panacea for companies engaged in international data transfers of personal data from the EEA to third countries. Instead, organizations face 55 pages of guidance that provide few workable solutions for international data transferors—apart from a lengthy protocol for conducting risk assessments. READ MORE

Upcoming Webinar: Data, Privacy and Cyber Security Issues in International Arbitration

Join Orrick and the Silicon Valley Arbitration and Mediation Center (SVAMC) on November 4, 2020, for a complimentary webinar on how arbitration can deal with substantive data, privacy and cyber issues arising in international disputes. Orrick’s James Hargrove (International Arbitration partner/Geneva and London) and Keily Blair (Cyber, Privacy & Data Innovation partner/London) will join other panelists to address current topics in arbitrating data and cyber issues, for example, arbitrability, mass arbitrations, multiplicity of proceedings, follow-on claims from data breaches, territorial limitations, interim and final relief and sanctions, future issues – how will arbitration deal with the ever-growing importance and value of data. Keily, James and their fellow panelists will put an up-to-date focus on data, privacy and cyber issues in arbitration proceedings, with a discussion of current practices, remote hearings and technological advances, hearings protocols, increased cyber risks and steps to protect data integrity.  Learn more and register here.

Webinar  |  November 4, 2020  |  12:00pm – 1:00pm EST

Exemplary and Record-Breaking: After a Two-Year Investigation, the UK’s ICO Issues British Airways with Its Largest Fine to Date (£20m)

When British Airways (“BA”) suffered a significant personal data breach in September 2018, just months after the coming into force of the EU General Data Protection Regulation (“GDPR”), all eyes were on the UK’s Information Commissioner’s Office (“ICO”). Would the ICO use the UK’s flagship airline as a “poster child” for post GDPR enforcement? Was this the moment that much-hyped fines of up to 4% of global turnover come to pass? READ MORE

UK National Data Strategy: A Step in the Wrong Direction for EU Data Adequacy?

In September 2020, the UK government published its National Data Strategy (“NDS”), aiming to use data to boost the UK economy and to “unlock the power of data for the UK,” particularly in light of Brexit. The NDS is intended to set out the UK’s government focus on data, following the recent announcement that responsibility for government use of data will move from the Department for Digital Culture Media and Sport to the Cabinet Office. READ MORE

SWISS-U.S. PRIVACY SHIELD: SCHREMS 2.0’S LATEST VICTIM?

Following the CJEU’s invalidation of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in Schrems 2.0, on  September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss-U.S. Privacy Shield does not meet the data protection standards set by the country’s Federal Act on Data Protection (FADP). READ MORE

Face-off on Use of Biometric Technology in the UK

In one of the world’s first test cases regarding the legality of the use of automated facial recognition and biometric technology, on 11 August 2020 the English Court of Appeal handed down judgment in R (Bridges) v CC South Wales. The court found that the use of this technology by the South Wales Police Force violated privacy, equality and data protection laws. READ MORE

Privacy Shield Sunk – SCCs Treading Water: What Can Companies Do to Keep Their Head Above Water

Today the European Court of Justice (CJEU) published its highly anticipated judgement in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as “Schrems 2.0”. There were three key elements to the decision:

READ MORE

Schrems 2.0 – The Next Big Blow for EU-US Data Flows? – What to Expect on Thursday, July 16th

Whatever the outcome of Schrems 2.0, the key takeaway is, don’t panic.

Tomorrow, July 16, 2020, the European Court of Justice (CJEU) is expected to rule in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as “Schrems 2.0”.

The main ingredients haven’t changed much for this long-awaited sequel to the decision that invalidated the Safe Harbor regime in 2015: Austrian data protection activist Max Schrems, Facebook Ireland, Ltd, and another commonly used international personal data transfer mechanism on the chopping block for invalidation.

This time around the court is considering the validity of the Standard Contractual Clauses (SCC) adopted by the European Commission, which goes beyond EU-U.S. transfers and could affect most agreements governing data sharing between the EU and the rest of the world. Regardless of the outcome, tomorrow’s decision is going to have a profound impact on the way international data transfers are treated for years to come – but the key takeaway is not to panic. In this blog post, we have set out the three potential rulings open to the CJEU and what steps you can take to following such a ruling. READ MORE

Class Actions For Security Breaches in the UK Are Here To Stay

Today’s decision by the Supreme Court to allow the appeal in WM Morrison Supermarkets plc v Various Claimants may on first glance look like a significant setback to privacy advocates. However, the court’s unanimous judgment should be viewed with some relief by those arguing for greater privacy protections. Whilst the Supreme Court ruled that, on the facts, WM Morrisons Supermarkets plc (“Morrisons”) could not be held liable for the actions of its rogue former employee, the court said that, had it been necessary to decide the question, it would have held that the statutory data protection regime did not exclude the imposition of vicarious liability on employers. Furthermore, the decision also provides no protection to companies who have been held to be at fault for a data breach, since data subjects will have a direct right of action against the company in those cases and will not be relying on establishing vicarious liability. READ MORE