Data transfers

Marriott Secures 80% Reduction in ICO Fine, but Here’s What You Missed…

Hot on the heels of the £20 million fine issued to British Airways, the Information Commissioner’s Office (“ICO“) has issued Marriott International Inc. (“Marriott“) with a long-awaited penalty notice for its failure to ensure appropriate security of the personal data it processed. The global hotel chain has been fined £18.4 million, which is a substantial reduction from the £99.2 million contemplated by the ICO’s notice of intention to fine. Unfortunately, the decision failed to give any detailed explanation for the reduction in the level of the fine from £99.2 million to £28 million. Although, a further 20% reduction to £22.4 million was designed to acknowledge Marriott’s cooperation, and a further £2 million reduction was to reflect the impact of the coronavirus pandemic. READ MORE

International Transfers at Risk – The EDPB’s Guidelines on International Transfers Post-Schrems II

On November 11, 2020, the European Data Protection Board (EDPB) published its long-awaited guidance on what parties to international data transfers should be doing to perform such transfers in a manner compliant with the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) in light of the European Court of Justice’s (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).

Unfortunately, the draft guidelines provide no panacea for companies engaged in international data transfers of personal data from the EEA to third countries. Instead, organizations face 55 pages of guidance that provide few workable solutions for international data transferors—apart from a lengthy protocol for conducting risk assessments. READ MORE

UK National Data Strategy: A Step in the Wrong Direction for EU Data Adequacy?

In September 2020, the UK government published its National Data Strategy (“NDS”), aiming to use data to boost the UK economy and to “unlock the power of data for the UK,” particularly in light of Brexit. The NDS is intended to set out the UK’s government focus on data, following the recent announcement that responsibility for government use of data will move from the Department for Digital Culture Media and Sport to the Cabinet Office. READ MORE