On December 14, 2023, the EU Court of Justice (“CJEU”) issued its first ever ruling on the scope of data security requirements under the GDPR. In VB v. NAP, the CJEU held that an organization is not liable for a security breach unless it failed to implement appropriate security measures….
On 21 September 2023, the UK government announced the UK Extension to the EU-US Data Privacy Framework (DPF), i.e., the US-UK data bridge (Data Bridge). The Data Bridge will go live on 12 October 2023 and will enable UK organisations to transfer personal data to organisations in the US that…
On December 29, 2022, France’s privacy regulator (CNIL) imposed an €8 million fine on Apple. The CNIL found Apple in breach of France’s ePrivacy rules for not obtaining mobile users’ consent prior to reading and depositing Identifiers for Advertising (IDFAs) on those users’ devices. Apple has announced that it intends…
Introduction On June 4, 2021, the European Commission (the “EC”) abolished the old Standard Contractual Clauses (the “Old SCCs”) and published a new more flexible set of clauses (the “New SCCs”) for companies that wish to export personal data from the EU to elsewhere to rely on (for more information,…
On June 17, 2022, the UK Government’s Department for Digital, Culture, Media and Sport (“DCMS”) issued a final response (“Response”) to the consultation, ‘Data: a new direction’ (“Consultation”), which launched on September 10, 2021, to receive input from stakeholders on the DCMS proposals to reform the UK’s data protection regime….
The International Data Transfer Agreement (“IDTA”), the long awaited mechanism for international transfers of personal data originating from the United Kingdom (“UK”), is now in force as of March 21, 2022, along with a separate addendum to the EU standard contractual clauses (“UK Addendum”). These transfer mechanisms were introduced by…
Introduction On 13 January 2022, the Austrian Data Protection Authority (“DSB“) ruled that the use of Google Analytics (“GA”) and the resulting export of personal data to the United States (“US”) violates the GDPR’s data export requirements. On 10 February 2022 the French data protection authority (“CNIL”) also confirmed that…
On 17 December 2021, the Irish Data Protection Commission (“DPC”) published the final version of its guidance “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing” (“the Fundamentals”). The Fundamentals set out principles and recommendations for companies to follow when processing children’s data in Ireland. The Fundamentals seek…
On 25 November 2021, the UK Information Commissioner’s Office (“ICO”) published an Opinion on Data Protection and Privacy Expectations for Online Advertising Proposals (“Opinion”). The Opinion emphasizes several data protection concerns relating to behavioural advertising and sets out overarching expectations that companies must meet to safeguard people’s privacy online when…
Data controllers processing personal data in Turkey must register with the Turkish Data Controllers Registry, “VERBIS”, to notify the Turkish Data Protection Authority (“DPA”) of their processing activities by 31 December 2021, under penalty of a fine. In addition, data controllers not established in Turkey (“foreign controllers”) will need to…