As the Paris 2024 Summer Olympic and Paralympic Games (the “Games”) turn onto the final straight, the Games have yet again captured widespread global attention, on and off the track. With over 15.3 million visitors in Paris...more
9/4/2024
/ Algorithms ,
Artificial Intelligence ,
Cameras ,
CNIL ,
Data Privacy ,
Data Protection ,
Data Security ,
France ,
General Data Protection Regulation (GDPR) ,
Olympics ,
Privacy Concerns ,
Public Property ,
Security and Privacy Controls ,
Security Cameras
Following the publication of several press articles and employee complaints, the French data protection regulator (“CNIL”) carried out an investigation at the Amazon France Logistique’s (“Amazon”) warehouses.
The CNIL's...more
1/31/2024
/ Amazon ,
CCTV ,
CNIL ,
Corporate Fines ,
Data Collection ,
Data Protection ,
Employee Monitoring ,
Employee Privacy Rights ,
Employee Rights ,
Enforcement Actions ,
France ,
General Data Protection Regulation (GDPR) ,
Health and Safety ,
Investigations ,
Surveillance ,
Temporary Employees
Over the past few years there has been significant growth in the use of technology for monitoring workers, especially following the onset of the COVID-19 pandemic. Global demand (based on the number of internet searches...more
On 14 November 2023, the European Data Protection Board (EDPB) adopted guidelines on the technical scope of Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC, as amended) (ePD). This reflects the EDPB's intent to...more
The pace of new EU law continues unabated, with IoT, cyber security and digital services being key areas of activity. The BCLP Data Privacy & Security team is tracking EU law developments relevant to data and cyber security....more
A few weeks ago, on 24 September 2023, the Data Governance Act (Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance) (“DGA”) came into force.
The DGA aims to...more
11/14/2023
/ Administrative Authority ,
Best Practices ,
Data Collection ,
Data Management ,
Data Protection ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Governance ,
Information Management ,
International Data Transfers ,
Member State ,
Public Sector ,
Third-Party Service Provider
A few days ago, the French Data Protection Authority (CNIL) published its first draft guidelines for the use of AI systems in the form of "AI How-To Sheets" with the aim to “help professionals reconcile innovation with...more
On 12 October the UK–U.S. “data bridge” becomes operational, providing an additional, compliant route for UK-outbound transfers of personal data to U.S. organisations that are EU-U.S. Data Privacy Framework members. UK...more
10/12/2023
/ Adequacy Requirement ,
Biden Administration ,
Data Protection ,
Data Subjects Rights ,
Executive Orders ,
Federal Trade Commission (FTC) ,
International Data Transfers ,
Personal Data ,
Popular ,
Privacy Framework ,
Regulatory Oversight ,
UK
On 18 August 2023, the UK’s Information Commissioner’s Office (“ICO”) published draft guidance on biometric recognition (the “Draft Guidance”) for public consultation. The Draft Guidance explains how data protection law...more
9/11/2023
/ Artificial Intelligence ,
Biometric Information ,
Consultation ,
Data Protection ,
Data Protection Impact Assessments (DPIAs) ,
Draft Guidance ,
Personal Data ,
Privacy-By-Design ,
UK ,
UK GDPR ,
UK ICO
On 8 March 2023, the newly-created Department for Science, Innovation and Technology (“DSIT”) introduced the UK government’s updated proposals for data protection reform in the shape of the Data Protection and Digital...more
4/12/2023
/ Compliance ,
Consent ,
Cookies ,
Data Controller ,
Data Processors ,
Data Protection ,
Data Protection Officers (DPOs) ,
General Data Protection Regulation (GDPR) ,
Proposed Legislation ,
Regulatory Requirements ,
Small and Medium-Sized Enterprises (SMEs) ,
UK
The updated guidelines (05/2021) from the European Data Protection Board (“EDPB”) issued on 14 February 2023 (the “New Guidelines”) look at the interplay of two fundamental, protective mechanisms contained in the EU GDPR....more
3/17/2023
/ Data Controller ,
Data Processors ,
Data Protection ,
Draft Guidance ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Guidance Update ,
International Data Transfers ,
Personal Data
The recent CJEU decision in X-FAB (Case C-453/21) provides guidance on how to determine whether a conflict of interest could arise for your Data Protection Officer (“DPO”) and how to avoid this. It also confirms the approach...more
On 18 January 2023, the European Data Protection Board (the “EDPB”) announced the adoption of a report on the work undertaken by the Cookie Banner Task Force (the “Task Force”). The Task Force was formed in September 2021 for...more
2/9/2023
/ Consent ,
Cookie Banners ,
Cookies ,
e-Privacy Directive ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
NGOs ,
Schrems I & Schrems II ,
UK
On 3 February 2022, the French Commission Nationale de l'Informatique et des Libertés (the "CNIL") published a set of commercial management guidelines for all organizations that conduct data processing for the management of...more
Two and a half years after the Schrems II decision invalidated the EU-US Privacy Shield, the EU and US are inching closer to a replacement data transfer mechanism for EU to US personal data transfers. On 13 December 2022, the...more
With the 27 December 2022 deadline for updating data transfer contracts with the EU SCCs fast approaching, this alert mines European Commission guidance, as well as the team’s experience, and offers some tips for successful...more
The Age Appropriate Design Code (“AADC”) - more commonly known as the Children’s Code - has been heralded as the world’s first code to protect children online. Compliance with the AADC became mandatory for in-scope businesses...more
In a joint letter this summer, the UK’s data protection regulator (the ICO) and the UK’s National Cyber Security Centre (the NCSC) sought to convey some key messages to the legal profession relevant to advising clients...more
8/22/2022
/ Australia ,
Client Services ,
Corporate Counsel ,
Cybersecurity ,
Cybersecurity Information Sharing Act (CISA) ,
Data Protection Authority ,
ENISA ,
FBI ,
Information Commissioner's Office (ICO) ,
NCSC ,
Popular ,
Ransomware ,
Reporting Requirements ,
Risk Mitigation ,
UK ,
UK GDPR
Websites that distribute content not intended for minors usually request that visitors confirm they are over 18 through a simple click. The efficiency of this approach is clearly limited, and 44% of 11-18 year olds in France...more
On 28 January 2022 (Data Protection Day), the UK’s International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (the “EU Addendum”) were...more
It is well known that the EU GDPR (specifically, Chapter V) restricts transfers of personal data from the EU to a “third country” (i.e. a jurisdiction outside the EEA) or to an international organisation. But what is meant by...more
12/2/2021
/ Consultation ,
Corporate Counsel ,
Data Controller ,
Data Processors ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Multinationals ,
New Guidance ,
Personal Data ,
Standard Contractual Clauses ,
Third Country Entities (TCEs)
On 11 August, the UK Information Commissioner’s Office launched a consultation paper on “International transfers under UK GDPR”. The documents released alongside the paper include a draft International Data Transfer Agreement...more
8/16/2021
/ Consultation ,
Corporate Counsel ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Personal Data ,
Risk Assessment ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
UK
In short, no. It is not necessary to use both the new SCCs and the new Article 28 clauses at the same time....more
This depends on whether you are looking at (a) entering into new data transfer agreements or (b) repapering existing ones. The longstop date for repapering existing agreements is 27 December 2022; however, the new EU SCCs...more
The European Commission recently adopted new standard contractual clauses (SCCs) for transfers of personal data from the EU to “third countries” (the “new SCCs”). In this post, we highlight key developments in the UK’s data...more
7/9/2021
/ Data Controller ,
Data Processors ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Member State ,
Personal Data ,
Standard Contractual Clauses ,
UK ,
UK Brexit