The stakes are high for FemTech – as Benjamin Franklin noted: ‘it takes many good deeds to build a good reputation and only one bad one to lose it.’...more
7/19/2024
/ Consumer Privacy Rights ,
Data Protection ,
Data Protection Impact Assessments (DPIAs) ,
EU ,
Mobile Health Apps ,
Patient Privacy Rights ,
Personal Data ,
Regulatory Requirements ,
Risk Management ,
Sensitive Personal Information ,
Technology Sector ,
UK
Security, scale or functionality – pick two. This computer science principle coined by the late Professor Anderson is particularly relevant to the FemTech industry. Anderson’s Rule states that for a system to provide high...more
5/17/2024
/ Business Strategies ,
Digital Health ,
EU ,
General Data Protection Regulation (GDPR) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Health Technology ,
Innovation ,
Life Sciences ,
Med Tech ,
Popular ,
UK
Clearview AI Inc's successful challenge to the ICO’s £7.5 million fine focused on the limits of the UK GDPR’s jurisdictional reach, succeeding on the grounds that Clearview’s processing activities were outside the scope of...more
1/19/2024
/ Appeals ,
Artificial Intelligence ,
Corporate Fines ,
Data Collection ,
Data Processors ,
EU ,
Facial Recognition Technology ,
General Data Protection Regulation (GDPR) ,
Jurisdiction ,
Law Enforcement ,
Personal Data ,
UK GDPR
Political agreement was reached on 9 December in the negotiations on the EU AI Act, arguably the world’s most comprehensive and ambitious AI law to date.
Some further steps must take place, including confirmation by the...more
On 14 November 2023, the European Data Protection Board (EDPB) adopted guidelines on the technical scope of Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC, as amended) (ePD). This reflects the EDPB's intent to...more
The pace of new EU law continues unabated, with IoT, cyber security and digital services being key areas of activity. The BCLP Data Privacy & Security team is tracking EU law developments relevant to data and cyber security....more
A few weeks ago, on 24 September 2023, the Data Governance Act (Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance) (“DGA”) came into force.
The DGA aims to...more
11/14/2023
/ Administrative Authority ,
Best Practices ,
Data Collection ,
Data Management ,
Data Protection ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Governance ,
Information Management ,
International Data Transfers ,
Member State ,
Public Sector ,
Third-Party Service Provider
Updated June 2023 -
The BCLP Data Privacy & Security team is tracking EU law developments relevant to data and cyber security. This tracker summarizes the effect and status of the following: the Digital Services Act, the...more
6/19/2023
/ Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Data Transfers ,
Digital Marketplace ,
Digital Service Providers ,
Digital Services ,
EU ,
EU Data Protection Laws ,
Information Governance ,
International Data Transfers ,
New Legislation ,
Pending Legislation ,
Personal Data ,
Popular
Artificial intelligence (“AI”), once limited to the pages of science fiction novels, is now viewed as a key strategic priority for both the UK and EU.
The UK, in particular, plays a prominent role at the cutting edge of...more
The updated guidelines (05/2021) from the European Data Protection Board (“EDPB”) issued on 14 February 2023 (the “New Guidelines”) look at the interplay of two fundamental, protective mechanisms contained in the EU GDPR....more
3/17/2023
/ Data Controller ,
Data Processors ,
Data Protection ,
Draft Guidance ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Guidance Update ,
International Data Transfers ,
Personal Data
The recent CJEU decision in X-FAB (Case C-453/21) provides guidance on how to determine whether a conflict of interest could arise for your Data Protection Officer (“DPO”) and how to avoid this. It also confirms the approach...more
On 18 January 2023, the European Data Protection Board (the “EDPB”) announced the adoption of a report on the work undertaken by the Cookie Banner Task Force (the “Task Force”). The Task Force was formed in September 2021 for...more
2/9/2023
/ Consent ,
Cookie Banners ,
Cookies ,
e-Privacy Directive ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
NGOs ,
Schrems I & Schrems II ,
UK
Though perhaps falling short of being a universally accepted one, it is a truth that any organisation processing personal data needs a privacy programme. But how best should an internal compliance framework be structured...more
The UK government confirmed on 30 November 2022 that there will be changes to the UK’s cybersecurity regulations in response to a public consultation launched earlier this year. This follows recent updates relating to the...more
12/30/2022
/ Compliance ,
Consultation ,
Cyber Attacks ,
Cyber Incident Reporting ,
Cybersecurity ,
Data Protection ,
Data Security ,
EU ,
EU Directive ,
Information Technology ,
Outsourcing ,
Popular ,
Proposed Amendments ,
Proposed Regulation ,
Third-Party Service Provider ,
UK
Two and a half years after the Schrems II decision invalidated the EU-US Privacy Shield, the EU and US are inching closer to a replacement data transfer mechanism for EU to US personal data transfers. On 13 December 2022, the...more
With the 27 December 2022 deadline for updating data transfer contracts with the EU SCCs fast approaching, this alert mines European Commission guidance, as well as the team’s experience, and offers some tips for successful...more
On 27 April 2022, the Russia (Sanctions) (EU Exit) (Amendment) (No 9) Regulations 2022, SI 2022/477 (the ‘Regulations’) were laid before Parliament and came into force two days later. The regime created under the statutory...more
Since the Schrems II 2020 judgment famously “cancelled” the EU/U.S. Privacy Shield program for personal data flows from the EU to the United States, it would be an understatement to say that U.S.-bound personal data flows...more
On 28 January 2022 (Data Protection Day), the UK’s International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (the “EU Addendum”) were...more
It is well known that the EU GDPR (specifically, Chapter V) restricts transfers of personal data from the EU to a “third country” (i.e. a jurisdiction outside the EEA) or to an international organisation. But what is meant by...more
12/2/2021
/ Consultation ,
Corporate Counsel ,
Data Controller ,
Data Processors ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Multinationals ,
New Guidance ,
Personal Data ,
Standard Contractual Clauses ,
Third Country Entities (TCEs)
On 11 August, the UK Information Commissioner’s Office launched a consultation paper on “International transfers under UK GDPR”. The documents released alongside the paper include a draft International Data Transfer Agreement...more
8/16/2021
/ Consultation ,
Corporate Counsel ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Personal Data ,
Risk Assessment ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
UK
In short, no. It is not necessary to use both the new SCCs and the new Article 28 clauses at the same time....more
This depends on whether you are looking at (a) entering into new data transfer agreements or (b) repapering existing ones. The longstop date for repapering existing agreements is 27 December 2022; however, the new EU SCCs...more
The European Commission recently adopted new standard contractual clauses (SCCs) for transfers of personal data from the EU to “third countries” (the “new SCCs”). In this post, we highlight key developments in the UK’s data...more
7/9/2021
/ Data Controller ,
Data Processors ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Member State ,
Personal Data ,
Standard Contractual Clauses ,
UK ,
UK Brexit
On 28 June, the European Commission adopted its Adequacy Decision for the UK, putting to an end (at least for now), the uncertainty surrounding EU to UK personal data flows. This averted a “cliff edge” in the shape of the 30...more