After what appears to be a period of relative leniency in 2018/19, enforcement actions for violations of the EU General Data Protection Regulation (“GDPR”) have since intensified. In 2020, according to publically available information, supervisory authorities across the EU and the UK Information Commissioner’s Office (“ICO”) have issued over EUR 170 million worth of fines combined[1], with six of the top ten individual fines imposed being issued in 2020[2].
Continue Reading Ready to Pounce: Regulators Are Intensifying GDPR Enforcement
U.S. CLOUD Act’s Potential Impact on the GDPR
Responding to a request by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), the EU’s data protection supervisory bodies released an initial joint opinion on the impact of the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on the EU data protection framework.
The preliminary assessment by the European…
EDPB Issues First Opinion on Administrative Arrangements Under the GDPR for Cross-Border Data Flows Between EU and Non-EU Securities Agencies
On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.
Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that such third country is “adequate” from a data protection laws perspective, or “appropriate safeguards” are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR’s high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of “provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.”[2] No such “administrative arrangements” have been approved by the EDPB until now.
Continue Reading EDPB Issues First Opinion on Administrative Arrangements Under the GDPR for Cross-Border Data Flows Between EU and Non-EU Securities Agencies
Key Lessons From the FCA’s £16.4 Million Fine of Tesco Bank for Failings Around Cyber-Attack
The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.
The episode illustrates how cybersecurity failures can expose a business not…