New reciprocal adequacy decision allows free flow of personal data between Japan and the EEA

On 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on a reciprocal finding of an adequate level of data protection by both sides.

Under the General Data Protection Regulation (“GDPR”) which became effective across Europe on 25 May 2018, an adequacy decision adopted by the Commission is one of the ways which allows personal data to be transferred outside the European Economic Area (“EEA”). An adequacy decision is adopted if the Commission, after its assessment of the level of protection in the recipient jurisdiction, decides that the recipient jurisdiction ensures an adequate level of protection to the personal data of EU data subjects.

This is the first time the Commission and a third country have agreed on reciprocal recognition in respect of data protection adequacy. The other countries or territories which have been assessed by the Commission as having an adequate level of protection of personal data are all based on the Commission’s unilateral decisions (e.g. New Zealand, Canada and Switzerland). Reciprocal recognition means that not only can personal data be transferred from the EEA to Japan in compliance with the GDPR, it can also be transferred from Japan to the EU in compliance with the Japanese law.

Continue reading

Court makes permanent injunction against unknown parties preventing disclosure of confidential information unlawfully removed from computer

In the cases of Clarkson Plc v Person(s) Unknown (“Clarkson”) and PML v Person(s) unknown (“PML”), the court has created a new tool in the fight against cyber attackers. The defendants who are unknown person(s) gained unauthorised access to the claimants’ IT systems and acquired a considerable quantity of information. The unknown defendant(s) then threatened to publicise the information unless a substantial sum was paid. Despite not being able to identify the attackers directly the court was prepared to grant an injunction. Continue reading

NIS Directive and Regulations now in force

The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.

The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy. Continue reading

Data breaches: new Article 29 Working Party guidance

In anticipation of the GDPR, various guidance has been published by the Article 29 Working Party, the body of national EU data regulators.

Of most relevance in the cyber context is the guidance on personal data breach notifications; the Article 29 Working Party issued its initial guidance in October 2017 and published a final version of the guidelines (which remained mostly unchanged) in February 2018.

This guidance relates to the new requirement under the GDPR for all controllers to notify the appropriate data protection authority of a personal data breach, following a cyber attack for example. This will include providing the regulator with a significant amount of information about the breach and marks a change from the previous regime (under the Data Protection Act 1998) where notification to the ICO was not mandatory, although the ICO encouraged notification for serious breaches.

The key areas addressed by the guidance include further clarity on what constitutes awareness of a breach, when notification is and is not required in respect of examples of different types of breaches, when the clock starts running in relation to the 72 hour deadline and how to manage conflicting requirements of the GDPR and those of law enforcement authorities outside of the EU. For further information, a copy of the guidance can be found here.

Continue reading

Internet of Things – ICO’s six reasons why businesses should be thinking about data protection and the DCMS’s Secure by Design Report

In light of the booming market of the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year, which can be found here.

Continue reading

Compliant or not: the GDPR is here

The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.

With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.

For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:

  1. The GDPR: the “whole of business” issue at the top of your board agenda
  2. The rise of the intelligent business: spotlight on employers
  3. Extending the long arm of the law: Extra-territoriality and the GDPR
  4. Data use – protecting a critical resource
  5. Supply Chain Arrangements: The ABC to GDPR Compliance

Continue reading