EDPB publishes opinion on the interplay between GDPR and ePrivacy

The European Data Protection Board (the “EDPB“) has published its opinion on the interplay between the GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive“).

The opinion confirms that it is possible for personal data processing to fall within the scope of both the GDPR and the ePrivacy Directive. For example, the use of cookies. Continue reading

Clarification on the status of the EU-US Privacy Shield on a no deal Brexit

The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield“) and in a no-deal Brexit scenario.

Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed. Continue reading

ICO and FCA announce new Memorandum of Understanding

On 18 February 2019, the Information Commissioner’s Office (the “ICO“) and the Financial Conduct Authority (the “FCA“) published a new Memorandum of Understanding (“MoU“) between them. This will no doubt be of interest to any business regulated by the FCA and while it is good news that regulators will be co-operating in the exercise of their functions, the MoU does not remove the risk for such businesses that they could, in the event of any data protection breach, face parallel investigation and enforcement action from more than one regulator, both with very significant sanctioning powers.

We have set out below a high-level overview of the MoU, the conduct of investigation and enforcement and the legal basis on which information can flow between the two regulators – paving the way for further joined-up regulatory thinking in the wake of the GDPR. Continue reading