Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: UK

Posted in News & Events

All-Day Workshop: Privacy and Cybersecurity KnowledgeShare (Agenda & Speakers Announced)

Join us on Thursday 19 September for the Hogan Lovells Privacy and Cybersecurity KnowledgeShare in London. We will share our latest thinking on the key privacy and cybersecurity issues faced by those with data protection responsibilities within organisations. Our all-day event will cover a lot of ground through incisive quick-fire presentations, Q&A panels and hands-on workshops.

Posted in News & Events

All-Day Workshop: Privacy and Cybersecurity KnowledgeShare

Join us on Thursday 19 September for the Hogan Lovells Privacy and Cybersecurity KnowledgeShare in London. We will share our latest thinking on the key privacy and cybersecurity issues faced by those with data protection responsibilities within organisations. Our all-day event will cover a lot of ground through incisive quick-fire presentations, Q&A panels and hands-on workshops.

Posted in International/EU Privacy

The UK ICO’s Regulatory Sandbox Points to a Future of Pro-Active Engagement

As companies continue to grapple with interpreting how the GDPR’s principles apply to their own businesses, in particular contexts, there is a growing need for data protection regulators to provide clarity on the practical application of the regulation. In the UK, the Information Commissioner has recently taken steps to address these concerns through the announcement of a ‘Regulatory Sandbox’.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Time to Take Notice: ICO to Impose Record Fine for Data Security Breach

On 8 July 2019, the UK data protection authority issued a notice of its intention to fine British Airways GBP 183.39 million (approx. USD 229.46 million) for infringements of the General Data Protection Regulation. The proposed fine relates to a data breach in which personal data of approximately 500,000 customers were compromised.

Posted in International/EU Privacy

Eduardo Ustaran Discusses Brexit and ePrivacy on IAPP Podcast

Eduardo Ustaran was featured on the IAPP’s Privacy Advisor Podcast to discuss latest developments of Brexit—including various potential outcomes—and how companies doing business in the United Kingdom are looking ahead to prepare post-Brexit privacy and data protection compliance practices. Eduardo also outlined the state-of-legislation of the European Union’s ePrivacy update and discussed how the anticipated regulation may develop during Romania’s term in the Presidency of the Council of the European Union.

Posted in International/EU Privacy

Action Required: Privacy Shield Participants Must Update Privacy Policies for Brexit

With the deadline for a no-deal Brexit looming—the UK’s exit date from the European Union is now slated for April 12—companies certified to the EU-U.S. Privacy Shield should update their Privacy Shield privacy policies if they have not done so already to ensure that they are able to lawfully receive personal data from the UK post-Brexit.

Posted in International/EU Privacy

EU and Japan Create World’s Largest Area of Safe Data Transfers

On 23 January, the European Commission announced that it had adopted an adequacy decision in relation to Japan, to enter into force immediately. The mutual agreement, which covers Japan’s 127m citizens as well as the whole of the EU, allows personal data to be transferred between Japan and the EU without the need for additional safeguards such as Standard Contractual Clauses, and creates the largest area of safe data transfers in the world.

Posted in International/EU Privacy

Brexit – A Data Protection Action Plan

Right now, the whole of the U.K. appears to be on the same spot looking over a precipice. However, this is not the moment to be blind. As politicians struggle to find a magic formula for a prosperous Brexit, businesses are stepping up their efforts to mitigate the damage of a possible “no-deal Brexit.” The data protection community is no different. The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the U.K. leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Therefore, British pragmatism demands an urgent and thorough approach to preparing for the eventuality of a no-deal Brexit.

Posted in International/EU Privacy

UK Government Aims for Data Protection Continuity Despite No Deal Brexit Prospect

Amid the constitutional and political uncertainties surrounding the Brexit process, the UK Government has provided welcome assurance on the data protection front. Guidance issued by the Department for Digital, Culture, Media & Sport (DCMS) confirms how UK data protection law will work in the event the UK leaves the EU without a deal. Whilst the Government still regards a No Deal Brexit as “unlikely”, given the extremely severe implications of that scenario for transfers of personal data into and out of the UK, the DCMS confirmation is hugely helpful in terms of the preparations needed for that eventuality.

Posted in International/EU Privacy

Data Protection and the Draft EU-UK Withdrawal Agreement: Ten Initial Conclusions

The draft text of the EU-UK withdrawal agreement was published by the UK Government and the European Union yesterday, providing some of the first concrete indicators of the possible direction of travel in the area of data protection. In this post, we discuss ten initial conclusions from the draft text.

Posted in International/EU Privacy, Privacy & Security Litigation

U.S. Court Allows Video Deposition Over EU Deponent’s Privacy Objections

A U.S. court has recently ruled that an EU citizen’s privacy rights and the GDPR do not trump a U.S. litigant’s right to obtain discovery, including video-taped depositions. In d’Amico Dry d.a.c. v. Nikka Finance, Inc., CA 18-0284-KD-MU, Dkt. No. 140 (Adm. S.D. Ala. Oct. 19, 2018), a federal magistrate denied an EU citizen’s motion […]

Posted in International/EU Privacy

Will the UK Meet the EU Adequacy Test?

Unless there is a political earthquake (some would say a miracle) Brexit will happen on 29 March 2019. Upon Brexit the UK will cease to be an EU Member State and become a so-called ‘third country’. As a result, UK-based organisations, which in the context of transfers of personal data to countries outside the EU have always been exporters, will become importers of data originating from the EU. This is a serious concern because transfers of personal data from the EU to third countries are severely restricted. So a key UK Government objective from day one has been to ensure that the UK is regarded as an adequate jurisdiction, which would allow unconstrained transfers of personal data from the EU. But will it be?

Posted in International/EU Privacy

Data Protection in the Event of a “No Deal Brexit”

The Department for Digital, Culture, Media and Sport (‘DDCMS’) has today released guidance on “Data protection if there’s no Brexit deal”, which is part of its preparations for if there is a “no deal” scenario when the Article 50 negotiating period comes to an end on 29 March 2019. The UK will become a “third country” on its exit from the European Union, which means that unhindered cross-border transfers of data will no longer automatically be able to take place between the UK and the EU. The guidance confirms that, given the “unprecedented alignment” between the UK and EU data protection regimes, the UK would continue to allow transfers of data from the UK to the EU at the point of exit. However, the Commission has made it clear that they would not make a decision on adequacy until the UK is a third country (that is, after 29 March 2018), and its procedure for reaching a decision typically lasts several months.

Posted in International/EU Privacy

UK’s Draft GDPR Implementation Law: The Starting Point

On September 13, the U.K. government introduced in Parliament the Data Protection Bill. The main aim of the bill is to implement the General Data Protection Regulation (EU) 2016/679 into U.K. domestic law. However, as perhaps reflected in the length and complexity of the bill, it is also intended to do several other things. This post outlines key observations on the structure and content of the bill.

Posted in Health Privacy/HIPAA, International/EU Privacy

Focus on Google DeepMind under the GDPR’s Lens

The Information Commissioner’s Officer ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust had failed to comply with the Data Protection Act 1998 when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today; sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation may impact the use of patient data going forward.

Posted in International/EU Privacy

UK Government Releases Statement of Intent on Proposed Data Protection Bill

On 7 August 2017, the UK Department for Culture, Media and Sport published its Statement of Intent on a proposed Data Protection Bill, which will replace the current UK Data Protection Act 1998. The Bill is designed to fully implement the two new laws emanating from the EU – the General Data Protection Regulation and the Data Protection Law Enforcement Directive – in an effort to make the UK’s transition out of the EU as smooth as possible from a data protection perspective and to ensure that both commercial and law enforcement data flows ‘remain uninterrupted after the UK’s exit from the EU’.

Posted in International/EU Privacy

UK to Align Itself with the GDPR Despite Brexit

“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”. This is today’s strong statement by Her Majesty The Queen reflecting the level of priority given by the UK government to privacy and data protection. Aside from the political controversies surrounding the recent general Election and the prospect of Brexit, the Queen has confirmed that during this Parliament the government intends to pass a new Data Protection Act replacing the existing one.

Posted in International/EU Privacy

State of the Cyber Nation: UK Government Report on Cybersecurity Breaches

On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cyber security breaches and how they affected UK companies in the last year. The report indicates that a number of UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. The General Data Protection Regulation — in particular the requirement to ensure all personal data is protected by appropriate technical and organisational measures — provides a real opportunity for any organisation to build a new cyber security strategy. Documenting the decisions taken on these measures will be useful for showing compliance with the new requirements for data protection by design and by default.

Posted in International/EU Privacy

UK ICO Publishes Guidance on Consent Under GDPR

The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.

Posted in International/EU Privacy

ICO Turns Spotlight on Data Broker Industry

Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. The UK data protection regulator has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications. However, in a recently issued monetary penalty notice, the ICO indicated that it may be shifting its enforcement strategy. This post discusses the latest developments.