On June 25, 2021, the Supreme Court of the United States handed down its decision in TransUnion LLC v. Ramirez, which tightened the Court’s requirements for showing standing and will significantly affect class action litigation, particularly in cases involving causes of action created by federal statute or involving allegations of a potential risk of injury.
On 28 June 2021, the European Commission announced that it has adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (GDPR) and one under the Data Protection Directive with Respect to Law Enforcement (Law Enforcement Directive) (Adequacy Decisions). The announcement comes just two days before the bridging period for data transfers between the EU and the UK was set to expire. In its assessment, the European Commission has determined the UK’s data protection laws are “essentially equivalent” to the data protection laws ensured within the EU. As a result of the Adequacy Decisions, personal data can continue to freely flow between the EU to the UK without the need for a data transfer safeguard (e.g., Standard Contractual Clauses or SCCs) in place. This announcement comes as very welcome news to many organisations transferring data between the EU and the UK.
Two years after the UK Government first put forward its intention to introduce a new regime to address illegal and harmful content online, the UK Government published the Online Safety Bill (“Bill”) on 12 May 2021. The Bill imposes duties of care on providers of digital services, social media platforms and other online services to make them responsible for content generated and shared by their users and to mitigate the risk of harm arising from illegal content (e.g., by minimising the spread of such content). The Bill also aims to ensure that users are able to express themselves freely online and requires platforms to consider the importance of freedom of expression when fulfilling their duties.
The European Data Protection Board (“EDPB”), adopted on 18 June 2021 its final recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling (“Final Schrems II Recommendations”). The Final Schrems II Recommendations, together with the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission on 4 June 2021, will now allow organizations to proceed with addressing international data transfers following the landmark Schrems II ruling by the Court of Justice of the European Union in July 2020.
The Final Schrems II Recommendations have maintained the requirement to carry out a 6 Step assessment prior to transferring personal data outside the EEA in reliance on a data transfer tool, such as SCCs. However, there have been some important amendments from the draft recommendations published in November 2020 in order to:
Our previous blog post on the draft EDPB’s Schrems II recommendations – accessible here – provides further details on the 6 Step process that organizations should follow when transferring personal data from the EEA to a third country such as the U.S. Here we summarise some of the key differences in the 6 Steps as between the draft recommendations and the Final Schrems II Recommendations.
On June 15, 2021, the SEC announced settled charges against First American Title Insurance Company (First American) for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.1 Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty (Order). This resolution highlights the SEC’s continued focus on cybersecurity. The SEC is considering enhancing its disclosure rules concerning cybersecurity risk governance and has indicated a target release date of October 2021.2
After months of anticipation, the European Data Protection Board (EDPB) has released its finalised recommendations (Recommendations) on how to carry out the required assessment of international data transfers post-Schrems II. In what is considered to be one of the most important documents for the future of data transfers, this development marks a turning point for international entities.
Continuing its series of webinars on the fallout since Schrems II, Sidley and OneTrust DataGuidance are hosting a panel discussion to provide insight on the EDPB’s Recommendations, how they differ from the draft version, and how entities can approach international data flows.
On May 7, 2021, Colonial Pipeline experienced a ransomware cyberattack on its corporate network. This attack, attributed to the DarkSide hacking group, led the company to temporarily halt the operation of its pipeline network—causing fuel shortages throughout the East Coast. Although highly publicized, the Colonial Pipeline cyberattack is not unique. In fact, the event was just one in a growing pattern of ransomware attacks against major U.S. companies and critical infrastructure. In light of these events, the issue of cyberattacks—particularly those involving ransomware—has become a key area of concern for federal lawmakers.
Tomoki Ishiara
Tokyo
tishiara@sidley.com
Richard D. Klingler
Washington, D.C.
rklingler@sidley.com
Linh Lieu
Hong Kong
linh.lieu@sidley.com
William RM Long
London
wlong@sidley.com
Sujit M. Raman
Washington, D.C.
sujit.raman@sidley.com
Alan Charles Raul
Washington, D.C.
araul@sidley.com
Yuet Ming Tham
Hong Kong
Singapore
yuetming.tham@sidley.com
John K. Van De Weert
Washington, D.C.
jvandeweert@sidley.com
Click here to view all of Sidley's Privacy and Cybersecurity professionals.
