U.S. Supreme Court Tightens Standing Requirements in TransUnion Decision

On June 25, 2021, the Supreme Court of the United States handed down its decision in TransUnion LLC v. Ramirez, which tightened the Court’s requirements for showing standing and will significantly affect class action litigation, particularly in cases involving causes of action created by federal statute or involving allegations of a potential risk of injury.

Read More

EmailShare

European Commission Adopts UK Adequacy Decisions Allowing Personal Data to Freely Flow from the EU to the UK

On 28 June 2021, the European Commission announced that it has adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (GDPR) and one under the Data Protection Directive with Respect to Law Enforcement (Law Enforcement Directive) (Adequacy Decisions). The announcement comes just two days before the bridging period for data transfers between the EU and the UK was set to expire. In its assessment, the European Commission has determined the UK’s data protection laws are “essentially equivalent” to the data protection laws ensured within the EU. As a result of the Adequacy Decisions, personal data can continue to freely flow between the EU to the UK without the need for a data transfer safeguard (e.g., Standard Contractual Clauses or SCCs) in place. This announcement comes as very welcome news to many organisations transferring data between the EU and the UK.

Read More

EmailShare

Long-Awaited Online Safety Bill is Introduced by the UK Government to Combat “Harmful” Online Content

Two years after the UK Government first put forward its intention to introduce a new regime to address illegal and harmful content online, the UK Government published the Online Safety Bill (“Bill”) on 12 May 2021. The Bill imposes duties of care on providers of digital services, social media platforms and other online services to make them responsible for content generated and shared by their users and to mitigate the risk of harm arising from illegal content (e.g., by minimising the spread of such content). The Bill also aims to ensure that users are able to express themselves freely online and requires platforms to consider the importance of freedom of expression when fulfilling their duties.

Read More

EmailShare

European Data Protection Board Issues Final Schrems II Recommendations

The European Data Protection Board (“EDPB”), adopted on 18 June 2021 its final recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling (“Final Schrems II Recommendations”). The Final Schrems II Recommendations, together with the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission on 4 June 2021, will now allow organizations to proceed with addressing international data transfers following the landmark Schrems II ruling by the Court of Justice of the European Union in July 2020.

The Final Schrems II Recommendations have maintained the requirement to carry out a 6 Step assessment prior to transferring personal data outside the EEA in reliance on a data transfer tool, such as SCCs. However, there have been some important amendments from the draft recommendations published in November 2020 in order to:

  • better align with the new SCCs recently adopted by the European Commission; and
  • allow more flexibility in carrying out the assessment of third country laws in Step 3 by being able to take into account practice in the third country as well as the documented practical experience of the data importer.

Our previous blog post on the draft EDPB’s Schrems II recommendations – accessible here – provides further details on the 6 Step process that organizations should follow when transferring personal data from the EEA to a third country such as the U.S. Here we summarise some of the key differences in the 6 Steps as between the draft recommendations and the Final Schrems II Recommendations.

Read More

EmailShare

SEC Announces Settled Charges Against First American for Cybersecurity Disclosure Controls Failures – Lessons Learned

On June 15, 2021, the SEC announced settled charges against First American Title Insurance Company (First American) for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.1  Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty (Order). This resolution highlights the SEC’s continued focus on cybersecurity. The SEC is considering enhancing its disclosure rules concerning cybersecurity risk governance and has indicated a target release date of October 2021.2

Read More

EmailShare

Schrems II Fallout Continued: Finalised EDPB Recommendations Released

After months of anticipation, the European Data Protection Board (EDPB) has released its finalised recommendations (Recommendations) on how to carry out the required assessment of international data transfers post-Schrems II. In what is considered to be one of the most important documents for the future of data transfers, this development marks a turning point for international entities.

Continuing its series of webinars on the fallout since Schrems II, Sidley and OneTrust DataGuidance are hosting a panel discussion to provide insight on the EDPB’s Recommendations, how they differ from the draft version, and how entities can approach international data flows.

Read More

EmailShare

Federal Government Interest in Cyber Continues: Congressional Hearings on the Colonial Pipeline Cyberattack

On May 7, 2021, Colonial Pipeline experienced a ransomware cyberattack on its corporate network. This attack, attributed to the DarkSide hacking group, led the company to temporarily halt the operation of its pipeline network—causing fuel shortages throughout the East Coast. Although highly publicized, the Colonial Pipeline cyberattack is not unique. In fact, the event was just one in a growing pattern of ransomware attacks against major U.S. companies and critical infrastructure. In light of these events, the issue of cyberattacks—particularly those involving ransomware—has become a key area of concern for federal lawmakers.

Read More

EmailShare
1 2 3 100
EmailShare
XSLT Plugin by BMI Calculator