February 1, 2021
For the third consecutive year, following the publication of Gibson Dunn’s ninth annual U.S. Cybersecurity and Data Privacy Outlook and Review on Data Privacy Day, we offer this separate International Outlook and Review.
Like many recent years, 2020 saw significant developments in the evolution of the data protection and cybersecurity landscape in the European Union (“EU”):
CJEU” or “Court”) struck down as legally invalid the EU-U.S. Privacy Shield, on which some companies relied to transfer personal data from the EU to the U.S. While companies are turning to other frameworks to transfer personal data, such as Standard Contract Clauses (“
ICO Confirms UK Firms May Rely on Public Interest Derogation for SEC Transfers
Friday, January 29, 2021
On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”). Such firms or branches include investment advisers, securities-based swap dealers and other market participants. The ICO also reviewed the application of the UK GDPR to transfers made by UK issuers that have equity securities or depositary receipts registered with the SEC and listed on a U.S. exchange or market.
13 January 2021 – EU supervisory authorities response to UK cross-border transfers
Following the finalisation of the TCA, a number of supervisory authorities in the EU issued statements in response. In addition, on 13 January 2021, the European Data Protection Board (EDPB) issued updated versions of its Brexit information note and statement. The amendments in both documents reflect the provisions of the TCA allowing free flow of personal data from the EU and EEA countries to the UK during a period of six months during which the European Commission is expected to adopt an adequacy decision in relation to the UK.
The information note is available here and statement here.
The UK Information Commissioner’s Office has warned that many media companies are breaking the law and urged them to review how they use personal data as it resumed its adtech investigation.
Its probe into the UK’s £13bn a year online advertising industry will particularly look into widespread non-compliance with GDPR, the EU data regulations which were incorporated into UK law in 2018.
Under GDPR, people must unambiguously opt in to receive marketing communications and to share their personal data. GDPR states that marketers and publishers must also abide by strict rules around the storage of data and how it is shared with other companies.
Alja Poler De Zwart authored an article for the International
Association of Privacy Professionals covering the guidance issued
by the UK Information Commissioner’s Office and the
Netherlands Autoriteit Persoonsgegevens that says companies
dealing with an increase in data subject requests (DSRs) by
concerned individuals in the aftermath of large security breaches
cannot extend the one-month response period. Such a position imposes unreasonable burdens on
organizations in the midst of a large security breach, Alja
wrote. It is also contrary to the legislative history of the