The European Data Protection Board (“EDPB”) recently published new guidance on how companies can validly transfer EU personal data to the many countries that have not been deemed by the EU Commission to generally provide an adequate level of data protection – most notably the U.S. (so called “third countries”). The guidance has particularly important implications for companies that transfer…

EU authorities have understandably declined to put forward a single list of mandatory data security controls that apply to all companies subject to the GDPR. As a result, each new enforcement action by EU data protection authorities provides guidance as to what the GDPR requires for “appropriate technical or organisational measures” to safeguard personal data. We summarise here the lessons…

On November 4, 2020, Vincent Pitaro of the Cybersecurity Law Report published: Comparing U.S. and E.U. Approaches to Incident Response and Breach Notification. The article summarises a panel discussion at the European Incident Response Forum 2020 which featured Robert Maddox from Debevoise & Plimpton’s London office. The panel compared the U.S. and E.U. approaches to incident response across a variety…

On November 16-17, 2020, Anna Gressel and Avi Gesser from Debevoise’s Data Strategy and Security Group will be joining AI thought leaders from around the globe at “The Athens Roundtable on Artificial Intelligence and the Rule of Law,” hosted by the European Parliament’s Science and Technology Options Assessment Panel, UNESCO, the IEEE and other prominent institutions. This two-day event will focus…

October was a particularly busy month, with headline-grabbing stories such as the long-awaited finalisation of the fines against British Airways and Marriott, which may well be the last penalties the UK Information Commissioner’s Office (the “ICO”) issues as a GDPR Lead Supervisory Authority. Having already covered both fines (here and here), and the French CNIL’s latest cookies guidance, below is…

California voters have approved the new California Privacy Rights Act (“CPRA”). The margin was 56% – 44% – comfortable, if significantly tighter than pre-election polling that showed CPRA winning in a landslide. That comes on the heels of the California Attorney General’s release of still more proposed amendments to the regulations for the existing California Consumer Privacy Act (“CCPA”). Below…

Hot on the heels of British Airways’ £20m fine (covered here), the UK Information Commissioner’s Office has fined Marriott £18.4m for alleged data security failings linked to the breach of 339 million guest records. Like the British Airways fine, the penalty is a significant climb-down from the amount originally proposed (£99m) in July 2019. The penalty notice provides helpful insights…

Earlier this month, the Personal Data Protection (Amendment) Bill was read for the first time in Singapore’s Parliament. As we reported previously, in May 2020, Singapore’s Ministry of Communications and Information (“MCI”) and Personal Data Protection Commission (“PDPC”) launched an online public consultation on a draft bill which proposed long-awaited amendments to Singapore’s Personal Data Protection Act 2012 (the “PDPA”),…

In a long-awaited final decision, the UK Information Commissioner’s Office (the “ICO”) has issued a fine of £20m to British Airways (“BA”) following a data breach that took place in 2018. Although by some way the largest fine ever issued by the ICO, this represents a significant reduction from the £183.39m fine initially proposed by the ICO in July 2019,…

On October 13, 2020, Anna Gressel and Avi Gesser from Debevoise’s Data Strategy and Security Group, along with their special guest, Jon Godfread, North Dakota Commissioner of Insurance and Chair of the National Association of Insurance Commissioners (NAIC) Artificial Intelligence Working Group, had an insightful conversation concerning the NAIC AI Working Group’s Principles on Artificial Intelligence, including: Implementing systematic risk management…