Tag: data protection

1
UK consults on new data protection regime
2
UK unveils plan to diverge from GDPR
3
Reminder for One-Month Deadline to Implement New SCCs in New Contracts
4
Even the Best Fall Down Sometimes: Nine Network suffers large-scale cyber attack
5
City of Oldsmar, Florida narrowly avoids ‘hot water’ in remote cyberattack on its infrastructure
6
Therapy clients become targets of blackmail campaign
7
EU Court of Justice Invalidates Privacy Shield
8
Privacy Professionals download COVIDSafe App
9
It’s Trace Time! The COVIDSafe App is open for business – Part II
10
“This is a public health app, it’s not a surveillance app”: Review finds “nothing particularly disturbing” about the Federal Government’s coronavirus tracing app

UK consults on new data protection regime

By Norin McFadden and Claude-Étienne Armingaud

The UK government has unveiled its much-trailed plans to reform its data protection laws, outlined in a consultation document which is open for public comment until 19 November 2021.

Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may lead to trouble for the continuation of the adequacy decision granted by the EU in June. If terminated, the adequacy decision, currently permitting free flows of personal data between the EU and the UK, could cause increased costs and bureaucracy for businesses on both sides of the Channel to continue their data transfers. 

Some of the changes to the UK GDPR proposed in the consultation document are:

  • Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
  • Removal of the right to human review of decisions made on the basis of solely automated data processing.
  • Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.

The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:

  • Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
  • Removing the requirement for websites to obtain consent before serving some analytics cookies.
  • Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.

UK unveils plan to diverge from GDPR

By Norin McFadden and Claude-Étienne Armingaud

The UK government has announced that it intends to consult on a new, post-Brexit data protection regime, potentially moving away from the UK General Data Protection Regulation that currently underpins the UK’s data protection legislation. The Digital Secretary, Oliver Dowden, said, “It means reforming our own data laws so that they’re based on common sense, not box-ticking.

A public consultation on the new legislation will follow, but it is clear that the United Kingdom must be careful about any changes it makes to its data regime in order to avoid disrupting the EU-UK adequacy decision with EU GDPR awarded just two months ago. The adequacy decision allows personal data from the European Union to flow freely to the United Kingdom (and vice versa), without businesses needing to put any additional paperwork in place. In granting the adequacy decision, the European Union placed particular emphasis on the fact that the United Kingdom was continuing to base its data protection laws on the same EU GDPR rules that had applied when it was a member of the European Union. A European Commission spokesperson commented that the EU will be closely monitoring any developments in UK data laws and noted that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.

It will be interesting to see how far the United Kingdom diverges, particularly as the current trend is that other countries seem to be keen to state that their data protection laws closely follow the EU GDPR.

The UK government also announced that its preferred candidate to be the next Information Commissioner, head of the UK data protection regulator, will be John Edwards, currently in charge of New Zealand’s data regulator, a country that also maintains an EU adequacy decision.

Reminder for One-Month Deadline to Implement New SCCs in New Contracts

By Jake Bernstein and Jane Petoskey

In early June 2021, the European Commission published a new set of standard contractual clauses (SCCs) effective June 27, 2021 for cross-border data transfers and between controllers and processors.  The new SCCs cover changes in data protection laws, including the invalidation of the EU-US Privacy Shield and the fallout from the Court of Justice of the European Union’s (CJEU) Schrems II opinion (regarding US intelligence laws). The new cross-border data transfer SCCs also use a modular approach to allow for more accurate identification of roles and responsibilities of the contracting parties.  In terms of timing, organizations may use the old SCCs in new contracts until September 27, 2021, and contracts existing before September 27, 2021 must change to the new SCCs by December 27, 2022. For additional information on the SCCs, read our K&L Gates EU Data Protection Alert here.

Please do not hesitate to contact the K&L Gates LLP Cybersecurity and Privacy team of attorneys if you need assistance updating new or existing contracts with the new SCCs by the above deadlines.

Even the Best Fall Down Sometimes: Nine Network suffers large-scale cyber attack

By Cameron Abbott, Warwick Andersen, Rob Pulham and Max Evans

Channel Nine has suffered the largest cyber attack on a media company in Australia’s history, according to reports from IT News, the AFR and Nine News.

The cyber attack, reported by Channel Nine as a variation of a ransomware attack, struck early Sunday morning, resulting in television and digital production systems being offline for more than 24 hours. The attack impaired Channel Nine’s ability to broadcast from its Sydney studios, forcing the media outlet to shift operations to its Melbourne studios.

Read More

City of Oldsmar, Florida narrowly avoids ‘hot water’ in remote cyberattack on its infrastructure

By Cameron AbbottRob Pulham and Jacqueline Patishman

News reports have surfaced reporting that a hacker in the US gained access to the Oldsmar’s water treatment plant system in an attempt to release a corrosive chemical into the Oldsmar’s water supply.

Read More

Therapy clients become targets of blackmail campaign

By Cameron Abbott and Keely O’Dowd

Patients of a Finnish psychotherapy centre have become the victims of a blackmail campaign after the centre suffered a data breach. It is reported, the centre’s data was stolen during two attacks, one occurring in November 2018 and the other between the end of November 2018 and March 2019.

A cyber criminal (or criminals) has used the stolen data to contact patients demanding the payment of 200 euros in bitcoin, with this amount increasing to 500 euros if the patient refused to pay within 24 hours. If a patient refused to pay the ransom, the cyber criminal threatened to publish their personal information, including notes from therapy sessions. Around 300 records have been published on the dark web, which suggests patients are refusing to pay the ransom. The centre also received a ransom demand of 500,000 euros for the return of their data, which it has refused to pay.

Read More

EU Court of Justice Invalidates Privacy Shield

By Cameron Abbott, Claude Etienne-Armingaud, Rob Pulham, Michelle Aggromito and Keely O’Dowd

On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.

Read More

Privacy Professionals download COVIDSafe App

By Cameron Abbott, Warwick Andersen, Rob Pulham, Michelle Aggromito and Allison Wallace

A number of legal professionals, with significant experience in the field of privacy law, have signed an open letter to encourage individuals to download the Commonwealth Government’s COVIDSafe App.

Among the privacy lawyers are members of K&L Gates own Australian privacy team (and the authors of this blog post) Cameron Abbott, Rob Pulham, Warwick Andersen, Michelle Aggromito and Allison Wallace.

The open letter is signed by members in their personal capacity, and signals that people who care about privacy a lot can still think that supporting the health and economic objectives of the App is more important at this time.

As at the date of this post, more than 5 million people have downloaded the App, with more needed to reach the Commonwealth Government’s target of 40% of the Australian population.

It’s Trace Time! The COVIDSafe App is open for business – Part II

By Cameron Abbott, Warwick Andersen, Rob Pulham and Michelle Aggromito

In Part I of this blog, we briefly touched on some of the safeguards that the Commonwealth Government has indicated that they will implement to address privacy concerns. Those proposed new safeguards are intended to satisfy many of the privacy concerns. However, there are additional safeguards that have been implemented in connection with the functionality of the App, which we focus on in Part II here.

Read More

“This is a public health app, it’s not a surveillance app”: Review finds “nothing particularly disturbing” about the Federal Government’s coronavirus tracing app

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

The Federal Government’s coronavirus tracing app has raised some privacy concerns amongst the Australian public. Even some of our government Ministers have ruled out downloading the app due to such concerns! However, the independent cyber security body tasked with reviewing the app has said that it has found no major concerns with it.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.