Follow us


See our list of recent developments in data protection and privacy below.

GDPR related articles

New reciprocal adequacy decision allows free flow of personal data between Japan and the EEA

July 2018

On 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on a reciprocal finding of an adequate level of data protection by both sides. Under the General Data Protection Regulation (“GDPR”) which became effective across Europe on 25 May 2018, an adequacy decision adopted by the Commission is one of the ways which allows personal data to be transferred outside the European Economic Area (“EEA”). An adequacy decision is adopted if the Commission, after its assessment of the level of protection in the recipient jurisdiction, decides that the recipient jurisdiction ensures an adequate level of protection to the personal data of EU data subjects. Read more >


 

Data Protection Bill published: no major surprises for businesses, which should now begin to prepare in earnest for GDPR

September 2017

The Government published the draft Data Protection Bill (the "Bill") on 14 September. The Bill will be debated at its second reading in the House of Lords on 10 October 2017. The Bill will replace the Data Protection Act 1998 (the "1998 Act") and will be supplemented by the EU General Data Protection Regulation ("GDPR") which applies directly from 28 May 2018 until the UK leaves the EU; at that point, the Government intends that the GDPR will be incorporated into the UK's domestic law under the European Union (Withdrawal) Bill. The Bill therefore does not need to replicate the GDPR itself, but instead implements various derogations permitted by the GDPR and also extends the GDPR standards to certain areas of data processing outside EU competence. The Bill also provides for the continuation of the Information Commissioner's role. Read more >


 

EU: Article 29 Working Party provides guidance on processing of employees’ personal data at work

July 2017

The new obligations under the GDPR require employers to embed data protection by design; this may require a more thoughtful approach from employers as to how they introduce monitoring technologies into the workplace to ensure proper protections of employee personal data and privacy. The article also provides nine practical examples of data processing that highlight the potential for technology to jeopardise the privacy of employees in the workplace. Read more >


 

E-privacy refresh for today's electronic communications services: Good intentions but does the proposed regulation strike the right balance?

March 2017

In this article we take a look at some of the main features of the Draft Regulation at this early stage of the European legislative process and the potential impact on organisations in the technology, media and telecoms sectors – in particular whether the draft proposal addresses the balance between improving rights to privacy and being sufficiently practical and consumer and business friendly for today's digital age. Read more >


 

Article 29 Working Party: First GDPR guidance puts data portability in the spotlight

March 2017

The article looks specifically at how the guidelines clarify how organisations should interpret and implement the new GDPR right to data portability and recommend practices and tools that support compliance with this new right. Read more >


 

UK: Data protection – Court of Appeal ruling on subject access requests, prosecution for taking client data to a competitor, and new guidance

February 2017

The last section has links to some resources published by the EU Article 29 Data Protection Working Party, and one by the Information Commissioner's Office. Read more >


 

Big Data Regulation: Coming Soon to a Business Like Yours?

December 2016

The Financial Times recently referred to Big Data as "a vague term for a massive phenomenon that has rapidly become an obsession with entrepreneurs, scientists, governments and the media". And it does seem to appear from the headlines that there isn't a real world situation that Big Data cannot be applied to – for example, in the aftermath of the recent US General Election, questions have been asked to whether there was a failure of Big Data to accurately predict the result. Read more >


 

GDPR: Practical Steps for Employers

November 2016

The General Data Protection Regulation ("GDPR") will apply from 25 May 2018 across all EU Member States, including, at least for a period of time, the UK (as recently confirmed by the UK Government). Read more >


 

UK: Data protection – Why HR needs to know about new EU rules

November 2016

It looks at how the GDPR might affect organisations from a HR perspective and clarifies that it will apply in the UK even if the BRexit process goes through, due to direct effect. The article suggests that any current plans to alter IT systems should be ‘future proofed’ for the new rules, and organisations should be taking steps now to understand the GDPR, particularly since sanctions for non-compliance include fines of up to €20 million or four per cent of a company’s annual worldwide turnover, whichever is greater. Read more >


 

Brexit: The Legal Questions Raised by the Leave Vote

June 2016

Now that the result is in, and the public have voted to leave the European Union, what does that mean for the law? This article was first published in Estates Gazette, 24 June 2016. Read more >


 

Save the Data: EU General Data Protection Regulation to apply from 25 May 2018

May 2016

This briefing gives an overview of some of the key compliance issues for organisations in relation to the GDPR, including as to data security and sanctions which are not only relevant from a pure data protection compliance perspective, but also in the broader context of data issues and cyber security. Read more >


 

Data Superpower? A review of the Privacy Shield documentation

April 2016

This article sets out some key features of the proposed EU-US Privacy Shield for organisations looking to take advantage of this proposed new compliance method for transatlantic data transfers. Read more >


 

EU developments: trade secrets and data protection

April 2016

The European Parliament approved the Trade Secrets Directive aimed at harmonising the definition and protection of trade secrets and undisclosed know-how across Europe and also approved the new General Data Protection Regulation on 14 April 2016. The note discusses what employers will need to consider in terms of the implications for their processing of employee data and prepare for compliance in 2018. Read more >


General Data Protection and Privacy

Court of Appeal confirms Morrisons vicariously liable for employee's deliberate actions in first successful UK class action for data breach

October 2018

The Court of Appeal has today dismissed an appeal against the High Court's decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee's intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339. Read more >


 

Privacy at work: Limits on employers’ ability to monitor private communications

September 2017

The Grand Chamber of the European Court of Human Rights’ (ECtHR) ruling in Barbulescu v Romania (61496/08) is a timely reminder of the limits of employers’ ability to monitor their employees’ private activity on work IT systems. Read more >


 

UK Government Position Paper on International Transfers of Data – key points

August 2017

Last week the UK Government released its negotiating position paper on international transfers of personal data within the EEA (The Exchange and Protection of Personal Data). Once the UK leaves the EEA it will no longer be subject to the General Data Protection Regulation (the “GDPR”) and would no longer form part of the EU “safe data” zone throughout which personal data may be freely transferred. The GDPR will however continue to apply to UK businesses who provide goods or services to individuals in the EEA. Read more >


 

Digital Economy Act: The pick 'n' mix assortment of provisions receives Royal Assent

June 2017

The Digital Economy Act (the “Act“) finally received Royal Assent on 27 April 2017 and the final text has recently been published. First introduced in the House of Commons in July 2016, it has been the subject of much scrutiny and debate by both Houses of Parliament. With the General Election looming, the legislation was passed in a final sweep as part of the so-called “wash up” period before the dissolution of Parliament. Read more >


 

EU Council publishes Progress Report on draft EU ePrivacy Regulation

June 2017

On 15 May 2017, the Council of the European Union published its progress report (the "Report") on the first draft of the ePrivacy Regulation (the "Draft Regulation"). Read more >


 

EU-US Privacy Shield first annual review announced following a challenging introduction

June 2017

On 12 July 2016, the European Commission adopted an “adequacy decision” allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the "Privacy Shield"). Read more >


 

Driverless Cars, Drones and DNA: How to build trust in the data age

May 2017

‘Trust and transparency’ is the theme of this year’s Privacy Awareness Week (15-19 May 2017). This is an annual event held since 2006 to raise awareness across the Asia-Pacific region of the importance of protecting personal information. Read more >


 

Proposed reform of data management practices all in the name of productivity

May 2017

The Productivity Commission’s recommended new legislative data management framework. Read more >


 

One step closer to Australian Data Breach class actions

April 2017

The Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth), which received assent on 22 February 2017, proposes a number of amendments to the Privacy Act 1988 (Cth) that could act as a trigger for Australian class actions in the data breach space. Read more >


 

E-privacy refresh for today's electronic communications services: Good intentions but does the proposed regulation strike the right balance?

March 2017

In this article we take a look at some of the main features of the Draft Regulation at this early stage of the European legislative process and the potential impact on organisations in the technology, media and telecoms sectors – in particular whether the draft proposal addresses the balance between improving rights to privacy and being sufficiently practical and consumer and business friendly for today's digital age. Read more >


 

New Mandatory Data Breach Reporting Law Passed

February 2017

The Federal Government has today passed the Privacy Amendment (Notifiable Data Breaches) Act 2016 to amend the Privacy Act 1988 to include mandatory notification of eligible data breaches. Read more >


 

Shielded from Attack? Legal challenges to the EU-US Privacy Shield Launched

December 2016

In an arguably predictable data development, the Irish privacy advocacy group, Digital Rights Ireland, has issued proceedings to challenge the EU-US Privacy Shield regime in the European Courts. Read more >


 

General Counsel Update – November 2016

November 2016

This is the latest in our series of general counsel updates which aim to summarise major developments in key areas (See TMT section). Read more >


 

Blue sky thinking: FCA publishes cloud outsourcing guidance

September 2016

In July 2016, the FCA published its final guidance for financial service firms outsourcing to the "cloud" and other third party IT services (the "Guidance"). The guidance confirms that it is possible for firms to outsource to the cloud, including the public cloud, in a manner that is compliant with FCA rules. As such, it is likely to be welcomed by financial services organisations and service providers alike. However, it is not all plain sailing, and firms will need to consider their regulatory compliance carefully in consultation with the guidance before embarking on any cloud outsourcing. Read more >


 

Big Data, Bigger Opportunities? Victorian Commissioner appointed to head un 'big-data' privacy review

July 2016

Victoria’s current Commissioner for Privacy and Data Protection has been appointed by the United Nations to head a global study into big data, under the auspices of the UN Special Rapporteur on the right to privacy. Read more >


 

US Court Ruling Prohibits US Government Seizure of E-mails stored outside the United States

July 2016

A federal appeals court handed a major win to Microsoft when it ruled that US authorities cannot compel US tech companies to disclose e-mail content that they store on servers located outside the United States. Read more >


 

Guide to Big Data and the Australian Privacy Principles

May 2016

In May 2016, the OAIC released the draft Guide to assist entities to undertake big data activities in accordance with privacy laws. Read more >


 

MAS Consults on Regulations for the Provision of Digital Advisory Services

August 2016

In line with its recognition of the rapid expansion of and new products within the fintech sphere, the Monetary Authority of Singapore (MAS) issued a consultation paper on 7 June 2017 on the provision of digital advisory services (ie advice on investment products using automated, algorithm-based tools, also known as “robo-advisory services”). The consultation closed on 7 July 2017. Read more >


Cyber security

Cyber Security Quarterly Round Up - December 2017

December 2017

Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA. Read more >


 

Cyber Security Quarterly Update – June 2017

June 2017

Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA. Read more >


 

Cyber Security Quarterly Update – March 2017

March 2017

Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA. Read more >


 

TalkTalk, no action? UK Information Commissioner issues record fine of £400,000 for TalkTalk's cyber security breach

December 2016

On 5 October 2016, the Information Commissioner's Office issued TalkTalk Telecom Group plc with a record £400,000 monetary penalty notice. Read more >


 

The Digital Single Market: Where Are we Now?

November 2016

The European Commission's Digital Single Market Strategy ("DSM Strategy") was published in May 2015 and included a set of 16 targeted initiatives and actions to be delivered by the end of this year. The aim of the DSM Strategy was to create a Digital Single Market, where the free movement of goods, persons, services and capital is ensured — and where citizens and businesses can seamlessly and fairly access online goods and services: whatever their nationality, and wherever they live. Read more >


 

Cyber Security Quarterly Update – October 2016

October 2016

Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA. Read more >


 

Cyber Security Quarterly Round-Up

September 2016

Cyber security affects all businesses and industries and is a Board level agenda item.

This article provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA. Read more >


 

The impact of Brexit on Data Protection and Cyber Security

July 2016

This article summarises a number of unanswered questions in data protection and cyber security legislation brought on by Brexit. Read more >


 

Battening down the Cyber hatches: EU Council approves Cyber Security Directive

June 2016

On 17 May 2016, the Council of Europe formally adopted the new Network and Information Security Directive (the so-called "Cyber Security Directive"), paving the way for final approval from the European Parliament. Read more >


 

Australia's Website Blocking Laws are Put to the Test

March 2016

Partner Rebekah Gay explains how Australia's website blocking laws are being used for the first time in a case Village Roadshow has launched against a movie piracy website. Read more >


 

Cyber Security: Top Ten Tips for Businesses

January 2016

Andrew Moir, Nick Pantlin, Miriam Everett and Nic Ruesink-Brown of Herbert Smith Freehills LLP look at the growing risk of cyber threats and set out ten steps that businesses can take in order to prepare for, and react to, a cyber attack. Read more >


 

Subscribe to the ‘practical GDPR series’

The GDPR hub

Key contacts

Christine Young photo

Christine Young

Partner, London

Christine Young
Nick Pantlin photo

Nick Pantlin

Partner, Head of TMT & Digital UK & Europe, London

Nick Pantlin
Andrew Moir photo

Andrew Moir

Partner, Intellectual Property and Global Head of Cyber & Data Security, London

Andrew Moir
Duc Tran photo

Duc Tran

Of Counsel, London

Duc Tran
Alison Brown photo

Alison Brown

Executive Partner, EMEA, UK and US, London

Alison Brown
Alexandra Neri photo

Alexandra Neri

Partner, Paris

Alexandra Neri
Moritz Kunz photo

Moritz Kunz

Partner, Germany

Moritz Kunz