Author

Paul Glass

Browsing

In March 2022, U.S. and EU leaders reached an agreement in principle on a new accord to protect data flows entitled the Trans-Atlantic Data Privacy Framework (“EU-U.S. DPF”).  Today, the US Government has taken important steps to implement this critical data flow framework, and strengthen legal certainty for EU to US personal data transfers.   First, President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (“EO”). The EO enhances privacy…

On June 14, 2022, Baker McKenzie held its inaugural Cybersecurity Symposium in New York in conjunction with the Association of Corporate Counsel (ACC). It was a thought-provoking day discussing trends and fresh insights from key players in the government and private sector, the ever-changing regulatory landscape, best practices for cyber-readiness and practical advice to manage cyber-threats, data breach response, insurance and related litigation. The following video provides valuable information and key-takeaways in connection with cybersecurity…

In this episode, Paul Glass, head of Cybersecurity in the UK, is joined by Teresa Michaud, co-chair of the North America Class Action subgroup, and Stephen Reynolds, partner based in Chicago, as they discuss consumer class actions in relation to data breaches and security incidents. Listen in to hear about: overriding themes that have characterized the last year of US class action litigationcybersecurity and data privacy trends and significant developments in the class action space,…

In a recent judgment, the UK Supreme Court unanimously refused to give permission for a litigant to serve a claim form outside of the jurisdiction in respect of a representative action brought against Google. This case, Lloyd v Google, is the latest, and most significant, in a line of recent decisions (see our other updates here and here) which show a general trend of the courts interrogating the type of losses that have been claimed and rejecting claims for…

The new standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”) issued by the European Commission provide for, both, chances and challenges for EU service providers supporting EU and non-EU customers, some of which are outlined below. 1. When do the Ex-EU SCCs apply? EU service providers supporting non-EU customers might want to enter into the new Ex-EU SCCs with…

The European Commission (“EC”) recently issued a set of standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). The Intra-EU SCCs accompany a wider set of clauses issued for extra-EU/EEA personal data transfers (“Extra-EU SCCs”), covering transfers between different types of data processing actors (processors, controllers, sub-processors etc.). Both of them were published in the Official Journal of the European Union on June 7, 2021. The clauses for intra-EU data processing arrangements…

The European Commission (“EC”) recently issued its revised standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and a companion set of standard clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). Both are now published in the Official Journal. The following is an introduction to the core elements of the Ex-EU SCCs and a brief overview of the Intra-EU SCCs. Legal Context The Ex-EU SCCs are a mechanism that companies can…

The European Data Protection Board (EDPB) recently published the draft Guidelines on Examples Regarding Data Breach Notification, a document that encompasses eighteen examples of data security incidents, on a spectrum of risk and necessary mitigating measures.  Each example concludes with recommended actions based on the identified risks, mainly: recording the incident in the organization’s internal register, notifying the organization’s supervisory authority, and notifying affected individuals.  The Guidelines are currently open for public consultation. The Guidelines…

Brian Hengesbaugh and Partner Paul Glass dissect the recent guidance issued by the ICO in response to the SoldWinds cyber attack. Listen to hear: an overview of what the guidance sayswhy the ICO decided to release guidance in regards to this incidenthow companies should best approach the 72-hour notification rule https://open.spotify.com/episode/5ufO2qYMt4rPOQiVOKHo4n?si=ZMqpxKVpRvKsT8G7jo6o-A

On Christmas Eve the UK and the EU concluded a Trade and Cooperation Agreement in principle.We’ve set out the key points from a data protection perspective below.The key take away is that transfers of personal data from the EEA to the UK can continue without safeguards for a period of up to six months from the end of the transition period while the European Commission considers whether to adopt an adequacy decision in respect of the…