The European Commission proposed its first draft of the cybersecurity legislation, the Cyber Resilience Act (“CRA”), on 15 September 2022. The CRA is one part of a range of EU legislative measures aimed at increasing the overall cyber security and cyber resilience of the EU and businesses operating within it. The CRA will create a new regulatory framework and set of rules for software and hardware products falling under the definition of “products with digital…
Cybercrime is an increasingly pressing problem for societies at large, with digital transformation, remote working and geopolitical issues bringing about increased cyber threats and attacks. In 2016 the European Parliament adopted the Network and Information Security Directive (NISD), the first EU-wide legislation on cybersecurity, and the revised legislation, NIS2, has just been published. NISD required the implementation of certain risk management and reporting obligations on operators of essential services (OES), which included entities maintaining critical…
On December 13, the European Commission (“EC”) announced a draft decision on the adequacy of the U.S. data protection regime to protect the personal data of European Union (“EU”) residents, the EU-U.S. Data Privacy Framework (“DPF”). The DPF, which was initially announced in March 2022 as a political agreement between the EU and the U.S., and then bolstered by President Biden’s Executive Order (“EO”) in October 2022, opens the door for an EU-U.S. data transfer…
In March 2022, U.S. and EU leaders reached an agreement in principle on a new accord to protect data flows entitled the Trans-Atlantic Data Privacy Framework (“EU-U.S. DPF”). Today, the US Government has taken important steps to implement this critical data flow framework, and strengthen legal certainty for EU to US personal data transfers. First, President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” (“EO”). The EO enhances privacy…
On June 14, 2022, Baker McKenzie held its inaugural Cybersecurity Symposium in New York in conjunction with the Association of Corporate Counsel (ACC). It was a thought-provoking day discussing trends and fresh insights from key players in the government and private sector, the ever-changing regulatory landscape, best practices for cyber-readiness and practical advice to manage cyber-threats, data breach response, insurance and related litigation. The following video provides valuable information and key takeaways in connection with cybersecurity…
In this episode, Paul Glass, head of Cybersecurity in the UK, is joined by Teresa Michaud, co-chair of the North America Class Action subgroup, and Stephen Reynolds, partner based in Chicago, as they discuss consumer class actions in relation to data breaches and security incidents. Listen in to hear about: overriding themes that have characterized the last year of US class action litigation; cybersecurity and data privacy trends and significant developments in the class action space,…
In a recent judgment, the UK Supreme Court unanimously refused to give permission for a litigant to serve a claim form outside of the jurisdiction in respect of a representative action brought against Google. This case, Lloyd v Google, is the latest, and most significant, in a line of recent decisions (see our other updates here and here) which show a general trend of the courts interrogating the type of losses that have been claimed and rejecting claims for…
The new standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”) issued by the European Commission present both opportunities and challenges for EU service providers supporting EU and non-EU customers, some of which are outlined below. 1. When do the Ex-EU SCCs apply? EU service providers supporting non-EU customers might want to enter into the new Ex-EU SCCs with…
The European Commission (“EC”) recently issued a set of standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). The Intra-EU SCCs accompany a wider set of clauses issued for extra-EU/EEA personal data transfers (“Extra-EU SCCs”), covering transfers between different types of data processing actors (processors, controllers, sub-processors etc.). Both of them were published in the Official Journal of the European Union on June 7, 2021. The clauses for intra-EU data processing arrangements…
The European Commission (“EC”) recently issued its revised standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and a companion set of standard clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). Both are now published in the Official Journal. The following is an introduction to the core elements of the Ex-EU SCCs and a brief overview of the Intra-EU SCCs. Legal Context The Ex-EU SCCs are a mechanism that companies can…