Blog

Snap into (ICO) action

Snap, Inc. and Snap Group Limited ("Snap") have received a preliminary enforcement notice from the Information Commissioner's Office ("ICO") over their potential failure to assess the privacy risks associated with the 'My AI' chatbot. This notice came after an investigation revealing that Snap may not have adequately identified and assessed the risks to millions of 'My AI' users in the UK, including children aged 13 to 17.

Building data bridges: UK extends EU-US Data Privacy Framework

Background

On 21 September, the Department of Science, Innovation and Technology published the Data Protection (Adequacy) (United States of America) Regulations 2023, which are set to come into effect on 12 October 2023. From this date, UK organisations will be able to transfer personal data to US entities certified under the UK Extension to the EU-US Data Privacy Framework (also known as the "UK-US Data Bridge") without the need to implement further transfer safeguards.

In anticipation of the UK-US Data Bridge, on 18 September, the US Attorney General designated the UK as a "qualifying state" under Executive Order 14086 ("Executive Order"). As a result, UK individuals can benefit from the oversight and redress mechanisms for US signals intelligence activities that have been introduced by the Executive Order.

India pushes ahead with new Digital Personal Data Protection Act

On 11 August 2023, India's new data protection legislation – the Digital Personal Data Protection Act 2023 – was enacted and published in the Official Gazette. The Act sets out obligations and rules for entities processing personal data, each referred to as a Data Fiduciary, and the rights in respect of that processing of individuals, whom the Act refers to as Data Principals.

Capita cyber-attack impacts around 90 organisations

Background

Capita has stated that the widely reported cyber-attack it suffered in March 2023 could cost the outsourcing and professional services company up to £20 million once specialist professional fees, recovery and remediation costs, and investment in strengthened IT systems are accounted for.

UK's regulatory approach to AI continues to shift

The UK’s AI strategy

Rishi Sunak’s Tech Week speech on AI, given on 12 June 2023, continued a policy shift away from an innovation-first approach, in favour of greater regulation in light of growing safety concerns associated with the development and use of Artificial Intelligence ("AI"). However, Mr Sunak stressed that any such regulation would remain balanced, and would be developed alongside leading AI companies. The shift in policy reflects the ongoing tension faced by governments seeking to exploit the benefits of AI whilst ensuring that safety concerns are appropriately managed through regulation.

FTC clamps down on Microsoft over child privacy infringements

Microsoft has reached a settlement with the US Federal Trade Commission ("FTC") regarding a series of charges pertaining to alleged violations of the Children's Online Privacy Protection Act of 1998 ("COPPA"). As part of the settlement, Microsoft has agreed to pay $20 million and implement various measures to ensure its compliance with COPPA.

UK and US announce an agreement in principle for a "data-bridge"

On 8 June 2023, a joint statement was released by the UK Secretary of State for Science, Innovation and Technology and US Commerce Secretary announcing an agreement in principle to establish a "data bridge" (i.e., an adequacy decision) between the UK and the US for transfers of personal data.

GDPR Turns 5!

To celebrate the GDPR's fifth birthday, we asked Bobbie Bickerton, an associate in the international data protection practice at Stephenson Harwood, to talk about her experience over the past five years.

Breaking news: Meta receives largest GDPR fine to date

The results from the Irish Data Protection Commission's investigation are in and it has today been announced that Meta has been fined €1.2 billion – the largest GDPR fine to date – for failures to impose appropriate safeguards on the transfer of personal data to the US.