Ropes & Gray (LexBlog United Kingdom)

On 5 March 2024, the UK data protection regulator (ICO) published guidance on biometric recognition (the Guidance), following a consultation with stakeholders in October 2023. The Guidance clarifies the concept and properties of biometric data and provides practical considerations for organisations contemplating or using biometric recognition systems. Clarifying the concept of biometric data The...

Employee monitoring isn’t new, but its extent and how it has been conducted has seen significant changes in the last few decades; we have come a long way from the punch cards of the 1900s to the current use of video surveillance, e-comms monitoring and AI, among other monitoring tools. Part of this comes from...

Earlier this year, the UK government released an AI white paper outlining its light-touch, pro-business proposal to AI regulation. Eight months on, and the UK appears to be sticking firm with this approach, with Jonathan Camrose (UK First Minister for AI and Intellectual Property) stating in a speech on 16 November 2023 that there will...

The UK Information Commissioner (ICO) was reportedly set to sound a note of caution recently, at Politico’s Global Tech Day, regarding the potential privacy risks that can arise in the context of generative artificial intelligence (AI).   Privacy risks of generative AI While acknowledging the potentially significant advantages and benefits that generative AI can bring,...

The debate concerning the UK’s controversial Online Safety Bill (OSB) has continued to rumble on in recent days, with the UK Government reportedly again being warned that there is a real risk that certain messaging apps could be withdrawn from the UK if compromises cannot be reached on a number of issues.   The OSB,...

A number of encrypted messaging services have signed an open letter calling on the UK Government to reconsider various aspects of the Online Safety Bill (OSB) pending its final reading in the House of Lords, over concerns that the bill could threaten end-to-end encryption. End-to-end encryption currently delivers a strong level of security for electronic...

Introduction Ahead of its much-anticipated guidance on the UK International Data Transfer Agreement / Addendum (IDTA) (the United Kingdom’s version of the EU standard contractual clauses (EU SCCs)), the UK data protection regulator, the Information Commissioner’s Office (ICO), has revised its guidance on international transfers of personal data under the UK GDPR (Transfer Guidance). The...

The United Kingdom and the United States joined forces last week in an initiative to combat ransomware attacks by sanctioning seven Russian nationals believed to be members of a hacking network.  Together with U.S. authorities, the UK’s Foreign Office has reportedly identified the individuals in question, frozen their assets and imposed travel bans in respect of...

The new approach to regulatory and enforcement action adopted by the UK Information Commissioner’s office (ICO) looks set to continue in 2023. The ICO has indicated recently that it is modifying its attitude towards regulatory action in respect of public sector organisations. It has also noted that enforcement does not necessarily equate to fines, but...

International transfers of personal data under the UK GDPR are set to continue to be a key topic in 2023, in particular, regarding new UK adequacy regulations, transatlantic data flows, and updated guidance regarding the UK’s International Data Transfer Agreement (IDTA). While 2022 saw the Department for Digital, Culture, Media & Sport (DCMS) and ICO...

2023 will bring with it updates and reforms in relation to data protection and cybersecurity in the UK. The proposed changes are expected to place tighter restrictions on digital content; increase protection around the internet of things and connected products; and, to the delight of some, lighten compliance burdens with respect to personal data. A...

The UK Government’s vision for a post-Brexit data protection regime includes controversial changes to the remit and workings of the Information Commissioner’s Office.  In a Privacy Laws & Business article on possible ICO reform, Edward Machin considers what its proposed structure, duties and powers means for the independence of the regulator and its standing on the...

On July 18, 2022, the UK Government introduced into Parliament the Data Protection and Digital Information Bill (the Data Reform Bill), which proposes legislation to reform the UK data protection regime.  A recent article in Entertainment Law Review by Ropes & Gray attorneys Rohan Massey, Christopher Foo & Edward Machin analyzes the Data Reform Bill’s...

Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist. Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that...

On 17 June 2022, the UK government released its much anticipated response to the consultation on the reform of the UK data protection regime. As part of the UK’s post-Brexit national data strategy, the consultation gathered responses on proposals aimed at reforming the UK’s data protection regime to boost the UK economy. In its response,...

Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation. — Some days it all comes together.  The sun’s shining in London for what feels like the first time in months.  One of the kids is going on a week-long...

Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation. — Some days it all comes together.  The sun’s shining in London for what feels like the first time in months.  One of the kids is going on a week-long...

A recent SEC settlement has again demonstrated the Commission’s continued attention to public companies’ disclosures of cybersecurity incidents and its commitment to a broad notion of what constitutes such an incident. On August 16, the SEC entered a settlement agreement with Pearson plc, a UK-based educational publishing company that is publicly traded on both the London Stock...

There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK. In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by...

In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely. The first Opinion (Opinion...

The UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI). The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving...

The debate surrounding vaccine passports to assist with the easing of lockdown restrictions and controlling the spread of COVID-19 continues to raise a number of concerns in the UK. Although the use of such passports is apparently under consideration, such proposals raise a number of different ethical, scientific and legal issues. A recent Royal Society...

Organizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal...

Many of the key policy debates that we expected to happen in 2020 seemed to be essentially frozen for the year as we all responded to the horrors of COVID and the seismic political shifts across the globe. So what does this new year hold for us? We hope for a return to normalcy as...

On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18). The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements....

On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers.  The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of...

Tax partner Andy Howard and Rob Mason, a partner at Forensic Risk Alliance, co-authored a Tax Journal article that examines cum-ex investigations, including the UK impact. Please click here to read the full article.

On 5 May 2020, the Information Commissioner’s Office (ICO) published a blog setting out the Information Commissioner’s new priorities for UK data protection during COVID-19 and beyond. This follows on from the document published on 15 April 2020, in which the ICO promised an “empathetic” approach to its enforcement of data protection laws during the...

In news that will no doubt alarm many of the airline’s passengers, easyJet plc (easyJet) has confirmed that it has suffered a serious data breach affecting nine million customers as the result of a cyber-attack.  In addition to certain personal data including email addresses and travel details, the credit card details of 2,208 customers have...

Following the limited relaxation of lockdown restrictions by the UK Government and the likely return to the workplace of at least some employees, the UK Information Commissioner’s Office (ICO) has published some helpful guidance for employers on the data protection issues raised by workplace testing for coronavirus. The guidance notes that, although data protection law...