It is just over a year since the European Union’s General Data Protection Regulation came into force. It strengthened Europe’s already highly evolved legal framework for the protection of personal data and provided for much heavier penalties for breaches of those protections than had hitherto been available. For example, under the old law the maximum penalty the United Kingdom’s regulator could impose for a data protection breach was £500,000 whereas under the new law the maximum penalty throughout Europe is the higher of 20,000,000 euros or 4% of the firm’s annual worldwide turnover in the preceding financial year. The prospect of penalties on this scale has concentrated the minds of businesses with European operations, whether headquartered there or not.
For firms in the United Kingdom’s regulated financial sector a particular concern was the prospect of having to comply with two distinct regulatory frameworks – one for the conduct of business and the other for the protection of personal data – policed by two distinct regulators – the Financial Conduct Authority and the Information Commissioner’s Office – where both regulators now had the power to impose very significant sanctions for the same conduct. In this blog I consider the functions of the respective regulators, the areas of overlap or common interest in their work and the way in which the regulators have indicated they will approach those areas of common interest.
“Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”
European Commission, at the time of the adoption of the GDPR
At the time of the adoption of the European General Data Protection Regulation (GDPR), the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism (1SS), whereby, in respect of controllers or processors with multiple establishments in the EU, the supervisory authority (SA) of the ‘main establishment’ of such controller or processor in the EU will serve as the ‘lead SA’ for its ‘cross-border processing’ activities.
In the first landmark enforcement decision under the GDPR, the French SA (CNIL) fined Google 50 million euros (the highest fine so far), despite the fact that the complaints concerned a cross-border processing in the EU, which calls for 1SS enforcement. The CNIL considered that although Google has its EU headquarters in Ireland, this Irish entity ‘did not have a decision-making power’ in relation to the purposes and means of the relevant cross-border data processing activities. For that reason, the CNIL decided that the 1SS mechanism did not apply and that the CNIL was therefore competent to make a decision.
This is noteworthy, as apparently the main complainant filed similar complaints against Instagram, Facebook, and WhatsApp with the SAs of Austria, Belgium, and Germany, which all passed the complaints to the Irish SA (as the ‘lead SA’), as these companies have their EU headquarters in Ireland.
Technology continues to have an enormous impact on financial services and the pace of change shows no signs of abating. Following the bold predictions we made last year, we highlight the five stand-out trends for fintech in 2019.
1. CRYPTO CRACKDOWN
There has been massive growth in the market for cryptoassets such as Bitcoin and tokens issued in initial coin offerings (ICOs), but market participants have faced uncertainty as to whether cryptoassets may be regulated financial products (and subject to scrutiny by regulatory authorities). Enforcement investigations globally have largely focused on issues of fraud, but now there is a renewed focus on guarding the regulatory perimeter (i.e. ensuring that businesses carrying on regulated activities have the appropriate authorisation). Disputes and enforcement cases are arriving in courts across the globe.
Financial firms play an integral role in preventing, identifying, investigating and reporting criminal activity, including terrorist financing, money laundering, and many other finance-related crimes. It is a critical role that depends on financial firms having the information they need to identify and report potentially suspicious activity and provide other relevant information to law enforcement. However, there are significant barriers to information sharing throughout the US anti-money laundering (“AML”) regime. These barriers limit the effectiveness of AML information sharing within a financial institution, among financial institutions, and between financial institutions and law enforcement.
Much has changed in the 17 years following the passage of the USA PATRIOT Act (“Patriot Act”), which, among other things, sought to enable greater information sharing among law enforcement, regulators and financial institutions regarding AML risks. Of note, Section 314(a) of the Patriot Act and its implementing regulations (“Section 314(a)”) enables federal, state, local and European Union law enforcement agencies to reach out to US financial institutions through the US Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) to locate accounts and transactions of persons that may be involved in terrorism or money laundering. Section 314(b) of the Patriot Act and its implementing regulations (“Section 314(b)”) provides a limited safe harbor for financial institutions to share information with one another in order to better identify and report potential money laundering or terrorist activities.
2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Services’ cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing table-top exercises and risk assessments, etc. But 2019 is looking to be even busier. Below are our predictions for the top 10 things that will keep us busy in 2019, and what companies should be preparing for.
On November 29, 2018, in a speech at the Georgetown University Law School, Deputy Attorney General Rod Rosenstein renewed his call for tech companies to build into their products the means for law enforcement to legally access decrypted data, the development of so-called “responsible encryption.” Mr. Rosenstein analogized such encryption to requirements that buildings disable elevators in the event of a fire but still retain firemen’s access, and he beseeched the private sector to work with the government to mitigate the security threats posed by rapid technological advances.
Summary of Mr. Rosenstein’s Address
Detailing the threat of ransomware, Mr. Rosenstein warned that the “malicious use of technology will be more pernicious and pervasive tomorrow than it is today, and even more difficult to combat.” To “forestall those ominous consequences,” he proposed three steps.
The European Data Protection Board (“EDPB”)—a working group of representatives of the EU data protection authorities—has issued Guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”), which are open for comment until 18 January 2019. The Guidelines clarify one of the main areas of concern for non-EU companies: when will the GDPR reach them?
With the EU General Data Protection Regulation (“GDPR”) in force for less than two months, many companies are already experiencing an increase in requests from individuals seeking to obtain a copy, or request correction or erasure, of their personal data under Articles 15 to 17 of the GDPR.
Do we have to respond?
Yes. A response is required even if the response is that the company will not honour the request because a relevant exemption applies.
The General Data Protection Regulation (GDPR), a new European Union data privacy and protection regime, has already entered into force and is slated to become effective on May 25, 2018. Designed to provide greater protections to the personal data of individuals located in the EU, the GDPR imposes a host of new obligations on both “controllers” and “processors” of such data. Additionally, the GDPR calls for large penalties when companies fail to comply with these new obligations. While many U.S. companies have already begun the process of bringing themselves into compliance, the GDPR has such a long reach that it may encompass a large subset of U.S. organizations that would not ordinarily expect to be subject to European data privacy laws. Smaller organizations or those that deal with a relatively small amount of data originating in the EU may be especially likely to be caught off-guard. Such organizations must take immediate steps to assess whether they are subject to the new GDPR and to bring themselves into compliance.
In this article, we begin by laying out the global scope of the GDPR and describing which organizations may be required to comply. Next, we explain the obligations that the GDPR imposes on controllers and processors, as well as the stringent restrictions placed on cross-border data transfers to countries outside of the EU. We then provide an overview of the various compliance mechanisms and penalties the GDPR includes, and potential deviations in the implementation of the GDPR that might be seen in particular EU member states. Finally, we conclude with practical advice for organizations transitioning to the new regime.