Photo of Stacy Young

Stacy Young

Stacy Young is an associate in the London office. She advises technology and life sciences companies across a range of privacy and regulatory issues spanning AI, clinical trials, data protection and cybersecurity.

Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.

Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.

The IR is open for feedback via the Commission’s Have Your Say portal until July 25.Continue Reading NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents

Earlier this month, the UK Information Commissioner’s Office (“ICO”) announced a fine in a case that involved inferring health data and using this for marketing. The ICO found that catalogue retailer Easylife Limited (“Easylife”) had profiled 145,400 individuals for inferred health conditions without their consent, based on certain “trigger products” that they had purchased from Easylife’s Health Catalogue.  For example, if a customer bought a jar opener or a dinner tray, Easylife would infer that the customer might have arthritis, and then call them to market glucosamine joint patches. The ICO has fined Easylife £1.48 million: £1.35 million for using customers’ personal information to sell health-related products without their consent, and a further £130,000 for making unsolicited direct marketing calls.Continue Reading ICO Fines Easylife £1.48 Million For Data Protection and E-Marketing Violations

On February 14, 2021, the Abu Dhabi Global Market (“ADGM”), one of two significant financial services free zones in the United Arab Emirates, enacted its new Data Protection Regulations 2021 (the “Regulations”).  The Regulations will come into force and replace the current Data Protection Regulations 2015 following a transition period
Continue Reading Abu Dhabi Global Market Issues New Data Protection Regulations

On February 11, 2021, the European Commission launched a public consultation on its initiative to fight child sexual abuse online (the “Initiative”), which aims to impose obligations on online service providers to detect child sexual abuse online and to report it to public authorities. The consultation is part of the data collection activities announced in the Initiative’s inception impact assessment issued in December last year. The consultation runs until April 15, 2021, and the Commission intends to propose the necessary legislation by the end of the second quarter of 2021.
Continue Reading European Commission Launches Consultation on Initiative to Fight Child Sexual Abuse

On December 18, 2020, the Irish Data Protection Commission (“DPC”) published its draft Fundamentals for a Child-Oriented Approach to Data Processing (the “Fundamentals”). The Fundamentals introduce child-specific data protection principles and measures, which are designed to protect children against data processing risks when they access services, both online and off-line. The DPC notes that all organizations collecting and processing children’s data should comply with the Fundamentals. The Fundamentals are open for public consultation until March 31, 2021.
Continue Reading Irish DPC publishes draft Fundamentals for a Child-Oriented Approach to Data Processing

On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).
Continue Reading H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR