Malcolm Dowden

The EU adequacy decision in favour of the UK allows the free flow of personal data between the UK and the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway). Both before and since expiry of the Brexit implementation period businesses have emphasised the crucial importance of maintaining that adequacy decision, pointing

Artificial intelligence (AI) depends on the use of “big data” to create and refine the training models from which the AI “learns”. Although concerns have tended to focus on questions such as inherent bias within the training data, or a lack of information in relation to the way in which the AI’s algorithms operate, the

On 8 March 2023 the UK government heralded its new Data Protection and Digital Information (No 2) Bill (the Bill) as a “new common-sense-led version of the EU’s GDPR” that would save the UK economy more than £4 billion over the next 10 years and ensure that privacy and data protection are securely protected”.

The UK’s Electronic Communications (Security Measures) Regulations 2022 (the Regulations) came into force on 1 October 2022, together with the Telecommunications Security Code of Practice (the Code of Practice). The Regulations reflect the increased risk of cyber-attack and data breaches, whether for criminal purposes or by potentially hostile states. They supplement general duties imposed on providers of public electronic communications networks and services by the Communications Act 2003, sections 105A and 105C, and provide Ofcom with new powers to monitor and enforce enhanced obligations affecting:

  • providers of public electronic communications networks (“network providers”); and
  • providers of public electronic communications services (“service providers”).


In a CLE webinar earlier this week, Malcolm Dowden (Partner, London) and Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.


Cross-border data privacy laws have grown much more complicated due to the implementation of so many new and amended laws in jurisdictions globally. The US and EU are now just the tip of the iceberg.

Here is an article by Allison Grande of Law360 discussing several important ones and quoting our partners Malcolm Dowden (UK)

In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State, when it ruled

The UK convenience store giant ‘Southern Co-op’ is facing the possibility of regulatory intervention and legal challenge following a complaint made by UK civil liberties campaign group Big Brother Watch (BBW) regarding the use of surveillance cameras in 35 Southern Co-op stores. Images of customers that a member of staff ‘reasonably expects’ to be committing ‘crime or disorder’ are captured and transformed into biometric data. The data of those ‘identified as an offender’ is then stored and checked against the database of facial recognition technology provider, ‘Facewatch.’

As part of the UK data protection authority’s new three-year strategy (ICO25), launched on 14 July, UK Information Commissioner John Edwards announced an investigation into the use of AI systems in recruitment. The investigation will have a particular focus on the potential for bias and discrimination stemming from the algorithms and training data

The EU Commission has expressed concerns about the Dutch data protection authority’s strict interpretation of “legitimate interests”, considering it to be “not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the European Court of Justice (CJEU)”. Those concerns focus on guidance issued by the Autoriteit