ICO issued a guidance for the transfer risk assessment when transferring personal data to the United States. According to official press release, the guidance is for those intending “to make a restricted transfer of personal information to a recipient in the US using an Article 46 transfer mechanism. These are the “appropriate safeguards” listed in Article 46 of the UK GDPR. Examples are the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU SCCs (the Addendum) and Binding Corporate Rules (BCRs)”.

Data exporters are also encouraged “to rely on the Department for Science, Innovation and Technology (DSIT)’s published analysis to streamline […] TRA [(transfer risk assessment)] process for US transfers. The DSIT analysis considers US laws related to access and use of personal information by US agencies for the purposes of national security and law enforcement”.

Click here to find out more details.

***

CJEU has issued a judgement clarifying the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack from cybercriminals.

In particular, the courts has clarified the following:

• In the event that the unauthorised disclosure of personal data or unauthorised access to those data has been committed by a ‘third party’ (such as cybercriminals), the controller may be required to compensate the data subjects who have suffered damage, unless it can prove that it is in no way responsible for that damage. 
• The fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material damage’.

Click here to find out more details.

***

The EDPB adopted a letter in response to the European Commission regarding the cookie pledge voluntary initiative. 

According to the official press release, “the cookie pledge initiative was developed by the European Commission in response to concerns regarding the so-called “cookie fatigue” phenomenon and consists of a voluntary business pledge to simplify the management of cookies and personalised advertising choices by consumers. On 10 October 2023, the European Commission asked the EDPB to consider whether any of the draft pledge principles would be contrary to the GDPR and the ePrivacy Directive.

The draft pledging principles would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. In addition, with the draft principles, consent should not be asked again for a year once it has been refused, this is an important step towards reducing cookie fatigue”.

Click here to find out more details.