
Amethyst & Wright

Perspectives 101


data/cyber/tech

 developments from the past … 

Time running out for EU SCCs

Introduction of UK international data transfer contracts — the International Data Transfer Agreement and the UK Addendum to the EU SCCs. 

Update Terms/Cookie/Privacy notices. Deadline: 21 March 2024

Non-compliance can be identified in a targeted, general regulatory or contractual audit, or through a data subject rights request or complaint.

The contractual risk of relying on the old SCCs endures for a business subject to outside investment: it is a compliance gap which would be identified in the diligence process.

FCA on “off channel” messaging

UK financial services firms (esp. those with a U.S. footprint) will be abreast of the regulatory focus on communications monitoring.

The US Securities and Exchange Commission's enforcement prompted 40> settlements for non-retained business communications made via (personal) messaging apps, but the UK's Financial Conduct Authority (FCA) has a less ‘keen’ approach, albeit a Financial News article here indicates this might change.

UK cookie enforcement

UK ICO statement in the context of its planned consultation around future regulation of “consent or pay” mechanisms.

A consent or pay model gives online service users a choice between a) consent to personal data access for targeted advertising or b) ad-free (chargeable) access. The ICO is focused on cookie banner compliance (users can accept or reject some or all of the non/essential cookies firing on their device).

The ICO wrote to 53 of the UK’s 100 largest websites (Nov ‘23) about potential enforcement action for cookie non-compliance. In early 2024, 38 of the 53 organisations changed their cookie banners (plus 4 who declared they will do so by April '24).

The ICO threatened to “provide an update on this work in January, including details of companies that have not addressed our concerns”, which didn’t happen.

If you’re not among the UK’s largest websites and had delayed addressing cookie practices, perhaps consider doing it now. 

Law360, on the Digital Operational Resilience Act, looks into DORA and suggests next steps to address the requirements (non-paywalled link here).