Malcolm Dowden

The UK’s Electronic Communications (Security Measures) Regulations 2022 (the Regulations) came into force on 1 October 2022, together with the Telecommunications Security Code of Practice (the Code of Practice). The Regulations reflect the increased risk of cyber-attack and data breaches, whether for criminal purposes or by potentially hostile states. They supplement general duties imposed on providers of public electronic communications networks and services by the Communications Act 2003, sections 105A and 105C, and provide Ofcom with new powers to monitor and enforce enhanced obligations affecting:

  • providers of public electronic communications networks (“network providers”); and
  • providers of public electronic communications services (“service providers”).


Protecting Electronic Communications Networks and Services from Cyber-Attack and Data Breach: Enhanced Obligations and Board-level Accountability

In a CLE webinar earlier this week, Malcolm Dowden (Partner, London) and Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.

Malcolm Dowden and Niloufar Massachi Discuss Vendor Contracting Requirements Under New US Privacy Laws and the GDPR

Cross-border data privacy laws have grown much more complicated due to the implementation of so many new and amended laws in jurisdictions globally. The US and EU are now just the tip of the iceberg.

Here is an article by Allison Grande of Law360 discussing several important ones and quoting our partners Malcolm Dowden (UK)

In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State when it ruled

The UK convenience store giant ‘Southern Co-op’ is facing the possibility of regulatory intervention and legal challenge following a complaint made by UK civil liberties campaign group Big Brother Watch (BBW) regarding the use of surveillance cameras in 35 Southern Co-op stores. Images of customers that a member of staff ‘reasonably expects’ to be committing ‘crime or disorder’ are captured and transformed into biometric data. The data of those ‘identified as an offender’ is then stored and checked against the database of facial recognition technology provider, ‘Facewatch.’

The Southern Co-op – Is the Use of ‘Spy’ Cameras Breaching UK Data Protection Laws?

As part of the UK data protection authority’s new three-year strategy (ICO25), launched on 14 July, UK Information Commissioner John Edwards announced an investigation into the use of AI systems in recruitment. The investigation will have a particular focus on the potential for bias and discrimination stemming from the algorithms and training data

The EU Commission has expressed concerns about the Dutch data protection authority’s strict interpretation of “legitimate interests”, considering it to be “not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the European Court of Justice (CJEU)”. Those concerns focus on guidance issued by the Autoriteit

In January 2022, the President of the Personal Data Protection Office (“DPDO”) of Poland fined both a data controller and processor for their failure to implement appropriate technical and organisational measures to ensure the security of personal data. In particular, the data controller failed to exercise its GDPR right to audit and inspect

Ransomware and DDoS attacks are costly to organisations that fall victim in terms of reputational damage, picking up the pieces as well as potential enforcement from the ICO and compensation claims by data subjects.

Double Trouble: Why Organisations Need to Consider the Legal Consequences of Ransomware and DDoS Attacks

On 25 March the US and EU announced “agreement in principle” on a new legal framework for GDPR-compliant transfers of EU personal data to the United States. The agreement reflects US commitment to implementing new safeguards designed to address concerns that led to the July 2020 Schrems II decision of the European Court of Justice