Rachel de Souza

US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”

By Morven Henderson, Hayley Curry & Rachel de Souza on April 16, 2025

Posted in Cyber security, Data transfers, New laws, Privacy Law

On April, 8 2025, the Department of Justice’s final rule, implementing the Biden-era Executive Order 14117 restricting the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule“), came into force. The Final Rule imposes new requirements on US companies when transferring certain types…

UK: Consultation on Ransomware payments

By Jules Toynton & Rachel de Souza on January 23, 2025

Posted in Cyber security, Cyber-crime, Ransomware

On 14 January 2025, the UK Home Office published a consultation paper focusing on legislative proposals to reduce payments to cyber criminals and increasing incident reporting.

The proposals set out in the consultation paper aim to protect UK businesses, citizens, and critical infrastructure from the growing threat of ransomware, by reducing the financial incentives for…

EU: DLA Piper GDPR Fines and Data Breach Survey: January 2025

By Rachel de Souza on January 21, 2025

Posted in Data security and breaches, Enforcement, EU privacy, General Data Protection Regulation, Privacy Law

The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey has revealed another significant year in data privacy enforcement, with an aggregate total of EUR1.2 billion (USD1.26 billion/GBP996 million) in fines issued across Europe in 2024.

Ireland once again remains the preeminent enforcer issuing EUR3.5 billion (USD3.7 billion/GBP2.91 billion) in fines since…

EU: EDPB Opinion on AI Provides Important Guidance though Many Questions Remain

By James Clark, Heidi Waem, John Magee & Rachel de Souza on January 14, 2025

Posted in Artificial Intelligence, EDBP (European Data Protection Board), Privacy Law

A much-anticipated Opinion from the European Data Protection Board (EDPB) on AI models and data protection has not resulted in the clear or definitive guidance that businesses operating in the EU had hoped for. The Opinion emphasises the need for case-by-case assessments to determine GDPR applicability, highlighting the importance of accountability and record-keeping…

EU: Cyber Resilience Act published in EU Official Journal

By Rachel de Souza & Philipp Adelberg on November 21, 2024

Posted in Cyber security, Digital Decade, Digital transformation, EU data governance, EU privacy, New laws

On 20 November 2024, the EU Cyber Resilience Act (CRA) was published in the Official Journal of the EU, kicking off the phased implementation of the CRA obligations.

What is the CRA?

The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats. …

UK: Data (Use and Access) Bill: newcomer or a familiar face?

By Rachel de Souza, Andrew Dyson & James Clark on November 5, 2024

Posted in New laws, Privacy Law, UK

Déjà vu in the world of UK data law: the Labour government has proposed reforms to data protection and e-privacy laws through the new Data (Use and Access) Bill (“DUAB“). The DUAB follows the previous government’s unsuccessful attempts to reform these laws post-Brexit, which led to the abandonment of the Data Protection…

EU: NIS2 Member State implementation deadline has arrived

By Rachel de Souza on October 17, 2024

Posted in Digital Decade, EU data governance, Network and Information Security Directive

Today marks the deadline for EU Member State implementation of the Network and Information Systems Directive II (“NIS2“) into national law.

NIS2 is part of the EU’s Cybersecurity Strategy and repeals and replaces the original NIS Directive which entered into force in 2016 (with Member State implementation by 9 May 2018). Much like…

EU: CJEU Insight

By Rachel de Souza, Philipp Schmechel, Radha Pull ter Gunne & Lorcan Moylan Burke on October 15, 2024

Posted in CJEU, EU privacy, General Data Protection Regulation

October has already been a busy month for the Court of Justice of the European Union (“CJEU”), which has published a number of judgments on the interpretation and application of the GDPR, including five important decisions, all issued by the CJEU on one day – 4 October 2024.

This article provides an overview…

UK: The UK Cybersecurity and Resilience Bill – a different approach to NIS2 or a British sister act?

By Nicholas De Lacy-Brown, Henry Kilding, James McGachie & Rachel de Souza on October 1, 2024

Posted in Cyber security, Digital Decade, EU data governance, EU privacy, New laws, Privacy Law, UK

In the much anticipated first King’s Speech of the new Labour Government on 17 July 2024, the monarch announced that the long anticipated Cybersecurity and Resilience Bill (CS&R Bill) would be amongst those new laws making their way onto Parliament’s schedule for the next year. Six years on from the implementation of the …

EU: European Supervisory Authorities issue second batch of technical standards under DORA

By Susan McKiernan & Rachel de Souza on July 18, 2024

Posted in Uncategorized

On 18^th July, the European Supervisory Authorities (“ESAs“) published the final versions of the second batch of their draft regulatory technical standards (RTS) and implementing technical standards (ITS), developed under the Digital Operational Resilience Act (DORA), as well as two sets of Guidelines.

Summary of draft …