Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR.

By Frances Stocks Allen and Mihail Krepchev

The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds research organisations that the General Data Protection Regulation (GDPR) applies to health data used in research and contains a number of recommendations that participants in the research process, particularly clinical trial sponsors, should bear in mind. The Guidance has been developed with the participation of the UK privacy regulator, the Information Commissioner’s Office (ICO).

Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime.

By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell

Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set out preliminary details of a new regulatory regime to govern content posted on online platforms. The details were released in an initial response to last year’s online harms white paper, with a full response expected this spring. While some changes have been made to the white paper proposals, seemingly in response to concerns raised by industry and other stakeholders, the government has confirmed that it will introduce an active “duty of care” on organisations to prevent certain content from appearing on their platforms.

The proposed new regime mirrors similar steps taken in other jurisdictions, e.g., Australia, to protect against harmful content online. It is also in-line with the direction of travel of platform regulation at a European level, taking into account, for example, changes to the AVMS Directive (EU) 2018/1808 (AVMSD) to regulate video-sharing platform services (VSPs) in relation to protection of minors and harmful content, and the planned EU Digital Services Act, which is likely to introduce changes to EU law regarding the liability of platform providers for content posted using their services.

Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services.

By Fiona Maclean, Stuart Davis, and Alistair Wye

In a bid to keep pace with rapid advances in cloud adoption across financial services, regulators have published a raft of new guidance in the past year. Most recently, the European Insurance and Occupational Pensions Authority launched guidelines for insurers and reinsurers on outsourcing to cloud providers in July 2019, while the European Banking Authority (EBA) published updated guidance on outsourcing that came into effect on 30 September 2019, covering both cloud and other outsourcings.

We discussed some of the challenges facing financial institutions in the evolving area of cloud compliance at our recent event entitled Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services. One key issue highlighted in the discussion is that the new EBA guidelines do not contain an overarching split between cloud and non-cloud arrangements, and there are no general exclusions or exceptions for new entrants or FinTech providers. Entities subject to the EBA guidelines will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition.

How can private equity firms identify and mitigate inherited liability risk from vulnerable portfolio companies?

By Tom Evans, Gail Crawford, Fiona Maclean, David Walker, Katie Peek, Catherine Campbell, and Amy Smyth

Ongoing big ticket regulatory fines coupled with high profile corporate veil cases indicate that private equity deal teams must remain alert to the risk of buyout firms inheriting liabilities from vulnerable portfolio companies. Increasing GDPR fine activity, including the UK Information Commissioners’ intention to fine British Airways £183 million and an international hotel group £99 million for GDPR failings, is of particular concern. In parallel, the UK Supreme Court recently examined the circumstances in which a parent company can be held accountable for its subsidiary’s actions. In our view, private equity firms should take careful but active steps to identify and mitigate this inherited liability risk; there is no doubt that PE funds are increasingly in the firing line.


GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.

By Christian F. McDermott, Calum Docherty and Brett Carr

There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactionsi and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.

In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon.

By Nicola Higgs, Fiona Maclean and Terese Saplys

Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems Regulator, addressed how to avoid this hypothetical scenario in a broad-ranging speech on that he delivered on 11 July 2018 in London.

Randell’s Remarks

Contributing Factors to an Algocracy

According to Randell, the following three conditions could collectively give rise to a future algocracy:

  • If a small number of major corporations were to hold the largest datasets for a significant number of individuals (as is currently the case)
  • Continuing vast and rapid improvements in artificial intelligence and machine learning that allows firms to mine Big Data sets with greater ease and speed
  • Further developments in behavioural science allowing firms to target their sales efforts by exploiting consumers’ decision-making biases

By Gail Crawford, Hayley Pizzey, Mark Sun, and Calum Warren

Click for larger image.

As European data protection regulators prepare to enforce the General Data Protection Regulation (GDPR) from May 2018, private equity firms must act to minimise the risk of becoming financially liable for the data protection failings of portfolio companies. After a recent spate of high-profile data breaches, the risks for financial sponsors are high.

Why is a Data Protection Failing at Portfolio Company Level a Serious Concern for a Buyout Firm?

The GDPR sets out defined obligations and extends EU data protection law’s territorial reach, catching any business that operates in the EU, or offers goods and services to — or monitors the behaviour of — EU data subjects (whether in the EU or not). Fines for noncompliance can be substantial — up to the higher of €20 million or 4% of an undertaking’s global annual turnover. The regime defers to the EU antitrust concept of “undertaking”, which in our view means fines may be calculated by reference to the combined revenue of an offending portfolio company and the buyout firm (including the firm and all other portfolio companies within its group). This leaves open the possibility of data protection regulators directly fining buyout firms for the failures of portfolio companies.

By Gail Crawford, Mark Sun and Katie Campbell

Click for larger image

Amid a growing number of high-profile corporate data breaches, cybersecurity is now a key issue for strategic acquirers. The hack of Yahoo, which came to light midway through its 2016 takeover by Verizon, resulted in a US$350 million purchase price reduction. The true extent of the hack has only recently been uncovered, demonstrating how damaging a large-scale data leak can be. With state-sponsored actors and opportunist hackers at work, and recent cyberattacks specifically aimed at obtaining inside information about transactions, a target’s cybersecurity must be front of mind. In our view, deal teams must consider how a data breach could impact a potential acquisition, before, during and after a deal.

Preparing for a Transaction — What Should M&A Deal Teams Scrutinise?

M&A deal teams must identify a target’s cyber assets and review security protocols and cyber defences, emphasising thorough technical due diligence. Diligence should include how data is stored and managed, where it is handled, and the data security measures implemented by third-party service providers. Acquirers should assess data sets including personal information, focusing on why information is being stored and whether storage is necessary and proportionate.

Acquirers should be alert to red flag issues; for example, lack of awareness about data protection and cyber issues; poor employee training on data security; failure to keep records of historic breaches; and regulatory investigations. Addressing poor practices post-close requires time and resources — buyers may prefer to factor costs into the purchase price, or require pre-closing remediation.

By Deborah Kirk

The European Commission (EC) has released a position paper on its objectives for the Article 50 Brexit negotiations with the UK regarding Intellectual Property Rights (IPRs). The EC has effectively set out six key principles for the Withdrawal Agreement, including:

    1. Continued legal protection for certain IPRs: Any IPR with unitary character (e.g., EU trademarks, Community designs) granted before the withdrawal date should automatically be treated in the UK as having the same rights that the UK currently enforces under the EU regime, at no extra cost to the IPR holder. This continued protection will also include geographical indications. The EC would require the UK to implement domestic legislation to achieve this when necessary.
    2. Continued priority benefits for certain IPRs: From a procedural prospective, any IPR applications placed before the withdrawal date that have unitary character and are still under prosecution (i.e., ongoing) at the time of withdrawal, are to maintain any priority benefit they have when applying to receive the equivalent recognition in the UK.
    3. Continued protection for supplementary protection certificate or paediatric extensions: Similarly, after withdrawal it should be possible in the UK to receive a supplementary protection certificate or paediatric extensions if an application was submitted before and is ongoing at the withdrawal date. In addition, any protection in the UK should be equivalent to the protection afforded under the EU regime.
    4. Continued protections for database rightsholders: Database rightsholders should continue to enjoy the same protections after the withdrawal date in the EU27 and in the UK in relation to those databases. Conversely, the UK should not exclude EU27 nationals and companies from enjoying database protection in the UK on the grounds of nationality or establishment.
    5. Continued application of exhaustion: Any IPRs that were exhausted in the EU before withdrawal should remain exhausted in the EU27 and the UK. The conditions for exhaustion should be those defined by EU law.
    6. EU27/UK registry cooperation and data transfers: In order to facilitate the principals regarding IPRs with unitary character, the Withdrawal Agreement should encourage cooperation and data transfers between the IPR registries of the EU27 and the UK.

By Gail Crawford and Calum Docherty

Her Majesty’s Government last week published a position paper outlining its preferred post-Brexit landscape for data protection. The high-level takeaways are hardly surprising: the government stresses that it intends to “remain a global leader on data protection” and, as we already know, the UK’s Data Protection Bill, announced in the Queen’s Speech, will implement the EU’s General Data Protection Regulation (GDPR).

The paper’s top priority is the frictionless movement of personal data between the UK and the EU. The government sets out the Schrems test – i.e., that standards in a non-EU country must be “essentially equivalent” to those applied in the EU – and emphasises that the UK will be in an “unprecedented position” at Brexit, as the UK will have fully implemented the GDPR and so have the same data protection standards as the remaining EU member states. The government priority, then, is for the UK and the EU “to agree early in the process to mutually recognise each other’s data protection frameworks” to allow the free flow of personal data to continue at the time of Brexit. This bespoke interim solution would be followed up with agreed timelines about longer-term arrangements, with the paper suggesting that the UK will ultimately seek an adequacy decision.