Skip to main content


Global Data and Cyber News – April 2020

This is a two-monthly update on legal and regulatory developments affecting data and cyber security. In this edition, we look at:

  • Current developments
  • Laws and regulations
  • Court rulings
  • Fines

Please pay particular attention to our new series of blog posts on tracing apps to control the COVID-19 pandemic, which will be continually updated in the coming weeks. For further materials on legal issues related to COVID-19, see our Coronavirus alert Hub.

Current developments

Biometric data

Guidance on biometrics by the Canadian Centre for Cyber Security. The guidance offers a definition of biometrics, outlines relevant privacy concerns and describes methods to stay safe.


UK ‘adequacy’ process continues. The UK government has published documents setting out the UK data protection regime, which are aimed at helping the EU Commission to issue an adequacy decision for the UK. The EU has previously said that it will aim to adopt an adequacy decision - ‘if the applicable conditions are met’ - by the end of 2020, when the Brexit transition period is due to end.


French DPA’s BYOD best practices guide. The guide outlines best-practice security measures when implementing BYOD policies.


EU DPAs guidelines on cookies and other tracking technologies. Both the Greek and the Irish DPAs have issued guidance on cookies that gives concrete advice on how to obtain valid consent and be compliant.


Contact tracing apps. Governments around the globe are deploying and developing apps to fight the pandemic. For an overview of the different contact tracing apps worldwide, please see our new series of blog posts. In this series we will also analyse what companies need to do if they want to use contact tracing, and whether companies are required to use contact tracing.

Guidance on COVID-19. Many authorities have issued general and more specific guidance on data protection and COVID-19. For a global overview of such guidance and further insights into how to manage data protection requirements in times of COVID-19, please read our blog which is regularly updated.


Spanish DPA’s model data protection impact assessment.
The model helps organisations carry out DPIAs by listing all aspects and criteria that need to be considered.


Guidance on employees’ privacy (fourth edition) issued by the DPA of Baden-Wurttemberg. The guidance contains information on privacy in an employment context and discusses various case studies.

Legal basis

French DPA’s guidance on contract as a legal basis for data processing. The guidance discusses how and when a contract can be a legal basis for processing under GDPR. It also outlines other issues such as the consequences of ending a contract.


Guidance on e-marketing issued by the Office of the Privacy Commissioner of Canada. The guidance should help businesses to comply with the Personal Information Protection and Electronic Act (PIPEDA) in relation to address harvesting and e-marketing activities.

Laws and regulations

EU common approach for COVID-19 contact tracing apps. Following the EU Commission’s recommendation on the steps and measures that should be taken to develop a common EU approach for the use of COVID-19 contact tracing apps, the Member States have adopted a toolbox for voluntary and data privacy compliant tracing apps. This is accompanied by the Commission’s guidance on data protection apps fighting the pandemic. For details on the apps being rolled out in Member States (and across the globe), and for our exploration of the various legal consequences, click here.

Court rulings


UK Supreme Court

The UK Supreme Court has held that an employer was not liable for a data breach committed by a rogue employee who was acting outside the course of his employment. The facts of the case were fairly extreme, as the employee was clearly acting with a view to damaging his employer – but this decision will provide some comfort to businesses.

UK High Court

The UK High Court has held that a verbal disclosure of health data was not ‘data processing’ under UK data protection law. Although the decision isn’t surprising, it’s helpful to have this principle confirmed by the courts.


For a global overview of data protection fines imposed, click here.