The recent attack on UK retailer Marks & Spencer, which allegedly cost the business £43 million a week in lost sales and potentially divulged the personal data of 9.4 million active customers, highlights the proliferation of ransomware groups and the risks inherent in storing and processing data.
The evolution of hacking has far outpaced regulation, but governments, the courts, and the private sector are starting to catch up, with significant implications for highly sensitive financial and health data.
The Payment Card Industry Data Security Standard (PCI DSS) 4.0.1 came into effect in April and applies globally, so any organisation that stores, processes, or transmits cardholder data for the card brands must comply with it. Several jurisdictions explicitly reference or incorporate PCI DSS within their own statutory or regulatory frameworks. The United States Data Security Program also came into effect in April, regulating the transfer of, or provision of access to, bulk US sensitive personal data and US Government-related data to “countries of concern.”
The European Digital Identity Framework Regulation (eIDAS 2.0), which came into effect at the end of 2024, introduces a standardised framework for digital identity and trust services across all EU Member States, massively benefiting anti-money laundering efforts while still protecting individuals’ personal data.
The European Data Protection Board issued draft guidelines on data pseudonymisation in January, and the UK Information Commissioner’s Office followed with new guidance on data anonymisation in March. The European Union is keenly awaiting the outcome of an appeal to the European Court of Justice on the subjects of anonymisation and pseudonymisation.
A number of US states have enacted, or are in the process of enacting, broad-based consumer privacy laws. Although welcome, these create a complex web of rules that presents a challenge for companies wanting to take advantage of cheaper overseas labour to reduce administrative costs.
While there is an undeniably strong trend towards the protection of personal data, it’s also disheartening to see existing protections being eroded. McDermott was proud to advise on a recent amicus brief filed by LGBT Tech urging the California Supreme Court to overturn a Court of Appeal’s decision that would erode the protections of the Stored Communications Act (SCA). The California Court’s decision will determine whether hundreds of millions of social media users will continue to enjoy the privacy protections over their electronic communications set forth in the SCA.