Few areas of regulation are advancing as quickly in Asia as data privacy regulation. This year marks the tenth anniversary of the APEC Privacy Framework and we now see “European style” comprehensive data privacy regimes in a dozen jurisdictions across the Asia-Pacific region. Hogan Lovells data protection lawyers Mark Parsons and Eugene Low recently hosted in-person seminars at Hogan Lovells’ offices in Hong Kong to take stock of where Asia is in terms of data privacy regulation, and to help chart a roadmap to compliance. The focus of these discussions was on identifying “hot spots” for businesses operating across the region and pointing to practical measures and points of prioritisation. The discussions also considered steps to be taken to prepare for and react to data breach events, with a seasoned view of regulatory attitudes and approaches to enforcement and remediation.
Following on from the Article 29 Working Party’s Opinion in June, the European Data Protection Supervisor has now published his own recommendations for the proposed General Data Protection Regulation. Unsurprisingly, given that the EDPS is a member of the Working Party, the views expressed are in line with that Opinion. At this point you may be tempted to stop reading, but wait, there is more. In addition to expressing his vision of the GDPR (more on which below) and producing his own recommendations for every single article of the GDPR, the EDPS has demonstrated his commitment to practicality by making this all available as a mobile app. The app allows you to select which of the drafts you wish to see side by side, scroll rapidly through the contents to select a particular article, or search on the whole text so you can see at a glance what each version says, for example, about pseudonymisation or profiling. Whilst the app may have limited appeal, and is unlikely to keep small children entertained on long car journeys, it will be a thing of joy for its target audience.
Making the UK a safe place to live and prosper is not a small matter. Whatever the root causes, the threats to public safety are real and a political priority for government and opposition alike. This huge responsibility combined with the complexities of 21st century communications has resulted in a succession of laws aimed at legitimising the ability of law enforcement and intelligence agencies to tap into our digital lives. Just like technology itself, this is a moving target and policy decisions in this area have come thick and fast – not just in the UK but in many other democracies around the world.
Spain is well known for having one of the most restrictive data protection regimes in the European Union. It also counts with some of the highest penalties (fines are up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency – with a reputation for being one of the fiercest of the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.
The mobile Health sector is rapidly developing and revolutionising the healthcare market. More and more consumers share information such as medical and physiological conditions, lifestyles, daily activity and geolocation via all kinds of health-related mobile applications and devices. The growing success of mHealth, however, inevitably casts a spotlight on compliance with privacy protection laws. Data protection agencies and supervisory bodies in the EU recently raised concerns about the collection, processing and use of customers’ data by mHealth apps and mobile devices. This blog introduces the key hot spots involving mHealth and data protection laws, before we dig deeper on other issues in a series of consecutive posts on this blog in the upcoming weeks.
The enactment of the USA FREEDOM Act was news unto itself. However, the impact that the surveillance reform legislation may have on cross-border data transfers could turn out to be newsworthy as well. In this post, we summarize some important elements of the legislation and explore the USA FREEDOM Act’s potential to influence more than government surveillance practices.
Data privacy in an employment context remains an important challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance; few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a legitimate expectation of privacy – including at their workplace. This inherent conflict of interests has created a considerable volume of case law regarding employee monitoring in several member states, relating to the permissibility of internal investigations and compliance controls. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses to destinations outside the EEA. The of the Data Protection Directive, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses, BCRs or the U.S.-EU Safe Harbor Framework. This approach is essentially set to continue under the Regulation with some variations. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
The General Data Protection Regulation will have a significant impact on service providers/vendors (i.e. data “processors”) and organisations that engage them by imposing a number of detailed obligations and restrictions directly on processors, unlike the current Directive that only applies to data controllers. The new rules for processors are considered in detail in the attached entry. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
Telematics-based pay-as-you-drive insurance is a new, innovative and not yet proven product from the insurance industry. This new product collects information about the driving behavior associated with the vehicle and therefore raises privacy issues for the drivers. The Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia is the first German data protection authority to evaluate a pay-as-you-drive product and has recently published its requirements for data protection and data security compliance.
Accountability has been described by the Article 29 Working Party as a way of “showing how responsibility is exercised and making this verifiable”. Accountability is far from being a new concept. It was introduced back in 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
Profiling and Big Data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed to public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. In exchange for the lower level of privacy intrusion, the applicable requirements are less stringent. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
When the General Data Protection Regulation becomes law, it will apply immediately throughout the EU due to its direct effect. It is absolutely crucial for organisations to know if they are or are not subject to the Regulation. Since the Regulation strengthens data protection principles, requires organisations to demonstrate compliance and ushers in greater enforcement powers for regulators, it is essential for all organisations, public and private, local, national or global, to understand in what circumstances the Regulation will apply to their use of personal data. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
It’s been a long way and the task is not over yet. However, there is light at the end of the EU data protection reform tunnel. The modernisation of European privacy laws has reached a critical milestone and we can now safely assume that this process will culminate in a radical new framework in a matter of months. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
If the EU data protection legislative reform was a marathon, we would now be approaching the 20-mile mark. That is the critical point where one can start to think that the finish line is within reach in the knowledge that the hardest part is yet to come. At present, the EU legislative process that started more than three years ago is about to reach a crucial milestone: On 15 and 16 June, the Council of the EU—which shares legislative powers with the European Parliament—is due to reach an agreement on its own preferred draft for the General Data Protection Regulation.
On 16 April 2015, the French data protection authority, the CNIL, published its annual report for 2014. The CNIL’s annual report is an opportunity for the authority to report on its activities over the previous year as well as set out its priorities for the coming year. Significantly, a number of new technologies such as connected cars and smart cities were included in the list of priorities that the CNIL will tackle in coming months.
On 26 May, the Netherlands First Chamber passed a bill requiring companies to notify the Dutch Data Protection Authority and affected individuals of certain breaches of personal data. As we reported earlier this year, when the bill becomes law, it will be mandatory for all types of data controllers to provide these breach notifications. Failure to notify will be punishable by a maximum fine of 810,000 euros or 10% of the company’s annual turnover (i.e., revenue), whichever is greater. Importantly, the fines may not be limited only to a company’s revenue in the Netherlands, but could be calculated based on its global revenue. Companies should be aware of these increased sanctions and new mandatory notification requirements when addressing a data breach that may involve the personal data of Dutch citizens.
It’s been said before but the CJEU’s decision on the Google Spain v. AEPD case was a real game changer. Every law student on the planet learns that there are a number of sources that contribute to the legal system of a given jurisdiction. First and foremost are the statutes adopted by – in the best of cases – democratically elected parliaments. Then there are a myriad of legal obligations that arise from various sources ranging from regulatory guidance to market practices. Ultimately, the most authoritative source is the case law that is constantly emerging from courts’ decisions. Data protection law is no exception and the CJEU has emerged as the ultimate interpreter of the legislator’s will.
The fact that the Safe Harbor framework is permanently in the firing line is not particularly earth-shattering, but the prospect of the top European court declaring its inadequacy later this year could have dramatic consequences. This prospect became all the more possible after a hearing at the Court of Justice of the European Union (CJEU) in Luxembourg in March. In an article published in the May 2015 issue of Privacy Laws & Business International Report, Eduardo Ustaran, Partner in Hogan Lovells’ Global Privacy and Information Management Practice, explores the policy climate that led to the CJEU’s potential reckoning of the Safe Harbor and the potential consequences of the eventual ruling.
On 9 March, the Council of the EU issued a partial general approach on a key chapter of the EU Data Protection Regulation which has implications for the regulation of health data. The Council’s stance has been welcomed by a number of healthcare commentators as it promotes a more flexible approach to the use of health data and accords with the tenor of the revised version of the draft Regulation that emerged from the Council in December last year.