A number of data protection authorities around the globe have issued press releases confirming their involvement in the 2016 global privacy “sweep”, which kicked off on April 11th. This year’s initiative involves a coordinated investigation by 29 DPAs into the practices of internet-connected devices, such as fitness and health trackers, thermostats, smart meters and TVs and connected cars. The work is being coordinated by the Global Privacy Enforcement Network under the leadership of the UK Information Commissioner’s Office.
On 12 April 2016, the European Commission launched a public consultation on the ePrivacy Directive. Interested parties who wish to participate have until 5 July 2016 to submit responses to the Commission’s 33 questions.
From the moment that the Chairman of the Article 29 Working Party, Isabelle Falque-Pierrotin, announced at a press conference on 3rd February this year that the Working Party would assess the standing of the EU-US Privacy Shield under EU law, privacy professionals have been waiting to see what the Working Party’s view would be. Earlier this week, on 13th April, the Working Party provided their initial opinion. On the one hand, the Working Party welcomed the significant improvements of the Privacy Shield as a positive step forward. Yet, on the other hand, the Working Party set out their strong concerns on the commercial aspects of the Privacy Shield and the ability for US public authorities to access data transferred under the Privacy Shield. The opinion concluded by urging the European Commission to resolve these concerns and improve the Privacy Shield.
Last Friday, the EU Council has adopted its position at first reading on the data protection reform. This prepares the way for the final adoption of the legislative package which includes the General Data Protection Regulation by the European Parliament on 14 April 2016. This formal adoption by the EU Council comes after the compromise agreed with the European Parliament on 15 December 2015.
In a thorough legal analysis of the EU-U.S. Privacy Shield framework, a report from Hogan Lovells says the framework would stand up in the Court of Justice of the European Union, and the true level of data protection afforded by the Privacy Shield framework will only be demonstrated by its functioning and the practices of its participants.
The February 29, 2016 announcement of the new EU-U.S. data transfer framework—the Privacy Shield—was accompanied by over 130 pages of documentation and significantly more operational details than its predecessor, Safe Harbor. We have reviewed the Privacy Shield materials and published a comprehensive breakdown of the changes from Safe Harbor to Privacy Shield and the practical impact on business: Inside the New and Improved EU-U.S. Data Transfer Framework.
Significant changes are afoot for processors. With the text of the European Union General Data Protection Regulation now published, processors will need to begin to acclimatise to the new regime under the GDPR. Although the GDPR still places the lion’s share of compliance responsibilities on controllers, it also extends direct application of the law to processors and renders them subject to fines, in an effort to allocate responsibility between the parties.
On February 29, 2016 and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, as it describes more specifically the measures that organizations wishing to use the Privacy Shield must implement. Importantly, the Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals.
On 26 January, Hong Kong’s Privacy Commissioner for Personal Data published his annual report on 2015 complaints and enforcement activity under the Personal Data Privacy Ordinance. The report reveals that 871,000 Hong Kong individuals were affected by data breaches in 2015, compared with 47,000 in 2014. The report is noteworthy that the number of reported breaches continues to increase at a rapid pace notwithstanding the fact that Hong Kong’s data breach notification regime is at the moment a voluntary one. The report is also notable for setting out the Commissioner’s statement of priorities for 2016.
A bill, passed by the French National Assembly on 26th January 2016, and now before the French Senate, would amend Article 47 of the French Data Protection Act to give the French Data Protection Authority (the CNIL) the power to impose penalties for breaches of data protection law of up to 20 million euros or up to 4% of an organization’s total worldwide annual turnover (the Digital Republic Bill). Up until now, the CNIL could only issue penalties of up to 150 000 euros.
Connected cars can generate large volumes of data, including data on engine performance, location, and driver behaviour. The European Commission has convened multi-stakeholder groups to figure out how to organize access to that data in a safe, competitively neutral, and privacy-friendly way. Two recent reports shed light on the principles under consideration for data sharing infrastructures in the EU. And legislative and regulatory developments in the EU will likely have a substantial impact on connected car deployments.
In mid-January, the territorial divisions of Russia’s Data Protection Authority, Roskomnadzor, uploaded their 2016 plans for conducting inspections of local companies’ compliance with Russia’s data localization requirements, and there are a number of prominent multi-national companies on the list.
Following the announcement by the European Commission of the newly agreed EU-US Privacy Shield, the missing piece of the jigsaw was the Article 29 Working Party’s stance on the adequacy of the existing mechanisms in place—in particular, standard contractual clauses and binding corporate rules. So after two days of intense discussions, the Working Party has issued a statement with its latest position, which is the follow up to their original reaction to the invalidation of Safe Harbor last October. The bottom line: the Working Party still does not view US government surveillance laws as sufficiently protective of privacy—a position which calls all transfers of personal data to the US in question, regardless of the methods used to legitimise the transfer—but they will reconsider this position in light of the Privacy Shield in the coming months.
The European Commission has announced an agreement today with the United States Department of Commerce to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” The Privacy Shield aims to address the requirements set out by the European Court of Justice in its Oct. 6, 2015 ruling by imposing stronger obligations on companies, providing stronger monitoring and enforcement by the DOC and Federal Trade Commission , and making commitments regarding access to information on the part of public authorities. In announcing the agreement, Vice-President Ansip noted his belief that the Privacy Shield will benefit both European businesses and citizens, and will prove to be a “much better” solution for transatlantic data flows.
It’s close to 7pm on a Friday evening and my team are trying their best to manage our clients’ stress and frantic desperation. Jokes about how much they love Max Schrems are shared by email. In the meantime, we are diligently working our way through endless charts of dataflows and attempting to cover every single […]
To say that the EU General Data Protection Regulation (GDPR) will change the existing data protection framework in Europe is an understatement. After an intense legislative process of more than 4 years, an ambitious, complex and strict new law that is set to transform the way in which personal information is collected, shared and used globally. Eduardo Ustaran highlights the GDPR’s significant changes in this article published in the Privacy and Data Protection Journal.
The EU General Data Protection Regulation has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.
A legal tsunami of overwhelming proportions. A ground breaking piece of legislation. A sweeping digital-privacy regime. A strict new legal framework that will have ripple effects globally. These are all hyperbolic expressions used to describe the impact of the newly agreed EU General Data Protection Regulation (GDPR). Anyone who has read and digested the GDPR […]
The Right to be Forgotten Law imposes an obligation on search engines that disseminate adverts targeted at consumers located in Russia to remove search results listing information on individuals where such information is unlawfully disseminated, untrustworthy, outdated, or irrelevant (i.e. the information is no longer substantially relevant to the individual in question due to subsequent events or the actions of individuals). The Law includes exemptions where a search engine does not have to comply – (i) information on events reporting a crime where the limitation period for criminal liability has not expired; as well as (ii) crimes committed by an individual where their conviction record has not been erased.
The Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) has issued regulations requiring all data controllers that are (i) private legal entities registered in Chambers of Commerce in Colombia (i.e., incorporated in Colombia) or (ii) partially government owned corporations (“sociedades de economía mixta”) to register their databases by November 8th, 2016. The regulations were issued on November 3, 2015, and the National Database Registry (the “Registry”) required by Colombian data protection laws was enabled on November 9, 2015. Read our post to learn about the registration requirements and potential penalties for noncompliance.
It has finally happened. Like that train you are waiting for that keeps getting delayed but eventually arrives. The all-powerful trio comprising the European Parliament, the Council of the EU and the European Commission arrived at their destination after a journey of four years, and on December 15th, 2015, agreed the final text of the EU General Data Protection Regulation. Once formally adopted in the coming weeks, the GDPR will create a completely new legal framework for the collection, use and sharing of personal information that will apply well beyond Europe.
At a trialogue meeting on December 7, the Luxembourg Presidency of the Council of the European Union reached agreement with the European Parliament on common rules to strengthen network and information security (NIS) across the EU. The new directive will set out the first ever EU-wide cybersecurity obligations for operators of essential services and digital […]
The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and to keep everyone safe requires little justification. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated. In a show of political awareness and legislative dexterity, in November 2015, the UK government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs with the protection of ordinary citizens’ privacy. The Bill seeks to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. It is currently being scrutinized by a parliamentary committee and subject to public consultation.
On 9 October 2015, the Privacy Commissioner for Personal Data published a Guidance Note on “Data Breach Handling and the Giving of Breach Notifications”, a revised version of its June 2010 edition. The Guidance Note gives guidance to data users on how to deal with data breaches. In particular, the Guidance Note provides more of a focus on the relationship between data users and data processors. A data user engaging a data processor must adopt contractual or other means to ensure personal data security.