Yesterday, Russian President Vladimir Putin signed the law “On introducing amendments to the Federal law ‘on fighting terrorism’ and other legislative acts of the Russian Federation related to establishment of additional measures against terrorism and ensuring public security” (the “Law”). Specifically, the Law introduces amendments to the Russian Law on Communications and the Russian Law On Information, Information Technologies and Protection of Information.
Please join us for our July 2016 Privacy and Cybersecurity Events.
The people of the UK have spoken and our collective choice is to leave the European Union. Some are dreading the likely tsunami of economic hardship. Others are excited about what may lie ahead. Most of us are shocked. But as numbing as the verdict of the UK electorate may be, there are crucial political, legal and economic decisions to be made. The ‘To Do’ list of the UK government will be overwhelming, not least because of the dramatic implications that each of the items on the list will have for the future of the country and indeed the world. Steering the economy will be a number one priority and with that, the direction of travel of the digital economy – which, at the end of the day, is one of the pillars of prosperity in the UK and everywhere else.
We last reported on Russia’s data localization law earlier this year when the Russian data protection authority, Roskomnadzor, released its inspection plan for 2016. Since then, Roskomnadzor has been conducting compliance inspections both according to the plan and in individual cases when it has reason to do so. The results of those inspections and recent comments by the Head of Roskomnadzor all yield insights into the regulatory expectations and the risk of noncompliance with the data localization law.
Security is a critical piece of the data protection jigsaw. Clear comprehensive privacy notices, rights to access and port data, and the protections offered by the principle of purpose limitation and restrictions on data transfers have little value to consumers if their data is not secure. Lack of consumer confidence has been identified as a key risk for the development of the digital single market, and a series of high profile breaches has exacerbated the situation. So it was inevitable that data protection reform would need to demonstrate that regulators were serious about data security and the Regulation does this by introducing three critical changes:
- Obligations to have appropriate security in place will apply directly to data processors for the first time.
- There will be mandatory reporting of data breaches to data protection authorities.
- There will also be mandatory reporting of data breaches to data subjects in certain situations.
There have been some pretty big claims about the potential of mHealth. One 2012 study predicted that in 2017 mHealth could potentially save a total of USD $99 billion in healthcare costs across the EU. The European Commission has also actively promoted the importance of mHealth following their 2014 consultation. One of the initiatives to emerge from the Commission has been the Privacy Code of Conduct for mHealth apps. The Code was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation (GDPR).
Data privacy in an employment context remains a challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance. Few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a reasonable expectation of privacy – including in their workplace. This inherent conflict of interests has created a considerable volume of case law regarding employee monitoring in several Member States, e.g. relating to the permissibility of monitoring in internal investigations and compliance controls.
Modern technology offers advanced technical options to monitor employee performance and conduct. Even standard IT applications may be used to control or record personnel behaviour in the workplace. Where previously the degree of employee supervision was limited by what the technology could do, rapid technological advancements mean that data protection laws are now the principal limitation in the EU. The Regulation is due to play a major role in this respect. As a consequence, employee data privacy has been one of the most hotly debated aspects of the Regulation. This area of data privacy will remain less harmonised than other fields of data protection.
One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses (whether those businesses are data controllers or data processors) to destinations outside the EEA.
Recap on current framework
Transfers of personal data to a third country outside the EEA are allowed under the current Data Protection Directive only if one of the following requirements has been met:
- the Commission has established that the third country ensures an adequate level of data protection by reason of its domestic law or as a result of the international commitments it has entered into. The Commission has so far recognised eleven countries as providing adequate protection;
- adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights have been adduced, such as:
  - where the transfer is based on the EU Model Clauses;
  - where other transfer mechanisms recognised by European DPAs under the Data Protection Directive (such as Binding Corporate Rules (“BCRs”)) are in place;
- one of the derogations under the Data Protection Directive applies, such as where the data subject has consented to the transfer.
These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses or BCRs. This approach is essentially set to continue with some variations.
The Regulation will have a significant impact on service providers/vendors (i.e. data “processors”) and organisations that engage them because:
- The Regulation imposes a number of detailed obligations and restrictions directly on processors, unlike the current Directive that only applies to data controllers
- A processor will be fully liable for the actions of any sub-processor that it uses to provide its services and will be required to flow down its obligations under the Regulation to the sub-processor
- There are significant penalties which can be imposed on processors for failure to comply with their increased responsibilities and individuals have enhanced rights to seek compensation directly from service providers
- The new law is much more prescriptive about the contractual arrangements that must be in place between controllers and processors than under the current Directive
The new rules are considered in further detail below and will be triggered where:
- The processor is established in the EU (even if the actual processing takes place outside the EU)
- The processor offers goods or services to, or monitors the behaviour of, EU-based individuals (even if the processor is not established in the EU). In such circumstances the non-EU based processor must designate an EU representative, unless the data processing is occasional, does not involve sensitive data processing or is not high risk to the individual