The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations. Continue Reading
Currently, under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law will remain unchanged under the Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher. This is especially true with regards to consent. Continue Reading
Please join us for our June 2016 Privacy and Cybersecurity Events.
Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. Pseudonymisation, while granting higher data security, also enhances data utility. In exchange for the lower level of privacy intrusion, and in order to encourage data controllers to resort to pseudoanonymisation, certain requirements are less stringent. Continue Reading
Unlike EU ‘directives’, EU ‘regulations’ are by nature directly effective in EU Member States and so do not require further implementation into national laws. Previously, European data protection law was governed by the Data Protection Directive. It was the responsibility of Member States to implement the Data Protection Directive into their national law. When the Regulation becomes law, it will apply immediately throughout the EU due to its direct effect. As a consequence, national data protection acts will cease to be relevant for all matters falling within the scope of the Regulation.
Why does this matter?
It is absolutely crucial for organisations to know if they are or are not subject to the Regulation. Since the Regulation strengthens data protection principles, requires organisations to demonstrate compliance and ushers in greater enforcement powers for regulators, it is essential for all organisations, public and private, local, national or global, to understand in what circumstances the Regulation will apply to their use of personal data. Continue Reading
Debated in Parliament since 9 December 2015, the French Digital Bill was subject to a Senate vote on 3 May 2016, two weeks before publication of the General Data Protection Regulation (GDPR) in the EU’s Official Journal.
The Digital Bill as voted for by the French Senate on 3 May 2016 includes a data localization provision: “Data shall be stored in a data center located within any EU Member State territory, without prejudice to international agreements to which France and the EU are parties. They cannot be subject to a transfer to a third country“. The Bill’s data localization provision may be incompatible with Article 44 of the GDPR and perhaps the current Data Protection Directive 95/46, as it places stricter requirements on the transfer of personal data outside of the EU than provided for under those documents. Continue Reading
It has taken several years but we have finally made it to the start line. The modernisation of European privacy laws has reached a critical milestone and with the formal adoption of the new data protection framework, we can now begin to lay the foundations for the future.
Influenced by overwhelming technological advances and the Snowden revelations, the EU Data Protection Regulation introduces new accountability obligations, stronger rights and ongoing restrictions on international data flows. Overall, the new framework is ambitious, complex and strict. Businesses operating in Europe or targeting European customers need to get their act together and start preparing for the new regime. At stake are not only the consequences of non-compliance, but also the ability to take advantage of new technologies, data analytics and the immense value of personal information. From determining when European law applies to devising a workable cooperation strategy with national regulators, there are many intricate novelties to understand and address.
Our guide “Future-proofing privacy” aims to be a useful starting point. 24 authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the new framework with a practical mindset, providing concrete suggestions for actions to take now. Continue Reading
Unveiled February 29, 2016, the new EU-U.S. Privacy Shield attempts to address the shortcomings of the Safe Harbor arrangement identified originally by the European Commission and later by the Court of Justice of the European Union (CJEU) in its Schrems decision. The Privacy Shield proposes improved data protection principles, better enforcement by the US Department of Commerce and the Federal Trade Commission, redress mechanisms for EU citizens, and safeguards surrounding law enforcement and intelligence activities. Continue Reading
While many of the recent most highly publicized data breaches have involved high-profile consumer brands, the life sciences sector is an increasingly attractive target for a cyber attack. Criminal attackers are targeting the health sector as part of industrial espionage programs and to obtain patient information that can fetch premium prices on the black market. In developing a cybersecurity strategy to combat potential threats, life sciences companies should employ a comprehensive strategy involving an assessment and analysis of likely risks, and active and continuing planning, training, and updating of cybersecurity strategies. Regulators have already signaled that cybersecurity risk assessments are foundational to meeting legal requirements and can define the baseline for what constitutes reasonable security measures within an organization.
In an April 15, 2016 report, the French Data Protection Authority, the CNIL, provided details about its little-known responsibility as overseer of the French police’s website-blocking powers. The French legislature gave the CNIL this new role in a November 13, 2014 law designed to enhance French police powers against terrorism. The 2014 law increased French police and intelligence agencies’ powers to collect data without a court order. A lesser-known aspect of the November 2014 law is the provision that allows the French police to order ISPs to block websites that either provoke terrorist acts or support (provide an “apologia” or defense for) terrorism. When the French police identify online content that violates these rules, they may order ISPs to block access. The police also have this power with regard to child pornography. Search engines can also be ordered to delist content from search results. Continue Reading