After the recent release of the discussion draft of its Framework for Cyber-Physical Systems (CPS), the National Institute of Standards and Technology (NIST) has continued its push to facilitate the development of a more secure interconnected environment by convening a workshop on cybersecurity for smart cities. Co-hosted by the Cyber Security Research Alliance (CSRA) and titled “Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies,” the workshop brought together representatives of government, industry, and academia to discuss how cybersecurity and privacy might be designed into the infrastructure of smart cities.
What’s the deal?
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations.
Grounds for processing
Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent.
Pseudonymisation enters the stage
Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information, where that additional information is kept separately. In exchange for the lower level of privacy intrusion, the applicable requirements are less stringent.
What difference does a Regulation make?
Unlike EU ‘directives’, EU ‘regulations’ are by nature directly effective in EU Member States and so do not require further implementation into national laws. Previously, European data protection law was governed by the Data Protection Directive. It was the responsibility of Member States to implement the Data Protection Directive into their national law. When the Regulation becomes law, it will apply immediately throughout the EU due to its direct effect. As a consequence, national data protection acts will cease to be relevant for all matters falling within the scope of the Regulation.
It’s been a long way and the task is not over yet. However, there is light at the end of the EU data protection reform tunnel. The modernisation of European privacy laws has reached a critical milestone and we can now safely assume that this process will culminate in a radical new framework in a matter of months.
Influenced by overwhelming technological advances and the Snowden revelations, the resulting EU Data Protection Regulation is set to introduce new accountability obligations, stronger rights and ongoing restrictions on international data flows. Overall, the new framework will be ambitious, complex and strict.
If the EU data protection legislative reform was a marathon, we would now be approaching the 20-mile mark. That is the critical point where one can start to think that the finish line is within reach in the knowledge that the hardest part is yet to come. At present, the EU legislative process that started more than three years ago is about to reach a crucial milestone: On 15 and 16 June, the Council of the EU—which shares legislative powers with the European Parliament—is due to reach an agreement on its own preferred draft for the General Data Protection Regulation (GDPR).
On Monday, June 1, a District Court in the Northern District of California granted AOL’s motion to dismiss plaintiff Nicholas Derby’s putative TCPA class action complaint on the grounds that the complaint failed to allege facts sufficient to establish that the AOL Instant Messenger (AIM) service was an automatic telephonic dialing system (ATDS) under the Act. Notably, the court did not wait until discovery had been conducted to determine whether the AIM service qualified as an ATDS.
On 16 April 2015, the French data protection authority, the CNIL (Commission Nationale de l’Informatique et des Libertés), published its annual report for 2014. The CNIL’s annual report is an opportunity for the authority to report on its activities over the previous year as well as set out its priorities for the coming year. Significantly, a number of new technologies such as connected cars and smart cities were included in the list of priorities that the CNIL will tackle in coming months.
On 26 May, the Netherlands First Chamber passed a bill requiring companies to notify the Dutch Data Protection Authority (DPA) and affected individuals of certain breaches of personal data. As we reported earlier this year, when the bill becomes law, it will be mandatory for all types of data controllers to provide these breach notifications. Failure to notify will be punishable by a maximum fine of 810,000 euros or 10% of the company’s annual turnover (i.e., revenue), whichever is greater. Importantly, the fines may not be limited only to a company’s revenue in the Netherlands, but could be calculated based on its global revenue. Companies should be aware of these increased sanctions and new mandatory notification requirements when addressing a data breach that may involve the personal data of Dutch citizens.