The EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018, is generally designed to align data protection requirements across the EU. However, its opening clauses offer countries some freedom in their implementation of the Regulation and, thus, room to differ. In August 2016, the German Ministry of the Interior (BMI) released its first GDPR implementation proposal to widespread criticism from both experts and data protection authorities. Recently, the BMI published a revised proposal, a new Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG). The draft BDSG provides further details regarding the scope and implementation of existing GDPR provisions and also contains additional data protection requirements beyond those provided for in the Regulation. We explore notable specifications to and deviations from the GDPR, below.
Last Wednesday, President Trump signed an immigration-related Executive Order (EO) titled “Enhancing Public Safety in the Interior of the United States” that, among other things, removed the ability of federal agencies to extend protections under the Privacy Act to anyone other than U.S. citizens or legal permanent residents. Some initial observers have suggested that this means that the U.S. government is pulling back from its commitments to provide privacy protections to EU citizens, thus putting in peril the EU-U.S. Privacy Shield Framework. Upon closer examination, however, the EO does not impact any of the U.S. commitments under the Privacy Shield, nor does it revoke protections for EU citizens under the Privacy Act provided pursuant to the Judicial Redress Act.
In the past month, the National Institute of Standards and Technology (NIST) has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications.
On January 10, 2017, the European Commission released a Communication, a fact sheet, a working document and a public consultation relating to Europe’s “data economy”. The fact sheet states that “data is a new type of economic asset”, which is essential for innovation and growth. The Commission’s objective is to remove “unjustified restrictions” and “legal uncertainties” in order to facilitate data sharing and innovation.
After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. In addition, new questions will no doubt emerge. Here is an overview of the privacy challenges that lie ahead and what can be done about them.
At the end of 2016, territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2017 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including data localization. The inspection plans contain a number of prominent multi-national and Russian companies.
On January 5, 2017 Paris Law School Panthéon-Assas launched its first university degree (diplôme d’université) aimed at training future Data Protection Officers (DPOs) under the new European General Data Protection Regulation (GDPR), which becomes effective across the EU on May 25th, 2018. Created by Paris University Professor Bénédicte Fauvarque-Cosson and Hogan Lovells partner Winston Maxwell, the new program will include courses in law, cybersecurity, data analytics, management and ethics. The faculty will include professors from various law schools, as well as practicing DPOs, information security specialists, lawyers and regulators from the CNIL (the French data protection authority), and major companies including Sanofi, Renault, GE, Axa, Lagardère, Google, Microsoft, Schneider Electric, BNP Paribas and the Banque Postale.
Speaking at the opening ceremony, Professor Fauvarque-Cosson commented: “This is an exciting time because data protection law is being created before our eyes. The new European regulation is just the start.” Winston Maxwell underlined the difficulties of the DPO role under the GDPR: “The DPO is an important management position, but it will not be easy.”
Information about the new program is available here.
To see Professor Fauvarque-Cosson’s and Winston Maxwell’s video, click here.
The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive. The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader territorial reach and applies generally to the provision of electronic communications services to end users in the EU and to the use of such services. It is also concerned with the protection of information related to the devices of end users located in the EU.
In this particular respect, the draft e-Privacy Regulation introduces revised and complex rules affecting end users’ terminal equipment and how data is collected in that context. Our high level assessment of the notice and consent requirements affecting various data activities involving users’ devices can be found here.
The consequences for non-compliance follow a two-tier approach as follows:
- Breaches of the rules regarding notice and consent, default privacy settings, publicly available directories and unsolicited communications may be punished with fines of up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher.
- Breaches of the rules regarding the confidentiality of communications, permitted processing of electronic communications data and the time limits for erasure of data may be punished with fines of up to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher.
This is the beginning of the formal legislative process and now the draft is in the hands of the European Parliament and the Council of the EU.
Sam Choi, a trainee solicitor in our London office, contributed to this entry.
Please join us for our January 2017 Privacy and Cybersecurity Events.
|January 31-February 1||
The New York Department of Financial Services (NYDFS) just issued major revisions to the cybersecurity regulations for financial institutions that were due to come into effect on January 1, 2017. To allow covered institutions more time to implement the rules, the effective date will now be March 1, 2017, with a series of staggered implementation dates beyond this. There are several notable substantive changes in the revised rules.
Click here to learn more about the major changes to the proposed rules, timing and implementation details, and how to prepare for the new requirements as well as other related cybersecurity developments.
For more details on the NYDFS cybersecurity regulations for financial institutions, please see our previous blog post.