On Monday, June 12, South Korea became the latest country approved to officially join the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules system. It is the fifth APEC economy to participate in the system, joining the United States, Canada, Japan, and Mexico. To date, twenty companies—including Apple, Cisco, HP, IBM, Rackspace, and Workday—have been certified under CBPR.
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”. This is today’s strong statement by Her Majesty The Queen reflecting the level of priority given by the UK government to privacy and data protection. Aside from the political controversies surrounding the recent general Election and the prospect of Brexit, the Queen has confirmed that during this Parliament the government intends to pass a new Data Protection Act replacing the existing one.
The Digital Economy Bill passed into UK law last Thursday 27 April 2017 amidst the flurry of activity known as the ‘wash up’ period before the dissolution of Parliament and ahead of the early general election in the UK to be held on 8 June. The Digital Economy Act introduces measures to “modernise the UK for enterprise,” and includes plans for public sector data sharing, direct marketing and age verification for online pornography, amongst other measures. An overview of these measures is set forth in this post.
On 27 April 2017 the German Parliament passed an entirely new Federal Data Protection Act. The new BDSG replaces the old BDSG, which has been in force for the last 40 years. The new BDSG shall adapt the German law to the provisions of the EU General Data Protection Regulation. The new BDSG will now form the basis for the adaption of German acts to the GDPR. Further acts concerning special processing situations like social security data protection are likely to follow.
The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments, the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised.
On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cyber security breaches and how they affected UK companies in the last year. The report indicates that a number of UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. The General Data Protection Regulation — in particular the requirement to ensure all personal data is protected by appropriate technical and organisational measures — provides a real opportunity for any organisation to build a new cyber security strategy. Documenting the decisions taken on these measures will be useful for showing compliance with the new requirements for data protection by design and by default.
Last week, the UK’s Information Commissioner’s Office published a monetary penalty notice, which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
Please join us for our March 2017 Privacy and Cybersecurity Events.
On 13 February 2017, the Australian Senate passed into law the Privacy Amendment Bill 2016. This law amends the primary privacy and data protection legislation in Australia, Privacy Act 1988, to introduce the long-anticipated mandatory data breach notification scheme. Under this scheme, all agencies and businesses that are regulated by the Privacy Act are required to provide notice to the Australian Information Commissioner and affected individuals of certain data breaches that are likely to result in “serious harm.”
The Polish Data Protection Authority has just released its inspection plans for 2017. This year, the GIODO has decided to target its review of compliance with data protection laws on the health services sector, as well as on the consumer sector, with particular attention to certain profiling activities taking place in stores and shopping malls.
On 7 February 2017, the Russian President signed into law a bill introducing amendments to the Russian Code on Administrative Offences that increases the amount of the fines imposed for violating Russian data protection laws and differentiates the relevant offences’ types. The greatest increase raises maximum fines for certain violations from RUB 10,000 to 75,000 (approx. USD 170 to 1,260).The law will come into force on 1 July 2017.
Recent changes to Japan’s Act on the Protection of Personal Information and the establishment of a new Personal Information Protection Commission have raised questions about how the world’s third-largest economy plans to implement new domestic requirements and engage internationally on cross-border data transfers, APEC, new technologies, and more. Hogan Lovells recently hosted some of Japan’s senior data privacy regulators and advisors for a special briefing in our Washington, D.C. offices.
Please join us for our February 2017 Privacy and Cybersecurity Events.
Please join us for our December 2016 Privacy and Cybersecurity Events.
We are pleased to announce that Hogan Lovells Frankfurt-based Partner Tim Wybitul has published a handbook – EU-Datenschutz-Grundverordnung im Unternehmen: Praxisleitfaden – to assist organizations with compliance with the European General Data Protection Regulation. Written in German, the handbook includes plain-language summaries of GDPR requirements as well as project-planning and other checklists and examples to aid companies in complying with the Regulation. The handbook draws upon case studies to present lessons learned by several companies in their efforts to develop GDPR-compliant programs and is designed to be a useful resource for companies of all sizes.
Please join us for our October 2016 Privacy and Cybersecurity Events.
The Philippines’ first comprehensive data protection law, the Data Privacy Act of 2012, took effect on 8 September 2012. The Act mandated the creation of a National Privacy Commission to implement, enforce and monitor compliance with the Act, with one of its duties to promulgate rules and regulations to effectively implement the provisions of the Act. It was not until March 2016 that the NPC was officially formed, and soon after issued draft implementing rules and regulations of the Act. Following a period of public consultation, the implementing rules and regulations were finalised and formally promulgated on 24 August 2016 and will come into effect today, 9 September 2016.
Please join us for our September 2016 Privacy and Cybersecurity Events.
Thank you to everyone who participated in last week’s webinar “Privacy Shield: What You Need to Know,” in which we explored how companies demonstrate compliance with the Privacy Shield principles, what it takes to move from Safe Harbor to Privacy Shield, and more. A copy of the slide deck and recorded webinar are now available on our blog.
The free flow of data is essential to an ever-growing segment of the global economy. Yet some policymakers and advocates, citing privacy concerns, have called for shutting off the faucet and restricting data flow, to the detriment of European consumers and European businesses, both small and large. After much debate, a major European court opinion, and at least one act of Congress to address the issue, a solution is at hand that will enhance real, enforceable privacy protections on both sides of the Atlantic.
Please join us for July 2016 events and speaking engagements led by members of the Hogan Lovells Privacy and Cybersecurity team, detailed in this post.
The people of the UK have spoken and our collective choice is to leave the European Union. Some are dreading the likely tsunami of economic hardship. Others are excited about what may lie ahead. Most of us are shocked. But as numbing as the verdict of the UK electorate may be, there are crucial political, legal and economic decisions to be made. The ‘To Do’ list of the UK government will be overwhelming, not least because of the dramatic implications that each of the items on the list will have for the future of the country and indeed the world. Steering the economy will be a number one priority and with that, the direction of travel of the digital economy – which, at the end of the day, is one of the pillars of prosperity in the UK and everywhere else.
In an April 15, 2016 report, the French Data Protection Authority, the CNIL, provided details about its little-known responsibility as overseer of the French police’s website-blocking powers. The French legislature gave the CNIL this new role in a November 13, 2014 law designed to enhance French police powers against terrorism. The 2014 law increased French police and intelligence agencies’ powers to collect data without a court order. A lesser-known aspect of the November 2014 law is the provision that allows the French police to order ISPs to block websites that either provoke terrorist acts or support (provide an “apologia” or defense for) terrorism. When the French police identify online content that violates these rules, they may order ISPs to block access. The police also have this power with regard to child pornography. Search engines can also be ordered to delist content from search results.
Undoubtedly one of the more mind-bending exemptions to apply under the Freedom of Information Act 2000 (FOIA) is the exemption for personal information (s.40) (although sections 30 and 36 are also up there!). This is partly due to s. 40’s close link with the Data Protection Act 1998 (DPA). Not one to hog the limelight, the DPA has typically been cited in past litigation as a secondary or even tertiary issue to the main action when there is a claim for breach of confidence or breach of privacy. This led to a scarcity of judicial rulings on the DPA prior to the FOIA. However, in the Tribunal and higher court decisions flowing from the FOIA, certain aspects of the DPA have frequently been examined when public authorities seek to rely on the s. 40 exemption. Consequently there have been a number of rulings on the scope of personal data and on the ‘legitimate interests’ ground as a legal basis for disclosing such information. These rulings have been based on the DPA which itself implements the EU Data Protection Directive 95/46/EC. But the Directive is due to be replaced by an EU Regulation in the next few years. What will this mean for how the s. 40 exemption under FOIA is interpreted?