The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.
Last week, the UK’s Information Commissioner’s Office published a monetary penalty notice, which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
Please join us for our March 2017 Privacy and Cybersecurity Events.
Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. The UK data protection regulator has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications. However, in a recently issued monetary penalty notice, the ICO indicated that it may be shifting its enforcement strategy. This post discusses the latest developments.
On 1 February 2017, the German federal cabinet adopted a draft data protection bill. The planned implementation statute aims to supplement and further define the EU General Data Protection Regulation, which will come into force in 2018. The Chronicle of Data Protection’s summary of the most relevant aspects of the draft bill can be found here. We turn now to a preliminary assessment and explanation of proposed bill, provided by German Data Protection and Freedom of Information Officer Dr. Stefan Brink, European Parliament member Jan Albrecht, and Hogan Lovells partner Tim Wybitul.
Please join us for our February 2017 Privacy and Cybersecurity Events.
The EU’s General Data Protection Regulation, which comes into force in May 2018, is generally designed to align data protection requirements across the EU. However, its opening clauses offer countries some freedom in their implementation of the Regulation and, thus, room to differ. In August 2016, the German Ministry of the Interior released its first GDPR implementation proposal to widespread criticism from both experts and data protection authorities. Recently, the BMI published a revised proposal, a new Federal Data Protection Act. The draft provides further details regarding the scope and implementation of existing GDPR provisions and also contains additional data protection requirements beyond those provided for in the Regulation. We explore notable specifications to and deviations from the GDPR.
After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. In addition, new questions will no doubt emerge. Here is an overview of the privacy challenges that lie ahead and what can be done about them.
On January 5, 2017 Paris Law School Panthéon-Assas launched its first university degree aimed at training future Data Protection Officers under the new European General Data Protection Regulation, which becomes effective across the EU on May 25th, 2018. Created by Paris University Professor Bénédicte Fauvarque-Cosson and Hogan Lovells partner Winston Maxwell, the new program will include courses in law, cybersecurity, data analytics, management and ethics. The faculty will include professors from various law schools, as well as practicing DPOs, information security specialists, lawyers and regulators from the CNIL, and major companies including Sanofi, GE, Axa, Lagardère, Google, Microsoft, Schneider Electric, BNP Paribas and the Banque Postale.
Please join us for our January 2017 Privacy and Cybersecurity Events.
No one could accuse the EU Article 29 Working Party of not delivering as promised. Following its recently held December plenary meeting, the WP29 has released three separate guidelines with their interpretation of some key aspects of the General Data Protection Regulation, namely: data portability, data protection officers, and lead supervisory authorities. At the same time, the WP29 has confirmed its role as the “EU centralised body” for handling individual complaints under the Privacy Shield and the re-establishment of its enforcement subgroup in charge of coordinating cross-border enforcement actions. We explore the three guidelines in this post.
To coincide with the London Conference on Cyberspace, the UK Government published its first UK Cyber Security Strategy paper in November 2011. Five years later in November 2016, the National Cyber Security Strategy 2016 was published listing three key objectives: defend, detect, develop.
We are pleased to announce that Hogan Lovells Frankfurt-based Partner Tim Wybitul has published a handbook – EU-Datenschutz-Grundverordnung im Unternehmen: Praxisleitfaden – to assist organizations with compliance with the European General Data Protection Regulation. Written in German, the handbook includes plain-language summaries of GDPR requirements as well as project-planning and other checklists and examples to aid companies in complying with the Regulation. The handbook draws upon case studies to present lessons learned by several companies in their efforts to develop GDPR-compliant programs and is designed to be a useful resource for companies of all sizes.
In less than one week, on August 1, U.S. companies may begin to submit self-certifications to the EU-U.S. Privacy Shield framework at www.privacyshield.gov. Those companies that previously certified to the predecessor Safe Harbor framework are in a particularly good position to certify to the Privacy Shield, which built upon Safe Harbor’s core principles by adding meaningful substantive and procedural privacy protections for EU individuals.
Part 12 of Future-Proofing Privacy: Security is a Critical Piece. Security is a critical piece of the data protection jigsaw. Lack of consumer confidence has been identified as a key risk for the development of the digital single market, and a series of high profile breaches has exacerbated the situation. So it was inevitable that data protection reform would need to demonstrate that regulators were serious about data security and the Regulation does this by introducing three critical changes: obligations to have appropriate security in place will apply directly to data processors for the first time; there will be mandatory reporting of data breaches to data protection authorities; and there will also be mandatory reporting of data breaches to data subjects in certain situations.
The European Commission has actively promoted the importance of mHealth following their 2014 consultation. One of the initiatives to emerge from the Commission has been the Privacy Code of Conduct for mHealth apps. The Code was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation.
Part 11 of Future-Proofing Privacy: Data Protection in the Workplace. Modern technology offers advanced technical options to monitor employee performance and conduct. Even standard IT applications may be used to control or record personnel behaviour in the workplace. Where previously the degree of employee supervision was limited by what the technology could do, rapid technological advancements mean that data protection laws are now the principal limitation in the EU. The Regulation is due to play a major role in this respect. As a consequence, employee data privacy has been one of the most hotly debated aspects of the Regulation. This area of data privacy will remain less harmonised than other fields of data protection.
Part 10 of Future-Proofing Privacy: Enforcement and the Risk of Non-Compliance. One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
Part 9 of Future-Proofing Privacy: Future-Proofing Privacy: International Data Transfers 2.0. The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses (whether those businesses are data controllers or data processors) to destinations outside the EEA. These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses or BCRs. This approach is essentially set to continue
with some variations.
Part 8 of Future-Proofing Privacy: Data Processors’ New Obligations. The Regulation will impose a number of compliance obligations and possible sanctions directly on service providers. This is a significant change as currently service providers do not have any direct obligations to comply with EU data protection law (their obligations derive from their contracts with controllers). Future proof deals being negotiated now. Controllers and processors should carefully document the responsibilities of the parties and specifically take into account the forthcoming changes when deciding on providing consent for subprocessors, pricing, security standards and risk allocation.
Part 7 of Future-Proofing Privacy: The New Accountability Regime. Accountability is about demonstrating compliance and being transparent about such compliance. The Data Protection Directive already includes a number of obligations and recommendations for data controllers which echo the accountability principle, but new obligations in the Regulation formalise the requirement. Compliance with the accountability provisions of the Regulation will entail conducting audits, implementing internal and external policies and processes, privacy impact assessments and security measures and appointing a DPO.
Part 6 of Future-Proofing Privacy: Profiling Restrictions versus Big Data. Profiling and big data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed to public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation.
Part 5 of Future-Proofing Privacy: New and Stronger Rights. The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations.
Part 4 of Future-Proofing Privacy: Justifying Data Uses – From Consent to Legitimate Interests. Currently, under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law will remain unchanged under the Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher. This is especially true with regards to consent.