Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.
Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.
In addition to setting two levels of administrative fines, Article 83 of the GDPR provides criteria that national supervisory authorities must apply when setting administrative fines. On 3 October 2017, the Article 29 Working Party – a body now called the European Data Protection Board (“EDPB”) – issued guidelines (“EDPB Guidelines”) on the setting of administrative fines.
In an article written for La Revue Des Juristes De Sciences Po, Hogan Lovells partners Winston Maxwell and Christine Gateau consider the criteria for setting administrative fines under Article 83 of the GDPR in light of the EDPB Guidelines, case law of the CJEU and national courts. Where applicable, Maxwell and Gateau compare the criteria in Article 83(2) of the GDPR with those used in setting administrative fines for competition law violations, as well as with the methodology used by authorities in the United States for setting fines. Maxwell and Gateau also consider procedural safeguards under Article 6 of the European Convention on Human Rights.
A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm).
The draft act (in Polish) contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.
Particular controversy has been caused by the government’s proposal to limit the scope of data on which credit risk scoring may be based to only those categories of data expressly indicated in the draft act. In its current version, the proposed data catalogue is limited solely to identification data, data concerning marital status and matrimonial regime, information about financial and work situation, as well as credit history.
With the coming into effect of the General Data Protection Regulation (GDPR), those conducting clinical trials in the EU face a complex set of rules ranging from lawful grounds for processing and transparency to restrictions on data transfers and secondary uses. To assist with this task, the European Commission is in the process of adopting a Q&A document on which it has sought advice from the European Data Protection Board (EDPB).
As the EDPB puts it, the information provided in the Q&A document will constitute a good basis for a GDPR compliant clinical trial. So, with that in mind, the EDPB has issued an influential opinion on the lawful grounds for the processing of personal data in the context of clinical trials. The opinion covers the justification for both the primary use of data for the clinical trial protocol itself and the secondary use of such data for other scientific purposes.
An added complexity of personal data processing for clinical trials is that this will necessarily involve the use of ‘data concerning health,’ which is regarded as a special category of personal data. In practice, this means that for the purposes of complying with the GDPR, it will be necessary to meet one of the grounds of Article 6 as well as one of the conditions of Article 9.
This is the eleventh installment in Hogan Lovells’ series on the California Consumer Privacy Act.
Much of the focus on the California Consumer Privacy Act (“CCPA”) has been on the new rights that it affords California consumers, including the rights to access, delete, and opt out of the sale of their personal information. But arguably the greatest risk to covered businesses involves data security, as the CCPA creates for the first time a private right of action with substantial statutory penalties for breaches involving California consumers’ personal information.
This installment of the Hogan Lovells CCPA series explains the CCPA’s security requirement and the consequences of non-compliance, and describes security controls that most organizations can implement to mitigate this risk.
On 23 January, the European Commission announced that it had adopted an adequacy decision in relation to Japan, to enter into force immediately. The mutual agreement, which covers Japan’s 127m citizens as well as the whole of the EU, allows personal data to be transferred between Japan and the EU without the need for additional safeguards such as Standard Contractual Clauses, and creates the largest area of safe data transfers in the world.
The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the California Consumer Privacy Act (CCPA). The March 8 deadline is an extension from the previously set end-of-February deadline.
Pursuant to section 1798.185(a) of the CCPA, the California Attorney General (AG) is obligated to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA sets out seven specific areas for AG rulemaking:
The Illinois Supreme Court ruled on January 25 in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff can allege a violation of rights under the state’s Biometric Information Protection Act (BIPA) even without alleging “injury or damage beyond infringement of the rights afforded them under the law.” The court decided the issue solely as a matter of statutory construction under Illinois law. This decision will have a major impact on a number of pending BIPA lawsuits and is likely to result in increased BIPA litigation given the availability of statutory damages and attorneys’ fees under the law.
“There is a cliff, whose high and bending head looks fearfully in the confined deep. Bring me but to the very brim of it” says the blinded Earl of Gloucester in Shakespeare’s King Lear, thinking that he is at the edge of the famous white cliffs of Dover.
Right now, the whole of the UK appears to be on the same spot looking over a precipice. However, this is not the moment to be blind. As politicians struggle to find a magic formula for a prosperous Brexit, businesses are stepping up their efforts to mitigate the damage of a possible “no-deal Brexit.” The data protection community is no different.
The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the UK leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Therefore, British pragmatism demands an urgent and thorough approach to preparing for the eventuality of a no-deal Brexit.
A comprehensive action plan in this situation should consider the following:
Increasing numbers of initiatives, devices, and solutions related to the Internet of Things (IoT) are substantially impacting the development of cybersecurity and data privacy regulations throughout Asia. After the implementation of the General Data Protection Regulation (GDPR) in Europe, for example, Asian lawmakers are considering strengthening their own data protection laws. The region is also characterized by a push in a number of jurisdictions towards data localization requirements driven more by “cyber sovereignty,” national security considerations, and protectionist impulses than data protection considerations. Restrictions on the collection and free use of data may pose a challenge for IoT models, particularly if data is required to be kept onshore.
At the same time, it is clear that many Asian jurisdictions see IoT as a key driver for economic growth. A number of jurisdictions have “smart city” initiatives and interests in areas such as automotive telematics. Japan, South Korea, and China, in particular, have strong automotive sectors and are focused on maintaining technological leadership. Unmanned aerial vehicles (UAV) are also an area of focus, both in terms of the supply of vehicles and components and in terms of their deployment as part of these “smart” initiatives.
In this hoganlovells.com interview, Mark Parsons, a Hogan Lovells partner based in Hong Kong, summarizes the current status of IoT-related policies in the Asia-Pacific region and discusses changes anticipated in 2019.