Clinical trials in the EU include the collection of sensitive health data from patients. Trial sponsors are obliged to reconcile compliance with the regulations governing data protection with compliance with the regulations governing the conduct of clinical trials. The GDPR could not fully harmonize these rules since this area is already heavily regulated by public health regulations that vary between EU Member States. One of the most disconcerting areas of divergence between EU Member States is the different national positions on whether patient consent is a valid legal ground for processing personal data in clinical trials.
Because clinical trials involve the use of “data concerning health,” controllers must cumulatively respect both the provisions of Article 6 GDPR governing the basis on which data may lawfully be processed and the conditions provided in Article 9 GDPR governing the processing of special categories of personal data, including data concerning health. A basic legal requirement that pharmaceutical and medical device companies must always respect when conducting a clinical trial is the obligation to obtain patients’ consent to their participation in clinical trials.
A number of legislative proposals seeking to amend the California Consumer Privacy Act (CCPA) are moving forward following an April 23 hearing before the California Assembly’s Committee on Privacy and Consumer Protection in which the bills were approved. The bills will now advance to the Assembly’s Appropriations Committee before being voted on by the full Assembly and potentially advancing to the California Senate for consideration.
On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under Dutch law put the Netherlands at the forefront of collective redress in Europe. The Legislation is expected to enter into force in July 2019 and will apply to events which took place on or after 15 November 2016.
The consumer industry is evolving at lightning speed, and the way consumer businesses operate is shifting. From issues in the supply chain to the digitalization of the consumer experience, companies are rapidly changing to keep up with consumer demands. Businesses in the consumer industry have seen a wave of unprecedented disruption and transformation that has made privacy and data protection issues a mainstream topic in boardrooms, amongst legislators, and across the wider public. 2019 promises challenges of similar or greater magnitude.
In this year’s edition of Consumer Horizons, the Hogan Lovells global Consumer team identifies trends that will impact food and beverage companies, fashion and luxury goods producers, retailers, consumer electronics manufacturers, and other consumer businesses throughout 2019.
The European Data Protection Board (EDPB) has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law.
The California legislature is considering significant amendments to the California Consumer Privacy Act (CCPA) ahead of the law’s January 1, 2020 implementation date. Of particular note has been the potential for CCPA amendments to expand the private right of action beyond violations of businesses’ duty to implement and maintain reasonable security procedures to instead cover violations of any CCPA right.
Eduardo Ustaran was featured on the IAPP’s Privacy Advisor Podcast to discuss the latest developments on Brexit—including various potential outcomes—and how companies doing business in the United Kingdom are looking ahead to prepare post-Brexit privacy and data protection compliance practices. Eduardo also outlined the state of legislation on the European Union’s ePrivacy update and discussed how the anticipated regulation may develop during Romania’s term in the Presidency of the Council of the European Union.
In June of 2018, California passed the California Consumer Privacy Act (CCPA), which seeks to give consumers additional safeguards regarding their personal information. The CCPA will become effective January of 2020 and may impact companies in the education sector, including the larger education technology companies.
While the CCPA does not apply to nonprofit educational institutions, it may apply to certain for-profit educational institutions, third-party service providers, and others in the education space. If an educational entity meets the threshold requirements below or it processes information on behalf of such an entity, it should prepare for CCPA implementation by January 2020.
With the deadline for a no-deal Brexit looming—the UK’s exit date from the European Union is now slated for April 12—companies certified to the EU-U.S. Privacy Shield should update their Privacy Shield privacy policies if they have not done so already to ensure that they are able to lawfully receive personal data from the UK post-Brexit.
The UK Information Commissioner’s Office (ICO) clarified this past December that existing EU adequacy decisions, including the Privacy Shield framework, would remain lawful mechanisms to export personal data outside of the UK. Since then, the U.S. Department of Commerce (DOC) has published Privacy Shield and the UK FAQs, which clarify that organizations certified to Privacy Shield will not only need to maintain their current Privacy Shield certification (including annual recertification) but also add to their public Privacy Shield commitment a separate reference to treat UK-based data transfers as subject to their Privacy Shield certification.
What is in store for data protection and cyber security regulation in Asia Pacific (APAC) in 2019?
2018 was a momentous year for data protection and cyber security regulation globally – the implementation of the European Union’s General Data Protection Regulation (GDPR) was, of course, the main event. The shockwaves of GDPR hit APAC with full force, coupled with the promulgation of an important GDPR-inspired national standard in China and the tabling of a draft data protection law in India that shares the same lineage. Rising public awareness of data protection concerns, due to the ever-increasing volume and scale of cyber incidents in APAC, means that these issues are front and centre for organizations in terms of brand values, effective risk management and stewardship of increasingly valuable data assets.