The people of the UK have spoken and our collective choice is to leave the European Union. Some are dreading the likely tsunami of economic hardship. Others are excited about what may lie ahead. Most of us are shocked. But as numbing as the verdict of the UK electorate may be, there are crucial political, legal and economic decisions to be made. The ‘To Do’ list of the UK government will be overwhelming, not least because of the dramatic implications that each of the items on the list will have for the future of the country and indeed the world. Steering the economy will be a number one priority and with that, the direction of travel of the digital economy – which, at the end of the day, is one of the pillars of prosperity in the UK and everywhere else.
We last reported on Russia’s data localization law earlier this year when the Russian data protection authority, Roskomnadzor, released its inspection plan for 2016. Since then, Roskomnadzor has been conducting compliance inspections both according to the plan and in individual cases when it has reason to do so. The results of those inspections and recent […]
Part 12 of Future-Proofing Privacy: Security is a Critical Piece. Security is a critical piece of the data protection jigsaw. Lack of consumer confidence has been identified as a key risk for the development of the digital single market, and a series of high profile breaches has exacerbated the situation. So it was inevitable that data protection reform would need to demonstrate that regulators were serious about data security and the Regulation does this by introducing three critical changes: obligations to have appropriate security in place will apply directly to data processors for the first time; there will be mandatory reporting of data breaches to data protection authorities; and there will also be mandatory reporting of data breaches to data subjects in certain situations.
The European Commission has actively promoted the importance of mHealth following their 2014 consultation. One of the initiatives to emerge from the Commission has been the Privacy Code of Conduct for mHealth apps. The Code was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation.
Part 11 of Future-Proofing Privacy: Data Protection in the Workplace. Modern technology offers advanced technical options to monitor employee performance and conduct. Even standard IT applications may be used to control or record personnel behaviour in the workplace. Where previously the degree of employee supervision was limited by what the technology could do, rapid technological advancements mean that data protection laws are now the principal limitation in the EU. The Regulation is due to play a major role in this respect. As a consequence, employee data privacy has been one of the most hotly debated aspects of the Regulation. This area of data privacy will remain less harmonised than other fields of data protection.
Part 10 of Future-Proofing Privacy: Enforcement and the Risk of Non-Compliance. One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
Part 9 of Future-Proofing Privacy: Future-Proofing Privacy: International Data Transfers 2.0. The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses (whether those businesses are data controllers or data processors) to destinations outside the EEA. These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses or BCRs. This approach is essentially set to continue
with some variations.
Part 8 of Future-Proofing Privacy: Data Processors’ New Obligations. The Regulation will impose a number of compliance obligations and possible sanctions directly on service providers. This is a significant change as currently service providers do not have any direct obligations to comply with EU data protection law (their obligations derive from their contracts with controllers). Future proof deals being negotiated now. Controllers and processors should carefully document the responsibilities of the parties and specifically take into account the forthcoming changes when deciding on providing consent for subprocessors, pricing, security standards and risk allocation.
Part 7 of Future-Proofing Privacy: The New Accountability Regime. Accountability is about demonstrating compliance and being transparent about such compliance. The Data Protection Directive already includes a number of obligations and recommendations for data controllers which echo the accountability principle, but new obligations in the Regulation formalise the requirement. Compliance with the accountability provisions of the Regulation will entail conducting audits, implementing internal and external policies and processes, privacy impact assessments and security measures and appointing a DPO.
One of Harry Houdini’s most difficult tricks consisted of escaping from a nail-fastened and rope-bound wooden crate with manacles on his hands and feet, while submerged in New York’s East River. That feat is starting to look straightforward when compared to the prospect of lawfully exporting personal data out of the European Union. The restrictions on transfers of data to jurisdictions that do not provide an adequate level of protection have been in place for more than 20 years. And while these restrictions have not prevented the development of the digital economy, judging by this issue’s current direction of travel, we could be facing a situation from which not even the great Houdini could escape.
Part 6 of Future-Proofing Privacy: Profiling Restrictions versus Big Data. Profiling and big data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed to public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation.
Part 5 of Future-Proofing Privacy: New and Stronger Rights. The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations.
Part 4 of Future-Proofing Privacy: Justifying Data Uses – From Consent to Legitimate Interests. Currently, under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law will remain unchanged under the Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher. This is especially true with regards to consent.
Part 3 of Future-Proofing Privacy: The Concept of Personal Data Revisited. Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. At the moment the standards according to which data is considered as anonymous or pseudonymous are established by the DPAs at a national level. Once the Regulation comes into force, the requirements and the applicable regime will become more uniform and this will provide greater legal certainty. Genetic data and biometric data are also both defined for the first time.
Part 2 of Future-Proofing Privacy: Scope of the Application of the Law. It is absolutely crucial for organisations to know if they are or are not subject to the Regulation. Since the Regulation strengthens data protection principles, requires organisations to demonstrate compliance and ushers in greater enforcement powers for regulators, it is essential for all organisations, public and private, local, national or global, to understand in what circumstances the Regulation will apply to their use of personal data. Unlike EU ‘directives’, EU ‘regulations’ are by nature directly effective in EU Member States and so do not require further implementation into national laws. Previously, European data protection law was governed by the Data Protection Directive. It was the responsibility of Member States to implement the Data Protection Directive into their national law. When the Regulation becomes law, it will apply immediately throughout the EU due to its direct effect. As a consequence, national data protection acts will cease to be relevant for all matters falling within the scope of the Regulation.
Debated in Parliament since 9 December 2015, the French Digital Bill was subject to a Senate vote on 3 May 2016, two weeks before publication of the General Data Protection Regulation (GDPR) in the EU’s Official Journal. The Digital Bill as voted for by the French Senate on 3 May 2016 includes a data localization […]