The French Data Protection Authority (the CNIL) published its assessment of the first four months of GDPR and several guidelines, including one on how to make a GDPR-compliant blockchain. Since the Data Protection Act’s implementation, the CNIL has been very active in guiding French citizens on how to comply with the new legal framework and warning them about threats from new technologies.
The IAPP conference in Munich on 19 September 2018 provided important insights into the work and views of the European Data Protection Board. Isabelle Vereecken and Bas Van Bockel addressed key topics such as data protection impact assessments, international data transfers and the one-stop-shop principle.
Unless there is a political earthquake (some would say a miracle), Brexit will happen on 29 March 2019. Upon Brexit the UK will cease to be an EU Member State and become a so-called ‘third country’. As a result, UK-based organisations, which in the context of transfers of personal data to countries outside the EU have always been exporters, will become importers of data originating from the EU. This is a serious concern because transfers of personal data from the EU to third countries are severely restricted. So a key UK Government objective from day one has been to ensure that the UK is regarded as an adequate jurisdiction, which would allow unconstrained transfers of personal data from the EU. But will it be?
On September 4, Legislative Decree no. 101 of August 10, 2018 for the national implementation of the General Data Protection Regulation (EU) 2016/679 was published in the Official Journal. The Decree integrates the provisions of the GDPR that were previously left to the autonomy of the Member States, and will enter into force on September 19, 2018.
The Department for Digital, Culture, Media and Sport (‘DDCMS’) has today released guidance on “Data protection if there’s no Brexit deal”, which is part of its preparations for a “no deal” scenario when the Article 50 negotiating period comes to an end on 29 March 2019. The UK will become a “third country” on its exit from the European Union, which means that unhindered cross-border transfers of data will no longer automatically be able to take place between the UK and the EU. The guidance confirms that, given the “unprecedented alignment” between the UK and EU data protection regimes, the UK would continue to allow transfers of data from the UK to the EU at the point of exit. However, the Commission has made it clear that it would not make a decision on adequacy until the UK is a third country (that is, after 29 March 2018), and its procedure for reaching a decision typically lasts several months.
India’s Committee of Experts has submitted a draft Data Protection Bill for review by the Ministry of Electronics and Information Technology. The Bill represents an important milestone for India, which has yet to enact comprehensive, principles-based data protection regulation, lagging a trend set in recent years by Singapore, the Philippines and others in the region playing catch up to Hong Kong and Japan, which have both had such regulation in place for years now.
At the Privacy Laws and Business’ International Conference, Eduardo Ustaran evaluated the sorts of activities likely to prompt regulators into exercising their increased fining powers under the GDPR. In this post, we provide links to both a video of his presentation at the conference and a detailed report about it.
On June 28, 2018 the European Court of Human Rights decided that the German Supreme Court had correctly denied two individuals their “right to be forgotten” requests in connection with press archives relating to a 1991 murder. The German Supreme Court reasoned that the interests of the public in having access to the information outweighed the interference with the plaintiff’s privacy rights. Upon hearing the case, the ECtHR agreed and found that Germany had correctly applied the balancing test relating to right to be forgotten claims.
With the current focus on the coming into effect of the EU General Data Protection Regulation, one could (almost) be forgiven for forgetting about the question of international data flows. However, given the political and legal developments currently affecting the future of international data transfers, that would be a very serious strategic mistake. Legitimising data globalisation remains a top business priority in our uber-digitised world. The coming of age of cloud-based services, the continuous advance of mobile communications and the push by developed and developing countries to reach a global market have made international data transfers more essential than ever. At the same time, the level of regulation affecting those transfers is becoming more impenetrable and politically charged. Against this background, what are the issues that need to be taken into account to develop a solid global data flows legal strategy?
Judging by the number of calls and the intensity of the discussions about how to comply with the cookie consent requirement in a post-GDPR world, this issue has become a top worry for organisations and data protection officers. Partly due to the visibility of the mechanisms used to collect this consent, and partly due to the potential implications of operating a website without cookies, the dilemma around what solution to deploy has become a serious business decision. Different business stakeholders are often at odds with each other and matters are getting escalated to decision makers who had never been involved in the technically complex and largely misunderstood world of cookies. The tension is rising and yet, no approach has emerged as the preferred one among all involved. So everyone is getting anxious to find a way to do what they have always done and comply with the law. Is this panic justified?
2017 was a momentous year for data protection and cyber security regulation globally, and it is noteworthy how significant the developments in the Asia-Pacific region were over the course of the year. Our Asia Pacific Data Protection and Cybersecurity Guide 2018: Shifting landscapes across the Asia-Pacific region provides an overview of regional developments in 2017 and what to look out for in 2018. It features a “heat map” comparing the regulatory environments in Asia’s key jurisdictions, individual country spotlights, and a guide with considerations for businesses setting up compliance programs.
With the coming into effect of the GDPR on 25 May 2018, the modernisation of European privacy laws has reached a critical milestone. Hogan Lovells has updated our guide “Future-proofing privacy,” which aims to be a useful starting point for organisations seeking to understand the GDPR and comply with it. Twenty-four authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts, and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the new framework with a practical mindset, providing concrete suggestions for actions to take now.
Data protection authorities set out guidelines for the application of the new EU General Data Protection Regulation. The European Data Protection Board is the joint coordination body of the EU data protection authorities. The EDPB provides guidance on the application of the EU Data Protection Regulation. With the GDPR having come into force, the EDPB thus replaces the Art. 29 Data Protection Working Party which was established under the EU Data Protection Directive and other previously applicable data protection laws.
Class actions are commonplace in the United States but relatively rare in Europe. The European Union wants to change that, by facilitating class actions for mass privacy and data breaches.
The General Data Protection Regulation entered into force on 25 May 2018. In light of the urgency to adapt Law no. 78-17 dated 6 January 1978 to the new European Union law, the French Government has initiated an accelerated procedure. This procedure led to the adoption in final reading by the French National Assembly of the bill on personal data protection on 14 May 2018. However, some French Senators lodged a constitutional complaint against the said law on 16 May 2018.
“European data protection rules will become a trademark people recognise and trust worldwide”. That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. Six years later, this ambitious aim is becoming a reality. Organisations from around the world and well beyond Europe are grappling with the new European General Data Protection Regulation (GDPR) and its impact on their data activities. From Australian banks and South American insurers to US universities and Asian telecoms companies, determining the applicability of the GDPR to their operations has become a critical business decision. As many global companies ponder over the right strategy to privacy compliance, a key question has emerged: which organisations, and under which circumstances, are subject to the territorial scope of the GDPR?
The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office. It will come into effect on 25 May 2018, to coincide with the GDPR coming into force.
Recently, the Russian Data Privacy Authority, Roskomnadzor, organized an Open Doors Day in honor of the International Data Privacy Day. During the occasion, Roskomnadzor officers presented on the authority’s 2017 enforcement activities. They followed this presentation with an open question and answer period, during which they responded to numerous questions raised by attendees. This post summarizes the key takeaways.
Territoriality will continue to be one of the most vexing problems for data regulation in 2018. One aspect of this debate relates to whether a U.S. judge can compel the disclosure of personal data located in Europe without using international treaty mechanisms. This issue is currently being considered by the United States Supreme Court in the case United States v. Microsoft. The case involves the question of whether a U.S. statute relating to search warrants can be interpreted as extending to a search for data located outside the United States; in this case, the data is located in Ireland. The U.S. Court of Appeals found that, in the absence of express wording in the statute relating to extraterritorial application, the statute should be interpreted as being limited to searches conducted within the territory of the United States. The Supreme Court is currently reviewing the case. In December 2017, the European Commission filed an amicus brief urging the Supreme Court to give due consideration to the principles of international comity and territoriality when interpreting the U.S. statute.
It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare. However, even the most seasoned practitioners are at risk of being engulfed by the frantic fire-fighting mood out there. The hamster wheel of GDPR compliance is spinning faster and faster, but it is precisely now when we must look up, see the bigger picture and focus on getting the important things right.
To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.
Following the European Commission and European Parliament’s proposed versions of the EU Regulation on Privacy and Electronic Communications, we are now waiting for the Council of the European Union to agree their position before discussions between the three bodies can begin. A discussion paper from the Bulgarian Presidency of the Council dated 11 January 2018 shows that the Council is still considering multiple options in relation to several critical issues.
According to the Constitution of Mexico, the protection of personal data is a fundamental right of all Mexican citizens. Under federal law, individuals also have a right to access, change, oppose, or suppress their personal data. Although all private companies process data, some are not sufficiently familiar with Mexico’s data privacy principles and regulations, and many may not have an up-to-date assessment of their own risk of a data breach. In addition, they may not be aware that the Mexican Supreme Court’s recent shift in perspective regarding personal injury cases may herald a change in the way data privacy breaches are handled in the future. This interview explores the impact of Mexico’s data privacy regulations on private companies, discusses the unique approach of Mexican regulators to data privacy enforcement, and offers advice as to how companies can stay compliant.
Making predictions for the year ahead is possibly as desirable as it is unreliable. In a world of unlimited data and advanced science, it would be tempting to think that the future is already written. Algorithms and artificial intelligence will show us what lies ahead with immaculate accuracy. Or perhaps not. At least not yet. To say that the world is in turmoil is an understatement and the same is true of the world of privacy and data protection, which makes predicting the future particularly tricky. But since the urge to plan, budget and prepare for what is likely to happen next is so real, now is a good time to pause, reflect about what’s going on, and make some predictions for 2018.