Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: International/EU Privacy

Subscribe to International/EU Privacy RSS Feed
Posted in International/EU Privacy

Facial Recognition Challenged by French Administrative Court

In a decision dated 27 February 2020, the French Administrative Court of Marseille invalidated the deliberation of the Provence-Alpes-Côte d’Azur Regional Council which allowed to set up, on an experimental basis, a facial recognition mechanism in two high schools in order to (i) better control and speed up entry of students into the high schools and (ii) control access to premises of occasional visitors. This decision is important as this is the first administrative court decision in France about facial recognition.

Posted in International/EU Privacy

EDPB Signals Efforts on International Data Transfers as CJEU Review of Current Tools Draws Near

The European Court of Justice recently published plans to issue its much awaited decision in CJEU case C-311/18 on July 16. The ruling will impact how organizations lawfully transfer personal data from the EEA to jurisdictions not providing an “adequate” level of data protection in accordance with the GDPR. The ruling will specifically address the validity of the European Commission’s standard contractual clauses and it may also affect operation of the EU-US Privacy Shield. On May 18, the European Data Protection Board published a report on its 2019 activities that may signal whether it plans to influence further development of this area.

Posted in International/EU Privacy

Brazil Update: Congress Sends Bill Delaying LGPD Sanctions but not Effective Date to President

As previously reported, Brazilian lawmakers have been debating a delay to the LGPD, which was scheduled to come into effect August 15, 2020, in response to COVID-19. The Brazilian Senate first passed Bill 1,179/2020, and Brazil’s President later enacted Provisional Measure 959. On May 19, 2020, the Brazilian Congress sent to the President’s desk an amended Bill 1,179/2020 that would maintain the LGPD’s August 15, 2020 effective date but would delay administrative sanctions until August 1, 2021. However, if approved, the Final Bill would still allow the LGPD’s requirements to be enforced through other means.

Posted in International/EU Privacy

New Data Protection-Friendly eCommercial Model Clinical Trial Agreements Now Available

Updated versions of the UK model Clinical Trial Agreement and the Clinical Research Organisation model Clinical Trial Agreement have been published. Given the increasing importance of safe but swift clinical trials in the time of coronavirus, this post outlines the main changes introduced from a data protection perspective and what they mean for contracting parties.

Posted in International/EU Privacy

EDPB Weighs-In on Tools for Fighting the COVID-19 Health Crisis; HL Team Updates Summary of DPA Views

Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team maintains a tracker of guidance from 30+ European data protection authorities, which we are making available with this post.

Posted in International/EU Privacy

CNIL’s New Guidelines on HR Processing

The French Data Protection Authority has recently released new guidelines (French only) regarding human resources processing operations. When the GDPR became effective, the CNIL’s previous set of HR Data guidelines became out of date as they did not incorporate new law’s requirements (e.g. obligations relating to records of processing activities and Data Protection Impact Assessments). These new guidelines replace several older HR guidelines issued by the CNIL, including and in particular the well-known Simplified Norm NS-46 and the Notification Exemption for payroll, both of which are no longer applicable.

Posted in International/EU Privacy

Making COVID-19 Apps Data Protection Compliant

The role of COVID-19 contact tracing apps in the exit strategy of the current lockdown that is gripping much of the world is increasingly becoming a focus of attention. While that role is being hotly debated, it is very likely that those apps in combination with other measures will be deployed across many countries. Until now and despite the calls by influential bodies such as the European Data Protection Supervisor for a coordinated approach to the development of single COVID-19 mobile app involving the World Health Organization, different countries have adopted their own strategies.

Posted in International/EU Privacy

Dutch DPA Imposed a Controversial Fine on the Royal Dutch Tennis Association

The Dutch Data Protection Authority recently imposed a fine of EUR 525,000 on the Royal Dutch Tennis Association for sharing the personal data of its members with two of its sponsors in June 2018 on the basis of its commercial legitimate interests. In this blogpost, we describe the main implications of the Dutch DPA’s fine and interpretation of legitimate interests – which could affect processing activities of commercial organizations throughout Europe.

Posted in International/EU Privacy

Brazilian Senate Adopts COVID-19 Emergency Bill That Would Delay LGPD Implementation

In light of the pandemic crisis caused by the COVID-19, Brazilian Officials have sought to enact emergency measures to minimize its impact on regular business practices. One of the latest efforts is Bill 1,179/2020, which would, among other things, delay implementation of Brazil’s General Data Protection Law, or LGPD, until January 1, 2021 so as not to burden companies in the face of the enormous technical economic difficulties arising from the pandemic.

Posted in International/EU Privacy

Hogan Lovells Asia Pacific Data Protection and Cyber Security Guide 2020

Today’s urgent focus on COVID-19 makes it easy to forget that data protection regulation saw significant development in the APAC region through 2019, with important legislative reforms and a number of new laws. What do you need to be doing to prepare your organization for the future? Our Asia Pacific Data Protection and Cyber Security Guide 2020 (linked in this blog post) takes you through the developments and key initiatives of APAC countries and discuss the implications of an ever-shifting landscape.

Posted in International/EU Privacy

Update of Japan’s Privacy Law Approved by Cabinet

On Tuesday, March 10, the Japanese Cabinet approved a bill to revise the Act on the Protection of Personal Information, which would require companies to take certain additional measures to protect personal data of data subjects. The proposed amendment will be submitted to the ordinary session of the Diet for approval. The update comes as part of the Japanese government’s commitment to update Japan’s privacy law every three years. The last update came into force in May 2017.

Posted in International/EU Privacy

AI and the EU – A Proposal for Regulatory Reform

In February, the EU Commission announced its strategy for shaping the digital future of the bloc. This included the publication of its long-awaited white paper on the future of artificial intelligence, with proposals for introducing a regulatory framework to govern the adoption and application of AI in both the commercial and public realms.

Posted in International/EU Privacy

Coronavirus and Data Protection: Europe’s Data Protection Authorities’ Views

Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus.  Hogan Lovells’ global Privacy and Cybersecurity team has compiled the guidance from various European authorities, which we are making available with this post.

Posted in International/EU Privacy

Open Regulatory Consultations in the UK and the EU – Have Your Say

As highlighted by our new Privacy 2040 initiative, there have never been more opportunities to shape the existing and future privacy and cybersecurity legal framework. Consultations on draft guidance and surveys of various stakeholders are an important step in the production of new rules and materials, and the UK Information Commissioner’s Office and the European Data Protection Board currently have a number of open consultations. The consultation process provides an opportunity to contribute to and to influence regulatory direction. This post lists and discusses a number of consultations which are currently open.

Posted in International/EU Privacy

Hong Kong’s Reform of the Personal Data (Privacy) Ordinance (the “PDPO”): Bridging Troubled Waters

On Monday 20 January, the Constitutional and Mainland Affairs Bureau, jointly with the Privacy Commissioner for Personal Data, presented a paper outlining topics for review of the PDPO to the members of the Legislative Council Panel on Constitutional Affairs.  The CMAB and the PCPD are expected to take panel members’ feedback on the PDPO Review Paper and undertake further in-depth study of the issues with a view to making specific proposals for legislative reform in due course.

Posted in International/EU Privacy

The Future of UK Data Protection

As with anything Brexit-related, the UK government is facing a dilemma in relation to data protection law. Shall we follow the direction of travel of the past 25 years and opt for the continuity and certainty provided by the GDPR or shall we use the departure from the EU to make radical changes to the regulation of data uses and privacy? On the one hand, it would be reassuring to know that despite Brexit’s uncertainties, the current framework is here to stay and it will develop in a familiar way. On the other hand, it must be tempting to use this opportunity to completely re-think what is in the best national interest. For an area of law and policy that is so closely related to technological development and prosperity, it would be foolish not to consider whether a different formulation would lead to better outcomes. A dilemma indeed.

Posted in International/EU Privacy

AG Says ePrivacy Applies to Government Access to Communications Data

On January 15, the Court of Justice of the European Union’s (CJEU) Advocate General (AG) Manuel Campos Sánchez-Bordona delivered his Opinion on four references for preliminary rulings on the topic of retention of and access to communications data. Of the four references, two originated from France, one from Belgium, and one from the Investigatory Powers Tribunal (IPT) in the United Kingdom. The latter arose from a challenge by Privacy International to the UK Security and Intelligence Agencies’ (SIAs) powers under the Telecommunications Act 2014 and the Data Retention and Investigatory Powers Act 2014.

Posted in International/EU Privacy

Whistleblowing Schemes: New Guidelines Issued by the CNIL

The French Data Protection Authority published new Guidelines on December 10, 2019 applicable to whistleblowing schemes, following a public consultation process. The Guidelines replace the former Single Authorization AU-004, which has not applied since arrival of the General Data Protection Regulation. The CNIL has also published a useful Frequently Asked Questions webpage regarding the Guidelines. The CNIL’s new Guidelines import certain aspects of its former position on whistleblowing schemes.

Posted in International/EU Privacy

Should I Be Worried About the GDPR? – EDPB’S Guidelines on the GDPR’S Territorial Scope

Does the GDPR really apply to my company? From a data protection standpoint, this is the first thing that comes to mind within non-EU companies. In many cases, the GDPR seems like an issue of the Old Continent, so it does not affect non-EU companies. In others, companies apply the GDPR to all their processing activities just to avoid the possibility of being addressed by EU authorities. Neither decision is per se correct.

Posted in International/EU Privacy

Recent Developments on Cookies – a Pan-European Overview

In the last few months, there have been interesting developments concerning the use of cookies. Upon investigating 175 websites, the Dutch DPA concluded that half of those websites did not comply with cookie requirements. The Bavarian DPA initiated a similar investigation and the Spanish DPA has issued two fines for not complying with cookie requirements. In addition to these investigations and fines, various DPAs have published guidelines with very different interpretations. Cookie compliance seems to have become a high priority for DPAs. In this blog post, we help navigate through the EU cookie landscape by focusing on how European DPAs are approaching cookie consent and transparency in light of the Planet49 decision.

Posted in International/EU Privacy

Getting Cookie Consent Right

One could be forgiven for thinking that knowing how to comply with a legal obligation that has been in place for nearly a decade would be clear cut. However, widespread practice tells us that this is far from the truth. In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union introduced various amendments to the existing Directive 2002/58/EC (e-Privacy Directive), including to the provisions regulating the use of cookies.

Posted in International/EU Privacy

Russia Update: Law Increasing Fines for Violation of Data Protection Laws Comes Into Force

Update: On 3 December 2019 the law imposing multi-million Ruble fines for infringing Russian data localization and information security laws has come into force. Since the law has already come into force, new fines may be imposed on companies based on results of Roskomnadzor’s inspections in 2020. Roskomnadzor has already identified the entities it plans to inspect in 2020 but may initiate unplanned inspections as well based, for example, on data subject complaints or its online monitoring of company activity.