On June 13, 2019, a new draft bill imposing multi-million ruble fines for infringing Russian data localization and information security laws—multiplying the maximum penalty under current law by a magnitude of 240—was submitted to the State Duma (the lower chamber of Russian Parliament). This would supplement existing fines, which we reported were previously increased in 2017.
On 6 June, 2019, the Privacy Commissioner for Personal Data issued an enforcement notice against Cathay Pacific Airways (and its affiliate Hong Kong Dragon Airlines) (together, “Cathay Pacific”) in respect of a data breach concerning unauthorized access to the personal data of some 9.4 million Cathay Pacific customers.
July is set to be a busy month in Luxembourg. On the first and second of the month, the General Court of the European Union (which is part of the Court of Justice of the European Union) will hear a case against the EU-U.S. Privacy Shield brought by three French NGOs, La Quadrature du Net, French Data Network and Fédération FDN. A week later, on 9 July, the CJEU will hear arguments in Schrems II, in which the Irish High Court has referred 11 questions relating to whether the European Commission’s Standard Contractual Clauses provide an adequate level of protection for personal data which is transferred to the US.
On May 28, 2019, the Cyberspace Administration of China released the draft Measures on the Administration of Data Security for public consultation. This Data Security Measures will be a great leap forward in China’s current data protection landscape, which mainly consists of scattered provisions contained in various pieces of legislations and standards, such as the Cyber Security Law, the E-Commerce Law, the Consumer Rights Protection Law as well as the Personal Information Security Specification, the most comprehensive yet non-binding national standard with respect to data protection. The Data Security Measures, once officially promulgated, will be the first binding administrative regulation in China to specifically and systematically set out explicit protection for personal data and important data collected and processed through the use of cyber technologies, following the effectiveness of the Cyber Security Law in 2017.
Following the one-year anniversary of the coming into effect of the GDPR, Hogan Lovells’ Privacy and Cybersecurity practice has prepared summaries of key GDPR-related developments of the past 12 months. The summaries cover regulatory guidance, enforcement actions, court proceedings, and various reports and materials.
The sky has not fallen. The Internet has not stopped working. The multi-million euro fines have not happened (yet). It was always going to be this way. A year has gone by since the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) became effective and the digital economy is still going and growing. The effect of the GDPR has been noticeable, but in a subtle sort of way. However, it would be hugely mistaken to think that the GDPR was just a fad or a failed attempt at helping privacy and data protection survive the 21st century. The true effect of the GDPR has yet to be felt as the work to overcome its regulatory challenges has barely begun. So what are the important areas of focus to achieve GDPR compliance?
Although South Africa’s first comprehensive piece of data protection legislation, the Protection of Personal Information Act, was originally signed into law in November 2013, the substantive provisions of the law have not yet taken legal effect. That is likely to change since South Africa’s data protection authority, the Information Regulator, published the final draft of its POPIA regulations in December 2018.
Clinical trials in the EU include the collection of sensitive health data from patients. Trial sponsors are obliged to reconcile their respect of regulations governing data protection with regulations governing the conduct of clinical trials. The GDPR¹ could not fully harmonize these rules since this area is already heavily regulated by public health regulations that vary between EU Member States. One of the most disconcerting areas of divergence between EU Member States is the different national positions on whether patient consent is a valid legal ground for processing personal data in clinical trials.
On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under […]
The European Data Protection Board has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law.
Eduardo Ustaran was featured on the IAPP’s Privacy Advisor Podcast to discuss latest developments of Brexit—including various potential outcomes—and how companies doing business in the United Kingdom are looking ahead to prepare post-Brexit privacy and data protection compliance practices. Eduardo also outlined the state-of-legislation of the European Union’s ePrivacy update and discussed how the anticipated regulation may develop during Romania’s term in the Presidency of the Council of the European Union.
With the deadline for a no-deal Brexit looming—the UK’s exit date from the European Union is now slated for April 12—companies certified to the EU-U.S. Privacy Shield should update their Privacy Shield privacy policies if they have not done so already to ensure that they are able to lawfully receive personal data from the UK post-Brexit.
2018 was a momentous year for data protection and cyber security regulation globally – the implementation of the European Union’s General Data Protection Regulation (GDPR) was, of course, the main event. The shockwaves of GDPR hit APAC with full force, coupled with the promulgation of an important GDPR-inspired national standard in China and the tabling of a draft data protection law in India that shares the same lineage. Rising public awareness of data protection concerns, due to the ever increasing volume and scale of cyber incidents in APAC, means that these issues are front and centre for organizations in terms of brand values, effective risk management and stewardship of increasingly valuable data assets. Our Guide provides a practical toolkit for organizations seeking to create an effective data protection and cyber security compliance program.
The President of the Personal Data Protection Office in Poland imposed a fine amounting to PLN 943,470 for failing to fulfil the company’s transparency obligations towards over six million data subjects under Article 14 of Europe’s General Data Protection Regulation. This is the first fine imposed by the Polish DPA under the GDPR and Poland’s Act on Personal Data Protection of 10 May 2018 implementing the GDPR. The decision provides some limited insights into the interpretation of the term “disproportionate effort” within the meaning of Article 14(5)(b) of the GDPR.
It’s no secret that a hot topic, perhaps the hot topic, in the European data protection world at present is the interplay between the GDPR and the e-Privacy Directive, in particular how it affects online advertising involving cookies. The European Data Protection Board recently released an opinion on this topic, and on 21 March the Court of Justice of the European Union released Advocate-General Szpunar’s opinion in the case of Planet49, which discusses the requirements for valid consent, in the context of both cookies under the e-Privacy Directive and more general data processing under the GDPR.
On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive and the General Data Protection Regulation. The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities. The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of the competences, tasks, and powers of DPAs.
On 14 March 2019, the Dutch data protection authority announced its fining structure for violations of the European General Data Protection Regulation and the Dutch law implementing the GDPR.
The European Telecommunications Standards Institute has published a new standard for cybersecurity in relation to consumer IoT products. The standard builds on the UK’s Code of Practice for Consumer IoT Security, published in October last year. The Code of Practice was developed by the UK Government following publication of a draft code as part of the Secure by Design report published by the Government in March 2018 and after consultation with industry, consumer associations, and academics. The UK Code is voluntary but the UK Government was keen to work with ETSI to develop it into a global standard.
On 7 March 2019 the Dutch Data Protection Authority published guidance that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies. Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website.
Vietnam’s new Law on Cybersecurity has garnered much attention due to its sweeping attempt to regulate online content available to internet users in Vietnam. Among its more controversial provisions are the requirements that both foreign and domestic online service providers store personal data of Vietnamese end-users in Vietnam, surrender such data to Vietnamese government authorities upon request, and supervise user posts to remove “prohibited” content (defined to include content viewed as disparaging of the Vietnamese government and/or government officials or state agencies). The law also requires offshore service providers to open branches or representative offices in Vietnam, presumably to facilitate enforcement of the Cybersecurity Law against them.
Subject to the deadlock in parliament being broken, or an extension of the Article 50 Brexit process, the UK’s 46-year European Union membership will cease in a matter of days. In the privacy world, the primary focus for most companies to date has, quite rightly, been on ensuring that data flows in and out of the UK can continue lawfully after that date. But for companies operating across Europe, and indeed across the world, with establishments or customers in the UK, Brexit also has implications in terms of the applicability of the UK data protection framework to their operations. The UK government has published its catchily-titled draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which amend the territorial applicability provisions of the UK’s Data Protection Act 2018 to ensure the law applies appropriately after the exit day.
Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.
Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.
A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm). The draft act contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.