In a decision dated 27 February 2020, the French Administrative Court of Marseille invalidated the deliberation of the Provence-Alpes-Côte d’Azur Regional Council which allowed the setting up, on an experimental basis, of a facial recognition mechanism in two high schools in order to (i) better control and speed up entry of students into the high schools and (ii) control occasional visitors’ access to the premises. This decision is important as this is the first administrative court decision in France about facial recognition.
The European Court of Justice recently published plans to issue its much-awaited decision in CJEU case C-311/18 on July 16. The ruling will impact how organizations lawfully transfer personal data from the EEA to jurisdictions not providing an “adequate” level of data protection in accordance with the GDPR. The ruling will specifically address the validity of the European Commission’s standard contractual clauses and it may also affect operation of the EU-US Privacy Shield. On May 18, the European Data Protection Board published a report on its 2019 activities that may signal whether it plans to influence further development of this area.
As previously reported, Brazilian lawmakers have been debating a delay to the LGPD, which was scheduled to come into effect August 15, 2020, in response to COVID-19. The Brazilian Senate first passed Bill 1,179/2020, and Brazil’s President later enacted Provisional Measure 959. On May 19, 2020, the Brazilian Congress sent to the President’s desk an amended Bill 1,179/2020 that would maintain the LGPD’s August 15, 2020 effective date but would delay administrative sanctions until August 1, 2021. However, if approved, the Final Bill would still allow the LGPD’s requirements to be enforced through other means.
Updated versions of the UK model Clinical Trial Agreement and the Clinical Research Organisation model Clinical Trial Agreement have been published. Given the increasing importance of safe but swift clinical trials in the time of coronavirus, this post outlines the main changes introduced from a data protection perspective and what they mean for contracting parties.
On April 29, the Brazilian Federal Government issued an executive order, Provisional Measure, which would postpone the implementation of the LGPD until May 3, 2021 if approved by Brazil’s legislature in the next couple of weeks.
Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team maintains a tracker of guidance from 30+ European data protection authorities, which we are making available with this post.
The French Data Protection Authority has recently released new guidelines (French only) regarding human resources processing operations. When the GDPR became effective, the CNIL’s previous set of HR Data guidelines became out of date as they did not incorporate the new law’s requirements (e.g. obligations relating to records of processing activities and Data Protection Impact Assessments). These new guidelines replace several older HR guidelines issued by the CNIL, including and in particular the well-known Simplified Norm NS-46 and the Notification Exemption for payroll, both of which are no longer applicable.
The role of COVID-19 contact tracing apps in the exit strategy of the current lockdown that is gripping much of the world is increasingly becoming a focus of attention. While that role is being hotly debated, it is very likely that those apps in combination with other measures will be deployed across many countries. Until now and despite the calls by influential bodies such as the European Data Protection Supervisor for a coordinated approach to the development of a single COVID-19 mobile app involving the World Health Organization, different countries have adopted their own strategies.
The Dutch Data Protection Authority recently imposed a fine of EUR 525,000 on the Royal Dutch Tennis Association for sharing the personal data of its members with two of its sponsors in June 2018 on the basis of its commercial legitimate interests. In this blogpost, we describe the main implications of the Dutch DPA’s fine and interpretation of legitimate interests – which could affect processing activities of commercial organizations throughout Europe.
In light of the pandemic crisis caused by COVID-19, Brazilian officials have sought to enact emergency measures to minimize its impact on regular business practices. One of the latest efforts is Bill 1,179/2020, which would, among other things, delay implementation of Brazil’s General Data Protection Law, or LGPD, until January 1, 2021 so as not to burden companies in the face of the enormous technical and economic difficulties arising from the pandemic.
Today’s urgent focus on COVID-19 makes it easy to forget that data protection regulation saw significant development in the APAC region through 2019, with important legislative reforms and a number of new laws. What do you need to be doing to prepare your organization for the future? Our Asia Pacific Data Protection and Cyber Security Guide 2020 (linked in this blog post) takes you through the developments and key initiatives of APAC countries and discusses the implications of an ever-shifting landscape.
On Tuesday, March 10, the Japanese Cabinet approved a bill to revise the Act on the Protection of Personal Information, which would require companies to take certain additional measures to protect personal data of data subjects. The proposed amendment will be submitted to the ordinary session of the Diet for approval. The update comes as part of the Japanese government’s commitment to update Japan’s privacy law every three years. The last update came into force in May 2017.
In February, the EU Commission announced its strategy for shaping the digital future of the bloc. This included the publication of its long-awaited white paper on the future of artificial intelligence, with proposals for introducing a regulatory framework to govern the adoption and application of AI in both the commercial and public realms.
Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team has compiled the guidance from various European authorities, which we are making available with this post.
On January 17, the Belgian Data Protection Authority published Recommendation no 01/2020 providing guidance on direct marketing. The Recommendation provides a methodology on how to comply with the General Data Protection Regulation when conducting direct marketing.
As highlighted by our new Privacy 2040 initiative, there have never been more opportunities to shape the existing and future privacy and cybersecurity legal framework. Consultations on draft guidance and surveys of various stakeholders are an important step in the production of new rules and materials, and the UK Information Commissioner’s Office and the European Data Protection Board currently have a number of open consultations. The consultation process provides an opportunity to contribute to and to influence regulatory direction. This post lists and discusses a number of consultations which are currently open.
On Monday 20 January, the Constitutional and Mainland Affairs Bureau, jointly with the Privacy Commissioner for Personal Data, presented a paper outlining topics for review of the PDPO to the members of the Legislative Council Panel on Constitutional Affairs. The CMAB and the PCPD are expected to take panel members’ feedback on the PDPO Review Paper and undertake further in-depth study of the issues with a view to making specific proposals for legislative reform in due course.
As with anything Brexit-related, the UK government is facing a dilemma in relation to data protection law. Shall we follow the direction of travel of the past 25 years and opt for the continuity and certainty provided by the GDPR or shall we use the departure from the EU to make radical changes to the regulation of data uses and privacy? On the one hand, it would be reassuring to know that despite Brexit’s uncertainties, the current framework is here to stay and it will develop in a familiar way. On the other hand, it must be tempting to use this opportunity to completely re-think what is in the best national interest. For an area of law and policy that is so closely related to technological development and prosperity, it would be foolish not to consider whether a different formulation would lead to better outcomes. A dilemma indeed.
On January 15, the Court of Justice of the European Union’s (CJEU) Advocate General (AG) Manuel Campos Sánchez-Bordona delivered his Opinion on four references for preliminary rulings on the topic of retention of and access to communications data. Of the four references, two originated from France, one from Belgium, and one from the Investigatory Powers Tribunal (IPT) in the United Kingdom. The latter arose from a challenge by Privacy International to the UK Security and Intelligence Agencies’ (SIAs) powers under the Telecommunications Act 2014 and the Data Retention and Investigatory Powers Act 2014.
The French Data Protection Authority published new Guidelines on December 10, 2019 applicable to whistleblowing schemes, following a public consultation process. The Guidelines replace the former Single Authorization AU-004, which has not applied since the arrival of the General Data Protection Regulation. The CNIL has also published a useful Frequently Asked Questions webpage regarding the Guidelines. The CNIL’s new Guidelines import certain aspects of its former position on whistleblowing schemes.
Does the GDPR really apply to my company? From a data protection standpoint, this is the first thing that comes to mind within non-EU companies. In many cases, the GDPR seems like an issue of the Old Continent, so it does not affect non-EU companies. In others, companies apply the GDPR to all their processing activities just to avoid the possibility of being addressed by EU authorities. Neither decision is per se correct.
Update: On 3 December 2019 the law imposing multi-million Ruble fines for infringing Russian data localization and information security laws came into force. Since the law has already come into force, new fines may be imposed on companies based on results of Roskomnadzor’s inspections in 2020. Roskomnadzor has already identified the entities it plans to inspect in 2020 but may initiate unplanned inspections as well based, for example, on data subject complaints or its online monitoring of company activity.