Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team maintains a tracker of guidance from 30+ European data protection authorities, which we are making available with this post.
The French Data Protection Authority has recently released new guidelines (French only) regarding human resources processing operations. When the GDPR became effective, the CNIL’s previous set of HR Data guidelines became out of date as they did not incorporate new law’s requirements (e.g. obligations relating to records of processing activities and Data Protection Impact Assessments). These new guidelines replace several older HR guidelines issued by the CNIL, including and in particular the well-known Simplified Norm NS-46 and the Notification Exemption for payroll, both of which are no longer applicable.
Update: On 3 December 2019 the law imposing multi-million Ruble fines for infringing Russian data localization and information security laws has come into force. Since the law has already come into force, new fines may be imposed on companies based on results of Roskomnadzor’s inspections in 2020. Roskomnadzor has already identified the entities it plans to inspect in 2020 but may initiate unplanned inspections as well based, for example, on data subject complaints or its online monitoring of company activity.
The European Data Protection Board has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law.
With the coming into effect of the General Data Protection Regulation (“GDPR”), those conducting clinical trials in the EU face a complex set of rules ranging from lawful grounds for processing and transparency to restrictions on data transfers and secondary uses. To assist with this task the European Commission is in the process of adopting a Q&A document on which it has sought the advice from the European Data Protection Board (“EDPB”).
Although Brazil’s new General Data Privacy Law (LGPD) significantly expands Brazil’s data protection framework and places the country among one of the few jurisdictions to provide similar data privacy protections as those offered in the European Union, the new law did not create a data protection authority. On 28 December 2018, outgoing President Michel Temer signed Medida Provisória no. 869/18, a last-minute executive order that made important changes to the LGPD and most notably created the Brazilian National Data Protection Authority (ANPD).
The General Data Protection Regulation entered into force on 25 May 2018. In light of the urgency to adapt Law no. 78-17 dated 6 January 1978 to the new European Union law, the French Government has initiated an accelerated procedure. This procedure led to the adoption in final reading by the French National Assembly of the bill on personal data protection on 14 May 2018. However, some French Senators lodged a constitutional complaint against the said law on 16 May 2018.
“European data protection rules will become a trademark people recognise and trust worldwide”. That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. Six years later, this ambitious aim is becoming a reality. Organisations from around the world and well beyond Europe are grappling with the new European General Data Protection Regulation (GDPR) and its impact on their data activities. From Australian banks and South American insurers to US universities and Asian telecoms companies, determining the applicability of the GDPR to their operations has become a critical business decision. As many global companies ponder over the right strategy to privacy compliance, a key question has emerged: which organisations, and under which circumstances, are subject to the territorial scope of the GDPR?
The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office to come into effect on 25 May 2018 to coincide with the GDPR coming into force.
Nothing challenges the effectiveness of data protection law like technological innovation. You think you have cracked a technology neutral framework and then along comes the next evolutionary step in the chain to rock the boat. It happened with the cloud. It happened with social media, with mobile, with online behavioural targeting and with the Internet of Things. And from the combination of all of that, artificial intelligence is emerging as the new testing ground. 21st century artificial intelligence relies on machine learning, and machine learning relies on…? You guessed it: Data. Artificial intelligence is essentially about problem solving and for that we need data, as much data as possible. Against this background, data privacy and cybersecurity legal frameworks around the world are attempting to shape the use of that data in a way that achieves the best of all worlds: progress and protection for individuals. Is that realistically achievable?
According to the Constitution of Mexico, the protection of personal data is a fundamental right of all Mexican citizens. Under federal law, individuals also have a right to access, change, oppose, or suppress their personal data. Although all private companies process data, some are not sufficiently familiar with Mexico’s data privacy principles and regulations, and many may not have an up-to-date assessment of their own risk of a data breach. In addition, they may not be aware that the Mexican Supreme Court’s recent shift in perspective regarding personal injury cases may herald a change in the way data privacy breaches are handled in the future. This interview explores the impact of Mexico’s data privacy regulations on private companies, discusses the unique approach of Mexican regulators to data privacy enforcement, and offers advice as to how companies can stay compliant.
The complexity of the EU General Data Protection Regulation is often alleviated by the guidance of regulatory authorities who contribute their practical interpretation of the black letter of the law and provide welcome certainty. However, the latest draft guidelines issued by the Article 29 Working Party on automated decision-making has thrown up a particular curve ball which bears further investigation. It relates to whether Article 22(1) of the GDPR should be read as a right available to data subjects or as a straightforward prohibition for controllers.
On September 13, the U.K. government introduced in Parliament the Data Protection Bill. The main aim of the bill is to implement the General Data Protection Regulation (EU) 2016/679 into U.K. domestic law. However, as perhaps reflected in the length and complexity of the bill, it is also intended to do several other things. This post outlines key observations on the structure and content of the bill.
On September 5, the European Court of Human Rights issued a ruling in the case of Bărbulescu v. Romania that affirms employees’ right to privacy in the use of communications tools in the workplace. Although the ruling is strict, it aligns with the positions taken by the national courts of certain European Union Member States (e.g., Germany) and guidance issued by data protection authorities. And the criteria that the ECHR adopts for assessing the lawfulness of monitoring generally aligns with the requirements under the General Data Protection Regulation, which takes full effect on May 25, 2018. In our post, we summarize the ruling and identify key takeaways for companies that monitor workforce use of information systems and tools in the EU.
The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments, the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised.
The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are fairly common in the UK, meaning many companies are going to have to re-think their approach to legitimising their data processing.
The Article 29 Working Party has issued a revealing statement about the so-called EU-U.S. Umbrella Agreement, which is aimed at creating a high-level data protection framework in the context of transatlantic cooperation on criminal law enforcement. As a sign of support for the deal, the Working Party welcomes the initiative to set up a general data protection framework in relation to law enforcement cooperation. In a fairly positive tone, the Working Party states that the Umbrella Agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the US, some of which were concluded before the development of the EU data protection framework.” This statement by the Working Party follows its recent announcement that it had created a working group for enforcement actions on organisations targeting several member states, which is yet another sign of the growing international ambitions of the EU data protection authorities.
Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”