On October 17, the Spanish data protection authority published the Guide to Privacy by Design. While Privacy by Design first became a legal requirement in the EU with implementation of the General Data Protection Regulation, it is a well-known concept among privacy professionals that dates back to the 1990s. PbD should be construed as “the need to consider privacy and the principles of data protection from the inception of any type of processing.” It is a concept focused on risk management and accountability that aims to incorporate privacy protections throughout the life cycle of systems, services, products, and processes. It involves the application of measures for privacy protection among all business processes and practices associated to personal data.
On 9 July 2019 the UK data protection authority updated its Data Sharing Code of Practice (first published in 2011). On the same day, the ICO also announced its intention to fine Marriott International just over £99m for infringements of the General Data Protection Regulation, highlighting the importance of due diligence in the context of data sharing.
The President of the Personal Data Protection Office in Poland imposed a fine amounting to PLN 943,470 for failing to fulfil the company’s transparency obligations towards over six million data subjects under Article 14 of Europe’s General Data Protection Regulation. This is the first fine imposed by the Polish DPA under the GDPR and Poland’s Act on Personal Data Protection of 10 May 2018 implementing the GDPR. The decision provides some limited insights into the interpretation of the term “disproportionate effort” within the meaning of Article 14(5)(b) of the GDPR.
On 7 March 2019 the Dutch Data Protection Authority published guidance that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies. Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website.
Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.
The IAPP conference in Munich on 19 September 2018 provided important insights into the work and views of the European Data Protection Board. Isabelle Vereecken and Bas Van Bockel addressed key topics such as data protection impact assessments, international data transfers and the one-stop-shop principle.
With the coming into effect of the GDPR on 25 May 2018, the modernisation of European privacy laws has reached a critical milestone. Hogan Lovells has updated our guide “Future-proofing privacy,” which aims to be a useful starting point for organisations seeking to understand the GDPR and comply with it. Twenty-four authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts, and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the new framework with a practical mindset, providing concrete suggestions for actions to take now.
The Information Commissioner’s Officer ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust had failed to comply with the Data Protection Act 1998 when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today; sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation may impact the use of patient data going forward.
You may not have noticed it, but despite all of the distractions caused by Brexit and the General Data Protection Regulation (Regulation (EU) 2016/679), the UK Information Commissioner’s Office has been extremely active on the enforcement front in recent times. One of the features of this activity has been the variety of infringements targeted and, in particular, the focus on e-mail marketing. More specifically, the ICO has taken enforcement action by way of monetary penalties against well-known consumer brands such as Flybe, Honda, Morrisons and Moneysupermarket, for practices that might not have been seen as so out of order in the past. However, given the current tough stance taken by the ICO in connection with direct marketing practices, it would not be surprising to see future enforcement actions in this area.
On 7 August 2017, the UK Department for Culture, Media and Sport published its Statement of Intent on a proposed Data Protection Bill, which will replace the current UK Data Protection Act 1998. The Bill is designed to fully implement the two new laws emanating from the EU – the General Data Protection Regulation and the Data Protection Law Enforcement Directive – in an effort to make the UK’s transition out of the EU as smooth as possible from a data protection perspective and to ensure that both commercial and law enforcement data flows ‘remain uninterrupted after the UK’s exit from the EU’.
Last week, the UK’s Information Commissioner’s Office published a monetary penalty notice, which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
The Polish Data Protection Authority has just released its inspection plans for 2017. This year, the GIODO has decided to target its review of compliance with data protection laws on the health services sector, as well as on the consumer sector, with particular attention to certain profiling activities taking place in stores and shopping malls.
Earlier this week, Bret Cohen and Sian Rudgard from the Hogan Lovells Privacy & Cybersecurity practice were interviewed as follows by Varonis’ The Inside Out Security Blog about data security requirements in the EU General Data Protection Regulation.
Part 12 of Future-Proofing Privacy: Security is a Critical Piece. Security is a critical piece of the data protection jigsaw. Lack of consumer confidence has been identified as a key risk for the development of the digital single market, and a series of high profile breaches has exacerbated the situation. So it was inevitable that data protection reform would need to demonstrate that regulators were serious about data security and the Regulation does this by introducing three critical changes: obligations to have appropriate security in place will apply directly to data processors for the first time; there will be mandatory reporting of data breaches to data protection authorities; and there will also be mandatory reporting of data breaches to data subjects in certain situations.
Part 10 of Future-Proofing Privacy: Enforcement and the Risk of Non-Compliance. One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach to its highest point, but once the European Court of Justice ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey. At the same time, the Commission’s intervention is helpful in terms of the decision-making process that many organisations—for which transatlantic transfers are vital—are trying to grapple with.
On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that companies should rely on “alternative tools” for authorizing data flows to third countries like the United States.
On Tuesday November 3, the Spanish data protection authority, Agencia Española de Protección de Datos, sent a letter all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies. The letter warns companies that because Safe Harbor certifications are no longer recognized as valid, they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the United States. In particular, the AEPD is requiring of all companies that received the letter to inform it not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.
The mobile Health sector is rapidly developing and revolutionising the healthcare market. More and more consumers share information such as medical and physiological conditions, lifestyles, daily activity and geolocation via all kinds of health-related mobile applications and devices. The growing success of mHealth, however, inevitably casts a spotlight on compliance with privacy protection laws. Data protection agencies and supervisory bodies in the EU recently raised concerns about the collection, processing and use of customers’ data by mHealth apps and mobile devices. This blog introduces the key hot spots involving mHealth and data protection laws, before we dig deeper on other issues in a series of consecutive posts on this blog in the upcoming weeks.
It’s been a long way and the task is not over yet. However, there is light at the end of the EU data protection reform tunnel. The modernisation of European privacy laws has reached a critical milestone and we can now safely assume that this process will culminate in a radical new framework in a matter of months. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
On January 27, the European Agency for Fundamental Rights, an official agency of the European Union, released its report on Access to Data Protection Remedies in EU Member States. As detailed below, the FRA concluded that redress mechanisms for data protection violations in the EU need improvement. More specifically, the FRA found that data protection authorities do not have sufficient powers or resources, there are not enough judges and lawyers with adequate knowledge of data protection issues, civil society organizations (e.g., consumer interest and privacy advocacy groups) have difficulty bringing suits on behalf of victims of data protection breaches, the costs and burdens of proof associated with data protection suits are too high, and Europeans lack awareness of remedies for data protection violations.
On 16 October 2013, the Polish Ministry of Economy published draft amendments to Poland’s data protection law, the Polish Act of 29 August 1997 on the Protection of Personal Data (“PPD”), aimed at easing administrative obligations regarding the compulsory hiring of data protection officers and registration of data filing systems with the Polish Data Protection Authority (“DPA”). Under the proposed legislation, companies would have the flexibility to decide whether to appoint an administrator of information security (“AIS”), currently a legal requirement. A data controller regulated under the PPD would be able to strategically choose whether to appoint an AIS, a move that would increase its compliance obligations and the company’s visibility to regulators in return for reduced external filing obligations.
At this week’s IAPP Privacy Academy in Seattle, Washington, Harriet Pearson, Partner in the Hogan Lovells Privacy and Information Practice, hosted a breakout session entitled How to work with Your European Data Protection Authority. The Session featured Billy Hawkes, Data Protection Commissioner of Ireland, and focused on providing privacy practitioners with practical advice on how to approach a Data Protection Authority (DPA) and earn their trust. The session also addressed practical compliance questions for European markets, gave advice on making successful regulatory filings, and gave tips for handling complaints and other challenging situations.
Elisabethann Wright, a Partner in our Brussels Office, presented at the 33d International Congress of Data Protection and Privacy Commissioners in Mexico City last week. In this entry, she shares some reflections from her participation.