The European Court of Justice recently published plans to issue its much awaited decision in CJEU case C-311/18 on July 16. The ruling will impact how organizations lawfully transfer personal data from the EEA to jurisdictions not providing an “adequate” level of data protection in accordance with the GDPR. The ruling will specifically address the validity of the European Commission’s standard contractual clauses and it may also affect operation of the EU-US Privacy Shield. On May 18, the European Data Protection Board published a report on its 2019 activities that may signal whether it plans to influence further development of this area.
We currently live in a world where the rapid spread of COVID-19 has provoked the urge to initiate the search for an effective vaccine or medicines to fight against it. In this context, the EDPB has recently published its Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak with the clear objective of ensuring that patients’ and trial subjects’ privacy is not disregarded while clinical trials are carried out.
Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team maintains a tracker of guidance from 30+ European data protection authorities, which we are making available with this post.
The role of COVID-19 contact tracing apps in the exit strategy of the current lockdown that is gripping much of the world is increasingly becoming a focus of attention. While that role is being hotly debated, it is very likely that those apps in combination with other measures will be deployed across many countries. Until now and despite the calls by influential bodies such as the European Data Protection Supervisor for a coordinated approach to the development of single COVID-19 mobile app involving the World Health Organization, different countries have adopted their own strategies.
Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team has compiled the guidance from various European authorities, which we are making available with this post.
As highlighted by our new Privacy 2040 initiative, there have never been more opportunities to shape the existing and future privacy and cybersecurity legal framework. Consultations on draft guidance and surveys of various stakeholders are an important step in the production of new rules and materials, and the UK Information Commissioner’s Office and the European Data Protection Board currently have a number of open consultations. The consultation process provides an opportunity to contribute to and to influence regulatory direction. This post lists and discusses a number of consultations which are currently open.
Does the GDPR really apply to my company? From a data protection standpoint, this is the first thing that comes to mind within non-EU companies. In many cases, the GDPR seems like an issue of the Old Continent, so it does not affect non-EU companies. In others, companies apply the GDPR to all their processing activities just to avoid the possibility of being addressed by EU authorities. Neither decision is per se correct.
Anonymisation has always been (and still is) a real challenge for those carrying out clinical research. To shed some light on this matter, the Medical Research Council – which is part of UK Research and Innovation – has recently published guidance on Identifiability, anonymisation and pseudonymisation. Although the guidance itself states that it has been developed with the participation of the Information Commissioner’s Office, it is not ICO-approved and so institutes and organisations should be cautious when relying on the criteria set out in the guidance.
The French Data Protection Authority has made targeted online advertising a priority topic in its 2019-2020 agenda and has changed its position on cookie consent. Although the ePrivacy Regulation is still being debated by EU legislators and is far from being finalised, the CNIL has withdrawn its 2013 cookie recommendation and announced that it will publish new guidelines (announcements are available in English on the CNIL’s website here and here). These explicitly rule out the use of implied or “soft” consent to place cookies on users’ devices.
Clinical trials in the EU include the collection of sensitive health data from patients. Trial sponsors are obliged to reconcile their respect of regulations governing data protection with regulations governing the conduct of clinical trials. The GDPR¹ could not fully harmonize these rules since this area is already heavily regulated by public health regulations that vary between EU Member States. One of the most disconcerting areas of divergence between EU Member States is the different national positions on whether patient consent is a valid legal ground for processing personal data in clinical trials.
The European Data Protection Board has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law.
On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive and the General Data Protection Regulation. The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities. The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of the competences, tasks, and powers of DPAs.
Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.
With the coming into effect of the General Data Protection Regulation (“GDPR”), those conducting clinical trials in the EU face a complex set of rules ranging from lawful grounds for processing and transparency to restrictions on data transfers and secondary uses. To assist with this task the European Commission is in the process of adopting a Q&A document on which it has sought the advice from the European Data Protection Board (“EDPB”).
On 23 January, the European Commission announced that it had adopted an adequacy decision in relation to Japan, to enter into force immediately. The mutual agreement, which covers Japan’s 127m citizens as well as the whole of the EU, allows personal data to be transferred between Japan and the EU without the need for additional safeguards such as Standard Contractual Clauses, and creates the largest area of safe data transfers in the world.
The EU General Data Protection Regulation is now a fully functioning six-month old creature, which has brought with it significant evolutionary changes. One of the most notable innovations of the new European data protection framework is its ambitious extra-territorial application. The introduction of brand new grounds for the applicability of the law was a major development. As a result, and as essential as this is, the GDPR’s territorial scope of application has become one of the most difficult issues to pin down. Therefore, the publication of the European Data Protection Board’s draft guidelines on the territorial scope of the GDPR marks an important milestone in understanding the implications of this influential framework.
The European Data Protection Board (EDPB) has recently published its Opinion on the (United Kingdom) Information Commissioner’s list of processing activities which would require a Data Protection Impact Assessment under the GDPR. In its Opinion, the EDPB appears to be moving away from the idea that processing of genetic or location data, on its own, might be enough to trigger the mandatory DPIA requirements of the GDPR. This news will perhaps come as a relief to organisations currently struggling to come to grips with the “new” DPIA process and the resources and time that it demands. But, should we be surprised by the EDPB’s Opinion and will it have a significant impact in practice on the way organisations consider and conduct DPIAs?
The draft text of the EU-UK withdrawal agreement was published by the UK Government and the European Union yesterday, providing some of the first concrete indicators of the possible direction of travel in the area of data protection. In this post, we discuss ten initial conclusions from the draft text.
The IAPP conference in Munich on 19 September 2018 provided important insights into the work and views of the European Data Protection Board. Isabelle Vereecken and Bas Van Bockel addressed key topics such as data protection impact assessments, international data transfers and the one-stop-shop principle.
Data protection authorities set out guidelines for the application of the new EU General Data Protection Regulation. The European Data Protection Board is the joint coordination body of the EU data protection authorities. The EDPB provides guidance on the application of the EU Data Protection Regulation. With the GDPR having come into force, the EDPB thus replaces the Art. 29 Data Protection Working Party which was established under the EU Data Protection Directive and other previously applicable data protection laws.
To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.