Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of increasing GDPR sanctions and fines in Germany in the near future.
Tag Archives: EU General Data Protection Regulation
An Approach for Setting Administrative Fines Under the GDPR
Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.
Poland: Credit Scoring in Danger?
A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm). The draft act contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.
EDPB Advises on Lawful Grounds for Processing Personal Data in Clinical Trials
With the coming into effect of the General Data Protection Regulation (“GDPR”), those conducting clinical trials in the EU face a complex set of rules ranging from lawful grounds for processing and transparency to restrictions on data transfers and secondary uses. To assist with this task the European Commission is in the process of adopting a Q&A document on which it has sought the advice from the European Data Protection Board (“EDPB”).
Brexit – A Data Protection Action Plan
Right now, the whole of the U.K. appears to be on the same spot looking over a precipice. However, this is not the moment to be blind. As politicians struggle to find a magic formula for a prosperous Brexit, businesses are stepping up their efforts to mitigate the damage of a possible “no-deal Brexit.” The data protection community is no different. The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the U.K. leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Therefore, British pragmatism demands an urgent and thorough approach to preparing for the eventuality of a no-deal Brexit.
Privacy, Cybersecurity, and the Internet of Things in Asia: What to Expect in 2019
In this hoganlovells.com interview, Mark Parsons, a Hogan Lovells partner based in Hong Kong, summarizes the current status of IoT-related policies in the Asia-Pacific region and discusses changes anticipated in 2019.
Are You Ready for Brazil’s New Data Protection Law?
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on 15 February 2020. The new data protection law significantly improves Brazil’s existing legal framework by regulating the use of personal data by the public and private sectors. Very similar to the General Data Protection Regulation (“GDPR”) implemented in the European Union, the LGPD imposes strict regulations on the collection, use, processing, and storage of electronic and physical personal data. In conjunction with the passing of the LGPD, the National Data Protection Authority will be created in order to adequately implement the new legislation.
UK Government Aims for Data Protection Continuity Despite No Deal Brexit Prospect
Amid the constitutional and political uncertainties surrounding the Brexit process, the UK Government has provided welcome assurance on the data protection front. Guidance issued by the Department for Digital, Culture, Media & Sport (DCMS) confirms how UK data protection law will work in the event the UK leaves the EU without a deal. Whilst the Government still regards a No Deal Brexit as “unlikely”, given the extremely severe implications of that scenario for transfers of personal data into and out of the UK, the DCMS confirmation is hugely helpful in terms of the preparations needed for that eventuality.
EDPB’s Common Sense Approach to the GDPR’s Territorial Scope
The EU General Data Protection Regulation is now a fully functioning six-month old creature, which has brought with it significant evolutionary changes. One of the most notable innovations of the new European data protection framework is its ambitious extra-territorial application. The introduction of brand new grounds for the applicability of the law was a major development. As a result, and as essential as this is, the GDPR’s territorial scope of application has become one of the most difficult issues to pin down. Therefore, the publication of the European Data Protection Board’s draft guidelines on the territorial scope of the GDPR marks an important milestone in understanding the implications of this influential framework.
DP Impact Assessments: EDPB Differs Slightly from ICO Position
The European Data Protection Board (EDPB) has recently published its Opinion on the (United Kingdom) Information Commissioner’s list of processing activities which would require a Data Protection Impact Assessment under the GDPR. In its Opinion, the EDPB appears to be moving away from the idea that processing of genetic or location data, on its own, might be enough to trigger the mandatory DPIA requirements of the GDPR. This news will perhaps come as a relief to organisations currently struggling to come to grips with the “new” DPIA process and the resources and time that it demands. But, should we be surprised by the EDPB’s Opinion and will it have a significant impact in practice on the way organisations consider and conduct DPIAs?
Busting the Myth: Compliance with the ‘Gold Standard’ of the GDPR Does Not Buy You a ‘Free Pass’ Under China’s New Personal Information Guidelines
On December 29, 2017, the Standardization Administration of China, jointly with the PRC General Administration of Quality Supervision, Inspection and Quarantine, issued the Information Security Technology – Personal Information Security Specification, which officially came into effect on May 1, 2018. The Specification has, in very practical terms, become an important point of reference in evaluating the complex overlay of data protection compliance requirements found in the Cyber Security Law, the Law on the Protection of Consumer Rights and Interests, the e-Commerce Law and other enactments and measures.
Insights from EU Data Protection Regulators – Update from Munich
The IAPP conference in Munich on 19 September 2018 provided important insights into the work and views of the European Data Protection Board. Isabelle Vereecken and Bas Van Bockel addressed key topics such as data protection impact assessments, international data transfers and the one-stop-shop principle.
California Consumer Privacy Act: The Challenge Ahead – A Comparison of 10 Key Aspects of The GDPR and The CCPA
As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program will not automatically meet the requirements of the CCPA. As businesses begin their CCPA compliance efforts, awareness of these laws’ similarities and differences will be key to creating efficient and effective compliance programs that capitalize on prior GDPR compliance work but also address the unique nuances of the CCPA.
California Consumer Privacy Act: The Challenge Ahead — Data Mapping and the CCPA
The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.
Will the UK Meet the EU Adequacy Test?
Unless there is a political earthquake (some would say a miracle) Brexit will happen on 29 March 2019. Upon Brexit the UK will cease to be an EU Member State and become a so-called ‘third country’. As a result, UK-based organisations, which in the context of transfers of personal data to countries outside the EU have always been exporters, will become importers of data originating from the EU. This is a serious concern because transfers of personal data from the EU to third countries are severely restricted. So a key UK Government objective from day one has been to ensure that the UK is regarded as an adequate jurisdiction, which would allow unconstrained transfers of personal data from the EU. But will it be?
California Consumer Privacy Act: The Challenge Ahead — Key Terms in the CCPA
Words matter. Nowhere is this truer than in legislation, where word choices—often the product of long debate and imperfect compromise—determine the scope and impact of a law. Legislative history can speak volumes about those word choices, and the unique legislative history of the California Consumer Privacy Act of 2018 (CCPA) only highlights the importance of understanding the terms used in the act. We thus focus here on discussing some of the CCPA’s key definitional terms.
GDPR Italian Implementing Decree Has Been Published
On September 4, the Legislative Decree no. 101 of August 10, 2018 for the national implementation of General Data Protection Regulation (EU) 2016/679 was published in the Official Journal. The Decree integrates the provisions of the GDPR, that were previously left to the autonomy of the Member States and will enter into force on September 19, 2018.
Data Protection in the Event of a “No Deal Brexit”
The Department for Digital, Culture, Media and Sport (‘DDCMS’) has today released guidance on “Data protection if there’s no Brexit deal”, which is part of its preparations for if there is a “no deal” scenario when the Article 50 negotiating period comes to an end on 29 March 2019. The UK will become a “third country” on its exit from the European Union, which means that unhindered cross-border transfers of data will no longer automatically be able to take place between the UK and the EU. The guidance confirms that, given the “unprecedented alignment” between the UK and EU data protection regimes, the UK would continue to allow transfers of data from the UK to the EU at the point of exit. However, the Commission has made it clear that they would not make a decision on adequacy until the UK is a third country (that is, after 29 March 2018), and its procedure for reaching a decision typically lasts several months.
California Consumer Privacy Act: The Challenge Ahead — Introduction to Hogan Lovells’ Blog Series
We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
Who Will Get the First Big GDPR Fine and How to Avoid It?
At the Privacy Laws and Business’ International Conference, Eduardo Ustaran evaluated the sorts of activities likely to prompt regulators into exercising their increased fining powers under the GDPR. In this post, we provide links to both a video of his presentation at the conference as well as a detailed report about his presentation.
Why the GDPR is Good News for Business
Not many people will remember this but in 2008, Richard Thomas, the former UK Information Commissioner caused a fairly dramatic stir in the privacy world – at least among policy makers and fellow regulators – by unashamedly proclaiming that European data protection law was outdated and ineffective to address the technological and privacy challenges of the 21st century. At first, this was regarded by some as an embarrassing admission that could not possibly be right. But only two years later, the European Commission started a process of wholesale legislative reform that culminated with the adoption of the EU General Data Protection Regulation in April 2016. We all know by now that the GDPR is the result of many political and regulatory compromises caused by the precarious balance created by the various forces at play – the unstoppable development of technology, the increasing value of data, the urgent need to protect people’s digital lives, and the prosperity of Europe and the rest of the work.