Right now, the whole of the U.K. appears to be on the same spot looking over a precipice. However, this is not the moment to be blind. As politicians struggle to find a magic formula for a prosperous Brexit, businesses are stepping up their efforts to mitigate the damage of a possible “no-deal Brexit.” The data protection community is no different. The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the U.K. leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Therefore, British pragmatism demands an urgent and thorough approach to preparing for the eventuality of a no-deal Brexit.
The draft text of the EU-UK withdrawal agreement was published by the UK Government and the European Union yesterday, providing some of the first concrete indicators of the possible direction of travel in the area of data protection. In this post, we discuss ten initial conclusions from the draft text.
Unless there is a political earthquake (some would say a miracle) Brexit will happen on 29 March 2019. Upon Brexit the UK will cease to be an EU Member State and become a so-called ‘third country’. As a result, UK-based organisations, which in the context of transfers of personal data to countries outside the EU have always been exporters, will become importers of data originating from the EU. This is a serious concern because transfers of personal data from the EU to third countries are severely restricted. So a key UK Government objective from day one has been to ensure that the UK is regarded as an adequate jurisdiction, which would allow unconstrained transfers of personal data from the EU. But will it be?
On September 4, the Legislative Decree no. 101 of August 10, 2018 for the national implementation of General Data Protection Regulation (EU) 2016/679 was published in the Official Journal. The Decree integrates the provisions of the GDPR, that were previously left to the autonomy of the Member States and will enter into force on September 19, 2018.
After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. In addition, new questions will no doubt emerge. Here is an overview of the privacy challenges that lie ahead and what can be done about them.
The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive. The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader territorial reach and applies generally to the provision of electronic communications services to end users in the EU and to the use of such services. It is also concerned with the protection information related to the devices of end users located in the EU.
Thank you to everyone who participated in last week’s webinar “Privacy Shield: What You Need to Know,” in which we explored how companies demonstrate compliance with the Privacy Shield principles, what it takes to move from Safe Harbor to Privacy Shield, and more. A copy of the slide deck and recorded webinar are now available on our blog.
With attention to connected car cybersecuity issues increasing globally, the European Union Agency for Network and Information Security is leading the EU’s first bloc-wide initiative to identify cybersecurity rules of the road for connected cars. On July 13, ENISA announced a study aimed at creating a comprehensive list of cybersecurity policies, tools, standards, and measures to enhance security in next-generation automobiles.
At the Plenary Session held on July 6th, 2016 in Strasbourg, the European Parliament adopted a position agreed with by the Council on a Directive on common rules of security of network and information systems across the EU on its second reading.
The people of the UK have spoken and our collective choice is to leave the European Union. Some are dreading the likely tsunami of economic hardship. Others are excited about what may lie ahead. Most of us are shocked. But as numbing as the verdict of the UK electorate may be, there are crucial political, legal and economic decisions to be made. The ‘To Do’ list of the UK government will be overwhelming, not least because of the dramatic implications that each of the items on the list will have for the future of the country and indeed the world. Steering the economy will be a number one priority and with that, the direction of travel of the digital economy – which, at the end of the day, is one of the pillars of prosperity in the UK and everywhere else.
The European Commission has actively promoted the importance of mHealth following their 2014 consultation. One of the initiatives to emerge from the Commission has been the Privacy Code of Conduct for mHealth apps. The Code was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation.
Part 3 of Future-Proofing Privacy: The Concept of Personal Data Revisited. Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. At the moment the standards according to which data is considered as anonymous or pseudonymous are established by the DPAs at a national level. Once the Regulation comes into force, the requirements and the applicable regime will become more uniform and this will provide greater legal certainty. Genetic data and biometric data are also both defined for the first time.
The thing about referendums is that the consequences of one outcome or another are likely to be rather disparate. If Brexit turns out to be rejected by the majority of the UK electorate, we will simply carry on as normal – quietly enjoying the benefits of the European Union whilst moaning about the threat that […]
Significant changes are afoot for processors. With the text of the European Union General Data Protection Regulation now published, processors will need to begin to acclimatise to the new regime under the GDPR. Although the GDPR still places the lion’s share of compliance responsibilities on controllers, it also extends direct application of the law to processors and renders them subject to fines, in an effort to allocate responsibility between the parties.
On February 29, 2016 and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, as it describes more specifically the measures that organizations wishing to use the Privacy Shield must implement. Importantly, the Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals.
A bill, passed by the French National Assembly on 26th January 2016, and now before the French Senate, would amend Article 47 of the French Data Protection Act to give the French Data Protection Authority (the CNIL) the power to impose penalties for breaches of data protection law of up to 20 million euros or up to 4% of an organization’s total worldwide annual turnover (the Digital Republic Bill). Up until now, the CNIL could only issue penalties of up to 150 000 euros.
To say that the EU General Data Protection Regulation (GDPR) will change the existing data protection framework in Europe is an understatement. After an intense legislative process of more than 4 years, an ambitious, complex and strict new law that is set to transform the way in which personal information is collected, shared and used globally. Eduardo Ustaran highlights the GDPR’s significant changes in this article published in the Privacy and Data Protection Journal.
The EU General Data Protection Regulation has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.
A legal tsunami of overwhelming proportions. A ground breaking piece of legislation. A sweeping digital-privacy regime. A strict new legal framework that will have ripple effects globally. These are all hyperbolic expressions used to describe the impact of the newly agreed EU General Data Protection Regulation (GDPR). Anyone who has read and digested the GDPR […]
At a trialogue meeting on December 7, the Luxembourg Presidency of the Council of the European Union reached agreement with the European Parliament on common rules to strengthen network and information security (NIS) across the EU. The new directive will set out the first ever EU-wide cybersecurity obligations for operators of essential services and digital […]
The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach to its highest point, but once the European Court of Justice ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey. At the same time, the Commission’s intervention is helpful in terms of the decision-making process that many organisations—for which transatlantic transfers are vital—are trying to grapple with.
On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that companies should rely on “alternative tools” for authorizing data flows to third countries like the United States.
The US privacy framework is under attack from officials in the EU following revelations about NSA surveillance. Yesterday, US Department of Commerce General Counsel Cameron Kerry delivered his valedictory address before his departure from his position next week, and focused both on the progress made by the Obama Administration in privacy and offered the strongest […]
According to reports by the German business newspaper Handelsblatt, the German data protection commissioners have sent a letter to the German chancellor Angela Merkel, asking her to push the European Union to suspend the U.S. – EU Safe Harbor regime because of the recently disclosed NSA activities. This letter dates from July 23 and is signed […]