With the coming into effect of the GDPR on 25 May 2018, the modernisation of European privacy laws has reached a critical milestone. Hogan Lovells has updated our guide “Future-proofing privacy,” which aims to be a useful starting point for organisations seeking to understand the GDPR and comply with it. Twenty-four authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts, and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the new framework with a practical mindset, providing concrete suggestions for actions to take now.
Join us in June as our Cybersecurity and Privacy team discusses what breach notification looks like under the GDPR and how it will be different from breach notification in the U.S. as well as public policy trends in the cybersecurity space.
Data protection authorities set out guidelines for the application of the new EU General Data Protection Regulation. The European Data Protection Board is the joint coordination body of the EU data protection authorities. The EDPB provides guidance on the application of the EU Data Protection Regulation. With the GDPR having come into force, the EDPB thus replaces the Art. 29 Data Protection Working Party which was established under the EU Data Protection Directive and other previously applicable data protection laws.
The General Data Protection Regulation entered into force on 25 May 2018. In light of the urgency to adapt Law no. 78-17 dated 6 January 1978 to the new European Union law, the French Government has initiated an accelerated procedure. This procedure led to the adoption in final reading by the French National Assembly of the bill on personal data protection on 14 May 2018. However, some French Senators lodged a constitutional complaint against the said law on 16 May 2018.
The European Union’s General Data Protection Regulation is driving a regulatory wave to safeguard data against cyber attacks and privacy breaches, and the automobile industry will feel the impact. Autonomous and connected vehicles are essentially “rolling smart devices,” and as they enter the mainstream in the EU and United States, automakers are increasingly reliant on data for safe, efficient vehicle operations. But security and privacy concerns and penalties for regulatory noncompliance demand that manufacturers review their policies — and perspectives — on data storage and use. In this podcast, we will discuss how cybersecurity, data privacy, and ownership concerns are influencing the development of connected and autonomous vehicles.
With the GDPR about to come into effect, join our experts for a live webinar on May 23 to learn what you should be focusing on now. The GDPR becomes applicable on 25 May and will affect organisations worldwide. It is a complex and strict law with dozens of obligations which will be fiercely enforced. Getting it right will be essential for business success in the digital economy.
“European data protection rules will become a trademark people recognise and trust worldwide”. That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. Six years later, this ambitious aim is becoming a reality. Organisations from around the world and well beyond Europe are grappling with the new European General Data Protection Regulation (GDPR) and its impact on their data activities. From Australian banks and South American insurers to US universities and Asian telecoms companies, determining the applicability of the GDPR to their operations has become a critical business decision. As many global companies ponder over the right strategy to privacy compliance, a key question has emerged: which organisations, and under which circumstances, are subject to the territorial scope of the GDPR?
The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office to come into effect on 25 May 2018 to coincide with the GDPR coming into force.
Don’t miss out on key events from our Privacy and Cybersecurity team in March 2018. This month, our team will be discussing a variety of privacy and cybersecurity issues ranging from autonomous vehicle privacy to GDPR compliance. We hope you can join us!
It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare. However, even the most seasoned practitioners are at risk of being engulfed by the frantic fire-fighting mood out there. The hamster wheel of GDPR compliance is spinning faster and faster, but it is precisely now when we must look up, see the bigger picture and focus on getting the important things right.
Please join us for our Upcoming 2018 Privacy and Cybersecurity Events.
To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.
Following the European Commission and European Parliament’s proposed versions of the EU Regulation on Privacy and Electronic Communications, we are now waiting for the Council of the European Union to agree their position before discussions between the three bodies can begin. A discussion paper from the Bulgarian Presidency of the Council dated 11 January 2018 shows that the Council is still considering multiple options in relation to several critical issues.
Making predictions for the year ahead is possibly as desirable as unreliable. In a world of unlimited data and advanced science, it would be tempting to think that the future is already written. Algorithms and artificial intelligence will show us what lies ahead with immaculate accuracy. Or perhaps not. At least not yet. To say that the world is in turmoil is an understatement and the same is true of the world of privacy and data protection, which makes predicting the future particularly tricky. But since the urge to plan, budget and prepare for what is likely to happen next is so real, now is a good time to pause, reflect about what’s going on, and make some predictions for 2018.
Please join us for our November 2017 Privacy and Cybersecurity Events.
The complexity of the EU General Data Protection Regulation is often alleviated by the guidance of regulatory authorities who contribute their practical interpretation of the black letter of the law and provide welcome certainty. However, the latest draft guidelines issued by the Article 29 Working Party on automated decision-making has thrown up a particular curve ball which bears further investigation. It relates to whether Article 22(1) of the GDPR should be read as a right available to data subjects or as a straightforward prohibition for controllers.
On September 13, the U.K. government introduced in Parliament the Data Protection Bill. The main aim of the bill is to implement the General Data Protection Regulation (EU) 2016/679 into U.K. domestic law. However, as perhaps reflected in the length and complexity of the bill, it is also intended to do several other things. This post outlines key observations on the structure and content of the bill.
The Information Commissioner’s Officer ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust had failed to comply with the Data Protection Act 1998 when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today; sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation may impact the use of patient data going forward.
On September 5, the European Court of Human Rights issued a ruling in the case of Bărbulescu v. Romania that affirms employees’ right to privacy in the use of communications tools in the workplace. Although the ruling is strict, it aligns with the positions taken by the national courts of certain European Union Member States (e.g., Germany) and guidance issued by data protection authorities. And the criteria that the ECHR adopts for assessing the lawfulness of monitoring generally aligns with the requirements under the General Data Protection Regulation, which takes full effect on May 25, 2018. In our post, we summarize the ruling and identify key takeaways for companies that monitor workforce use of information systems and tools in the EU.
The German Ministry of Interior affairs has published an English translation of the new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). On 27 April 2017 the German Parliament passed the BDSG in order to make use of the opening clause provided for in the EU General Data Protection Regulation (GDPR). This bill has been controversial; see here for an interview with Jan Albrecht, Stefan Brink and Tim Wybitul.
The new BDSG replaces its national predecessor, which has been in force for the last 40 years. The new BDSG is the first step toward adapting national German member State law to the provisions of the GDPR. With an effective date of 25 May 2018, the new BDSG will also form the basis for the adaption of further German data privacy acts to the GDPR. We note that several ministries have already indicated that they are preparing specific data privacy provisions concerning special processing situations like social security data protection, and we expect these provisions to follow the implementation of the BDSG.
This overview summarizes the major implications of the BDSG for companies operating in Germany.
On 7 August 2017, the UK Department for Culture, Media and Sport published its Statement of Intent on a proposed Data Protection Bill, which will replace the current UK Data Protection Act 1998. The Bill is designed to fully implement the two new laws emanating from the EU – the General Data Protection Regulation and the Data Protection Law Enforcement Directive – in an effort to make the UK’s transition out of the EU as smooth as possible from a data protection perspective and to ensure that both commercial and law enforcement data flows ‘remain uninterrupted after the UK’s exit from the EU’.
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”. This is today’s strong statement by Her Majesty The Queen reflecting the level of priority given by the UK government to privacy and data protection. Aside from the political controversies surrounding the recent general Election and the prospect of Brexit, the Queen has confirmed that during this Parliament the government intends to pass a new Data Protection Act replacing the existing one.
The European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs commissioned a study to assess the European Commission’s draft e-Privacy Regulation, which was published in January 2017. The e-Privacy Regulation aims to harmonise privacy rules across the EU in the area of electronic communications, but the study has found that the draft e-Privacy Regulation does not as far as the GDPR in some respects. This contrasts with many other views expressed publicly, which regarded the Commission’s draft as a tightening of the GDPR regime. A central theme of the study, which was carried out by academics of the IViR Institute for Information Law, University of Amsterdam, is the need to protect privacy of correspondence regardless of medium or any other factor. The EU legislative institutions are urged to pay extra attention to four areas in which it is felt that there is insufficient protection of the right to privacy and confidentiality of communications. We explore these issues in the following post.
Please join us for our June 2017 Privacy and Cybersecurity Events.