After a long period of negotiation, the United Kingdom (UK) and the European Union (EU) have reached a deal on the sharing of personal data, only a few days before the end of the Brexit transition period.

The agreed trade deal allows for the continued free flow of personal data from the EU to the UK for a maximum of six months after the transition period expires. During that time, the UK hopes that the European Commission will issue an adequacy decision in relation to the UK, thus allowing the free flow of personal data to continue beyond the six months. In relation to transfers of personal data outside the UK, the UK has already deemed adequate the 30 EU/European Economic Area countries and the 12 countries that have received EU adequacy decisions, as mentioned in our previous blog post (available here).

Background

On October 23, 2019, the European Commission (EC) released its report on a third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transfers in the context of the Privacy Shield, there are some gaps between the expectations of the EC and U.S. authorities, particularly in relation to the lack of transparency concerning U.S. enforcement activities and a lack of co-operation between regulators. You can read our summary on the report via this link.

On Thursday, January 9, 2020, members of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) met representatives of the EC and European Data Protection Board to discuss the EC’s 2019 report on the Privacy Shield (link accessible here). An interesting question was raised: Would it be possible for the EC to recognize a single state, e.g., a U.S. state such as California, as an adequate territory for transfers of personal data?

On 7 June 2019, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Network and Information Security) and on information and communications technology cybersecurity certification, also known as the Cybersecurity Act, was given the final go-ahead and published in the Official Journal of the European Union.  The Cybersecurity Act will come into force

On 12 March 2019, the European Parliament issued its first position on the text proposed by the European Commission for a Regulation of the European Parliament and of the Council on ENISA (the European Union Agency for Network and Information Security), also known as the EU Cybersecurity Act.

Initiatives to build strong EU-wide cybersecurity

The EU Cybersecurity Act was proposed in 2017 to:

i) Provide a permanent mandate for ENISA (to replace its limited mandate that would have expired in 2020);

ii) Allocate more resources to ENISA to enable it to fulfil its goals; and

iii) Establish an EU framework for cybersecurity certification for products, processes and services that will be valid throughout the EU.

The European Parliament, Council and Commission reached an informal trialogue agreement on the proposal of the EU Cybersecurity Act in December last year. Now that the European Parliament has adopted its first-reading position, it is expected that the European Council will adopt the proposed Regulation without further amendments. The Regulation will then be published in the EU Official Journal and will enter into force 20 days following that publication.

On 10 December 2018, the European Parliament, the Council of the European Union, and the European Commission reached agreement on the cybersecurity proposal put forward by the Commission.

The aim of the Commission’s proposal is to build strong cybersecurity standards in the EU, allowing the EU to become a global leader in cybersecurity. The proposal will benefit member states, businesses, and consumers by expanding the mandate of the European Union Agency for Network and Information Security (ENISA) to deal with cyberattacks across the EU and establishing an EU-wide certification process for businesses.

Commissioner Mariya Gabriel, who is in charge of Digital Economy and Society, has explained the motivation behind the proposal by stating: “Enhancing Europe’s cybersecurity, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union.”


The European Data Protection Supervisor (EDPS) published an Opinion on 5 October 2018 regarding the European Commission’s legislative package “A New Deal for Consumers”. In the Opinion, the EDPS calls for closer alignment between consumer and data protection rules in the EU.

Background

The Commission’s package, adopted earlier this year, includes two legislative proposals:

(1) a Directive on better enforcement and modernisation of EU consumer protection rules; and

(2) a Directive on representative actions for the protection of the collective interests of consumers.

The aim of this package is to modernise existing rules and provide better redress opportunities for consumers.

After four years of protracted discussions and negotiations, the General Data Protection Regulation (the “GDPR”) gained final approval from the European Parliament on 14 April. It will enter into force 20 days after publication in the Official Journal of the European Union (expected imminently), and it comes into force two years after that date – i.e., mid-2018.

The GDPR replaces the Data Protection Directive 95/46/EC (the “Directive”) and the legislation enacted by Member States to implement it. As a regulation, the GDPR will be directly applicable in all Member States; indeed, one of its core aims is to harmonise legal requirements across the EU, eliminating many of the inconsistencies that developed under the Directive.

The GDPR constitutes the single biggest change to EU data protection rules for 20 years and is considerably more comprehensive and onerous than the regime it replaces. We set out below some of the most significant changes.

This post was written by Cynthia O’Donoghue.

In early July, the European Parliament adopted a new directive harmonizing the criminal laws relating to cyberattacks (Directive). It will replace the current nonbinding agreement between EU countries from 2005 (Framework Decision 2005/222/JHA). The Directive aims to harmonise the approach to cybercrime, by requiring all

ENISA, the European Union Agency for Network and Information Security, issued its Annual Incidents Report 2012. The report has been issued under Article 13a of the Common Regulatory Framework Directive (1009/140/EC) for electronic communications networks and services. The report highlights that 18 European Union countries reported 79 significant incidents during 2012. Only