German federal parliament updates Patents Act

Germany is among the world’s leading patent jurisdictions. However, several years after the implementation of the EU Enforcement Directive, the government felt that the Patents Act (PatG) needed updating. Following lengthy consultations and many changes, the reform bill passed the German federal parliament (Bundestag) very early this morning (June 11, 2021). The second chamber of parliament (Bundesrat) is unlikely to raise further objections, so the new provisions will probably come into force rather sooner than later.

Our recent client alert gives detailed insight into the Patent Act and how it may affect companies doing business in Germany.

U.S. Department of Labor issues cybersecurity guidance for protecting ERISA-covered plan data

The U.S. Department of Labor (DOL) announced in April new cybersecurity guidance (the Guidance) for protecting ERISA-covered plan data from internal and external cybersecurity threats. This Guidance is the first of its kind from the DOL and supplements DOL regulations that govern electronic records and disclosures to plan participants and beneficiaries.

The Guidance recognizes that plan sponsors and other fiduciaries have an obligation to mitigate cybersecurity risks, including by prudently selecting and monitoring service providers with strong cybersecurity practices. The Guidance is consistent with cybersecurity measures in existing law and other cybersecurity guidance, standards and best practices; however, it leaves open many questions, including how the Guidance might be used in the future (e.g., DOL enforcement activity and private party litigation).

Our recent client alert goes into detail on the three parts of the Guidance that come in the form of “tips” and “best practices.”

Get your Update on IT & Data Protection Law in our Newsletter (Spring 2021 Edition)

The Spring 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. New cookie rules in Germany will apply as of December 1, 2021
  2. German data protection authorities conduct coordinated audits on international data transfers
  3. Mainz Administrative Court: Data protection requirements for emails sent by individuals with a duty of professional confidentiality
  4. Cologne Court of Appeal: Influencers must also label unpaid product posts as advertising
  5. Saarland Administrative Court of Appeal: Double opt-in by email not suitable for consent to telephone advertising
  6. ECJ: Framing in circumvention of safeguards requires copyright holder’s consent
  7. German Supreme Court: Admissibility of charging a fee for payment when engaging payment service providers

The newsletter also includes multiple recommendations for readings on data protection impact assessments, data portability, tracking, video conferencing services, Schrems II, the metaverse and more.

We hope you enjoy reading it.

European Commission issues New Standard Clauses for data transfers outside the EEA: Act within 18 months

Today the European Commission issued the new and long-awaited Standard Contractual Clauses, available here (SCCs). These new SCCs contain updates for the GDPR, and replace the three sets of SCCs that were adopted under the previous Data Protection Directive. The SCCs released today include the following modules:

  • Controller to controller transfers,
  • Controller to processor transfers,
  • Processor to processor transfers, and
  • Processor to controller transfers.

The draft SCCs had been open to consultation in December of 2020 (more on our previous blog here). The final drafts issued today will come into effect 20 days after publication on the Official Journal of the European Union, which should be sometime between the 25th and 30th of June 2021. Continue Reading

The ICO publishes first chapter of its new draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies

The UK’s data protection authority, the Information Commissioner’s Office (ICO), is calling for views on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies guidance, available in draft here.

The guidance will help organisations to identify the issues they need to consider in order to use anonymisation techniques effectively. The guidance will sit alongside the ICO’s data sharing code of practice, which provides guidance on how to lawfully share personal data, and offers organisations an alternative way of using or sharing data through anonymisation.

The first chapter introduces and defines anonymisation and pseudonymisation, and places the concepts within the framework of data protection law in the UK. Continue Reading

Singapore High Court clarifies ‘loss or damage’ in private actions against the Personal Data Protection Act (PDPA)

In Bellingham, Alex v. Reed, Michael [2021] SGHC 125 (Alex v. Reed) The Signapore High Court considered the loss or damage needed for a private action to be brought against an organisation for a breach of the PDPA. In particular, the court found that a mere loss of control over personal data, or emotional distress over such loss of control, was insufficient.

Our recent client alert details the case and the significance of this judgment in clarifying the scope of loss or damage for civil suits arising from contraventions of Singapore’s data protection law.

Storing credit card details for future purchases – EDPB recommends online retailers do so only with consent

On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions, available here.

Scope of the recommendations

The recommendations specifically address online providers of goods and services who store credit card data to facilitate future purchases once an individual has provided their credit card data to conclude a transaction online.

The recommendations do not apply to payment institutions operating in online stores or public authorities. They also do not apply where credit card data is stored for a different purpose, for example to comply with a legal obligation or to establish a recurring payment.

Why are these recommendations needed?

As the digital economy and e-commerce continue to develop, the risks of using credit card data online also continue to increase. In addition to ever-present payment fraud risks, there is also an increased risk of credit card data security breaches where the credit card data is stored. Controllers must therefore act to reduce the risk of unlawful processing of this data.

Continue Reading

City A.M. interviews Howard Womersley Smith on London’s start up Fintech scene

City A.M. has interviewed Howard Womersley Smith, an expert Fintech and Data lawyer and partner in Reed Smith’s Technology & Data London team, on London’s current startup FinTech scene.

Sitting down with Womersley Smith, City AM reflected on a range of London Fintechs urging the Financial Conduct Authority (FCA) to break banks’ dominance over the use of consumer data. Womersley Smith sided with Fintechs and has long been saying that the startup scene needs exactly that to properly thrive in 2021. Fintechs have argued that the end of banks dominance would increase competition in the savings, credit, mortgages and pensions markets. However, Womersley Smith believes that we are some way off true portable banking. However, he noted that there is another factor in play, that of trust where banking with a household name provides an element of comfort for consumers which is difficult for challengers to compete with. Continue Reading

Three years on from the implementation of the EU GDPR – Reed Smith tools and solutions to help with compliance

The EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It became one of the leading pieces of legislation in the world to offer the highest levels of protection to the personal data of individuals. Many countries followed suit to raise the bar in how organisations handle personal data. The trend continues with China and India next in line to adopt legislation with similar levels of protection which may result in half of the global population enjoying rights similar to what the GDPR offers. The GDPR has definitely had a domino effect.

Organisations continue to take steps towards compliance as this is a reiterative exercise. We also continue to develop new ways of supporting our clients and have built tools and solutions to help clients to be efficient in their GDPR compliance efforts:

  • GDPR toolkit. A toolkit of accountability documents to help organisations meet their GDPR requirements.
  • Datarologie. An innovative service providing a one-stop shop for privacy compliance needs combining technology solutions and consultancy services. The comprehensive offering includes data subject rights management; a tracking tool for personal data breach preparation and response, auditing and benchmarking; outsourced Data Protection Officer services; GDPR representative services in the UK and the EU, as well as the provision of legal advice.
  • Data Transfer Impact Assessment tool. This tool allows organizations to automate and create (1) a risk assessment for data transfers to third countries, whether controller to controller or controller to processor, and (2) automated drafting of a data processing agreement and standard contractual clauses (SCCs). This will become an all-in-one tool to deal with data transfers and cut down on contract review time. This tool should be ready in time when the final EU SCCs are published by the European Commission. This tool will be updated with the new SCCs once issued by the European Commission, which is expected to happen in a number of weeks.
  • GDPR Assessment. An assessment methodology to check GDPR compliance, including compliance with the accountability principle.

Please do not hesitate to contact our team for further information or to discuss your data protection needs. Happy GDPR Anniversary!

European Commission urged to produce clear guidelines on data transfers with the U.S.

In its Schrems II decision (which we reported on here) the Court of Justice of the European Union (CJEU) found that the Privacy Shield framework, which had been used to facilitate data transfers from the EU to the US, did not adequately protect the personal data of EU users. The use of standard contractual clauses (SCCs) for such transfers of personal data to a third country was validated by the ruling, provided that the recipient country’s level of data protection was verified by the EU based entity prior to the data transfer.

Why are these guidelines needed?

In a draft report adopted on Tuesday 19 May 2021 the Civil Liberties Committee has urged the European Commission to assess the impact of this decision on data transfers with the US. The Civil Liberties Committee suggests, and is probably aware, that businesses may struggle to assess the data protection regimes of third countries themselves. The MEPs have therefore called for clear guidelines so companies can make data transfers that can be made GDPR-compliant, acknowledging that certainty and stability is key for businesses.

The report recommends collaboration between the European Commission and the European Data Protection Board (EDPB) to ensure the guidelines are fit for purpose given recent CJEU rulings.

Potential enforcement proceedings against Ireland

MEPs have also called on the European Commission to begin infringement procedures against Ireland for failing to effectively enforce the GDPR. The Irish Data Protection Commission (DPC)’s decision to initiate the Schrems court case instead of triggering enforcement procedures under the GDPR, along with the DPC’s long processing times, were both held to be disappointing by the Civil Liberties Committee.

The draft resolution will be debated in a future plenary session and put to the vote by the full House. While collaboration between the EC and EDPB to issue clear guidelines for businesses sounds appealing, we can only hope that the guidelines are pragmatic as well.