Updates from the European Data Protection Board

The European Data Protection Board (EDPB) met for its seventh plenary session on 12 February 2019. The session covered many areas of discussion, outlined in the agenda.

The four main areas covered, and highlighted in the EDPB’s press release, were:

1. Work programme: The EDPB adopted a two-year work programme, covering 2019-2020. The work programme has been designed based on priority needs for individuals, stakeholders and EU legislators. Examples of activities that the work programme covers include:

i. issuing guidance on topics such as data protection by design and by default, children’s data and legitimate interests;

ii. issuing consistency opinions on the administrative arrangements discussed below, and on the interplay between the General Data Protection Regulation 2016/679 (GDPR) and ePrivacy Regulation;

iii. other activities centred around the EU-U.S. Privacy Shield, the ePrivacy Regulation and data breach notifications; and

iv. a general focus on topics including non-personal data, blockchain and the use of new technologies such as artificial intelligence.

NERC enforcement action provides guidance to electric industry for compliance with the Critical Infrastructure Protection Reliability Standards

On January 25, 2019, a settlement agreement was reached between a utility company, which allegedly violated the Critical Infrastructure Protection (CIP) Reliability Standards, and the North American Reliability Corporation (NERC). Through this settlement, NERC provides guidance to the electric industry for compliance with the CIP Reliability Standards. The substantial penalties should prompt companies to educate senior management on cybersecurity risks and allocate the resources necessary to implement a cybersecurity program consistent with CIP Reliability Standards and other compliance obligations.

Risks and considerations when storing crypto-assets

Following the sudden death of its co-founder and CEO, Gerald Cotten, in December 2018, Quadriga, Canada’s largest cryptocurrency exchange, is unable to gain access to about $145 million of bitcoin and other digital assets. Quadriga reports that Cotten stored the digital assets in a “cold wallet” on his encrypted laptop, and repeated attempts by his widow to gain access to the laptop have proven unsuccessful.

Quadriga has been forced to stop trading on its platform, which has affected its ability to serve its customers. The company is attempting to obtain an order for creditor protection in accordance with Canada’s Companies’ Creditors Arrangement Act to provide it with an opportunity to resolve this issue.

To review the full article on our FinTech Update blog, click here.

President prioritizes research, development, and deployment of artificial intelligence technology

The President has made artificial intelligence technology a policy priority. On February 11, 2019, the President issued an Executive Order to direct most federal executive agencies to promote and protect American advancements in artificial intelligence while working with private industry. The order recognized that public trust in artificial intelligence is an important factor in the development and use of the technologies, and highlights the need to “protect civil liberties, privacy, and American values in their application in order to fully realize the potential of AI technologies for the American people.”

Specifically, the President ordered the agencies to consider artificial intelligence as a research and development priority and to:

  • Invest in artificial intelligence (for example, machine learning) research and development.
  • Enhance access to data, models, algorithms, and computing resources to promote artificial intelligence research and development (consistent with obligations to maintain safety, security, privacy, and confidentiality).
  • Reduce barriers to the use of artificial intelligence (for example, machine learning) technologies.
  • Help develop technical standards that minimize vulnerability to attacks and “reflect Federal priorities for innovation, public trust, and public confidence in systems that use AI technologies.”
  • Train a workforce that can develop and take advantage of developments in artificial intelligence.
  • Develop an action plan “to protect the advantage of the United States in AI and technology critical to United States economic and national security interests against strategic competitors and foreign adversaries.”

Comprehensive data privacy legislation introduced in Massachusetts – includes private right of action without a need to prove harm

Massachusetts state Senator Cynthia Creem has introduced a consumer data privacy bill, SD 341, that would give Massachusetts consumers the right to sue in the event their personal information or biometric data is improperly collected or distributed or for any other potential violation of the new law. Under SD 341, and similar to Illinois’s Biometric Information Privacy Act (BIPA), consumers may not be required to demonstrate or have suffered monetary or property losses in order to seek damages for an alleged violation. Any violation of the proposed new law could be grounds for a valid private action.

The proposed bill is the latest signal that state legislatures are going to be increasingly active in regulating data protection issues. California’s new California Consumer Privacy Act (CCPA) is considered an expansion of privacy-related regulation beyond any existing federal or state law. Although the CCPA will not go into effect until January 2020, businesses are busy implementing compliance policies and procedures, including making plans now to ensure they can adequately and accurately respond to consumers’ requests regarding the type and nature of personal information they may possess on California residents. The Massachusetts bill appears to have many of the same characteristics as the CCPA, but its private right of action provision would be a boon for the plaintiff’s bar. Like Illinois’ BIPA and the Telephone Consumer Protection Act (TCPA), which have spawned scores of class action lawsuits, SD 341 does not require proof of actual damages. It states that “a violation of this chapter shall constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter.” A prevailing plaintiff can receive the greater of $750 “per consumer incident” or actual damages and can also receive attorneys’ fees.

The interplay between the Clinical Trials Regulation and the GDPR

The European Data Protection Board (EDPB) recently adopted its opinion on the interplay between the Clinical Trials Regulation 536/2014 (CTR) and the General Data Protection Regulation 2016/679 (GDPR) (the opinion). The opinion was given at the request of the European Commission.

The CTR seeks to harmonise the rules for conducting clinical trials throughout the European Union, and the request for an opinion stemmed from an acknowledgement of the crucial interplay between these two pieces of EU legislation. The EDPB emphasised that interplay by clearly stating in the opinion that the CTR cannot be used as an exemption from compliance with the GDPR.

The opinion distinguishes between the primary use of data and the secondary use of data in clinical trials.

German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic by the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018, stating that tracking and profiling cookies require opt-in consent (‘Position Paper’; read more on the Position Paper in our blog here and find more background on cookies under GDPR in the German-language videos here).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (‘Summary Report’, available here), the Bavarian DPA stated that all websites that were reviewed used third-party tracking tools, but none was implemented in compliance with data protection law. The websites tested relate to the following industries: online shops, sports, insurances, banks, media, cars and houses.

The Bavarian DPA focused its audit on transparency and consent.

Notable challenges from the updated Massachusetts data breach notification law

The update to the existing Massachusetts data breach notification statute (set to go into effect on April 11, 2019) introduces novel requirements for notices to both affected individuals and regulators and requires credit monitoring services to be offered in some instances for at least 18 months. The legislation updates the statute in a number of particulars, but we focus here on the most notable new requirements.

Notable updates

Notices to affected individuals. The updated statute may require an organization to provide affected individuals with multiple (that is, repeat) notifications if after the initial notice the organization discovers information that updates or corrects the information required to be in such notifications. Other breach notification laws, like the EU’s General Data Protection Regulation and Canada’s breach notification law, may impose an ongoing obligation on organizations to notify regulators with updated information about breaches, but the Massachusetts statute may apply that same obligation to individual notices. The statute also sets forth additional content categories that the notices must contain.

Electric industry should focus efforts in 2019 to meet additional cybersecurity and supply chain requirements

In late 2018, the Federal Energy Regulatory Commission (FERC) published a final rule updating and adding to the Critical Infrastructure Protection (CIP) Reliability Standards, which are intended to help protect the bulk electric system (BES) in North America against cybersecurity risks. The final rule:

  • Creates a new Supply Chain Risk Management Reliability Standard (CIP-013-1)
  • Updates the Electronic Security Perimeter(s) Reliability Standard (CIP-005-6)
  • Updates the Configuration Change Management and Vulnerability Assessments Reliability Standard (CIP-010-3)

Organizations subject to the Reliability Standards have until July 1, 2020, to develop and implement the necessary policies, procedures, and systems to meet these new obligations.

Free flowing data for 127 million people: Japan and the EU break down personal data transfer barriers

On 23 January 2019, the European Commission adopted an adequacy decision for Japan, with immediate effect. The decision certifies Japan as having a comparable level of data protection to that of the European Union.

On the same day, Japan adopted an equivalent decision regarding the EU’s data protection regime. This is the first example of mutual recognition of the adequate level of data protection.

According to Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, the mutual adequacy findings have created “the world’s largest area of safe data transfers”. Data is now able to flow freely between the EU and Japan without the need for further safeguards or authorisations. Ms. Jourová recognised the decision as providing “an example for future partnerships in this key area” and setting “global standards”.

The adequacy decision

In order to align itself with EU standards, Japan introduced a number of additional safeguards. These include:

  1. Supplementary rules, adopted by Japan’s independent data protection authority, the Personal Information Protection Commission (PPC). The rules bridge the differences between the two data protection regimes by providing for a higher level of protection of individuals’ rights. The rules are binding on Japanese companies that receive EU data based on the adequacy decision, and are enforceable by the PPC and the Japanese courts.
  2. Safeguards for public authority access to personal data. Assurances were given to the European Commission regarding safeguards concerning Japanese public authorities’ access to personal data for criminal law enforcement and national security purposes. Such access is limited to what is necessary and proportionate.
  3. Complaints mechanism. The PPC will administer and supervise a new mechanism for investigating and resolving complaints from Europeans regarding access to their data by Japanese public authorities.

Japan’s adequacy decision complements the EU-Japan Economic Partnership Agreement, which will enter into force in February 2019, by facilitating commercial exchanges. This demonstrates a clear relationship between international trade and the protection of personal data, while acknowledging that dialogues about each issue must remain separate.

The adequacy decision will be reviewed by the European Commission after two years. After this, a review will take place every four years.