European Commission announces completion of South Korea adequacy talks

On 30 March 2021, the European Commission announced, in a joint statement with South Korea’s data protection authority, the Personal Information Protection Commission (PIPC), the “successful conclusion” of the adequacy talks between the EU and South Korea. Such an adequacy decision will enable the free flow of personal data from the EU to South Korea, covering both private and public data controllers, and ultimately benefiting commercial data transfers and facilitating regulatory cooperation.

The adequacy talks began over four years ago, in January 2017, and this announcement brings the parties closer to an adequacy decision. South Korea has been preparing for this decision by amending its data protection laws (which it did last year), for example by enacting the new Personal Information Protection Act, which confirmed the independence and powers of the PIPC. The announcement referred to this as confirming the “high degree of convergence” between the EU and South Korea on data protection, and it was a major step in the adequacy talks.

The announcement also complements the EU-Republic of Korea Free Trade Agreement, and both sides agree that this will aid in their commitment to shared values concerning privacy and cooperation. The framework for the future adequacy decision relies on the strong supervision of the PIPC.

The European Commission will now begin launching the decision-making procedure to get the adequacy decision adopted in the upcoming months.

Next steps
The European Data Protection Board will publish an opinion before formal approval by a committee comprised of representatives of the EU member states. Once it is approved, the Commission can adopt the adequacy decision, thereby introducing the free flow of personal data between the EU and South Korea.

The ICO unveils its plans for updating anonymisation guidance

The ICO Data Sharing Code of Practice which was published earlier this year aimed to provide organisations with practical guidance for data sharing in compliance with data protection law, which we previously wrote about here.

The ICO is aware that data sharing encompasses many other dimensions and thus that the guidance would be updated on an ongoing basis. As part of this, the ICO outlined its plans to update its guidance on anonymisation and pseudonymisation and on exploring privacy enhancing technologies. The refreshed guidance will assist with some of the challenges that organisations may face, such as determining whether data is personal data or anonymous information, and will set out the appropriate controls that should be adopted.

Swiss authority’s summary of its GDPR-like revised federal law

In its 2020 session, the Swiss Parliament passed the revised Federal Data Protection Act (FADP), which should come into force in the second half of 2022. The Swiss supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), has published a document outlining the important amendments, which is available here.

The revised FADP (revFADP) covers data protection of natural persons only and includes new definitions for genetic and biometric data, much like the GDPR. The revFADP also incorporates the principles of privacy by design (data protection through technology design) and by default. The FDPIC emphasises that such mechanisms should be “through the use of customer-friendly” programmes that aid data protection.

Aftermath of Schrems II decision in France: The French Council of State provides significant clarification on the U.S. based data host to provide services in the French health care sector

On March 12, 2021, the French Council of State (Conseil d’Etat), the highest French administrative court, handed down a ruling (ordonnance des référés) allowing Doctolib, a company in charge of booking COVID-19 vaccination appointments, to rely on a U.S.-based health data host.

In the present case, the servers of Doctolib – whose platform had been entrusted by the French government for booking COVID-19 vaccinations – were hosted by the Luxembourg subsidiary of AWS, a U.S. company. The AWS data was stored in data centers located in the European Union (specifically, in France and Germany).

The French government’s decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among French associations and trade unions because of the Schrems II decision rendered by the Court of Justice of the European Union (CJEU July 16, 2020, Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems), which shed light on the risks that U.S. surveillance laws might pose to data subjects in the event of access requests by U.S. agencies.

A new recipe for Cookies – The new German Telecommunications and Telemedia Data Protection Act

The German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz – TTDSG, available here) on February 10, 2021. The TTDSG, among other things, provides new rules on cookies and similar technologies (Cookies), introducing only two categories of Cookies: (1) strictly necessary Cookies and (2) consent-based Cookies. The legal basis of legitimate interests cannot be relied upon for Cookies anymore. Germany will be the last member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law – almost a decade after the deadline passed, and ignoring the extensive discussions on the Cookie provisions in the ePrivacy Regulation (and particularly the exceptions from the consent requirement).

Tech Talk Laws: Technology transactions trends in 2021

In this episode, Sarah Bruno and LiLing Poh discuss recent trends as organizations invest more in technology through the acquisition of new platforms or programs, or by working with a vendor to bring a product to market. Exploring a case study involving a global pharmaceutical company on the rollout of a health-related digital app, they discuss key considerations related to cross-border considerations; the nature of data, regions data is collected from, and other security provisions; coordinating with vendors, middlemen and other third-parties; reasonable security for information exchange and working with in-house IT teams; industry considerations in highly regulated sectors; corruption considerations; and the ownership and protection of intellectual property.

Keep an eye on the Commonwealth: Virginia passes comprehensive data privacy law, empowers Attorney General as chief enforcer

The Virginia legislature, which adjourned its annual legislative session last week, passed the second state-level consumer data privacy law in the nation. The Virginia Consumer Data Protection Act (CDPA) was signed into law by Virginia Governor Ralph Northam on March 2, 2021, and will go into effect January 1, 2023. Virginia joins California as the second state to enact comprehensive data privacy protections for its residents.

The Virginia Attorney General (AG) will be the main interpreter and enforcer of the new law. The CDPA gives the AG exclusive enforcement authority–there is no private right of action. Without a private right of action, the AG alone will control how the CDPA will be enforced.


Get your Update on IT & Data Protection Law in our Newsletter (Winter 2021 Edition)

The Winter 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Strengthening fair competition – changes to the law against unfair competition
  2. Cologne Regional Court on the broad concept of the right to access (in court)
  3. EUR 14.5 million data protection fine lifted and now appealed
  4. Rostock Regional Court on obtaining cookie consent
  5. Munich Court of Appeals on real name use in telemedia
  6. Frankfurt Regional Court on drone photos covered by copyright freedom of panorama

The newsletter also includes multiple recommendations for readings on the ePrivacy Regulation, German Telecommunication and Telemedia Act, Standard Contractual Clauses, DPIAs, data breaches, Brexit, cookie fines and more.

We hope you enjoy reading it.

Nation’s second comprehensive consumer data privacy law enacted in Virginia

Virginia’s governor, Ralph Northam, signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2, 2021. The CDPA is set to take effect on January 1, 2023, and is the second most comprehensive consumer privacy law to be enacted in the United States behind the California Consumer Privacy Act (CCPA), recently amended by the California Privacy Rights Act (CPRA), set to take effect on January 1, 2023. Our recent client alert provides a comparison of key provisions between CCPA/CPRA and CDPA.

The Maryland digital advertising tax and what it means for you

When the Maryland General Assembly overrode a gubernatorial veto on Friday, February 12, 2021, Maryland became the first state in the U.S. to place a tax on digital advertising services. Much remains to be seen as both chambers of Maryland’s General Assembly consider amendments to the new law and challenges make their way through the courts. In the meantime, DeAndré Morrow, Jeremy Abrams, and John Feldman wrote a new Reed Smith In-Depth analyzing the immediate and potential effects of the veto override and providing a forecast on whether the tax will survive the judicial challenges it faces.