European Data Protection Board opines on UK draft adequacy decision

On the 14th of April 2021, the European Data Protection Board (EDPB) adopted two opinions on the European Commission’s draft adequacy decision for the transfers of personal data from the EU to the UK.

The EDPB assessed the alignment of the UK Data Protection Act to the GDPR and to the Law Enforcement Directive, and noted ‘strong alignment’ on key areas between the EU and UK data protection regimes such as lawful and fair processing for legitimate purposes, purpose limitation, data quality and proportionality, data retention, transparency and special categories of data, to name a few.

Continue Reading

Proposed rule would impose new notification requirements on banks and their service providers when a cybersecurity incident occurs

A new proposed federal rule, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” could impose accelerated notification requirements on banking organizations and their service providers when notification incidents (as defined in the proposed rule) occur.

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) issued the rule on January 12, 2021. The rule’s comment period concluded April 12.

The issuing agencies argue that the adoption of this proposed rule would support their missions by, among other things, requiring that agencies have earlier notice of emerging threats to individual banking organizations and the broader financial system. This notice may help limit losses in the event of significant data security incidents.

 Our recent client alert explains the new obligations under the proposed rule and their effects on banking organizations.

Final rules on the new operational resilience framework published by the FCA and PRA

On March 29, 2021, the Financial Conduct Authority (FCA) published final rules that will create a new operational resilience framework for banks, building societies, solvency II firms, recognized investment exchanges, enhanced scope senior managers and certification regime firms, and those authorized or registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011. The new rules will apply from March 31, 2022 and will require firms to identify important business services and set maximum impact tolerances.

The Prudential Regulation Authority (PRA) also published its final Policy Statement (PS) 6/21 alongside the FCA. This includes new Operational Resilience Parts of the PRA Rulebook and a new Supervisory Statement (SS), both of which are also effective from March 31, 2022.

A hostile cyber environment was identified by the FCA and PRA in their joint discussion paper as one of the key challenges to becoming resilient. Cyber risk has therefore been a key driver to the introduction of operational resilience rules. These new rules (together with the Bank of England’s Financial Policy Committee’s proposed standards for response to cyber incidents) will require regulated firms to look deeply into their information security and cyber security defenses beyond what is currently required by the GDPR. This should result in greater protection and safeguarding of the personal data of its account holders and other individuals, thereby satisfying the main pillar of financial regulation which is to protect consumers.

 Our recent client alert lays out the requirements firms should follow in order to prevent, adapt to, respond to and learn from threats to and vulnerabilities in their operational resilience framework.



European Commission announces completion of South Korea adequacy talks

On 30 March 2021, the European Commission announced, in a joint statement with South Korea’s data protection authority, the Personal Information Protection Commission (PIPC), the “successful conclusion” of the adequacy talks between the EU and South Korea. Such adequacy decision will enable the free flow of personal data from the EU to South Korea, covering both private and public data controllers, and ultimately benefiting commercial data transfers and facilitating regulatory cooperation.

The adequacy talks began over four years ago, in January 2017 and this announcement brings them closer to receiving this adequacy decision. South Korea has been preparing for this adequacy decision by amending its data protection laws (which it did last year), to, for example, enact the new Personal Information Protection Act, which confirmed the independence and powers of the PIPC. This was referred to in the announcement as confirming the “high degree of convergence” between the EU and South Korea for data protection and was a major step in the adequacy talks.

The announcement also complements the EU-Republic of Korea Free Trade Agreement, and both sides agree that this will aid in their commitment to shared values concerning privacy and cooperation. The framework for the future adequacy decision relies on the strong supervision of the PIPC.

The European Commission will now begin launching the decision-making procedure to get the adequacy decision adopted in the upcoming months.

Next steps
The European Data Protection Board will publish an opinion before formal approval by a committee comprised of representatives of the EU member states. Once it is approved, the Commission can adopt the adequacy decision, thereby introducing the free flow of personal data between the EU and South Korea.

The ICO unveils its plans for updating anonymisation guidance

The ICO Data Sharing Code of Practice which was published earlier this year aimed to provide organisations with practical guidance for data sharing in compliance with data protection law, which we previously wrote about here.

The ICO are aware that data sharing encompasses many other dimensions and thus that the guidance would be updated on an on-going basis. As part of this, the ICO outlined its plans to update its guidance on anonymisation and pseudonymisation and on exploring privacy enhancing technologies. The refreshed guidance will assist in some of the challenges that organisations may face such as determining whether data is personal data or anonymous information and providing appropriate controls that should be adopted. Continue Reading

Swiss authority’s summary of its GDPR-like revised federal law

In its 2020 session, the Swiss Parliament passed the revised Federal Data Protection Act (FADP), which should come into force in the second half of 2022. The Swiss supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), has published a document outlining the important amendments, which is available here.

The revised FADP (revFADP) covers data protection of natural persons only and includes new definitions for genetic and biometric data, much like the GDPR. The revFADP also incorporates the principles of privacy by design (data protection through technology design) and by default. The FDPIC emphasises that such mechanisms should be “through the use of customer-friendly” programmes that aid data protection. Continue Reading

Aftermath of Schrems II decision in France: The French Council of State provides significant clarification on the U.S. based data host to provide services in the French health care sector

On March 12, 2021, the French Council of State (Conseil d’Etat), the highest French administrative court, handed down a ruling (ordonnance des référés) allowing Doctolib, a company in charge of booking COVID-19 vaccination appointments, to rely on a U.S.-based health data host.

In the present case, the servers of Doctolib – whose platform had been entrusted by the French government for booking COVID-19 vaccinations – were hosted by the Luxembourg subsidiary of AWS, a U.S. company. Specifically, in this case, the AWS data was stored in data centers located in the European Union (specifically, in France and Germany).

The French government’s decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among French associations and trade unions because of the Schrems II decision rendered by the Court of Justice of the European Union (CJEU July 16, 2020, Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems), which shed light on the risks that U.S. surveillance laws might pose to data subjects in the event of access requests by U.S. agencies. Continue Reading

A new recipe for Cookies – The new German Telecommunications and Telemedia Data Protection Act

The German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz – TTDSG, available here) on February 10, 2021. The TTDSG, among other things, provides new rules on cookies and similar technologies (Cookies), introducing only two categories of Cookies: (1) strictly necessary Cookies and (2) consent-based Cookies. The legal basis of legitimate interests cannot be relied upon for Cookies anymore. Germany will be the last member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law – almost a decade after the deadline passed, and ignoring the extensive discussions on the Cookie provisions in the ePrivacy Regulation (and particularly the exceptions from the consent requirement). Continue Reading

Tech Talk Laws: Technology transactions trends in 2021

In this episode, Sarah Bruno and LiLing Poh discuss recent trends as organizations invest more in technology through the acquisition of new platforms or programs, or by working with a vendor to bring a product to market. Exploring a case study involving a global pharmaceutical company on the rollout of a health-related digital app, they discuss key considerations related to cross-border considerations; the nature of data, regions data is collected from, and other security provisions; coordinating with vendors, middlemen and other third-parties; reasonable security for information exchange and working with in-house IT teams; industry considerations in highly regulated sectors; corruption considerations; and the ownership and protection of intellectual property.

Keep an eye on the Commonwealth: Virginia passes comprehensive data privacy law, empowers Attorney General as chief enforcer

The Virginia legislature, which adjourned its annual legislative session last week, passed the second state-level consumer data privacy law in the nation. The Virginia Consumer Data Protection Act (CDPA) was signed into law by Virginia Governor Ralph Northam on March 2, 2021, and will go into effect January 1, 2023. Virginia joins California as the second state to enact comprehensive data privacy protections for its residents.

The Virginia Attorney General (AG) will be the main interpreter and enforcer of the new law. The CDPA gives the AG exclusive enforcement authority–there is no private right of action. Without a private right of action, the AG alone will control how the CDPA will be enforced.

Continue Reading