Notice and consent requirements for security footage and biometric data collection

It is natural for businesses to be concerned about the security of their premises and to explore new technologies that can help mitigate health and safety risks related to that security. As retailers get back to business in the United States, the laws implicating biometrics and the increase in use cases for biometric technologies have caused these businesses to refocus their data collection points. One such use case that merits special attention, specifically in the context of reopening businesses after COVID-19 precautionary closures, is the information collected via security footage (also receiving attention as a result of recent protests). Our recent client alert discusses whether data collection via security footage possibly qualifies as “biometric identifiers” or “biometric information” under various state laws that implicate the topic, and whether notice and consent are necessary to collect and use that footage.

EDPS opines on the Commission’s data strategy

On 19 February 2020, the European Commission published details of its data strategy (here), the aim of which is to “create a single European data space – a genuine single market for data, open to data from across the world – where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data, boosting growth and creating value, while minimising the human carbon and environmental footprint.”

The European Data Protection Supervisor (EDPS) published its opinion on the data strategy on 16 June 2020 (here). In essence, the EDPS supports the Commission’s commitment to develop the strategy in full compliance with the General Data Protection Regulation (GDPR) and European fundamental rights and values, including the right to the protection of personal data provided under Article 8 of the Charter of Fundamental Rights of the EU. However, the EDPS took the opportunity in its opinion to remind the Commission of a few specific areas of EU data protection law which it will need to consider in relation to some of the proposals set out in the strategy.


GDPR vs. U.S. discovery: The conflict continues

Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable protections on the processing and cross-border transfer of their data, it is not an automatic shield from the demands of U.S. state or federal laws that require the preservation, collection, and potential disclosure of any documentation relevant to a matter – regardless of where it originates or to whom it relates.

The process of U.S. discovery that requires the transfer of potential evidence originating or stored in the EU to the U.S. will often trigger obligations under the GDPR where it involves the processing and cross-border transfer of personal data. While previous cases have shown U.S. courts to be reluctant to allow foreign laws to be a barrier to U.S. discovery, two recent cases have provided insight on the U.S. courts’ approach when dealing with the GDPR in this context.

Cybersecurity Maturity Model Certification: New requirements in the near future

The Department of Defense (DoD) has confirmed that, beginning in November 2020, new solicitations will include the new Cybersecurity Maturity Model Certification (CMMC). Despite the impact of COVID-19, this confirmation indicates that the DoD is intent upon ensuring the protection of certain critical information and shoring up protection of its critical networks and supply chain. Defense contractors should prepare for the new compliance requirements, including the new measurement levels and the accreditation of assessors. The most recent updates related to CMMC implementation are explained in our recent client alert.

PRA extends deadline for responses to consultation on outsourcing and third-party risk management

At the end of 2019, the UK Prudential Regulation Authority (PRA) released its consultation paper (link here) setting out its proposals on a regulatory framework to modernise outsourcing and third-party risk management. The original deadline for responding to the proposals was 3 April 2020, but this has now been extended to 1 October 2020, which was announced as part of the Bank of England’s and the PRA’s measures to respond to the economic shock caused by COVID-19.

Background

In response to the growing dependency on third-party technology solutions (e.g. cloud outsourcing), the PRA wants to highlight the new risks associated with such an increasingly complex and constantly evolving area. As firms find themselves increasingly dependent on such services, any major disruption or outage could result in adverse consequences for financial stability. The consultation seeks to modernise the PRA’s expectations and sets out how firms should comply with existing requirements on such risks.


ICO issues guidance for organisations amid coronavirus recovery

On 12 June 2020, the UK’s Information Commissioner’s Office (ICO) issued new guidance for organisations on the coronavirus (COVID-19) recovery phase (Guidance).

The Guidance (available here) forms part of the ICO’s wider data protection and coronavirus information hub (available here) which aims to help organisations navigate data protection during this unprecedented time.

The new Guidance comes as the lockdown measures start to ease and businesses begin to reopen. It sets out six key data protection steps that organisations need to consider around the use of personal data.

Responding to requests: the ICO considers manifestly unfounded and excessive requests

The Information Commissioner’s Office (ICO) has updated its guidance on access requests and whether such requests are manifestly unfounded or excessive, providing further clarification to the definitions in the guidance and on how data controllers should respond to such requests. We summarise the key points below.

Background

A data subject has rights under the Data Protection Act 2018 to send requests to the data controller pertaining to their personal data, for example: the right of access (section 45), right to rectification (section 46), right to erasure or restriction of processing (section 47) and requests relating to automated decision-making (section 50).

On the other hand, if a data controller finds requests to be “manifestly unfounded or excessive”, it may refuse to act or charge a reasonable fee for the requests, under section 53. The importance of how the data controller makes this decision has now been considered by the ICO.

Guidance

The ICO has given further clarification to the meaning of section 53, as summarised below:

Singapore launches national e-commerce standard

On 12 June 2020, Enterprise Singapore and the Singapore Standards Council launched Technical Reference 76: the first-ever guidelines to set out a national standard for e-commerce transactions. The standard is aimed at boosting the digitalisation of SMEs, as well as the burgeoning e-commerce sector in Singapore.

Technical Reference 76 serves as a practical reference for e-retailers and online marketplaces. The guidelines cover a wide range of functions, from the pre-purchase activities of browsing and selection, to purchasing and payment processes, as well as post-purchase fulfilment, delivery, product tracking, returns, refunds and exchanges. They provide best practices for businesses looking to develop and implement the necessary operational procedures, customer support, merchant verification controls, as well as processes to ensure that consumer-facing communications are clear and enable customers to make informed choices.


Medical Device Coordination Group guidance on cybersecurity for medical devices

Background

In light of the growing concern over cybersecurity and the increasing complexity of medical device supply chains, the Medical Device Coordination Group has released updated guidance on cybersecurity for medical devices (the Guidance) (link here). The Guidance is intended to supplement the essential requirements listed in Annex I of the Medical Devices Regulations (Regulations 745/2017 and 746/2017) (link here). We have summarised below the key points in this Guidance.

Key points

The Guidance is targeted at manufacturers of medical devices. Generally, under the Medical Devices Regulations, manufacturers are required to develop their products in accordance with the state of the art, taking into account risk management principles, including operation, IT and information security.

  • Pre-market and post-market cybersecurity activities: under the Medical Devices Regulations, manufacturers are required to conduct pre-market activities such as establishing risk control measures, secure designs, clinical evaluation processes and conformity assessments. For post-market activities, manufacturers should modify their risk control measures, perform further risk assessments and update their post-market surveillance plans/systems as necessary.
  • Clarification of cybersecurity concepts: the Guidance elaborates in detail on important concepts such as IT security, information security, and operation security. Devices should be safe and effective – any risks associated with the operation of medical devices must be acceptable so as to enable a high level of protection of health and safety. In addition, manufacturers should consider cybersecurity requirements in accordance with the nature of the device, including the device type and intended use of communication technologies; anticipate any reasonably foreseeable misuse; and, lastly, work with other stakeholders such as integrators, operators, and users to ensure effective implementation.
  • Secure design and manufacture – ‘secure by design’: manufacturers must consider safety, security and effectiveness at an early stage of development and throughout the entire life cycle. A security/safety risk management process should be in place, documenting and evaluating all the security risks and stating their impact on security as part of the risk assessment. The Guidance also provides an indicative list of security capabilities for medical devices, such as automatic logoff and emergency access. It is also an explicit requirement under Annex I of the Medical Devices Regulations to carry out an overall benefit-risk analysis.
  • Documentation and instructions for use: manufacturers should provide technical documentation containing information that demonstrates conformity with the general safety and performance requirements in Annex I of the Medical Devices Regulations. This includes information to be provided to health care providers regarding the intended use environment. In addition, the documentation should be updated with information raised through the manufacturers’ post-market surveillance system related to the handling and remediation of cybersecurity incidents and vulnerabilities.
  • Post-market surveillance and vigilance: lastly, as cybersecurity vulnerabilities change and evolve, manufacturers should have in place a post-market surveillance programme, which they should regularly update. The Guidance recommends addressing the following in the programme: operation of the device in the intended environment; sharing and dissemination of cybersecurity information and knowledge of cybersecurity vulnerabilities and threats across multiple sectors; vulnerability remediation; and incident response.

Commentary

The Guidance provides a useful illustration of how manufacturers should comply with their obligations under the Medical Devices Regulations, and will be of great importance to modern manufacturers intending to incorporate new technology in their products.

Encryption of emails containing personal data – the German supervisory authorities issue guidance

On 26 May 2020, the German Data Protection Authorities (German DPAs) issued guidelines on measures to protect personal data transferred via email (Guidelines; available in German here). The Guidelines outline requirements for procedures to send and receive emails that must be met by data controllers, data processors and public email service providers (Email Service Providers) to comply with Art. 5(1)(f), 25 and 32(1) of the General Data Protection Regulation (GDPR).

Sending emails containing personal data

Data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the data processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects concerned.