25 May 2019 was GDPR’s first birthday. Since its introduction, privacy and data protection issues have continued to dominate public debate and regulators have signalled that large fines for non-compliance are imminent. Now is an opportune time to review your privacy and data protection regimes. We have more regulatory guidance and case law than we
Friederike Wilde-Detmering
One year of GDPR – How have EU member states implemented and enforced the new data protection regime?
The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions.
Local implementation efforts
Although the GDPR intended to unify data protection law within the EU, it permits EU member states to implement stricter local rules in some cases, based on the so-called ‘opening clauses’. These allow local rules to be implemented on important issues, such as the requirements for the designation of a data protection officer, the age of consent of children, data protection in the context of employment, and data breach notification obligations.
EU member states have generally made good use of this option. Germany was the first member state to pass an act to implement the GDPR (and is currently working on an amendment), but the other EU member states quickly followed suit.
Local implementation highlights
Some EU member states have introduced local provisions that are worth noting, particularly for organisations doing business in these jurisdictions. Some examples are:
- In Germany, organisations that continually employ at least 10 people to deal with the automated processing of personal data must appoint a data protection officer.
- France has some preliminary notification obligations, especially with regard to the processing of biometric or genetic data, for example.
- Dutch law retains regulations from the previous Dutch data protection law with regard to the processing of sensitive data, for example in an employment context.
- Hungary and Spain introduced provisions with regard to the personal data of deceased individuals.
- Spanish law includes specific provisions for data processing in relation to, for example, video surveillance, whistleblowing and the financial solvency of individuals.
- The laws of Austria, the Czech Republic and Ireland provide for an easing of the fine system for public bodies.
You can find an overview of all implementation laws and their specialties here: https://www.reedsmith.com/-/media/files/perspectives/2018/gdpr_factsheet_may2018.pdf?la=en.
Continue Reading One year of GDPR – How have EU member states implemented and enforced the new data protection regime?
Territorial applicability of the GDPR
The GDPR is just around the corner and will be effective in less than three months – on 25 May 2018. Organizations are therefore in the midst of preparations to comply with the new Regulation in order to avoid the potentially high fines. Non-EU organizations have to assess whether the GDPR is applicable to them…
Four months until GDPR: Which EU countries are ready? How relevant are these laws?
The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. It will attempt to standardize data protection law throughout the European Union. The GDPR will not be fully harmonized since the law has more than 70 opening clauses that will leave room for the EU Member States’ legislators to implement (stricter,…
Germany’s new hate speech act in force: what social network providers need to do now
On 1 October 2017, the German Netzwerkdurchsetzungsgesetz (Network Enforcement Act, „NetzDG“) that we already reported on in April and May, entered into force (English version here). The NetzDG shall be an “act to improve enforcement of the law in social networks”, and aims at combating fake news and hate speech. Regulatory offences may be fined by up to EUR 5 million for individuals and up to EUR 50 million for the platform provider itself.
The NetzDG has been criticised since the beginning of the legislative process, as a great number of lawyers deem the law incompatible with the principle of freedom of expression and the upcoming EU E-Privacy Directive that will be effective 25 May 2018. Therefore, everyone is waiting in suspense for the first complaints brought up against this law to the German Federal Constitutional Court, or even the European Court of Justice.
We compiled the five key aspects of the NetzDG for social networks to make you NetzDG-ready.
Continue Reading Germany’s new hate speech act in force: what social network providers need to do now
First judgment on GDPR by German administrative court
The General Data Protection Regulation (“GDPR”) will become applicable 25 May 2018. Even though the GDPR entered into force 24 May 2016, its provisions will be binding and enforceable only from 25 May 2018. In advance of the applicability of the GDPR, the German Administrative Court Karlsruhe (“AC Karlsruhe”) already had to decide on it (Judgment of 6 July 2017, docket no. 10 K 7698/16).
Facts
On 25 November 2016, the Data Protection Authority of the state of Baden-Württemberg (“DPA”) imposed an administrative order on a credit agency, concerning an infringement of the GDPR.
The credit agency stored personal identifiable data, such as claims and related information, in compliance with Section 35 (2) sentence 2 no. 4 of the currently valid German Federal Data Protection Act (“FDPA”). The provision contains precise deadlines for the examination for the erasure of data.
The DPA referred to future violations of the GDPR that the DPA expected to occur after 24 May 2018, as the legal framework will change. Under Recital 39 of the GDPR, controllers are obligated to establish time limits for erasure or for a periodic review. According to the order issued by the DPA, the credit agency must erase the stored data, after 24 May 2018, after the expiry of three years at the latest, beginning with the due date of the claim, except for the insolvency or unwillingness of the data subject to pay. In the opinion of the DPA, the declaration of the credit agency to implement the GDPR provisions to its data erasure system by 25 May 2018, was not sufficient.
The DPA indicated to rely on Section 38 (5) sentence 1 of the FDPA, arguing that measures can be issued from the date that future violations of data protection laws can be inferred.Continue Reading First judgment on GDPR by German administrative court
Upcoming first annual review of the EU-U.S. Privacy Shield
During the week of 18 September 2017, the European Commission and the Article 29 Working Party (“WP29”) will undertake the first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). The meetings will take place in the United States. As for the U.S. side, the U.S. Department of Commerce will conduct the review, and it is likely that, among others, the U.S. Department of State and the U.S. Department of Justice will participate.
The EU-U.S. Privacy Shield mechanism
EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. On 6 October 2015, the European Court of Justice (“CJEU”) invalidated the “Safe Harbour” decision by the European Commission, the predecessor to the Privacy Shield, in its Schrems v Data Protection Commissioner (Ireland) judgment (“Schrems Judgment”). By decision of 12 July 2016, the European Commission adopted a new transfer mechanism: the EU-U.S. Privacy Shield (“Adequacy Decision”).
Certified organisations
On a voluntarily basis, U.S. organisations can register for a self-certification to the U.S. Department of Commerce, and publicly assure to comply with the requirements under the Privacy Shield. A list of the certified organisations can be found here.
While about 5,500 organisations had signed up to Safe Harbour, about 2,500 organisations, including many large organisations, have already self-certified to the Privacy Shield in its first year. Apart from that, organisations still consider EU Model Clauses, as well as Binding Corporate Rules, as a good alternative to the Privacy Shield.Continue Reading Upcoming first annual review of the EU-U.S. Privacy Shield