Archives: Regulatory


Evaluation of the GDPR – The German supervisory authorities weigh in

The German Data Protection Authorities (German DPAs) released a “Report on the Experience Gained in the Implementation of the GDPR”, which was adopted at their conference on November 6, 2019 (Report; available in German here and English here). In this blog, we summarize the key issues that the German DPAs have raised in the Report. … Continue Reading

An FAQ guide to data breach notifications in Singapore

Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach. As further guidance and details on … Continue Reading

ENISA releases report detailing security guidelines for Internet of Things

On 19 November 2019, the European Union Agency for Network and Information Security (ENISA) released its report ‘Good practices for security of Internet of Things (IoT)’ (Report), providing a comprehensive analysis of security concerns surrounding IoT, secure Software Development Life Cycle (sSDLC) principles, and setting out best practices. Below, we highlight some of the key … Continue Reading

Get your Update on IT & Data Protection Law in our Newsletter (Winter 2019 Edition)

The Winter 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version; German version. In this edition we cover the following topics: ECJ decision on the use of cookies (“Planet49”) does not provide clarity; ECJ: Global take-down duties of hosting providers; ECJ on the territorial … Continue Reading

How to respond to data breaches and cyber attacks

As part of Reed Smith’s webinar series on crisis management, on Wednesday 6 November 2019, partners Tom Webley, Philip Thomas and John M. McIntyre delivered a webinar to clients on data breaches, cyber attacks, and potential responses to such incidents. Our recent client alert focuses on the key themes arising out of the webinar and … Continue Reading

ICO consultation on draft guidance on the right of access

On 4 December 2019, the Information Commissioner’s Office (ICO) published draft guidance on data subject access requests (DSARs) (Guidance). This updated Guidance comes just 18 months after the current version was first published in April 2018. Previously, in June 2019, the ICO (here) criticised the Metropolitan Police for its handling of DSARs. The ICO also … Continue Reading

The USTR responds to French Digital Services Tax with large tariff proposal

In response to France’s Digital Services Tax (DST), the Office of the U.S. Trade Representative (USTR) proposed additional ad valorem duties of up to 100 percent on certain products from France. The USTR issued a Section 301 Investigation Report on the DST, concluding that the DST discriminates against U.S. companies, is inconsistent with prevailing principles … Continue Reading

ENISA launches security mapping tool

The European Union Agency for Cybersecurity (ENISA) has been supporting the European Union (EU) Member States in developing, implementing and evaluating their cyber security strategies. Since 2012 and as part of this support, ENISA has been developing tools, studies and guidelines to help EU Member States build on their national cyber security strategies. The latest … Continue Reading

The EBA releases its final ‘Guidelines on ICT and security risk management’ report

Last week (28 November 2019), the European Banking Authority (EBA) released the final version of its report entitled ‘EBA Guidelines on ICT and security risk management’ (the Guidelines) (link here) on the mitigation and management of financial institutions’ (FIs) information and communication technology (ICT) and security risks. We highlight below some of the key takeaways. … Continue Reading

Updated ICO guidance on handling special category data

On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance (link here) for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on GDPR article 9 processing bases when processing special category personal data. Following this update from the ICO, organisations are reminded that they must have both … Continue Reading

Open banking: the Basel Committee on Banking Supervision has its say

On 19 November 2019, the Basel Committee on Banking Supervision (BCBS) published its report on open banking and its implications for banks and banking supervision. The report builds on the BCBS’ previous findings on open banking and application programming interfaces (APIs) in its 2018 report (“Sound practices on the implications of FinTech developments for banks … Continue Reading

EDPB adopts final version of guidelines on the territorial scope of the GDPR

On 12 November 2019, at its 15th plenary meeting, the European Data Protection Board (EDPB) adopted final guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines) following public consultation. We have previously considered the draft guidelines on our blog. The first of the two blogs considered the extra-territorial scope of … Continue Reading

German DPA releases findings of GDPR readiness audits of 50 organizations

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here). Summary of findings in the Report: We previously reported … Continue Reading

New requirements for Singapore banks to include provisions in service contracts on protection of customer data

On 4 November 2019, Singapore’s Parliament published a draft amendment to the Banking Act. Under the amendment, all banks will be required to evaluate the ability of their service providers (whether these be a branch or office, or an external party) to: (a) safeguard the confidentiality and integrity, and ensure the availability, of the banks’ … Continue Reading

EU–U.S. Privacy Shield: EU Commission issues its third annual review report

On 23 October 2019, the European Commission (the Commission) released its report on the third annual review of the functioning of the EU–U.S. Privacy Shield (Privacy Shield). The report summarises various improvements in the functioning of the framework, and further ‘concrete steps’ that need to be taken to ensure its continued effectiveness. Background: The Commission’s … Continue Reading

AI Auditing Framework: data protection impact assessment

In March 2019, the Information Commissioner’s Office (ICO) released a Call for Input on developing the ICO’s framework for artificial intelligence (AI). The ICO simultaneously launched its AI Auditing Framework blog to provide updates on the development of the framework and encourage organisations to engage on this topic with the ICO. On 23 October 2019, … Continue Reading

At odds no more: can regulatory collaboration bring innovation and data privacy closer together?

In July 2019, the UK’s Financial Conduct Authority (FCA) held a week-long Global Anti-Money Laundering and Financial Crime TechSprint (FCA TechSprint) event. The FCA TechSprint looked at ways to effectively combat financial crime and money laundering within the financial services industry. On 16 October 2019, the Information Commissioner’s Office (ICO) released a blog (here) that … Continue Reading

IAB issues CCPA compliance framework for public comment

Given the vast challenges California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), poses for digital marketing, the Interactive Advertising Bureau (IAB) released for public comment a draft of its proposed Compliance Framework for Publishers & Technology Companies (the Framework) on October 22. “Selling” and CCPA challenges for digital. Those who have been … Continue Reading

Georgia Attorney General Chris Carr discusses his thoughts on breaches and federal law

Reed Smith IP, Tech & Data attorneys Divonne Smoyer and Alexis Cocco conducted an in-depth Q&A with Georgia Attorney General Chris Carr. During the Q&A, he discusses why he doesn’t mind that his state doesn’t have mandatory breach notification requirements and what he wants to see in a federal privacy law, should one come to … Continue Reading

Uncertainty hangs over the life sciences and healthcare industries in draft regulations of The California Consumer Privacy Act

On October 10th, the Attorney General of California, Xavier Becerra, delivered the highly anticipated text of the proposed California Consumer Privacy Act (CCPA) regulations. However, untouched and unexplained were the Health Insurance Portability and Accountability Act, California Medical Information Act, and clinical research exemptions. The industry has and will continue to grapple with these exemptions, which … Continue Reading

Implications for employers and the biometric landscape under New York’s expanded data security law

Over the past several years, legislators from coast to coast have increasingly made data privacy and cybersecurity top priorities. The result has been a spike in the number and stringency of laws that impose proactive and reactive responsibilities – covering, for instance, data security and breach notifications – on companies that collect personal information, whether … Continue Reading

Latin America to bolster data protection in a legal overhaul

The General Data Protection Regulation (GDPR) has prompted a series of legislative proposals in Latin American countries to update data protection regulations, many of which reflect the higher standards of the GDPR. With a large number of European and U.S. companies operating in the region, we look at some of the latest developments below. Argentina … Continue Reading

EDPB issues guidelines on the contractual lawful basis for processing for online services

The European Data Protection Board (EDPB) met for its fourteenth plenary session on 8 and 9 October 2019. One of the key developments was the adoption of the final version of its guidelines on the contractual lawful basis for the processing of personal data in the context of online services under Article 6(1)(b) of the … Continue Reading