Archives: Regulatory

Subscribe to Regulatory RSS Feed

ENISA launches security mapping tool

The European Union Agency for Cybersecurity (ENISA) has been supporting the European Union (EU) Member States in developing, implementing and evaluating their cyber security strategies. Since 2012 and as part of this support, ENISA has been developing tools, studies and guidelines to help EU Member States build on their national cyber security strategies. The latest … Continue Reading

The EBA releases its final ‘Guidelines on ICT and security risk management’ report

Last week (28 November 2019), the European Banking Authority (EBA) released the final version of its report entitled ‘EBA Guidelines on ICT and security risk management’ (the Guidelines) (link here) on the mitigation and management of financial institutions’ (FIs) information and communication technology (ICT) and security risks. We highlight below some of the key takeaways. … Continue Reading

Updated ICO guidance on handling special category data

On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance (link here for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on GDPR article 9 processing bases when processing special category personal data. Following this update from the ICO, organisations are reminded that they must have both … Continue Reading

Open banking: the Basel Committee on Banking Supervision has its say

On 19 November 2019, the Basel Committee on Banking Supervision (BCBS) published its report on open banking and its implications for banks and banking supervision. The report builds on the BCBS’ previous findings on open banking and application programming interfaces (APIs) in its 2018 report (“Sound practices on the implications of FinTech developments for banks … Continue Reading

EDPB adopts final version of guidelines on the territorial scope of the GDPR

On 12 November 2019, at its 15th plenary meeting, the European Data Protection Board (EDPB) adopted final guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines) following public consultation. We have previously considered the draft guidelines on our blog. The first of the two blogs considered the extra-territorial scope of … Continue Reading

German DPA releases findings of GDPR readiness audits of 50 organizations

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here). Summary of findings in the Report We previously reported … Continue Reading

New requirements for Singapore banks to include provisions in service contracts on protection of customer data

On 4 November 2019, Singapore’s Parliament published a draft amendment to the Banking Act. Under the amendment, all banks will be required to evaluate the ability of their service providers (whether these be a branch or office, or an external party) to: (a) safeguard the confidentiality and integrity, and ensure the availability, of the banks’ … Continue Reading

EU–U.S. Privacy Shield: EU Commission issues its third annual review report

On 23 October 2019, the European Commission (the Commission) released its report on the third annual review of the functioning of the EU–U.S. Privacy Shield (Privacy Shield). The report summarises various improvements in the functioning of the framework, and further ‘concrete steps’ that need to be taken to ensure its continued effectiveness. Background The Commission’s … Continue Reading

AI Auditing Framework: data protection impact assessment

In March 2019, the Information Commissioner’s Office (ICO) released a Call for Input on developing the ICO’s framework for artificial intelligence (AI). The ICO simultaneously launched its AI Auditing Framework blog to provide updates on the development of the framework and encourage organisations to engage on this topic with the ICO. On 23 October 2019, … Continue Reading

At odds no more: can regulatory collaboration bring innovation and data privacy closer together?

In July 2019, the UK’s Financial Conduct Authority (FCA) held a week-long Global Anti-Money Laundering and Financial Crime TechSprint (FCA TechSprint) event. The FCA TechSprint looked at ways to effectively combat financial crime and money laundering within the financial services industry. On 16 October 2019, the Information Commissioner’s Office (ICO) released a blog (here) that … Continue Reading

IAB issues CCPA compliance framework for public comment

Given the vast challenges California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), poses for digital marketing, the Interactive Advertising Bureau (IAB) released for public comment a draft of its proposed Compliance Framework for Publishers & Technology Companies (the Framework) on October 22. “Selling” and CCPA challenges for digital. Those who have been … Continue Reading

Uncertainty hangs over the life sciences and healthcare industries in draft regulations of The California Consumer Privacy Act

On October 10th, the Attorney General of California, Xavier Becerra, delivered the highly anticipated text of the proposed California Consumer Privacy Act (CCPA) regulations. However, untouched and unexplained were the Health Insurance Portability and Accountability Act, California Medical Information Act, and clinical research exemptions. The industry has and will continue to grapple with these exemptions, which … Continue Reading

Implications for employers and the biometric landscape under New York’s expanded data security law

Over the past several years, legislators from coast to coast have increasingly made data privacy and cybersecurity top priorities. The result has been a spike in the number and stringency of laws that impose proactive and reactive responsibilities – covering, for instance, data security and breach notifications – on companies that collect personal information, whether … Continue Reading

Latin America to bolster data protection in a legal overhaul

The General Data Protection Regulation (GDPR) has prompted a series of legislative proposals in Latin American countries to update data protection regulations, many of which reflect the higher standards of the GDPR. With a large number of European and U.S. companies operating in the region, we look at some of the latest developments below. Argentina … Continue Reading

EDPB issues guidelines on the contractual lawful basis for processing for online services

The European Data Protection Board (EDPB) met for its fourteenth plenary session on 8 and 9 October 2019. One of the key developments was the adoption of the final version of its guidelines on the contractual lawful basis for the processing of personal data in the context of online services under Article 6(1)(b) of the … Continue Reading

Calculation of administrative fines under GDPR – standardized concept published in Germany

After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019. The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance … Continue Reading

Office of Administrative Law approves an adjustment to the covered electronic waste (CEW) recycling fee for covered electronic devices (CED)

The Office of Administrative Law approved an adjustment to the covered electronic waste (CEW) recycling fee for covered electronic devices (CED) on October 8, 2019. When a California consumer buys a CED – generally, any video display device with a screen larger than four inches – from a retailer, a CEW recycling fee is assessed. … Continue Reading

California attorney general issues draft CCPA regulations

On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with … Continue Reading

The e-Privacy Regulation saga rumbles on

The long-running e-Privacy Regulation saga continues. On 18 September 2019, the Council of the European Union (the Council) released proposed amendments to the draft regulation. We take a look at some of the proposals. Proposals The draft e-Privacy Regulation will replace the current Directive 2002/58/EC to “reinforce trust and security in the Digital Single Market”. … Continue Reading

A new California privacy initiative seeks to further bolster individual privacy rights

Another potentially groundbreaking California ballot initiative has been announced, just as companies began to digest and incorporate the amendments to the California Consumer Privacy Act (CCPA) into their compliance plans and learned the draft CCPA regulations will be issued by the California Attorney General in October. Last week, the primary advocate for and co-architect of … Continue Reading

Germany launches new, state-approved label for environmentally certified “Green Button” textiles (Grüner Knopf)

On 9 September 2019, the German Federal Ministry of Economic Cooperation and Development (Bundesministerium für wirtschaftliche Zusammenarbeit und Entwicklung – BMZ) introduced a new, state-regulated environmental label for “Green Button” (Grüner Knopf) certified textiles with a press release, available here. The BMZ also launched the official Green Button website, which is available in German at http://www.gruener-knopf.de/. … Continue Reading

Last minute amendments likely finalize CCPA language for January 1 deadline.

Late last week, the California legislature approved five bills intended to clarify the scope and required compliance obligations of the California Consumer Privacy Act (CCPA or the Act). Organizations now have just over three months to determine whether they need to comply with the newly amended CCPA, assess what their obligations are, and implement the … Continue Reading

Get your Update on IT & Data Protection Law in our Newsletter (Summer 2019 Edition)

The Summer 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version German version In this edition we cover the following topics: ECJ and GDPR: Another decision hitting social media activities by companies EDPB does not opt for changes to EU standard contractual clauses EU … Continue Reading

State attorneys general work with telecom giants to address robocalls

Robocalls: everyone receives one or two, but more likely dozens.  While some are helpful, most are annoying, and the worst can result in financial fraud.  While the FCC and Congress have been taking steps toward addressing the issue, state attorneys general (AGs) have taken the first major action to end unwanted robocalls.  On August 22, AGs … Continue Reading
LexBlog