Archives: Regulatory

Subscribe to Regulatory RSS Feed

The ICO’s take on explaining AI

The Information Commissioner’s Office (ICO) and the Alan Turing Institute have recently released an interim report (Report) outlining their approach to best practices in explaining artificial intelligence (AI) to users. The Report is of particular relevance to operators of AI systems who may be considering their duties under the General Data Protection Regulation 2016/679 (GDPR). In … Continue Reading

Get your Update on IT & Data Protection Law in our Newsletter (Spring 2019 Edition)

The Spring 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. We provide updates on cookies and tracking tools, Facebook fan pages, fines under GDPR, influencer marketing, email encryption, platform provider obligations, framing, the new German Trade Secrets Act, and more. The newsletter also includes multiple … Continue Reading

EDPB completes guidelines on codes of conduct, certification and accreditation of certification bodies

At its eleventh plenary session on 4 June 2019 in Brussels, the European Data Protection Board (EDPB) adopted final versions of (1) the Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679, (2) annex 2 to the Guidelines on certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 … Continue Reading

First sanction decision rendered by the CNIL regarding data breaches worth almost 1 per cent of the company’s yearly turnover: the era of tolerance seems to be over

By a new decision of sanction rendered on 28 May 2019, the French data protection authority Commission nationale de l’informatique et des libertés (CNIL) imposed a €400,000 fine on French property management company Sergic for failure to comply with its obligation to maintain the security of and to limit the storage of personal data. This … Continue Reading

60% of British adults and 80% of young teenagers suffered harm online in the last 12 months – the UK debate about the need to regulate the internet continues apace

Britain’s data protection and broadcasting regulators, the Information Commissioner’s Office and Ofcom, have published a joint Report looking into internet users’ concerns about online harms. The British government’s recently published White Paper, which outlined its approach for regulating the internet to tackle online harms, was informed by this Report. Methodology Over 3,000 interviews were conducted … Continue Reading

Regulating UK digital services – the British government shares its thoughts

The UK government recently published its response (Government Response) to a House of Lords committee report (Committee Report) discussing prospective regulation of digital services facilitated by the internet. The Government Response largely accepts the key recommendations of the Committee Report, and finds the Committee Report is closely aligned with the government’s preferred approach. The Government … Continue Reading

UK Jurisdiction Taskforce consultation on cryptoassets, distributed ledger technology and smart contracts

The UK Jurisdiction Taskforce (UKJT) recently published a consultation paper requesting submissions from stakeholders working with, or interested in, cryptoassets, distributed ledger technology (DLT) and smart contracts. Submissions will inform a legal statement by UKJT which will aim to settle questions on the legal status of cryptoassets and smart contracts. UKJT is drawn from industry, … Continue Reading

One year of GDPR – lessons learned by the ICO

The Information Commissioner’s Office (ICO) has published its update reflecting on its GDPR experience over the past year and its upcoming priorities to stay relevant, foster innovation and maintain its position as an “influential regulator on the national and international stage”. Supporting the public, DPOs, SMEs and other organisations The first year of the GDPR … Continue Reading

FCA and PRA jointly fine Raphaels Bank for outsourcing failure

R. Raphael & Sons plc (Raphaels) has received fines totalling £1,887,252 from the FCA and PRA for repeated failings in relation to inadequate systems and controls supporting the oversight and governance of its outsourcing arrangements. Raphaels outsourced certain functions that supported payment services for its prepaid and charge card programmes in the UK and Europe … Continue Reading

FERC requests comments on proposed new CIP Reliability Standard regulating the transmission of data between control centers

On April 18, 2019, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) requesting comments on proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-012-1. As written, CIP-012-1 will require responsible entities to implement controls to protect communication links and data transmissions in an effort to mitigate cybersecurity risks to communications between … Continue Reading

New OCR fact sheet clarifies HIPAA liability for business associates

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a fact sheet clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. The fact sheet outlines 10 specific circumstances for which OCR has authority to take enforcement … Continue Reading

One year of GDPR – How have EU member states implemented and enforced the new data protection regime?

The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions. Local implementation efforts Although the … Continue Reading

Council of Europe publish recommendations for the regulation of AI to protect human rights

The Council of Europe Commissioner for Human Rights has recently published recommendations for improving compliance with human rights regulations by parties developing, deploying or implementing artificial intelligence (AI). The recommendations are addressed to Member States. The principles concern stakeholders who significantly influence the development and implementation of an AI system. The Commissioner has focussed on … Continue Reading

OCR releases new FAQs on use of health apps

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of Health Insurance Portability and Accountability Act (HIPAA) FAQs  building upon prior guidance from OCR. The new FAQs discuss the applicability of HIPAA to covered entities and business associates that interact with health apps and explain when HIPAA regulated … Continue Reading

Is 2019 the year for GDPR certification and codes of conduct?

The UK’s Information Commissioner’s Office (ICO) has published new guidance on certification and codes of conduct for data processing as well as expected timetables for finalising its revised guidelines on these topics. Certification Certification is a voluntary mechanism for organisations to validate their compliance with the General Data Protection Regulation 2016/679 (GDPR). Once the submissions … Continue Reading

CDEI calls for evidence to inform its review of online targeting and bias in algorithmic decision making

The Centre for Data Ethics and Innovation (CDEI) is inviting submissions to help inform its review of online targeting and bias in algorithmic decision making. Online targeting Online targeting refers to providing individuals with relevant and engaging content, products, and services. Typically users experience targeting in the form of online advertising or personalised social media … Continue Reading

Final guideline for Internet personal information protection published by Chinese Ministry of Public Security

After soliciting public comments since last November, the Chinese Ministry of Public Security (MPS) published the finalized Guideline for Internet Personal Information Security Protection (Guideline) on April 10, 2019. The Guideline applies to Personal Information Holders, defined as entities or individuals that “control and process personal information” through their provision of services using the Internet, … Continue Reading

The Highest French administrative Court slightly reduces the amount of a penalty imposed by the CNIL: is this the tip of the iceberg ?

A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euros penalty to the company Optical Center for failure to secure personal data on its website – where a breach occurred, allowing access to invoices and purchases orders containing personal and sensitive data of customers. Further to Optical Center’s … Continue Reading

Trade Secrets Act now a national law in Germany

On April 26, the Geschäftsgeheimnisgesetz (Trade Secrets Act, “Act”) came into effect. It took Germany over a year from the implementation deadline to transpose the Trade Secrets Directive (“Directive”) into national law. The Act replaces the provisions of the Unfair Competition Act on misappropriation of trade secrets and introduces new procedural rules for trade secret … Continue Reading

UK government consultation on the Internet of Things

The UK government has recently published an invitation to take part in its consultation on proposals for the regulation of the Internet of Things (IoT). The consultation, to be run by the Department for Digital, Culture, Media and Sport, seeks input into future regulation aimed at improving IoT security. This invitation follows the recent publication … Continue Reading

HHS reexamines prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s penalty structure

The U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”) on April 26, 2019, confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. Effective immediately, the maximum penalty that the HHS … Continue Reading

An interview with Vermont Attorney General T.J. Donovan

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Aaron Lancaster and Divonne Smoyer’s and Q&A with Vermont Attorney General T.J. Donovan. As attorney general, he has taken an active role in advocating for consumers’ rights with respect to privacy and data security by … Continue Reading

German DPAs publish resolution on concept of ‘broad consent’ and the interpretation of “certain areas of scientific research”

On 3 April 2019, the Conference of German Data Protection Authorities (‘German DPAs’) published a resolution on the interpretation of “certain areas of scientific research” in Recital 33 of the GDPR and the concept of ‘broad consent’ (‘Resolution’). According to Recital 33 of the GDPR, it “is often not possible to fully identify the purpose … Continue Reading
LexBlog