The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation (see consultation here).
A recap of the current UK cybersecurity law: NIS Regulations
One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the EU Cybersecurity Directive 2016 prior to Brexit.
Under the NIS Regulations, businesses who provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSP) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident which has a significant impact on the continuity of the essential services.
The UK’s data protection regulator, the Information Commissioner’s Office (‘ICO’), has released draft guidance on the research provisions within the UK’s General Data Protection Regulation (‘UK GDPR’) and Data Protection Act (‘DPA’). The guidance is out for public consultation until 22 April 2022.
The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:
- Maintain and implement cybersecurity policies and procedures;
- Adopt new recordkeeping standards;
- Report significant cybersecurity incidents to the commission; and
- Disclose cybersecurity risks and incidents to clients and investors.
Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures, and (iii) mandate specific retention criteria, as described below.
The arrival of the new EU Standard Contractual Clauses (“EU SCCs”) for international transfers in June 2021 was widely awaited to better understand the new requirements to assess the third-country laws for government access to data prior to using the SCCs following the Court of Justice of the European Union’s (“CJEU”) decision on Schrems II. As a value add, the EU SCCs were updated to reflect the GDPR requirements and also enabled organisations to cover a wider range of data flows than their previous versions due to the addition of ‘processor-to-processor’ and ‘processor-to-controller’ scenarios. Binding Corporate Rules (“BCRs”), another transfer tool available under the EU General Data Protection Regulation (“GDPR”), have not yet been updated to reflect the same flexibility in reflecting the diversity of data flows and presently appear to be limited in use in comparison. It is expected that the European Data Protection Board (“EDPB”) will publish updated BCR requirements in 2022.
Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China.
Both the DSL and the PIPL require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority, or otherwise face significant penalties such as fines in the millions of dollars.
Litigants in the U.S. should be aware that the DSL and PIPL may impose significant costs and delays in the discovery process, and may be used to avoid turning over certain materials.
On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).
In a recent decision of December 19, 2021, case no. 1 BvR 1073/20 (published with an official press release dated February 2, 2022), the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG) set aside several judgments of the Berlin civil courts. The Berlin civil courts had denied the plaintiff, who alleges she was exposed to hate speech on a social network, the right to demand from the operator of the social network access to customer data, i.e., the full names of the users who had posted the content that the plaintiff considered to be hate speech. In the view of the BVerfG, the Berlin courts had failed to properly balance the parties’ interests and thereby had violated the plaintiff’s fundamental rights.