European Banking Authority issues revised Guidelines on Outsourcing arrangements

The European Banking Authority (EBA) issued its revised Guidelines on Outsourcing arrangements (Guidelines) at the end of February 2019. The revised Guidelines are the first wholesale update since 2006, when the guidelines applied exclusively to credit institutions. They now apply to a broader range of in-scope financial institutions (FIs).

The full article is available on our FinTech Update blog.

Is the Dutch GDPR fining matrix setting the tone for the ICO’s future fining policy?

The Dutch Data Protection Authority (DPA) released its GDPR fining policy on 14 March 2019, becoming the first EU Member State supervisory authority to set out a structure for calculating administrative fines for failing to comply with the GDPR.

Four categories of fines plus an aggravating category

The legal maximum monetary fine that can be imposed on a party breaching the GDPR is €20 million or up to 4 per cent of the company’s worldwide annual turnover, whichever amount is higher. In view of this broad (and very high) ceiling, the Dutch DPA has taken a step forward to categorise violations of the GDPR into four tiers of fines. According to their fining policy, the category of fine is determined by the nature, seriousness and duration of the violation, as well as the number of individuals involved in or affected by the breached obligation.

Each of the four penalty categories sets a minimum amount for the fine, which can then be increased or decreased on a case-by-case basis:

  • Category I: between €0 and €200,000
  • Category II: between €120,000 and €500,000
  • Category III: between €300,000 and €725,000
  • Category IV: between €450,000 and €1 million.

TCPA violations of debt collectors could make the loan owner liable

In a majority opinion, the Ninth U.S. Circuit Court of Appeals reversed the District Court's grant of summary judgment, holding that a loan owner could be liable for its debt collectors' tactics that violate the TCPA, effectively closing the window on creditors relying on a "no vicarious liability" defense for claims arising from their debt collectors' conduct. The dissent contended that no agency relationship existed between the loan owner and the third-party debt collectors, and argued that the majority was inappropriately legislating a strict liability provision into the TCPA from the bench. Whether an agency relationship exists so as to establish vicarious liability remains a fact-intensive inquiry. As such, extra care needs to be taken to ensure that an entity does not engage in conduct that may be construed as ratification of wrongful conduct by a third party.

Singapore introduces new law to combat the spread of fake news

On 1 April 2019, the Protection from Online Falsehoods and Manipulation Bill was tabled in Singapore’s Parliament.

The bill aims to stem the communication of false statements of fact, enable the detection and control of information manipulation, and promote the transparency of online political advertisements.

Any person or organisation that spreads online falsehoods with malicious intent to harm the public interest in Singapore could face a fine of up to SGD 500,000 or, in the case of an individual, a five-year imprisonment term.

A statement would be considered harmful to the public interest if its communication is likely to prejudice Singapore's security, public health and safety, or foreign relations, or to influence election results, incite hatred, or diminish public confidence in the performance of any public function.

Involved in AI? The ICO wants to hear from you.

The Information Commissioner’s Office (ICO) is inviting organisations to help develop a framework for future auditing of artificial intelligence (AI).

A team from the ICO’s Technology Policy and Innovation Directorate will develop the framework. The framework is intended to help regulators ensure AI applications are transparent, fair and appropriately risk assessed.

Alongside the invitation, the ICO has set up a blog where it will provide updates on its thinking about the development of the framework.

How (not) to restrict GDPR access requests in employment proceedings – German court establishes high threshold

Procedural laws and principles contain a clear concept of which party must present and prove what information in court proceedings. Claimants in employment proceedings are now trying to use the data subject's right of access under Article 15 GDPR to shake this concept up.

Judgment of the Higher Labour Court of Baden-Württemberg

On 20 December 2018, the Higher Labour Court of Baden-Württemberg (Landesarbeitsgericht Baden-Wuerttemberg – "LAG") had to decide on the scope of, and exceptions to, the data subject's access right (docket no. 17 Ca 4075/17). The decision arose in an unfair-dismissal claim brought by a former employee against their former employer.

The LAG acknowledged the rights to obtain (i) general information about the employees’ personal data processed by the employer (Article 15(1) GDPR) as well as (ii) a copy of that data (Article 15(3) GDPR). According to the LAG, the copy under Article 15(3) GDPR comprises any of the employee’s personal data processed, including any correspondence, as well as performance and conduct data, even if such personal data was not stored in the employee’s employment file.

In the case at issue, the employer had conducted internal investigations into operational misconduct by its employees and had guaranteed its whistleblowers that their identity would not be disclosed. It was therefore crucial whether the access right under Article 15(3) GDPR was restricted on the basis of the rights and freedoms of others (Article 15(4) GDPR). The LAG supports the view that an employer's assurance of anonymity to its whistleblowers may constitute a legitimate interest in keeping the source of information secret. However, the LAG emphasises that Article 15(4) GDPR may restrict the access request only to the extent necessary to protect third parties' secrecy interests, subject to a balancing-of-interests test. The LAG took the view that a general reference to the need to protect whistleblowers is not sufficient. Instead, the LAG requires the employer to name the particular personal data of the employee to which the alleged third-party secrecy interests relate. The LAG held that the employer must name the related facts, the incident, the topic in terms of time and locality, and the persons acting in that regard.

UK’s two-year strategy to boost data and AI

On 20 March 2019, the UK Centre for Data Ethics and Innovation (CDEI) released its 2019/20 Work Programme and two-year strategy to enhance the benefits of data and artificial intelligence (AI) for UK society and the economy.

What’s in scope?

CDEI is an advisory body founded by the UK government and led by an independent board of experts. Over the next two years, CDEI plans to shape a policy, regulatory and cultural environment in the UK that promotes constructive and ethical innovation in data- and AI-driven technology. CDEI is well placed to draw on the know-how and expertise of the UK, a country recognised as a global leader in data-enabled technology.

Under its two-year strategy, CDEI’s main objectives are to:

a. Promote policy and governance that enables data-driven technology to improve people’s lives;

b. Ensure the public’s views inform the governance of data-driven technology;

c. Ensure the governance of data-driven technology can safely support its rapid development (this means not only addressing issues from recent years but also continuing to be alert to emerging problems); and

d. Foster effective partnerships between civil society, government, research organisations and industry players.

Planet49: Advocate General’s opinion on cookies and consent bundling

On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (“Marketing Checkbox”)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (“Cookie Checkbox”)

Cookie consent

Article 4(11) of the General Data Protection Regulation (“GDPR”) defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The AG stated that there was no active consent in this instance because the Cookie Checkbox was pre-ticked. Requiring the user to object to the use of cookies (by un-ticking the checkbox) is not sufficient to constitute active consent.

e-Privacy meets GDPR – the European Data Protection Board shines some light

The European Data Protection Board (EDPB) published an opinion (Opinion) on the interplay between the ePrivacy Directive (Directive 2002/58/EC) and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The Opinion responds to questions submitted by the Belgian data protection authority, specifically:

  1. whether data protection authorities (DPAs) are competent to regulate processing that triggers both GDPR and the ePrivacy Directive;
  2. whether DPAs should take the ePrivacy Directive (and/or its national implementing legislation) into account when exercising their powers under GDPR;
  3. whether the cooperation and consistency mechanisms should apply to processing that triggers both GDPR and the ePrivacy Directive; and
  4. the extent to which processing can be governed by provisions of both the ePrivacy Directive and GDPR.

The EDPB also provided more general guidance on the interplay between the ePrivacy Directive and GDPR. This blog sets out key takeaways of the Opinion.

The European Parliament adopts its first position on the proposed EU Cybersecurity Act

On 12 March 2019, the European Parliament issued its first position on the text proposed by the European Commission for a Regulation of the European Parliament and of the Council on ENISA (the European Union Agency for Network and Information Security), also known as the EU Cybersecurity Act.

Initiatives to build strong EU-wide cybersecurity

The EU Cybersecurity Act was proposed in 2017 to:

i) Provide a permanent mandate for ENISA (to replace its limited mandate that would have expired in 2020);

ii) Allocate more resources to ENISA to enable it to fulfil its goals; and

iii) Establish an EU framework for cybersecurity certification for products, processes and services that will be valid throughout the EU.

The European Parliament, Council and Commission reached an informal trilogue agreement on the proposed EU Cybersecurity Act in December 2018. Now that the European Parliament has adopted its first-reading position, the Council is expected to adopt the proposed Regulation without further amendments. The Regulation will then be published in the Official Journal of the European Union and will enter into force 20 days after that publication.