Posted in RegulatoryThe European Banking Authority (EBA) issued its revised Guidelines on Outsourcing arrangements (Guidelines) at the end of Feb 2019. The revised guidelines are the first wholesale update since 2006 when the guidelines applied exclusively to credit institutions. They now apply to a broader range of in-scope financial institutions (FIs).
To review the full article on our FinTech Update blog, click here.
Posted in RegulatoryThe Dutch Data Protection Authority (DPA) released its GDPR fining policy on 14 March 2019, becoming the first EU Member State supervisory authority to set out a structure for calculating administrative fines for failing to comply with the GDPR.
Four categories of fines plus an aggravating category
The legal maximum monetary fine that can be imposed on a party breaching the GDPR is €20 million or up to 4 per cent of the company’s worldwide annual turnover, whichever amount is higher. In view of this broad (and very high) ceiling, the Dutch DPA has taken a step forward to categorise violations of the GDPR into four tiers of fines. According to their fining policy, the category of fine is determined by the nature, seriousness and duration of the violation, as well as the number of individuals involved in or affected by the breached obligation.
Each of the four penalty categories sets a minimum amount for the fine, which can then be increased or decreased on a case-by-case basis:
Posted in RegulatoryThe Ninth U.S. Circuit Court of Appeals majority opinion, reversed the grant of summary by the District Court that a loan owner could be liable for its debt collectors’ tactics that violate the TCPA, effectively closing the window on creditors using a No Vicarious Liability defense for claims arising from its debt collectors. The dissent contended that no agency existed between the loan owner and the third-party debt collectors, and held that the majority is inappropriately legislating a strict liability provision into the TCPA from the bench. Whether an agency relationship exists to establish vicarious liability remains a fact intensive inquiry. As such, extra care needs to be taken to ensure that an entity does not engage in conduct that may be construed as ratification of a wrongful conduct by a third party.
To review the full article, click here.
Posted in RegulatoryOn 1 April 2019, the Protection from Online Falsehoods and Manipulation Bill was tabled in Singapore’s Parliament.
The bill aims to stem the communication of false statements of fact, enable the detection and control of information manipulation, and promote the transparency of online political advertisements.
Any person or organisation that spreads online falsehoods with malicious intent to harm the public interest in Singapore could face a fine of up to SGD 500,000 or, in the case of an individual, a five-year imprisonment term.
Such a statement would be considered harm to the public interest if its communication is likely to prejudice Singapore’s security, public health and safety, or foreign relations or to influence election results, incite hatred, or diminish public confidence in the performance of any public function.
Posted in RegulatoryThe Information Commissioner’s Office (ICO) is inviting organisations to help develop a framework for future auditing of artificial intelligence (AI).
A team from the ICO’s Technology Policy and Innovation Directorate will develop the framework. The framework is intended to help regulators ensure AI applications are transparent, fair and appropriately risk assessed.
As well as the invitation, the ICO has established a blog site where it will provide updates on its thinking about development of the framework.
Posted in In the Courts, Privacy & Data ProtectionProcedural laws and principles contain a clear concept regarding which party must present and prove what information in court proceedings. Claimants in employment proceedings currently try to use the right to access of data subjects under Article 15 GDPR to shake this concept up.
Judgment of the Higher Labour Court of Baden-Württemberg
On 20 December 2018, the Higher Labour Court of Baden-Württemberg (Landesarbeitsgericht Baden-Wuerttemberg – “LAG”) had to decide on the scope and exceptions of the data subjects’ access right (docket no. 17 Ca 4075/17). The decision was part of a lawsuit against unfair dismissal, made by a former employee against their former employer.
The LAG acknowledged the rights to obtain (i) general information about the employees’ personal data processed by the employer (Article 15(1) GDPR) as well as (ii) a copy of that data (Article 15(3) GDPR). According to the LAG, the copy under Article 15(3) GDPR comprises any of the employee’s personal data processed, including any correspondence, as well as performance and conduct data, even if such personal data was not stored in the employee’s employment file.
In the case at issue, the employer conducted internal investigations regarding operational misconduct of its employees and guaranteed its whistleblowers not to disclose their identity. It was, thus, crucial if the access right under Article 15(3) GDPR was restricted based on the rights and freedoms of others (Article 15(4) GDPR). The LAG supports the view that it may constitute a legitimate interest in the secrecy of the source of information if the employer has assured anonymity to its whistleblowers. However, the LAG emphasises that Article 15(4) GDPR may restrict the access request only to the extent that this is necessary to protect third parties’ secrecy interests, subject to balancing of interests test. The LAG took the view that it is not sufficient to make a general reference to the need for protection of whistleblowers. Instead, the LAG requires that the employer names the particular personal data of the employee to which the alleged third parties’ secrecy interests refer. The LAG held that it is necessary to name the related facts, the incident, the topic in terms of time and locality, and the acting persons in that regard.
Posted in Information GovernanceThe UK Centre for Data Ethics and Innovation (CDEI) released its 2019/20 Work Programme and Two-year strategy to enhance the benefits of data and Artificial Intelligence (AI) for the UK society and economy on 20 March 2019.
What’s in scope?
CDEI is an advisory body founded by the UK government and is led by an independent board of experts. For the next two years, CDEI plans to shape a policy, regulatory and cultural environment in the UK that promotes constructive and ethical innovation in data and AI-driven technology. CDEI benefits from a prime spot to use the know-how and expertise of the UK, a country recognised as a global leader in data-enabled technology.
Under its two-year strategy, CDEI’s main objectives are to:
a. Promote policy and governance that enables data-driven technology to improve people’s lives;
b. Ensure the public’s views inform the governance of data-driven technology;
c. Ensure the governance of data-driven technology can safely support its rapid development (this means not only addressing issues from recent years but also continuing to be alert to emerging problems); and
d. Foster effective partnerships between civil society, government, research organisations and industry players.
On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes:
Cookie consent
Article 4(11) of the General Data Protection Regulation (“GDPR”) defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The AG stated that there was no active consent in this instance because the Cookie Checkbox was pre-ticked. It is not sufficient to be considered active consent if the user must object (by un-ticking the checkbox) to the use of cookies.
Posted in Privacy & Data ProtectionThe European Data Protection Board (EDPB) published an opinion (Opinion) on the interplay between the ePrivacy Directive (Directive 2002/58/EC) and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The Opinion responds to questions submitted by the Belgian data protection authority, specifically:
The EDPB also provided more general guidance on the interplay between the ePrivacy Directive and GDPR. This blog sets out key takeaways of the Opinion.
Posted in Privacy & Data ProtectionOn 12 March 2019, the European Parliament issued its first position on the text proposed by the European Commission for a Regulation of the European Parliament and of the Council on ENISA (the European Union Agency for Network and Information Security), also known as the EU Cybersecurity Act.
Initiatives to build strong EU-wide cybersecurity
The EU Cybersecurity Act was proposed in 2017 to:
i) Provide a permanent mandate for ENISA (to replace its limited mandate that would have expired in 2020);
ii) Allocate more resources to ENISA to enable it to fulfil its goals; and
iii) Establish an EU framework for cybersecurity certification for products, processes and services that will be valid throughout the EU.
The European Parliament, Council and Commission reached an informal trialogue agreement on the proposal of the EU Cybersecurity Act in December last year. Now that the European Parliament adopted its first-reading position, it is expected that the European Council will adopt the proposed Regulation without further amendments. The Regulation will then be published into the EU Official Journal and will enter into force 20 days following that publication.
