DPC’s authority to inquire into the EU-U.S. data transfers confirmed by the Irish High Court

On 14 May 2021, the Irish High Court (High Court) dismissed a legal challenge brought against the Irish Data Protection Commission (DPC) concerning its inquiry into, and its preliminary draft decision to suspend, the EU-U.S. transfers of personal data by an applicant organisation.

Background

These proceedings follow on from the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020, which upheld the use of Standard Contractual Clauses (SCCs) for data transfers to third countries. The decision clarified the obligation of controllers and processors to evaluate their ability to comply with the SCCs in the light of the local laws applicable to them before relying on the SCCs, and to take supplementary measures to eliminate any risk of non-compliance.

The DPC initiated its ‘own-volition’ inquiry into the applicant organisation’s EU-U.S. data transfers and adopted the preliminary draft decision (PDD), suspending personal data flows to the US due to the lack of an adequate level of protection for personal data transferred to the US and the applicant organisation’s failure to implement supplementary measures. The DPC gave the applicant organisation a 21-day period to make submissions to the DPC on the measures it plans to take to make the data transfers possible. The applicant organisation filed judicial review proceedings on a number of grounds. The court rejected the DPC’s submission that the PDD and its procedures were not amenable to judicial review, and reviewed each of the grounds that were raised.

Get the latest updates on our Tech Law Talks podcast

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends. We cover product and technology development to operational and compliance issues that technology practitioners encounter every day.

On this channel, we host regular discussions about the legal and business issues around data protection, privacy and security; data risk management; technology transactions; intellectual property; social media; and other types of information technology.

Banks navigate changing computer incident notification rules

Proposed cybersecurity rules from the OCC, FDIC and FRB affect banking organizations and bank service providers. In this panel discussion, three lawyers from Reed Smith’s Tech & Data practice – partner Anthony Diana, counsel Catherine Castaldo and associate Trevor Satnick – discuss specific impacts and describe what business leaders have to do to prepare. (7 mins)

EU: Navigating marketing communications in Europe

Leading Tech & Data lawyers Andy Splittgerber and Christian Leuthner discuss marketing consent in Europe in relation to data protection and spamming laws. Andy and Christian will guide you through the various issues involved and what you need to know. (13 mins)

EU: Cookies, tracking technologies and data protection

Join two of our Munich-based data protection team, Ramona Kimmich and Andy Splittgerber, as they outline the legal situation on the use of cookies in Germany and the EU. They discuss the current status of the EU ePrivacy Regulation and of Germany’s cookie law (TTDSG) and provide insight into the changes organizations operating websites in the EU need to make in 2021, if they want to use tracking technologies in compliance with data protection rules. (20 mins)

Technology transaction trends 2021

Sarah Bruno and LiLing Poh discuss recent trends as organizations invest more in technology through the acquisition of new platforms or programs, and through partnerships with vendors, to bring products to market. (20 mins)

EU: GDPR and Fines – First experiences and defence strategies

Join members of our tech and data team, Andy Splittgerber and Christian Leuthner, as they discuss the first fines levied under the EU’s data protection law three years after the EU General Data Protection Regulation went live. They take a look at recent developments and describe situations where it may be worth challenging the data privacy enforcers. Andy and Christian give valuable tips on what to do if the data protection authorities knock on your door. (7 mins)

Executive Order for cybersecurity creates new requirements for government contractors

In response to a number of recent high-profile cyber attacks aimed at federal agencies, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (EO) on May 12, 2021. The EO creates a new Cyber Safety Review Board to review major cyber incidents and requires information and communications technology (ICT) service providers entering into contracts with the government to report data breaches. Agencies are mandated to provide their recommendations to the FAR Council within 60 days of the order, after which the FAR Council will make its proposed changes to the Federal Acquisition Regulations (FAR) within another 90 days. Contractors should act swiftly to review and provide comments on the proposed changes as they are published, and to ensure that any concerns about complying with the new requirements are presented to those tasked with implementing this EO.

Our recent client alert summarizes the new Executive Order and provides recommendations for entities that will be impacted by these sweeping new requirements.

Recent report signals NIST may publish IoT cybersecurity standards

Although regulators seem to think all too often that cybersecurity is an afterthought for internet-connected device manufacturers, the National Institute of Standards and Technology (NIST) recognizes that as the Internet of Things (IoT) grows, so do cybersecurity risks. In March 2021, NIST published several key takeaways from a recent workshop that provide helpful guidance for IoT manufacturers so that they can be more proactive in securing IoT devices.


Processing personal data in the context of connected vehicles

Earlier this year, following its public consultation, the European Data Protection Board (EDPB) approved its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (here).

Why are these guidelines needed?

In the guidelines, the EDPB notes that “vehicles are becoming massive data hubs” and “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers”. Interestingly, the EDPB is also of the opinion that “[e]ven if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car.” To illustrate this latter point, the EDPB lists the following types of data that would fall within this category: speed, distance travelled, engine coolant temperature, engine RPM and tyre pressure. This is a broad interpretation of what constitutes ‘personal data’ under the General Data Protection Regulation (GDPR).

Some of the risks of processing personal data in the context of connected vehicles include:

  1. Not adequately informing all data subjects that their personal data is being processed. More often, it is only the driver or owner who is provided with the required transparency information;
  2. Ensuring that a data subject’s consent qualifies as valid consent under the GDPR – consent needs to be considered in the context of personal data processing under the GDPR and in relation to the ePrivacy Regulations as it is likely that information will be stored or accessed in terminal equipment;
  3. Legitimately handling any additional processing of personal data not contemplated by the initial collection e.g. for the purposes of law enforcement;
  4. Collecting excessive amounts of personal data due to the vehicle manufacturer’s desire to use such data to develop new functionality; and
  5. The increased security risks due to the number of different types of technology used in connected vehicles (e.g. wi-fi, USB, RFID).


NICE AI: A health data opportunity

The UK National Institute for Health and Care Excellence (NICE), along with the Care Quality Commission (CQC), Health Research Authority (HRA) and Medicines and Healthcare products Regulatory Agency (MHRA) have partnered to promote the use of artificial intelligence (AI) in health and care. The agencies are calling this initiative the “Multi-Agency Advisory Service for AI and data-driven technology”.

The project will be funded by the NHS AI Lab and NICE, CQC, HRA, and MHRA will work together with the aim of improving care quality for all by ensuring that the use of AI and other data-driven innovations meet high standards in safety, effectiveness and data governance. The Multi-Agency Advisory Service for AI will also address standards for individuals to get access in health and care by providing direction on regulation, evaluation and adoption.

The project will seek to make pathways easier to follow and set clearer expectations related to the challenges faced when developing, commissioning or adopting AI technologies. The Multi-Agency Advisory Service for AI will work together to research, develop and test a service, and will seek support and input from stakeholders and future service users.

The project expects to provide the service in two key areas:

  • Developers of AI and data-driven technologies for use in health and social care; and
  • Adopters of AI and data-driven technologies,

each of whom may benefit from assistance with regulatory issues and are looking to gain knowledge to efficiently adopt and deploy the best AI and data-driven technologies related to health and care.

The best part is that the agencies are looking for organisations to get involved. It’s possible to register to get involved in user research or testing.

A summary of the proposed European regulation on digital operational resilience

The European Commission is considering amending the existing rules for the financial sector regarding digital operational resilience, with a view to unifying and strengthening the legal framework in this area.

The proposed change to legislation would amend the existing Network and Information Security (NIS) Directive and create a new regulation on digital operational resilience, known as the Digital Operational Resilience Act (DORA). The new rules would extend to 20 types of regulated EU financial entities, including fintechs.

The adopted act is open for public feedback until 18 May 2021. All feedback received will be summarised by the European Commission and will be presented to the European Parliament and Council with the aim of feeding this into the legislative debate.

Our recent client alert available here examines the reasoning and objectives behind these proposed changes, as well as the new obligations under the proposed rules.

A summary of the obligations, scope and effect of the proposed European regulation on artificial intelligence

On April 21, 2021, a draft proposed European regulation on artificial intelligence (AI) (Regulation) was released following the European Commission’s white paper “On Artificial Intelligence – A European approach to excellence and trust”, published in February 2020. The regulation shows that the European Union is seeking to establish a legal framework for AI by laying down harmonized rules on AI and a coordinated plan with EU member states to strengthen AI uptake and innovation across the EU, whilst guaranteeing EU citizens’ rights and safety.

Our recent client alert takes a closer look at the proposed draft and discusses how it goes beyond the requirements of the GDPR.

ICO announces it is working on bespoke UK set of Standard Contractual Clauses

What is new?

During the ICO’s Data Protection Practitioners’ Conference 2021 today, the ICO revealed that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The ICO’s consultation on the new UK SCCs will take place this summer. This is a separate process from the new SCCs that are currently being finalised by the European Commission. Those new EU SCCs will not be valid for use for restricted transfers of data outside the UK.

Why is this change taking place?

From 31 December 2020 organisations in the UK have been relying on existing SCCs (Decisions 2001/497/EC and 2010/87/EU) for transfers of data outside the UK except where such territories are recognised as adequate (e.g. countries in the EU, the EEA, and those that obtained the EU Commission’s adequacy decision). However, the existing SCCs will be repealed when the new EU SCCs come into play. Therefore, the ICO is taking measures to put in place new international transfer mechanisms for restricted transfers outside the UK.


EDPB clarifies the application of the GDPR for scientific research

The European Data Protection Board (EDPB) released a document earlier this year in response to a request by the European Commission for clarifications on the application of the GDPR in the area of scientific health research, which you can read here. However, it is important to note that the EDPB is currently preparing guidelines on the processing of personal data for scientific research purposes, set to be released later this year, which will include further elaborations.

Legal basis for processing of health-related data for scientific research purposes

The European Commission posed a question to the EDPB concerning the appropriate legal bases to rely on when personal data is processed for scientific research purposes. The European Commission was particularly interested in understanding two main issues: the interaction of the GDPR legal bases with the requirement to obtain consent for clinical trials, and whether, given the requirement for certain legal bases to have a foundation in Member State or EU law, multiple legal bases could be relied upon by one controller for a single research project conducted across several Member States.

The EDPB’s response states that ethical standards which require informed consent for participation in scientific research can and must be differentiated from explicit consent for processing special categories of personal data. It clarifies that they are different concepts and that consent to conduct the clinical trial is not the same (and should not be held to the same standard) as consent for processing special categories of personal data.

Moreover, with regard to legal bases for scientific research, the EDPB noted that when a scientific research project is conducted in multiple Member States, it endorses the use of the same legal basis across all Member States for processing the personal data (including special category personal data) associated with the project. However, it recognised that, due to the requirement for an underlying Member State or EU law in relation to some of the legal bases (e.g. legal obligation (art. 6(1)(c)), reasons of public interest in the area of public health (art. 9(2)(i)) and scientific research (art. 9(2)(j))), this may not always be possible, and heterogeneous legal bases may be more appropriate.
