The government has released a Statement of Intent (“the Statement”) for a new Data Protection Bill (“the Bill”). The Bill was originally announced in the Queen’s Speech earlier this year (see our previous blog on this). This Statement provides further detail on the government’s proposed reforms to data protection laws in the UK. The Bill … Continue Reading
In the past few years, we have seen an uptick in agencies beginning to focus on the cybersecurity readiness and response of organizations subject to their jurisdiction. The U.S. Securities and Exchange Commission (SEC), for example, has identified cybersecurity as a top priority for many years. This past June, the SEC named Stephanie Avakian and … Continue Reading
The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. Fines are hanging like a Sword of Damocles over the organizations that are getting ready for GDPR, since the upper limits of fines have been increased substantially. For example, German DPAs can currently … Continue Reading
The House of Lords EU Home Affairs Sub-Committee (“the Committee”) has published a report on the EU Data Protection Package and the impact of Brexit (“the Report”). The Report considers the implications of the UK’s exit from the EU for cross-border data transfers, and for UK data protection policy more generally. The Report looks at … Continue Reading
In the Opinion 1/15 of 26 July 2017 (“Opinion”), the Court of Justice of the European Union (“CJEU”) held that the proposed agreement between the EU and Canada on the transfer and processing of Passenger Name Record (“PNR”) data may not be concluded in its current form. The Opinion is available here. The CJEU said that … Continue Reading
The Bavarian Data Protection Authority (“Bavarian DPA”) has published an English-language version of a GDPR implementation audit questionnaire (“Questionnaire”). The Questionnaire is available here. The Questionnaire has been previously released in German. Content of the Questionnaire The Questionnaire includes questions on six topics: Structure and responsibility in the company • For example, is there awareness … Continue Reading
The Information Commissioner’s Office (“ICO”) has released its International Strategy 2017-2021 (“Strategy”). The Strategy supports its Information Rights Strategic Plan, which we reported on earlier this year. The first part of the Strategy refers to the challenges and priorities for the next five years, particularly in light of changes brought about by the General Data … Continue Reading
The ICO recently published its Information Rights Strategic Plan for 2017 – 2021 (the ‘Plan’). Within it, the ICO Commissioner, Elizabeth Denham, asserts that we are on the “edge of a new frontier,” and that the data protection landscape is about to be reshaped by the “game changing” General Data Protection Regulation (the ‘GDPR’). Noting … Continue Reading
As part of its GDPR Implementation Project, the Centre for Information Policy Leadership (‘CIPL’) has released a discussion paper on certifications, seals and marks. The paper stresses the benefits of certifications that can be adapted to different companies and contexts, all while retaining common cross-border baselines. As no such measure is currently in place ahead … Continue Reading
“A year from now, the European Union will start benefiting from the new data protection standards.” This week, the European Commission’s most senior voices gave an official statement promoting the benefits of the new General Data Protection Regulation (GDPR). Andrus Ansip (Vice-President) and Věra Jourová (Commissioner) of the European Commission aimed their statement at all … Continue Reading
The Council of the European Union (“Council”) has predicted that the ePrivacy Regulation will not come into force by 25 May 2018. The ePrivacy Directive (Directive 2002/58/EC) will, therefore, continue to apply. The new ePrivacy Regulation The new European data protection regime will enter into force in about one year. The General Data Protection Regulation … Continue Reading
For organisations with data flows between the United States and Switzerland, it is now possible to self-certify into the Swiss-U.S. Privacy Shield Framework. This process became available on 12 April 2017. The Swiss-U.S. Privacy Shield will operate in a substantially similar way to the EU-U.S. Privacy Shield. There are, however, key differences, including: (1) the … Continue Reading
Yesterday, the German Parliament (Bundestag) passed a new Data Protection Act (Datenschutz-Anpassungs-und-Umsetzungsgesetz EU – DSAnpUG-EU; the Act), despite major criticism. The Act is available online in German here. The Act shall adjust the current German data protection laws with the requirements of the General Data Protection Regulation (GDPR), and replace the current Federal Data Protection … Continue Reading
Although considered burdensome by some, data protection impact assessments (DPIAs) help controllers assess any data protection implications of their processing operations, with the added benefit of demonstrating compliance with the EU General Data Protection Regulation (GDPR). The Article 29 Working Party (WP29) recently published Guidelines on DPIAs and on determining whether processing is “likely to … Continue Reading
Information Commissioner Elizabeth Denham has recently given some valuable insights into the Information Commissioner’s Office’s (ICO) General Data Protection Regulation (“GDPR”) strategy. Addressing the House of Lords EU Home Affairs Sub-Committee, she made clear that numerous pressures face the ICO as a result of the substantial workload created by the GDPR. Commissioner Denham emphasised that … Continue Reading
As the European data protection framework evolves, big data remains a hot topic. Often, what makes up these large data sets is personal data, so it has clear data protection implications. The Information Commissioner’s Office (“ICO”) has therefore issued guidance on “Big data, artificial intelligence, machine learning and data protection.” This recent guidance provides helpful emphasis … Continue Reading
In the recent case of Prince Moulay Hicham v Elaph Publishing Limited, the Court of Appeal held in a unanimous decision that a claimant could include an action under the UK Data Protection Act 1998 (‘DPA’) as an alternative means of redress. To read our full client alert in relation to this judgment, please click … Continue Reading
The EU-U.S. Privacy Shield has come under scrutiny once again after 17 civil society organisations (the Coalition) sent a letter to the European Commissioner for Justice and Consumers. The 28 February 2017 letter raises the issue as to the breadth of Section 702 of the FISA (Foreign Intelligence Surveillance Act) Amendments Act (FAA), which provides … Continue Reading
On 1 March 2017, the UK government published its Digital Strategy (“Strategy”) for a “world-leading digital economy that works for everyone.”. The Strategy contains a number of statements that bring some certainty to the direction of regulation in the UK following its withdrawal from the European Union. Unlocking the data economy The Strategy notes the … Continue Reading
On 3 March 2017, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht – “DPA”) issued a 160-page 7th activity report (Tätigkeitsbericht), covering years 2015 and 2016. The activity report has been accompanied by a press release of the same date. Background In Germany, Data Protection Authorities are obliged to regularly, at least every two years, issue … Continue Reading
In January, the UK government confirmed that it will be implementing the EU’s Network and Information Security Directive (NIS Directive) regardless of Brexit. EU countries have until 9 May 2018 to implement the Directive into their national laws. Given Brexit, the UK government confirmed in its Cyber Security Regulation and Incentives Review that details of the … Continue Reading
At the beginning of February, the Minister of State responsible for digital and culture policy, Matt Hancock, reaffirmed the UK’s commitment to implementing legislation mirroring the General Data Protection Regulation (GDPR), and ensuring the uninterrupted flow of personal data between the UK and EU post Brexit. Reaffirmed Commitment to the GDPR… Continue Reading
In early January, the Article 29 Working Party (WP29) adopted its 2017 Action Plan (Action Plan) on the implementation of the General Data Protection Regulation (GDPR). Amongst the actions proposed, the Action Plan provides a list of guidelines to be published throughout the year; which are set to cover:… Continue Reading
The EU Commission recently launched a Public consultation on Building the European data economy. The objective behind the consultation is to feed into the Commission’s future policy agenda on the European data economy in 2017. The data economy In its Communication entitled “Building a European Data Economy,” the Commission has re-identified (from its 2012 Communication) … Continue Reading
