Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends. We cover product and technology development to operational and compliance issues that technology practitioners encounter every day.
On this channel, we host regular discussions about the legal and business issues around data protection, privacy and security; data…
On April 21, 2021, a draft proposed European regulation on artificial intelligence (AI) (Regulation) was released following the European Commission’s white paper “On Artificial Intelligence – A European approach to excellence and trust”, published in February 2020. The regulation shows that the European Union is seeking to establish a legal framework for AI by laying…
In its 2020 session, the Swiss Parliament passed the revised Federal Data Protection Act (FADP), which should come into force in the second half of 2022. The Swiss supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), has published a document outlining the important amendments, which is available here.
The revised FADP (revFADP) covers data protection of natural persons only and includes new definitions for genetic and biometric data, much like the GDPR. The revFADP also incorporates the principles of privacy by design (data protection through technology design) and by default. The FDPIC emphasises that such mechanisms should be “through the use of customer-friendly” programmes that aid data protection.
Continue Reading Swiss authority’s summary of its GDPR-like revised federal law
On March 12, 2021, the French Council of State (Conseil d’Etat), the highest French administrative court, handed down a ruling (ordonnance des référés) allowing Doctolib, a company in charge of booking COVID-19 vaccination appointments, to rely on a U.S.-based health data host.
In the present case, the servers of Doctolib – whose platform had been entrusted by the French government for booking COVID-19 vaccinations – were hosted by the Luxembourg subsidiary of AWS, a U.S. company. Specifically, in this case, the AWS data was stored in data centers located in the European Union (specifically, in France and Germany).
The French government’s decision to use a platform hosted by the subsidiary of a U.S.-based company raised significant concerns among French associations and trade unions because of the Schrems II decision rendered by the Court of Justice of the European Union (CJEU July 16, 2020, Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems), which shed light on the risks that U.S. surveillance laws might pose to data subjects in the event of access requests by U.S. agencies.
Continue Reading Aftermath of Schrems II decision in France: The French Council of State provides significant clarification on the U.S. based data host to provide services in the French health care sector
The German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz – TTDSG, available here) on February 10, 2021. The TTDSG, among other things, provides new rules on cookies and similar technologies (Cookies), introducing only two categories of Cookies: (1) strictly necessary Cookies and (2) consent-based Cookies. The legal basis of legitimate interests cannot be relied upon for Cookies anymore. Germany will be the last member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law – almost a decade after the deadline passed, and ignoring the extensive discussions on the Cookie provisions in the ePrivacy Regulation (and particularly the exceptions from the consent requirement).
Continue Reading A new recipe for Cookies – The new German Telecommunications and Telemedia Data Protection Act
The Winter 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
In this edition we cover the following topics:
…
On 19 January 2021, the Information Commissioner’s Office (ICO), published a letter dated 11 September 2020, available here, explaining that personal data transfers from UK based companies to the Securities and Exchange Commission (SEC) for the purposes of regulatory compliance may be permitted under the General Data Protection Regulation (GDPR).
Background
Firms regulated by the SEC must fulfil requests for documentation made by the SEC and make their books, records or documents available for inspection, to ensure compliance with U.S. federal securities laws, rules and regulations. This calls for the production of information, documentation, and other records, which may include personal data and special category personal data.Continue Reading The ICO offers guidance on personal data transfers to the SEC
The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that…
With the end of the Brexit transition period quickly approaching on 31 December 2020, the future of international data transfers between the UK and the European Union (EU) and European Economic Area (EEA) remains somewhat unclear.
As background, Article 44 of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the EU/EEA to recipients in jurisdictions outside the EU/EEA, unless specific conditions are met. One such condition under the GDPR is an “adequacy decision” granted by the European Commission. If a third country is deemed adequate by the European Commission, the personal data can be transferred to that country without any additional safeguards being required.Continue Reading The UK is preparing its adequacy decisions post Brexit
On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here).
The current SCCs were adopted by the Commission before the GDPR came into force. The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will repeal the current SCCs. Data controllers and processors alike will therefore need to re-paper their agreements.
The main changes introduced by the draft SCCs are summarised below.Continue Reading European Commission releases draft updated standard contractual clauses
