On 27 April 2017 the German Parliament passed the new Federal Data Protection Act (the Bundesdatenschutzgesetz or “new BDSG”) which from 25 May 2018 will replace the current German Data Protection Act. The new BDSG adapts German law in line with the EU’s new General Data Protection Regulation (the “GDPR”). The GDPR has direct effect in EU members states, but it allows member states to pass legislation which supplements the GDPR but is consistent with it.
On 6th April, 2017, the European Parliament adopted a resolution stating that there are deficiencies in the EU-US data transfer accord Privacy Shield which must be “urgently resolved” in order to give citizens and companies legal certainty. MEPs called on the EU Commission to conduct an assessment and to ensure that the Privacy Shield complies sufficiently with the EU Charter of Fundamental Rights and new EU data protection rules. (more…)
On February 2, the Italian Data Protection Authority, known as the “Garante,” imposed a fine of EUR 5,880,000 on a UK money transfer company that it found to be in violation of Italian data privacy rules. This is the largest ever publicly-known fine imposed by an EU data protection authority, and it approaches the level of fines that are likely to be imposed under the EU’s General Data Protection Regulation (“GDPR”) that will come into force in May 2018. Although the GDPR is not yet in force, the Garante’s enforcement action shows that European data protection authorities are willing to levy the kind of fines allowed by the GDPR.
On 2 March 2017, the UK Information Commissioner’s Office (“ICO”) published detailed draft guidance on consent under the GDPR and has submitted it for public consultation. This is the ICO’s first piece of specific GDPR guidance published further to its overview of the GDPR published last January.
The guidance sets out the ICO’s interpretation of the new requirements to obtain valid consent under the GDPR including its view of the role of consent in the GDPR, the benefits of getting consent right and the penalties for getting it wrong. The guidance also explains: (i) when consent is required or appropriate (or not) and the alternative to consent; (ii) what constitutes valid consent under the GDPR with specific guidance on children’s consent and consent for research purposes; (iii) advice on how to obtain, record and manage consent; and (iv) a consent checklist.
The decision by the Court of Justice of the European Union (the CJEU) on Oct. 6, 2015, invalidating the U.S.-EU Safe Harbor Decision (the Judgment) is a landmark judgment. Case C-362/14 Maximillian Schrems v Data Protection Commissioner  ECLI: EU:C:2015:650. By voiding the legal basis for transatlantic data transfers for the 4,400 companies reliant on U.S.-EU Safe Harbor, the Judgment began what has been a seismic year for data protection and crossborder data transfers in the European Union, whose aftershocks will reverberate throughout 2017 and beyond.
The closely followed case challenging the validity of Standard Contractual Clauses for the transfer of personal data outside the EEA to countries considered not to provide an adequate level of data protection, including the US, is progressing with a hearing coming up February 7th and schedule set for the proceedings, including amicus participation.
On January 26, 2017 Sidley hosted “Data Protection in Finance 2017: GDPR Readiness – Strategies and Practice” in association with DataGuidance. The interactive conference provided opportunities for networking with industry peers, as well as a full day of informative panel discussions focused on practical steps to achieve compliance with the EU General Data Protection Regulation’s (“GDPR”).
The Court of Justice of the European Union (“CJEU”) issued, on December 21, 2016, its ruling in the joined cases, Tele2 Sverige AB v. Post-och telestyrelsen (C-203/15), and Secretary of State for Home Department v. Tom Watson and Others (C-698/15), concerning the interpretation of EU’s Article 15(1) of the ePrivacy Directive (2002/58/EC). Article 15(1) enables EU Member States to adopt measures that restrict privacy rights granted to users of Electronic Communication Services (“ECSs”) when they are “necessary, appropriate and proportionate… to safeguard national security”. Examples of ECSs include private and public companies in Internet, telecommunication, satellite and cable businesses. (more…)
On 11 April 2016, the European Commission consulted on Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive”), seeking input from a wide range of businesses, organizations and individuals on the effectiveness of the ePrivacy Directive and their views for its revision. The European Commission’s review is a key element of its Digital Single Market Strategy, which aims to reinforce trust and security in digital services in the EU.
The European Commission released the results of this consultation on 19 December 2016. The consultation received 421 replies from stakeholders in all Member States and outside the EU, which included 162 replies from citizens; 186 contributions from industry actors; 40 public authorities, including competent authorities which enforce the ePrivacy Directive at national level; 33 contributions from civil society associations. The largest number of respondents came from Germany (25.9%), UK (14.3%), Belgium (10%) and France (7.1%).
On December 13, 2016 at its plenary meeting, the EU’s Article 29 Working Party (“WP29”) adopted guidance on the EU-US Privacy Shield Framework for businesses and individuals in Europe. Since the U.S. Department of Commerce began accepting certifications to the Privacy Shield in August 2016, almost 1,300 companies have self-certified to the Privacy Shield and we understand many more are awaiting approval from the Department of Commerce.