On December 19, 2016 the Joint Committee of the European Supervisory Authorities (“ESAs”) launched a public consultation (the “Consultation”) on the potential benefits and risks of Big Data for consumers and financial firms to determine whether any regulatory or supervisory actions will be required. The ESAs are three EU-wide supervisory authorities, the European Banking Authority (“EBA”), European Securities and Markets Authority (“ESMA”) and the European Insurance and Occupational Pensions Authority (“EIOPA”).
On 15 December 2016 the Article 29 Working Party (“WP29”) released draft guidelines and FAQs on key provisions in the EU’s General Data Protection Regulation (“GDPR”). The guidelines cover the right to data portability, data protection officers and the lead supervisory authority. The WP29 has invited comments from stakeholders on the draft guidelines and FAQs. The deadline for comments is January 31, 2017. Although this invitation for comment is directed at the new guidance, some members of the WP29 have expressed interest in comments on additional issues for the WP29 2017 work plan, for which guidance has not been issued.
A recent speech by the Financial Conduct Authority (“FCA”) Director of Specialist Supervision, Nausicaa Delfas, delivered at the Financial Times’ Cyber Security Summit, shows that the FCA, which is the leading financial services regulator in the United Kingdom, is taking the issue of cyber security seriously and that it believes new approaches are needed to combat the threat to financial services firms.
The FCA’s concerns are consistent with those being expressed by US banking regulators and the Group of Seven (G-7) industrial nations who agreed on a set of guidelines to combat cyber risks affecting global financial institutions.
On October 25, 2016 the European Commission (the “Commission“) adopted its 2017 Work Programme (the “Work Programme”) which sets out what the Commission intends to do over the next 12 months. The Work Programme is the third to be presented under Jean-Claude Junker’s presidency of the Commission and will also be the first Work Programme to be adopted following consultation with the European Parliament (the “Parliament“) and the European Council (the “Council“).
The Bavarian State Commissioner for Data Protection (“BayLDA“) announced on October 20, 2016, that it had fined a company for appointing an IT manager as its data protection officer (“DPO“). Germany’s strict data protection laws mean that appointing a DPO has long been a requirement for some companies in Germany, whereas in most other EU Member States there will be no such requirement until the General Data Protection Regulation (“GDPR”) takes effect.
Ten state German data protection authorities announced on 3 November 2016 that they would be conducting a review of approximately 500 companies in respect of their international transfers of personal data. Under EU data protection laws, there is a general prohibition on transfers of personal data to countries outside the European Economic Area (“EEA“), which do not ensure an adequate level of protection, such as the US, unless certain exemptions apply. Exemptions include, for example, consent of the data subjects, EU-US Privacy Shield certification, Binding Corporate Rules and EU data transfer agreements known as “Model Contracts.”
Two legal challenges have been filed at the Court of Justice of the European Union (“CJEU”) against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield. Privacy Shield was adopted on July 12, 2016 after the CJEU struck down the earlier Safe Harbour agreement in October 2015 over concerns about U.S. surveillance techniques.
The UK’s Secretary of State confirmed on October 31, 2016 that the UK will be implementing the new EU General Data Protection Regulation (GDPR), as the UK will still be a member of the EU when the GDPR comes into effect on 25 May 2018.
The UK’s Information Commissioner, Elizabeth Denham showed her support for this by issuing a statement describing the confirmed implementation as “good news.” Commissioner Denham further advised that the Information Commissioner’s Office (ICO) is committed to assisting businesses to prepare to meet these new requirements and that a revised timeline setting out which areas of GDPR guidance the ICO will be prioritizing will be published in November. In closing, Commissioner Denham stressed that although, “there may still be questions about how the GDPR would work on the UK leaving the EU […] this should not distract from the important task of compliance with GDPR by 2018.”
The EU Data Protection Directive requires that data be processed fairly, which includes providing individuals with certain information about how a business uses their data, for example, by way of a privacy notice. These information requirements will be enhanced under the new EU Data Protection Regulation (“GDPR“), which will require many companies to review and amend their employee and customer notices, consents and policies (including privacy notices).
Members of the UK House of Lords have amended the Investigatory Powers Bill to make privacy a fundamental concern by inserting the following in clause 1 –
“This Act sets out the extent to which certain investigatory powers may be used to interfere with privacy.”
The amendment, proposed by Lord Janvrin, a member of the UK parliament’s Intelligence and Security Committee (“ISC“), was approved on Tuesday 11 October 2016, after a debate in which many members highlighted the need for safeguards against disproportionate use of the Bill by public authorities.