On 11 April 2016, the European Commission consulted on Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive”), seeking input from a wide range of businesses, organizations and individuals on the effectiveness of the ePrivacy Directive and their views for its revision. The European Commission’s review is a key element of its Digital Single Market Strategy, which aims to reinforce trust and security in digital services in the EU.
The European Commission released the results of this consultation on 19 December 2016. The consultation received 421 replies from stakeholders in all Member States and outside the EU, which included 162 replies from citizens; 186 contributions from industry actors; 40 public authorities, including competent authorities which enforce the ePrivacy Directive at national level; 33 contributions from civil society associations. The largest number of respondents came from Germany (25.9%), UK (14.3%), Belgium (10%) and France (7.1%).
On December 13, 2016 at its plenary meeting, the EU’s Article 29 Working Party (“WP29”) adopted guidance on the EU-US Privacy Shield Framework for businesses and individuals in Europe. Since the U.S. Department of Commerce began accepting certifications to the Privacy Shield in August 2016, almost 1,300 companies have self-certified to the Privacy Shield and we understand many more are awaiting approval from the Department of Commerce.
On December 19, 2016 the Joint Committee of the European Supervisory Authorities (“ESAs”) launched a public consultation (the “Consultation”) on the potential benefits and risks of Big Data for consumers and financial firms to determine whether any regulatory or supervisory actions will be required. The ESAs are three EU-wide supervisory authorities, the European Banking Authority (“EBA”), European Securities and Markets Authority (“ESMA”) and the European Insurance and Occupational Pensions Authority (“EIOPA”).
On 15 December 2016 the Article 29 Working Party (“WP29”) released draft guidelines and FAQs on key provisions in the EU’s General Data Protection Regulation (“GDPR”). The guidelines cover the right to data portability, data protection officers and the lead supervisory authority. The WP29 has invited comments from stakeholders on the draft guidelines and FAQs. The deadline for comments is January 31, 2017. Although this invitation for comment is directed at the new guidance, some members of the WP29 have expressed interest in comments on additional issues for the WP29 2017 work plan, for which guidance has not been issued.
A recent speech by the Financial Conduct Authority (“FCA”) Director of Specialist Supervision, Nausicaa Delfas, delivered at the Financial Times’ Cyber Security Summit, shows that the FCA, which is the leading financial services regulator in the United Kingdom, is taking the issue of cyber security seriously and that it believes new approaches are needed to combat the threat to financial services firms.
The FCA’s concerns are consistent with those being expressed by US banking regulators and the Group of Seven (G-7) industrial nations who agreed on a set of guidelines to combat cyber risks affecting global financial institutions.
On October 25, 2016 the European Commission (the “Commission“) adopted its 2017 Work Programme (the “Work Programme”) which sets out what the Commission intends to do over the next 12 months. The Work Programme is the third to be presented under Jean-Claude Junker’s presidency of the Commission and will also be the first Work Programme to be adopted following consultation with the European Parliament (the “Parliament“) and the European Council (the “Council“).
The Bavarian State Commissioner for Data Protection (“BayLDA“) announced on October 20, 2016, that it had fined a company for appointing an IT manager as its data protection officer (“DPO“). Germany’s strict data protection laws mean that appointing a DPO has long been a requirement for some companies in Germany, whereas in most other EU Member States there will be no such requirement until the General Data Protection Regulation (“GDPR”) takes effect.
Ten state German data protection authorities announced on 3 November 2016 that they would be conducting a review of approximately 500 companies in respect of their international transfers of personal data. Under EU data protection laws, there is a general prohibition on transfers of personal data to countries outside the European Economic Area (“EEA“), which do not ensure an adequate level of protection, such as the US, unless certain exemptions apply. Exemptions include, for example, consent of the data subjects, EU-US Privacy Shield certification, Binding Corporate Rules and EU data transfer agreements known as “Model Contracts.”
Two legal challenges have been filed at the Court of Justice of the European Union (“CJEU”) against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield. Privacy Shield was adopted on July 12, 2016 after the CJEU struck down the earlier Safe Harbour agreement in October 2015 over concerns about U.S. surveillance techniques.
The UK’s Secretary of State confirmed on October 31, 2016 that the UK will be implementing the new EU General Data Protection Regulation (GDPR), as the UK will still be a member of the EU when the GDPR comes into effect on 25 May 2018.
The UK’s Information Commissioner, Elizabeth Denham showed her support for this by issuing a statement describing the confirmed implementation as “good news.” Commissioner Denham further advised that the Information Commissioner’s Office (ICO) is committed to assisting businesses to prepare to meet these new requirements and that a revised timeline setting out which areas of GDPR guidance the ICO will be prioritizing will be published in November. In closing, Commissioner Denham stressed that although, “there may still be questions about how the GDPR would work on the UK leaving the EU […] this should not distract from the important task of compliance with GDPR by 2018.”