On 26 July 2017, the Court of Justice of the EU (“Court”) issued its Opinion on the proposed EU-Canada Agreement on the transfer and processing of Passenger Name Record data (“PNR Data”). The opinion, issued by the Court’s Grand Chamber, confirms that the Court accepts the necessity of processing large amounts of personal data to protect against terrorism in general. However, in order to ensure compliance with the EU Charter of Fundamental Rights (“the Charter”), the Court will scrutinize the details of any EU legislative act to ensure that no data are retained or accessed without a clear link to the underlying justification of combating terrorism.
The Belgian Commission for the Protection of Privacy (“Privacy Commission”) has recently published guidance on Article 30 of the GDPR which contains the obligation for data controllers and processors to record their processing activities.
This record will have to be up-to-date by 25 May 2018 and readily made available to the regulator should it ask to view it.
Businesses and consumers are increasingly using Internet of Things (“IoT”) devices to communicate and process quantities and types of information that have never before been captured. In response, more federal agencies are turning their attention to the potential risks, and developing guidance for the deployment of IoT technologies. The latest to weigh in on risks include the Government Accountability Office and the Department of Commerce.
Today the BBC published a news article on the panic many businesses are now in over the imminent implementation of the GDPR in May 2018.
According to the BBC article, some research indicates just 29% of UK businesses have begun to prepare for the GDPR. Another forecast was that European financial institutions could face fines of nearly €5 billion in the first 3 years following the GDPR’s coming into force.
On June 20, 2017, the New York State Department of Financial Services (“NYDFS”) expanded its set of frequently asked questions (“FAQs”) and answers concerning its recently finalized Cybersecurity Regulations (23 NYCRR 500.01), which set forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk. The now 17 questions included in the release address the types of entities that fall within the scope of the Regulations, the notice requirements attending a Cybersecurity Event (as defined in the Regulations), the annual certification requirement, and additional specific elements of the rules.
On May 23, 2017, the Commodity Futures Trading Commission (CFTC) unanimously approved proposed amendments to the recordkeeping obligations set forth in CFTC Regulation 1.31 (Recordkeeping Rule), which is applicable to all CFTC registered entities and other persons required to maintain records under the Commodity Exchange Act (CEA). The final amendments are intended to modernize the Recordkeeping Rule by making the form and manner in which regulatory records must be kept technology-neutral. The amendments provide recordkeepers with greater flexibility regarding the retention and production of CFTC regulatory records. The CFTC indicated that it does not believe the amendments impose any new recordkeeping requirements on any recordkeeper, and existing recordkeeping methods remain valid for compliance with the amended Recordkeeping Rule should a recordkeeper choose not to take advantage of the less-prescriptive, principles-based approach of the amended Recordkeeping Rule. The final amendments also reorganized the Recordkeeping Rule for ease of understanding, including by adopting new definitions. The amendments represent a long-awaited and generally positive modernization of important CFTC rules that have often frustrated market participants. The effective date for the amended Recordkeeping Rule is August 28, 2017.
The English High Court recently handed down a judgment which limits the circumstances in which companies will be able to assert legal professional privilege in documents created as part of an internal investigation into potential criminal activity. The Court ruled that a claim for litigation privilege in the context of a criminal investigation will only be valid where, at the time that the relevant documents were created, the prospective defendant has sufficient knowledge about the matter to believe that there is a realistic prospect that a prosecutor will have enough material to proceed with a prosecution. The belief that a prosecutor will commence an investigation into a company is not sufficient to establish a claim for litigation privilege. The judge’s narrow interpretation of legal advice privilege also means that notes of interviews with employees will generally not attract privilege unless they provide “clues” as to aspects of legal advice given to the company.
The UK is expected to introduce its updated customer due diligence regime with effect from June 26 or shortly thereafter. The changes are wide-ranging and will affect virtually all financial services firms doing business in the UK.
The Government has published a near-final draft of the new legislation. To the extent they’ve not already started, affected firms should be planning for the changes that will be required to their existing policies, procedures and systems.
In this post, we highlight the key issues for financial services firms, and propose a series of action points that they may wish to consider over the next month as they move to implement the new requirements.
On February 2, the Italian Data Protection Authority, known as the “Garante,” imposed a fine of EUR 5,880,000 on a UK money transfer company that it found to be in violation of Italian data privacy rules. This is the largest ever publicly known fine imposed by an EU data protection authority, and it approaches the level of fines that are likely to be imposed under the EU’s General Data Protection Regulation (“GDPR”) that will come into force in May 2018. Although the GDPR is not yet in force, the Garante’s enforcement action shows that European data protection authorities are willing to levy the kind of fines allowed by the GDPR.
The National Association of Insurance Commissioners (NAIC) has created a new task force to monitor technology, data collection and cybersecurity developments in the insurance industry. The Innovation and Technology (EX) Task Force (IT Task Force) was formed on March 9, 2017 and reports directly to the NAIC’s Executive Committee. The IT Task Force will appoint and oversee the work of the following NAIC groups: the Big Data Working Group, the Cybersecurity Working Group and the Speed-to-Market Working Group. According to the NAIC’s March 9, 2017 press release, the IT Task Force’s purpose is to help insurance regulators stay informed about technology-related developments, products and services in the insurance industry, including start-up companies, and to ensure they meet consumer expectations and ensure consumer protections. The press release notes that annual investment in insurance technology (InsurTech) has increased to more than $2.5 billion and continues to grow.