In a statement of intent published on 7 August 2017, the UK Government has committed to updating and strengthening data protection laws through a new Data Protection Bill (the “Bill”). The Bill will incorporate the new EU General Data Protection Regulation (the “GDPR”) into UK law.
According to the UK’s Minister of State for Digital, Matt Hancock, the Bill will “give [the UK] one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.” (more…)
Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation into a proposed revision to the law that would require reporting of certain data breaches. Singapore currently uses a voluntary approach to data breach notifications, but, according to the PDPC, this has resulted in uneven notification practices. Under the proposals, it will be mandatory for organizations to inform customers of personal data breaches that pose any risk of impact or harm to the affected individual as soon as they are discovered. If an incident involves 500 or more individuals, organizations will need to notify the PDPC as soon as possible but no later than 72 hours after discovery of the breach. The proposals aim to allow individuals to take steps to protect their interests in the event of a data breach, for example, by changing their password. (more…)
On 26 July 2017, the Court of Justice of the EU (“Court”) issued its Opinion on the proposed EU-Canada Agreement on the transfer and processing of Passenger Name Record data (“PNR Data”). The opinion, issued by the Court’s Grand Chamber, confirms that the Court accepts the necessity of processing large amounts of personal data to protect against terrorism in general. However, in order to ensure compliance with the EU Charter of Fundamental Rights (“the Charter”), the Court will scrutinize the details of any EU legislative act to ensure that no data are retained or accessed without a clear link to the underlying justification of combating terrorism. (more…)
The Belgian Commission for the Protection of Privacy (“Privacy Commission”) has recently published guidance on Article 30 of the GDPR which contains the obligation for data controllers and processors to record their processing activities.
This record will have to be up-to-date by 25 May 2018 and readily made available to the regulator should it ask to view it. (more…)
Today the BBC published a news article on the panic many businesses are now in over the imminent implementation of the GDPR in May 2018.
According to the BBC article, some research indicates just 29% of UK businesses have begun to prepare for the GDPR. Another forecast was that European financial institutions could face fines of nearly €5 billion in the first 3 years following the GDPR’s coming into force. (more…)
On May 24, 2017, the China Food and Drug Administration (CFDA) issued its  Circular No. 63 (the Circular), setting out penalties for clinical trial data integrity violations, including intentional data falsification, incomplete and incompliant data and other data defects. The highlights are: (more…)
The English High Court recently handed down a judgment which limits the circumstances in which companies will be able to assert legal professional privilege in documents created as part of an internal investigation into potential criminal activity. The Court ruled that a claim for litigation privilege in the context of a criminal investigation will only be valid where, at the time that the relevant documents were created, the prospective defendant has sufficient knowledge about the matter to believe that there is a realistic prospect that a prosecutor will have enough material to proceed with a prosecution. The belief that a prosecutor will commence an investigation into a company is not sufficient to establish a claim for litigation privilege. The judge’s narrow interpretation of legal advice privilege also means that notes of interviews with employees will generally not attract privilege unless they provide “clues” as to aspects of legal advice given to the company. (more…)
The UK is expected to introduce its updated customer due diligence regime with effect from June 26 or shortly thereafter. The changes are wide-ranging and will affect virtually all financial services firms doing business in the UK.
The Government has published a near-final draft of the new legislation. To the extent they’ve not already started, affected firms should be planning for the changes that will be required to their existing policies, procedures and systems.
In this post, we highlight the key issues for financial services firms, and propose a series of action points that they may wish to consider over the next month as they move to implement the new requirements. (more…)
*This post was originally distributed as a privacy and cybersecurity client alert on Monday, May 15, 2017. Sign up for our privacy and cybersecurity distribution list here.
As you likely will have heard, there is an ongoing major cyber-attack involving the WannaCry ransomware. It is affecting businesses across the world and across sectors, including financial services firms, healthcare entities and even manufacturers. We are actively advising clients on cybersecurity matters, and we have recently guided clients through ransomware attacks. We have also recently authored a major report on improving transatlantic cybersecurity in collaboration with the US Chamber of Commerce.
Following the WannaCry attack, many companies and their counsel will need to consider and coordinate the following: (more…)
The EU’s Article 29 Working Party (“WP29”) adopted, on 5 April 2017, final guidelines on the new right of data portability under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) which applies from 25 May 2018. (more…)