On 27 April 2017 the German Parliament passed the new Federal Data Protection Act (the Bundesdatenschutzgesetz or “new BDSG”) which from 25 May 2018 will replace the current German Data Protection Act. The new BDSG adapts German law in line with the EU’s new General Data Protection Regulation (the “GDPR”). The GDPR has direct effect in EU members states, but it allows member states to pass legislation which supplements the GDPR but is consistent with it.
On 6th April, 2017, the European Parliament adopted a resolution stating that there are deficiencies in the EU-US data transfer accord Privacy Shield which must be “urgently resolved” in order to give citizens and companies legal certainty. MEPs called on the EU Commission to conduct an assessment and to ensure that the Privacy Shield complies sufficiently with the EU Charter of Fundamental Rights and new EU data protection rules. (more…)
On February 2, the Italian Data Protection Authority, known as the “Garante,” imposed a fine of EUR 5,880,000 on a UK money transfer company that it found to be in violation of Italian data privacy rules. This is the largest ever publicly-known fine imposed by an EU data protection authority, and it approaches the level of fines that are likely to be imposed under the EU’s General Data Protection Regulation (“GDPR”) that will come into force in May 2018. Although the GDPR is not yet in force, the Garante’s enforcement action shows that European data protection authorities are willing to levy the kind of fines allowed by the GDPR.
Cybersecurity compliance is becoming increasingly complicated with multiple regulators across the globe weighing in on your legal requirements to manage cyber risk. If you have wondered how others are approaching their compliance strategy, you are not alone.
You are invited to participate in a brief survey regarding your business’s approach to cybersecurity legal requirements. Specifically, the purpose of this survey is to learn how businesses like yours are responding to cybersecurity legal requirements under the European Union’s General Data Protection Regulation (GDPR) and Network and Information Security Directive (NIS Directive). In particular, we are interested in whether and if so, how businesses in the U.S. and the EU and elsewhere are applying the U.S. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity to comply with these EU cybersecurity requirements. Understanding which standards business are applying in order to comply with these requirements could be helpful in encouraging consistency of cybersecurity frameworks in the U.S., the EU and other regions.
Please use the link provided below to access the survey which will take very few minutes to complete. We plan to publish the results in approximately six weeks. Please note that no individuals or specific businesses will be identified in any published results without their express consent.
CLICK HERE to begin the survey.
Thank you for your participation.
On February 3, 2017, Eastern District of Pennsylvania Magistrate Judge Thomas J. Rueter ordered Google to comply with FBI search warrants to produce emails stored on foreign servers as part of a domestic criminal investigation. In re Search Warrant No. 16-960-M-01 to Google (E.D. Pa. Feb. 3, 2017). This ruling comes on the heels of the Second Circuit’s decision in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (denied rehearing on January 24, 2017), which reached an opposite decision and held that Microsoft could not be forced to turn over user data stored on a server located in Ireland. (For more background, see Second Circuit Microsoft Ruling: A Plea for Congressional Action (August 8, 2016)).
*The authors are not licensed to practice law in Australia, and this information is intended for educational purposes only.
Australia has passed data breach notification legislation requiring certain companies with annual revenue over AU $3 million ($2.3 million) to notify the Australian Information Commissioner and affected individuals in the event of a qualifying data breach.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”), which the Australian Senate passed on February 13th, amends the Privacy Act of 1988 (Privacy Act) to require that qualifying companies provide notification if there is “unauthorized access to, unauthorized disclosure of, or loss of, personal information by an entity,” and “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.” According to the Office of the Australian Information Commissioner, examples of personal information include names, signatures, addresses, telephone numbers, dates of birth, medical records and “commentary or opinion” about individuals.
On 2 March 2017, the UK Information Commissioner’s Office (“ICO”) published detailed draft guidance on consent under the GDPR and has submitted it for public consultation. This is the ICO’s first piece of specific GDPR guidance published further to its overview of the GDPR published last January.
The guidance sets out the ICO’s interpretation of the new requirements to obtain valid consent under the GDPR including its view of the role of consent in the GDPR, the benefits of getting consent right and the penalties for getting it wrong. The guidance also explains: (i) when consent is required or appropriate (or not) and the alternative to consent; (ii) what constitutes valid consent under the GDPR with specific guidance on children’s consent and consent for research purposes; (iii) advice on how to obtain, record and manage consent; and (iv) a consent checklist.
The decision by the Court of Justice of the European Union (the CJEU) on Oct. 6, 2015, invalidating the U.S.-EU Safe Harbor Decision (the Judgment) is a landmark judgment. Case C-362/14 Maximillian Schrems v Data Protection Commissioner  ECLI: EU:C:2015:650. By voiding the legal basis for transatlantic data transfers for the 4,400 companies reliant on U.S.-EU Safe Harbor, the Judgment began what has been a seismic year for data protection and crossborder data transfers in the European Union, whose aftershocks will reverberate throughout 2017 and beyond.
Following the establishment of the E.U. – U.S. Privacy Shield last summer, Switzerland has now agreed to a similar framework facilitating the transfer of personal data from Swiss companies to companies based in the United States (hereinafter “Swiss – U.S. Privacy Shield” or “Privacy Shield”) that will allow companies to certify adherence to the framework as of 12 April 2017.
The closely followed case challenging the validity of Standard Contractual Clauses for the transfer of personal data outside the EEA to countries considered not to provide an adequate level of data protection, including the US, is progressing with a hearing coming up February 7th and schedule set for the proceedings, including amicus participation.