Taking a step into the digital age, the European Commission announced that the 2020s shall become the EU’s Digital Decade. The EU’s digitalization, including in the area of health, is one of the Commission’s key priorities and covers a wide range of actions and related initiatives.
Building on prior initiatives, in 2019 the Commission announced six key priorities (since supplemented by the COVID-19 recovery plan) that would shape the coming five years of policy making. One of these six key priorities is to create a Europe fit for the digital age and work on a digital strategy that will empower people with a new generation of technologies.
The European Commission (EC), on 12 November 2020, published a draft decision implementing revised Standard Contractual Clauses (draft SCCs) – (the EC’s Draft). The EC’s Draft was published following the Court of Justice of the European Union’s (CJEU) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (Schrems II), which found (amongst other things) that supplementary protections may need to be implemented when SCCs are used to ensure an ‘essentially equivalent’ level of data protection. The publication of the EC’s Draft comes just one day after the European Data Protection Board (EDPB) published its draft recommendations describing how controllers and processors transferring personal data outside the European Economic Area (EEA) may comply with the Schrems II ruling. The EC’s Draft is open for public consultation until 10 December 2020, after which it will undergo a process of review by representatives of every EU Member State (the Committee) who will each need to provide a positive opinion in relation to the EC’s Draft as part of the EU examination procedure. The European Data Protection Supervisor must also be consulted and it is recommended that the EDPB is consulted. The EC’s College of Commissioners may then adopt the EC’s final decision
After three years of discussions and in a final debate, the Swiss parliament has agreed on the final draft bill of a new and modernized data protection law.
In particular, the National Council and the Council of States found a compromise on the these outstanding issues: (more…)
In 2017, the Swiss government issued a draft bill for a new Swiss Data Protection Act (“nDPA”) with two main goals: (1) to enhance the level of protection of personal data provided in the current Swiss Data Protection Act which dates back to 1992 (largely, to align with the EU GDPR); and (2) to ensure that there is an “adequate” level of data protection to allow for the continued flow of personal data from the EEA to Switzerland.
On 2 September 2020, the European Data Protection Board (EDPB) published draft guidelines on the concepts of controller and processor under the GDPR (Draft Guidelines). The Draft Guidelines are intended to expand on and ultimately replace the guidance issued by the former Article 29 Working Party in 2010 (WP29 Guidance). The Draft Guidelines should be reviewed carefully to assess whether: (i) the understanding of an organisation’s role as a controller, joint controller or processor should be revised; and (ii) changes to existing vendor processes and contracts are needed in light of the assessment of guarantees provided by vendors and the more detailed processing provisions and ongoing diligence now required.
The Draft Guidelines consist of two parts. The first part seeks to further clarify the meaning of these concepts—which are crucial in determining compliance responsibilities under the GDPR—by reference to various examples. The second part provides detailed guidance on their respective roles and responsibilities, and the relationships between them.
The Draft Guidelines, accessible here, are subject to public consultation until 19 October 2020.
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) concluded in a position paper published on 8 September that the Swiss-US Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the US.
In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court – the Court of Justice of the European Union (“CJEU”) ruled on 16 July 2020 that a key legal mechanism (called the EU-US Privacy Shield program) used to enable transfers of personal data from the European Union (“EU”) was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism (called Standard Contractual Clauses) is used. The case – Data Protection Commissioner v. Facebook Ireland, Max Schrems (“Schrems II”) – considered the validity of the EU-US Privacy Shield (“Privacy Shield”) program (a privacy certification made available for US organizations through an agreement between the European Commission and the US government) and Standard Contractual Clauses (“SCC”) (a form of international data transfer agreement made available for use by the European Commission).
Ongoing confusion about lawful basis for data processing in a clinical study environment: European Data Protection Board and European Commission on the one hand and certain Member States on the other differ on the correct approach. Swiss sponsors operating clinical studies in the EU face ongoing uncertainty around the appropriate lawful basis for processing study subject personal data in spite of guidance being published by the European Commission and the European Data Protection Board.
On 8 January 2020, the UK’s Information Commissioner’s Office (ICO) published a draft Direct Marketing Code of Practice (Draft Code) for public consultation. The Draft Code is intended to update existing guidance published pre-GDPR and provide clarity on certain important issues.
Summarised below are the key takeaways from the Draft Code: (more…)
A recent opinion from the European Data Protection Supervisor (EDPS) on data protection and scientific research builds on an opinion from January 2019 from the European Data Protection Board on the GDPR and clinical trials. The Opinion from the EDPS should be taken into account by life sciences companies in their ongoing assessment of how to apply the GDPR to scientific research both in clinical trials and more broadly.
The EDPS – an independent supervisory authority whose primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection – recently published a preliminary opinion on data protection and scientific research (the Opinion). The EDPS acknowledges the critical importance of scientific research but states that “data protection obligations should not be misappropriated as a means […] to escape transparency and accountability.” In particular, according to the EDPS, compliance with data protection laws is “wholly compatible” with responsible scientific research. However, the EDPS recommends intensifying dialogue between data protection authorities (DPAs) and ethical review boards for a common understanding of which activities amount to genuine research and expects further guidance to be published by the European Data Protection Board – an independent European body, composed of representatives of the national DPAs and the EDPS.