Key Takeaways From Sidley’s Privacy and Cybersecurity Monitor-Side Chat Featuring Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission
On June 25, 2020, Sidley partner, Alan Raul, founder and co-head of Sidley’s privacy and cybersecurity practice, hosted Bruno Gencarelli, head of International Data Flows and Protection at the European Commission, for a Monitor-Side Chat.
The discussion focused largely on the Commission’s report on two years of the GDPR which was issued on 24 June 2020. Key themes of the report include:
- EU data protection authorities (“DPAs”) should increase their efforts towards the adoption of a harmonised approach to responding to cross-border investigations;
- a call for greater resources to be given to DPAs by EU Member States to ensure the GDPR is sufficiently enforced;
- a need for greater consistency among EU Member States on interpretations of the GDPR in national laws in order to avoid unnecessary burdens on companies; and
- greater utilisation of the data portability right under the GDPR to ensure individuals have greater involvement in the digital economy by enabling them to switch between different service providers and make use of other innovative services.
European Commission’s Public Consultation on Proposed EU Artificial Intelligence Regulatory Framework
On 19 February 2020, the European Commission published a white paper on the use of artificial intelligence (“AI”) in the EU (the “White Paper”). The White Paper forms part of the Commission President, Ursula Von der Leyen’s, digital strategy, one of the key pillars of her administration’s five year tenure, recognising that the EU has fallen behind the US and China with respect to the strategic deployment of AI. To tackle this problem, the Commission proposes a common EU approach to ‘speed up the uptake’ of AI in the EU, whilst also tackling the human and ethical implications of AI’s fast growing use in the EU, including the possible downsides of its use, such as opaque decision making and hidden, embedded gender and racial discrimination. In order to achieve a common EU approach to AI, and to create “trustworthy” AI that can rival developments in the US and China, the Commission proposes the creation of a regulatory framework for AI.
EDPB Provides Clarity and Raises New Questions with Publication of Final Guidelines on the Territorial Scope of the GDPR
Following an extensive public consultation, the European Data Protection Board (“EDPB”) has published a final version of its guidelines on the territorial scope of the GDPR (“Guidelines”). This comes almost one year since the draft guidelines were originally published. Please read this blog together with our previous blog on the draft guidelines, as this blog addresses only the key differences between the draft guidelines and the Guidelines. (more…)
EDPB Stakeholder Event Highlights Continued Confusion over Data Subject Rights Compliance under the GDPR
On 4 November 2019, the European Data Protection Board (EDPB), the EU-wide data supervisory authority, held a stakeholders’ event on data subject rights under the GDPR. At the event, various stakeholders including e.g., corporates and NGOs, raised a number of issues including, for example:
Website Cookie Consent: Is the Cookie Starting to Crumble?
Two important decisions have recently occurred relating to website operators’ use of cookies. First, the Court of Justice of the European Union (the “CJEU” or the “Court”) has issued its judgment in Planet49, a case which looked at the standards of consent and transparency for the use of cookies and similar technologies in the context of the e-Privacy Directive and the GDPR and determined that opt-out consent, by way of a pre-ticked checkbox, was insufficient to obtain GDPR-standard consent for non-essential cookies. Second, the Spanish data protection authority, AEPD, fined Vueling, a Spanish airline, €30,000 for forcing visitors to its website to accept the use of non-essential cookies on their device in order to continue viewing the website.
We set out below our summaries and key takeaways from both decisions which help to highlight the latest approach of both the courts and European data protection regulators in relation to cookie consent.
UK and U.S. Privacy Shield Guidance on Brexit
In light of the UK’s possible departure from the European Union (EU), currently scheduled for October 31, 2019 (“Exit Day”), the UK Government has passed the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No.2) Regulations 2019 (“Regulations”) which enter into force immediately before Exit Day.
EDPB Adopts Opinion on Interplay Between the EU Clinical Trials Regulation and the GDPR
On 23 January 2019, the European Data Protection Board (EDPB) adopted an opinion on the interplay between the EU Clinical Trials Regulation (CTR) and the EU General Data Protection Regulation (GDPR). The Opinion addresses the appropriate legal basis for the processing of personal data in the context of clinical trials (primary use), and the secondary use of clinical trial data. (more…)
Transfers of Personal Data from the EU to the U.S. in the Event of a Brexit ‘No-Deal’
The EU-U.S. Privacy Shield (“Privacy Shield”) enables the free-flow of personal data from the European Economic Area (“EEA”) to the U.S. Under the Privacy Shield, U.S. participant organisations commit to adhering to Privacy Shield principles, which include accountability for the onward transfer of personal data after receiving such data from EEA organisations, data integrity obligations and purpose limitations with respect to the personal data transferred. Privacy Shield participant organisations are also required to develop and maintain a Privacy Shield-compliant privacy policy which informs individuals of the organisation’s practices and procedures when handling personal data and explains the independent recourse mechanisms in place for individuals to address complaints with respect to the processing of their personal data. (more…)
French DPA Publishes Updated Data Protection Impact Assessment Guidance
Under Article 35(3) of the EU General Data Protection Regulation (GDPR), organisations are required to conduct a data protection impact assessment (DPIA) where they: (i) engage in a systematic and extensive evaluation of personal aspects of individuals, based on automated processing, and on which decisions are based that produce legal or other effects that concern the individual, or (ii) process special categories of personal data (e.g. health data) on a large scale or personal data relating to criminal convictions, or (iii) engage in a systematic monitoring of a publicly accessible area on a large scale. (more…)
EU DPAs Receive Thousands of Complaints Under the GDPR
European Digital Rights (EDRi), a digital user rights non-for-profit organisation, on 25 October 2018, launched an online platform, ‘GDPR Today’. In its first edition of the GDPR Today, the EDRi published statistics collected from eight EU Member States (France, Germany, Ireland, Italy, Poland, Romania, Sweden and the United Kingdom). The statistics show that since the GDPR’s entry into force on 25 May 2018, data protection authorities (DPAs) have received thousands of complaints from EU individuals on the implementation of the GDPR by businesses and other organisations. Of note, the United Kingdom’s DPA, the UK Information Commissioner’s Office (ICO), has topped the list of complaints received, with nearly 15,000 complaints. Germany and France follow in the rankings, with 6,555 complaints and 3,767 complaints received, respectively. However, the UK figure includes complaints filed with the ICO prior to the GDPR’s effective date. (more…)