In March 2021, the European Commission released a proposal for the creation of a “Digital Green Certificate,” which will allow EU citizens to travel easier throughout the EU during the COVID-19 pandemic. Last week, the EU Member States agreed on some proposed changes to the proposal, including strengthening of the data privacy provisions. According to the proposal, in order to obtain a Digital Green Certificate, individuals must prove that they have been vaccinated, present a negative test result, or have recently recovered from COVID-19. The proposal allows the issuance of a certificate for all COVID-19 vaccines, which have received an EU-wide marketing authorisation, however only the results of certain in vitro diagnostic tests will be considered valid.
On April 26, 2021, the European Commission announced that its draft proposal for the new EU Artificial Intelligence Regulation (“Draft AI Regulation”) is open for feedback until June 22, 2021. The Draft AI Regulation was published on April 21. Please refer to our blog post here that provides an overview of the Draft AI Regulation and its potential impact.
On April 2, 2021 the French Data Protection Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its intent to start auditing websites for compliance with cookie regulations. This publication comes following a large number of developments and actions taken by the CNIL to further improve and guide organizations through cookie compliance. The CNIL had issued several recommendations, guidelines and cookie tools to raise awareness on the importance of this topic, with a final set of guidelines published on October 1, 2020 following public consultation rounds (“Cookie Guidelines”). The CNIL had determined that a 6-month grace period would apply following publication of the Cookie Guidelines. This grace period ended on April 1, 2021 and the CNIL now expects companies to be compliant with its recommendations and guidelines. The CNIL has confirmed that it may make use of the totality of its corrective powers to remedy non-compliance with the rules, including issuing (public) sanctions. In light of the increase in scrutiny on cookies in the EU (and the US pursuant to certain state laws), organizations with websites / platforms operating in the EU (and U.S.) may want to reconsider their cookie practices and start carrying out cookie audits.
On April 21, 2021, the European Commission (EC) issued its eagerly awaited draft proposal on the EU Artificial Intelligence Regulation (Draft AI Regulation) – the first formal legislative proposal regulating Artificial Intelligence (AI) on a standalone basis. The Draft AI Regulation is accompanied by a revision of the EU’s rules on machinery products, which lay down safety requirements for machinery products before being placed on the EU market. The new draft Machinery Products Regulation – proposed by the EU Commission on the same day – intends to tackle safety issues that arise in emerging technologies. The Draft AI Regulation (which appears to have borrowed a number of principles from existing EU legislation, including the EU General Data Protection Regulation 2016/679 (GDPR)) has an intentionally broad scope, and regulates the use of AI in accordance with the level of risk the AI system presents to fundamental human rights and other key values the EU adheres to. AI systems that are considered to present an “unacceptable” level of risk are banned from the EU, and “high-risk” systems are subject to strict requirements. AI systems which are considered to present a lower risk level are subject to transparency requirements or are not regulated at all. Companies engaged in the development, manufacturing, importation, distribution, servicing, and use of AI – irrespective of industry – should assess to what extent their products are implicated and how they will address any regulatory requirements they are subject to. The Draft AI Regulation foresees maximum administrative fines of up to €30m or 6% of total worldwide annual turnover in the event of non-compliance – meaning fines are higher than the ones under the GDPR.
On 13 April 2021, the European Data Protection Board (EDPB) adopted two Opinions on the draft UK adequacy decisions: (i) Opinion 14/2021 for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) Opinion 15/2021 for transfers of personal data under the Law Enforcement Directive (LED).
With the roll-out of the COVID-19 vaccine and the start of easing of social distancing measures, the latest initiative being considered at a national as well as an international level is the introduction of so-called “digital health passports” or “immunity passports,” i.e., a tool to record and share the immune status of an individual whether by virtue of a COVID-19 test result or vaccination record – indeed, it is estimated there are currently more than 70 digital health passports and 14 vaccine passport apps in operation globally. However, the privacy concerns (and indeed the broader ethical implications) of introducing such measures, without the implementation of appropriate safeguards are significant and a current topic of intense debate.
On 5 March 2021, the Federal Data Protection and Information Commissioner (FDPIC) published a short position paper on the revised Swiss Data Protection Act (revDPA). The position paper provides guidance for companies that are subject to the revDPA as to how to meet its requirements once it enters into force, which is expected to be in the second half of 2022 after the Federal Administration has completed drafting the associated implementing ordinances.
On February 10, 2021, the Council of the European Union (which includes representatives of the European Union (EU) member states, hereinafter Council) reached an agreement on the ePrivacy Regulation proposal that governs the protection of privacy and confidentiality of electronic communications services (ePrivacy Regulation).
The first draft of the ePrivacy Regulation was approved by the European Commission in 2017 and has since been under discussion in the Council. The current agreement in the Council comes shortly after Portugal took over the Council presidency (on January 1, 2021) and released a revised draft of the ePrivacy Regulation (on January 5), which was the 14th draft including the original EU Commission proposal. The present agreement is therefore a breakthrough in the negotiation process and allows the Portuguese Council presidency to start negotiations with the European Parliament on the final text.
On February 12, 2021, the European Commission (Commission) published an “Assessment of the EU Member States’ rules on health data in the light of GDPR” (the Assessment). The Assessment concludes, amongst other things, that there are variations in the implementation of the EU General Data Protection Regulation (GDPR) at a national level with regards to the processing of health data. In turn, this has led to a fragmented approach to the processing of health data for health and research purposes across the EU. To avoid further fragmentation, the Assessment proposes various future EU-level actions, including stakeholder-driven Codes of Conduct as well as new targeted and sector-specific legislation.
On February 19, 2021, the European Commission (EC) published two draft implementing decisions to enable the continuing free-flow of personal data from the EU to the UK (the Draft Adequacy Decisions) i.e., post-Brexit: (i) for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) for transfers of personal data under the Law Enforcement Directive (LED). This will come as a huge relief to companies across all industries who are in parallel already grappling with the repercussions of Schrems II. In fact, the Draft Adequacy Decisions (which collectively run to almost 140 pages) are the first of their kind in a post-Schrems II world and will likely be closely reviewed—including by privacy advocate Max Schrems who has promised his Twitter followers to “take a look at” the Draft Adequacy Decisions in particular with regard to the LED (i.e., which addresses UK government surveillance activities).