This post summarizes the EDPB’s stated positions on these points and explores the implications for firms providing payment services in the European Economic Area (EEA).
On July 17, 2018, the European Commission released a press release announcing Japan and the European Union have concluded talks on reciprocal adequacy of their respective data protection systems, alongside a corresponding Q&A on reciprocal adequacy. After successful negotiations, both jurisdictions have reached a mutual adequacy arrangement, recognising the adequacy in each jurisdiction’s data protection framework and representing the first time that the EU and a third country have agreed on a reciprocal recognition of the level of “adequate” data protection. (more…)
On 11 June 2018, members of a Committee within the European parliament (“MEPs”) narrowly voted in favour of suspending the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement that facilitates the transfer of personal data of EU data subjects to the U.S., unless the U.S. government fully complies with the Privacy Shield data protection requirements by 1 September 2018. Although the resolution is only a draft and has no legal effect, it reflects continued European concerns surrounding Privacy Shield. (more…)
The Hong Kong Office of the Privacy Commissioner for Personal Data (the “Hong Kong Data Privacy Commissioner”) has recently published compliance guidance on the upcoming GDPR to raise awareness in Hong Kong companies about the potential effects and reforms needed in order to comply with the new GDPR requirements. (more…)
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)
On 28 November 2017, the Article 29 Working Party (the “WP29”) published detailed draft guidelines on consent under the EU General Data Protection Regulation (the “GDPR”), which is to come into effect on 25 May 2018. The draft guidance has been submitted for public consultation for a six week period before being adopted.
The WP29 guidance on consent (“Consent Guidelines”) provides an analysis of the notion of consent under the GDPR as well as practical guidance for organisations on the requirements to obtain and demonstrate valid consent under the GDPR. (more…)
The EU-U.S. Privacy Shield has survived its infancy, although the October 18, 2017 European Commission report on its first annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”) leaves uncertainty as to the long-term future of EU-U.S. Privacy Shield if the U.S. is unwilling or unable to adopt further Commission “recommendations”. The Report details the Commission’s findings on the implementation and enforcement of the Privacy Shield during its first year of operation. (more…)
On October 3, 2017, the Article 29 Working Party (“WP29”) adopted draft guidelines regarding notification of personal data breaches under the EU’s General Data Protection Regulation (“GDPR”) which will require breach notification within 72 hours of awareness of a breach. (“Draft Guidelines”) (The Draft Guidelines appear to have been released for public comment during the week of 16th October). The deadline for comment is November 24, 2017. The Draft Guidelines are available here. The WP29 is a collective of EU data privacy supervisory authorities (“DPAs”). (more…)
On 4 October 2017 the Article 29 Working Party (“WP29”) published its final Guidelines on Data Protection Impact Assessment (“DPIA”) which were initially released in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) requires the use of DPIAs, or risk assessments of the proposed processing of personal data by an organisation, as part of regular business processes. The key revisions to note are in relation to the following concepts: (more…)
An Irish High Court ruling may have a significant impact on one of the main mechanisms that global companies use to transfer personal data out of the European Economic Area (“EEA”). The Irish High Court ruled on 3 October 2017 that the Standard Contractual Clauses (“SCCs”) used by companies to transfer data from the EEA to US, also frequently referred to as “Model Contracts,” must be the subject of review by the Court of Justice of the European Union. (more…)