Category

European Union

26 March 2020

WEBINAR – COVID-19 – European and U.S. Cybersecurity Issues: Preventing and Responding to Cyber Incidents

Join OneTrust DataGuidance and Sidley for a webinar discussing COVID-19 and European and U.S. cybersecurity and cyber risk insurance issues.

The COVID-19 global pandemic presents unique legal and practical challenges for companies across all industries, including with respect to cybersecurity risks and protections. There are increased cyber vulnerabilities from insider and external threat actors, including cyber attacks on individuals and companies.

In this webinar, we will highlight the dynamic and evolving cybersecurity threats companies face as a result of the pandemic, and the global legal implications of a cyber breach in this new environment – and how they can reduce these risks, and effectively respond to a cyber incident.

(more…)

EmailShare
25 March 2020

European Data Protection Board Releases Statement on Personal Data and COVID-19

On 20 March 2020, the European Data Protection Board (“EDPB”) released a statement on the protection of personal data in connection with measures that public authorities and business organizations (including employers) are taking to address the Coronavirus (COVID-19) pandemic. This statement is an extension of the statement released by the EDPB chair on 16 March 2020, (which can be accessed here). In its latest statement, the EDPB emphasises that EU data protection law (in particular, the EU General Data Protection Regulation (“GDPR”)) does not stand in the way of measures adopted to fight against COVID-19 – if these measures are necessary, proportionate and consistent with safeguards required under EU Member State laws. The EDPB statement also provides useful guidance for organisations to consider when adopting measures to lawfully process personal data during this time.

Overall, while EDPB statement may provide some reassurance to organizations with respect to COVID-19 measures, organizations will be advised to consider guidance issued by specific EU Member State data protection authorities as well. In particular, specific EU Member State data protection authorities have begun issuing COVID-19 guidance that is, at least in certain respects divergent: while certain data protection authorities are adopting a more restrictive approach (for example, the French CNIL), others are more permissible (for example, the UK’s Information Commissioner’s Office).

(more…)

EmailShare
24 March 2020

COVID-19: Key EU And U.S. Cybersecurity Issues and Risk-Remediation Steps

The COVID-19 crisis has created significant cybersecurity risks for organizations across the world, particularly arising from remote working, scams and phishing attacks, and weakened information governance controls. These risks warrant attention by legal counsel and information security officers in light of potentially significant adverse legal, financial and reputational consequences that could arise – all while the organization is dealing with effects of a global pandemic.

In addition to identifying the cybersecurity risks, we also consider key measures that organizations can consider adopting to reduce such risks, including measures recommended by the UK’s National Cybersecurity Centre (NCSC), EU’s Agency for Cybersecurity (ENISA) and the US Federal Bureau of Investigation.  The speed at which the COVID-19 crisis has evolved has meant that many organizations have not been able to deploy effective risk-reducing measures in a timely manner.

(more…)

EmailShare
26 February 2020

CJEU Considers the Use of CCTV and Legitimate Interests

With the use of CCTV on the rise, it has become increasingly important for controllers to find a framework in which the conflicting rights of those who are subject to such surveillance are balanced. In its recent decision of TK v Asociaţia de Proprietari bloc M5A-ScaraA EU:C:2019:1064 (TK), the CJEU considered whether the processing carried out by CCTV cameras was necessary and proportionate for the purposes of legitimate interests pursued by the controller.

(more…)

EmailShare
13 February 2020

French CNIL Publishes Draft Guidance on Cookie Consent

On January 14, 2020, the French data protection authority, the CNIL, proposed a consultation on its draft recommendations on practical ways to collect website user consent for cookies and similar technologies (the “Recommendations”). The Recommendations follow the publication in July 2019 of updated guidance on cookies, including requirements for obtaining GDPR-standard consent, by various European data protection authorities, including the CNIL and the ICO (the latter guidance was reported by Data Matters here). The CNIL has since undertaken a consultation to develop practical methods to obtain user consent.

(more…)

EmailShare
10 February 2020

UK ICO Releases Draft Direct Marketing Code of Practice for Public Consultation

On 8 January 2020, the UK’s Information Commissioner’s Office (ICO) published a draft Direct Marketing Code of Practice (Draft Code) for public consultation. The Draft Code is intended to update existing guidance published pre-GDPR and provide clarity on certain important issues.

Summarised below are the key takeaways from the Draft Code: (more…)

EmailShare
27 January 2020

Highest European Court Confirms: No Presumption of Confidentiality Over Documents Submitted in Marketing Authorization Dossier

On January 22, 2020, the Court of Justice of the European Union (CJEU) found that there is not a general presumption of confidentiality over documents containing clinical and preclinical data provided to the European Medicines Agency (EMA) to support a marketing authorization application. However, the CJEU indicated that certain information may be protected if the interested party can specifically show that the disclosure will cause it harm. This is the first time the CJEU has ruled on this matter, upholding the EMA’s approach to handling access to documents requests.

(more…)

EmailShare
20 January 2020

New Guidance Published Addressing Scientific Research and the GDPR

A recent opinion from the European Data Protection Supervisor (EDPS) on data protection and scientific research builds on an opinion from January 2019 from the European Data Protection Board on the GDPR and clinical trials. The Opinion from the EDPS should be taken into account by life sciences companies in their ongoing assessment of how to apply the GDPR to scientific research both in clinical trials and more broadly.

The EDPS – an independent supervisory authority whose primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection – recently published a preliminary opinion on data protection and scientific research (the Opinion). The EDPS acknowledges the critical importance of scientific research but states that “data protection obligations should not be misappropriated as a means […] to escape transparency and accountability.”  In particular, according to the EDPS, compliance with data protection laws is “wholly compatible” with responsible scientific research. However, the EDPS recommends intensifying dialogue between data protection authorities (DPAs) and ethical review boards for a common understanding of which activities amount to genuine research and expects further guidance to be published by the European Data Protection Board – an independent European body, composed of representatives of the national DPAs and the EDPS.

(more…)

EmailShare
13 January 2020

New Guidance Published on Cybersecurity and Medical Devices

New European medical device guidance will require manufacturers to carefully review cybersecurity and IT security requirements in relation to their devices and in their product literature. This new guidance comes at the same time as a draft guidance on privacy by design has been published by the European Data Protection Board requiring product developers to implement privacy into the design of their products.

In December 2019, the Medical Device Coordination Group (MDCG) published its guidance on cybersecurity for medical devices (the Guidance). The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission. The Guidance is intended to assist medical device manufacturers meet the new cybersecurity requirements in the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) (collectively, the Regulations). In particular, the Guidance aims to assist with regard to both the pre-market and post-market requirements of the Regulations to ensure companies achieve “an adequate balance between benefit and risk during all possible operation modes of a medical device.”

(more…)

EmailShare
09 January 2020

ICO Delays British Airways and Marriott GDPR Fines

Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019. (The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). We reported on these here: British Airways and Marriott.)

(more…)

EmailShare
1 2 3 22
XSLT Plugin by BMI Calculator