On March 6, 2018, Singapore announced that it has joined the APEC Cross-Border Privacy Rules (CBPR) system as well as the APEC Privacy Recognition for Processors (PRP) program. Singapore is the sixth member of the CBPR system, which includes Canada, Japan, Korea, Mexico and the United States, and is the second member of the PRP program after the US. (more…)
Following months of intense debate, an attempted filibuster, and close votes in both the House and Senate, Congress last week finally extended Section 702 of the Foreign Intelligence Surveillance Act (FISA).
The fourth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the links below for a closer look at this developing area of law. (more…)
On 28 November 2017, the Article 29 Working Party (the “WP29”) published detailed draft guidelines on consent under the EU General Data Protection Regulation (the “GDPR”), which is to come into effect on 25 May 2018. The draft guidance has been submitted for public consultation for a six week period before being adopted.
The WP29 guidance on consent (“Consent Guidelines”) provides an analysis of the notion of consent under the GDPR as well as practical guidance for organisations on the requirements to obtain and demonstrate valid consent under the GDPR. (more…)
On 6 November 2017, the Dutch Data Protection Authority (‘”DPA”) issued a statement in which it confirms that controllers subject to Dutch data protection law will – in most cases – no longer need to notify their data processing activities to the DPA. The General Data Protection Regulation (“GDPR”), which becomes applicable on 25 May 2018, abolishes the system of DPA notifications and replaces it with the requirement to keep internal records of data processing operations. Until that date, controllers can still submit notifications if they wish to do so, but in general the DPA will no longer enforce compliance with the notification requirement in the law.
The EU-U.S. Privacy Shield has survived its infancy, although the October 18, 2017 European Commission report on its first annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”) leaves uncertainty as to the long-term future of EU-U.S. Privacy Shield if the U.S. is unwilling or unable to adopt further Commission “recommendations”. The Report details the Commission’s findings on the implementation and enforcement of the Privacy Shield during its first year of operation. (more…)
On October 3, 2017, the Article 29 Working Party (“WP29”) adopted draft guidelines regarding notification of personal data breaches under the EU’s General Data Protection Regulation (“GDPR”) which will require breach notification within 72 hours of awareness of a breach. (“Draft Guidelines”) (The Draft Guidelines appear to have been released for public comment during the week of 16th October). The deadline for comment is November 24, 2017. The Draft Guidelines are available here. The WP29 is a collective of EU data privacy supervisory authorities (“DPAs”). (more…)
On 4 October 2017 the Article 29 Working Party (“WP29”) published its final Guidelines on Data Protection Impact Assessment (“DPIA”) which were initially released in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) requires the use of DPIAs, or risk assessments of the proposed processing of personal data by an organisation, as part of regular business processes. The key revisions to note are in relation to the following concepts: (more…)
On October 16, 2017, the U.S. Supreme Court granted the U.S. government’s request for review of a lower court decision that rejected the government’s construction of the Stored Communications Act (SCA) and embraced a more restrictive view that Microsoft had advanced, backed by much of the tech industry and many privacy groups. (more…)
An Irish High Court ruling may have a significant impact on one of the main mechanisms that global companies use to transfer personal data out of the European Economic Area (“EEA”). The Irish High Court ruled on 3 October 2017 that the Standard Contractual Clauses (“SCCs”) used by companies to transfer data from the EEA to US, also frequently referred to as “Model Contracts,” must be the subject of review by the Court of Justice of the European Union. (more…)