Category

European Union

02 December 2019

EDPB Stakeholder Event Highlights Continued Confusion over Data Subject Rights Compliance under the GDPR

On 4 November 2019, the European Data Protection Board (EDPB), the EU-wide data supervisory authority, held a stakeholders’ event on data subject rights under the GDPR. At the event, various stakeholders including e.g., corporates and NGOs, raised a number of issues including, for example:

(more…)

EmailShare
21 November 2019

The Sixth Edition of The Privacy, Data Protection and Cybersecurity Law Review is Available

The sixth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the chapters below for a closer look at this developing area of law. (more…)

EmailShare
04 November 2019

Website Cookie Consent: Is the Cookie Starting to Crumble?

Two important decisions have recently occurred relating to website operators’ use of cookies.  First, the Court of Justice of the European Union (the “CJEU” or the “Court”) has issued its judgment in Planet49, a case which looked at the standards of consent and transparency for the use of cookies and similar technologies in the context of the e-Privacy Directive and the GDPR and determined that opt-out consent, by way of a pre-ticked checkbox, was insufficient to obtain GDPR-standard consent for non-essential cookies.  Second, the Spanish data protection authority, AEPD, fined Vueling, a Spanish airline, €30,000 for forcing visitors to its website to accept the use of non-essential cookies on their device in order to continue viewing the website.

We set out below our summaries and key takeaways from both decisions which help to highlight the latest approach of both the courts and European data protection regulators in relation to cookie consent.

(more…)

EmailShare
01 November 2019

European Commission Provides Important Guidance on Qualification and Classification of Software Under New Medical Devices Regulations

The European Commission’s Medical Devices Coordination Group (MDCG) has published a much-anticipated guidance on the qualification and classification of software devices as medical devices (MDSW)1  under the new Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulations (IVDR) (the Guidance, available here). The Guidance seeks to provide clarification to medical software manufacturers with respect to (i) when software is considered a device (qualification) and (ii) what risk category the device falls into (classification).

Under the currently applicable rules, supported by guidance set out in MEDDEV 2.1/6,2 most software devices are classified as low risk. However, the new classification rules set out in the MDR, in particular Rule 11, significantly change the classification of MDSW, with many software devices to be generally considered medium- or even high-risk devices.

Here we examine which areas have been clarified by the Guidance and which topics remain open to interpretation.

(more…)

EmailShare
29 October 2019

Observations from Albania: the 41st Annual International Conference of Data Protection and Privacy Commissioners (October 23-24, 2019)

UK ICO Commissioner Liz Denham, who serves as Conference Chair, welcomed attendees at the public session and provided a brief summary of what transpired at the Commissioners’ closed door sessions. She noted that “privacy” has gone “mainstream.” People around the world expect more information about how their data is used. She stressed the importance of future international collaboration and regulatory cooperation to develop shared strategies and tactics “to protect people from big companies.”

Commissioner Denham also highlighted the increased focus on the role of data protection as a relevant consideration in competition analysis by international regulators. She noted that the International Privacy Commissioners’ Conference, and the ongoing assembly of global regulators, resolved to be more transparent in the future with respect to the regulated community and other interested parties. Finally, she hinted that a new name for the group would be announced before the 2019 conference concludes.

(more…)

EmailShare
24 September 2019

Assessing the Impact of the Barbados’ Proposed Data Protection Bill on the Barbadian Private Sector

*Jan Yves Remy is a former Sidley Austin Associate and now serves as the Deputy Director at Shridath Ramphal Centre for International Trade Law, Policy and Services at the University of the West Indies in Barbados.  As with all posts, this article is for your informational purposes only; Sidley Austin does not have offices in or practice law in Barbados.

Today, more than 120 countries have privacy and data protection laws or regulations in place. Many of the new or modernized laws tend to be based on comprehensive legislation, rather than sectoral rules, as data needs to move across industry groups and borders. With its new data protection bill, Barbados is planning to join the ranks; this is a significant move, and it is one fueled at least in part by the entry into force of the European Union’s General Data Protection Regulation (“GDPR”) on May 25, 2018. The GDPR was designed to harmonize data protection laws across Europe and to protect EU residents’ data privacy rights; and, its coming triggered significant privacy and data protection compliance activities amongst organizations doing business in the EU and working with the personal data of EU residents.

(more…)

EmailShare
09 August 2019

UK ICO Issues New Draft Data Sharing Code of Practice

The UK’s Information Commissioner’s Office (“ICO”) has recently issued a draft version of its statutory code of practice for sharing of personal data between controllers under the GDPR and the UK Data Protection Act 2018 (“DPA”) (the “Draft Code”) which provides a number of practical recommendations which controllers should take into account when sharing personal data.

(more…)

EmailShare
24 July 2019

European Commission Publishes Ethics Guidelines for Trustworthy Artificial Intelligence

The High-Level Expert Group on Artificial Intelligence (“AI HLEG”), an independent expert group set up by the European Commission in June 2018 as part of its AI strategy, has published its final Ethics Guidelines for Trustworthy Artificial Intelligence (“AI”) (the “Guidelines”).

These Guidelines form part of a wider focus by the Commission on AI, with President-elect of the European Commission, Ursula von der Leyen commenting most recently on July 16, in her proposed political guidelines, that: “In my first 100 days in office, I will put forward legislation for a coordinated European approach on the human and ethical implications of Artificial Intelligence…”.

(more…)

EmailShare
11 July 2019

UK ICO Publishes New Guidance on the Use of Cookies and Similar Technologies

On 3 July 2019, the UK’s Information Commissioner’s Office (“ICO”) published new guidance on cookies and similar technologies (“Guidance”) in conjunction with a new blog post: “Cookies – what does ‘good’ look like?” which aims to provide “myth-busting” advice on common cookies uncertainties. You can find a full copy of the new guidance here and a link to the ICO’s blog post here. With its new Guidance, the ICO has formally recognised the stricter standards of consent and transparency now in force under the GDPR.

(more…)

EmailShare
08 July 2019

UK ICO Issues Largest Ever GDPR Privacy Fine of £183m ($228m)

Today we saw the ICO issue a notice of its intention to fine British Airways £183.39m for infringements of the GDPR – a record fine and the largest seen in the UK and the EU. The proposed fine relates to a cyber incident which BA notified to the ICO (as BA’s lead data protection authority, DPA) in September 2018. The incident involved the theft from the BA website and mobile app of personal data relating to customers over a two-week period. In terms of next steps, BA now has an opportunity to make representations to the ICO as to the proposed findings and sanction.

(more…)

EmailShare
XSLT Plugin by BMI Calculator