Category

European Union

22 January 2019

Transfers of Personal Data from the EU to the U.S. in the Event of a Brexit ‘No-Deal’

The EU-U.S. Privacy Shield (“Privacy Shield”) enables the free-flow of personal data from the European Economic Area (“EEA”) to the U.S. Under the Privacy Shield, U.S. participant organisations commit to adhering to Privacy Shield principles, which include accountability for the onward transfer of personal data after receiving such data from EEA organisations, data integrity obligations and purpose limitations with respect to the personal data transferred. Privacy Shield participant organisations are also required to develop and maintain a Privacy Shield-compliant privacy policy which informs individuals of the organisation’s practices and procedures when handling personal data and explains the independent recourse mechanisms in place for individuals to address complaints with respect to the processing of their personal data.  (more…)

EmailShare
17 January 2019

French DPA Publishes Updated Data Protection Impact Assessment Guidance

Under Article 35(3) of the EU General Data Protection Regulation (GDPR), organisations are required to conduct a data protection impact assessment (DPIA) where they: (i) engage in a systematic and extensive evaluation of personal aspects of individuals, based on automated processing, and on which decisions are based that produce legal or other effects that concern the individual, or (ii) process special categories of personal data (e.g. health data) on a large scale or personal data relating to criminal convictions, or (iii) engage in a systematic monitoring of a publicly accessible area on a large scale. (more…)

EmailShare
02 January 2019

EU Commission Decision Reconciles Data Protection Rules with the Need for Effective Trade Defence and Trade Policy Investigations

On December 17, 2018, European Commission Decision (EU) 2018/1996 (the ‘Decision’) was published in the Official Journal of the European Union. The Decision lays down rules designed to reconcile the rights of individuals respecting their personal data, with the need for effective trade defence and trade policy investigations in the EU. (more…)

EmailShare
30 November 2018

EDPB Issues Long-Awaited Guidance on Territorial Scope of the GDPR

On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”).  The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them.  The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2).  The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).

The proposed Guidelines are open for public consultation until January 18, 2019.  It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation. (more…)

EmailShare
26 November 2018

The Fifth Edition of The Privacy, Data Protection and Cybersecurity Law Review is Available

The fifth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. (more…)

EmailShare
13 November 2018

EU DPAs Receive Thousands of Complaints Under the GDPR

European Digital Rights (EDRi), a digital user rights non-for-profit organisation, on 25 October 2018, launched an online platform, ‘GDPR Today’. In its first edition of the GDPR Today, the EDRi published statistics collected from eight EU Member States (France, Germany, Ireland, Italy, Poland, Romania, Sweden and the United Kingdom). The statistics show that since the GDPR’s entry into force on 25 May 2018, data protection authorities (DPAs) have received thousands of complaints from EU individuals on the implementation of the GDPR by businesses and other organisations. Of note, the United Kingdom’s DPA, the UK Information Commissioner’s Office (ICO), has topped the list of complaints received, with nearly 15,000 complaints. Germany and France follow in the rankings, with 6,555 complaints and 3,767 complaints received, respectively. However, the UK figure includes complaints filed with the ICO prior to the GDPR’s effective date. (more…)

EmailShare
23 October 2018

EU Parliament Adopts Blockchain Resolution

On October 3, 2018, the European Parliament passed its long awaited resolution on distributed ledger technologies and blockchains (the “Blockchain Resolution”). The Blockchain Resolution was adopted to protect and empower EU citizens and businesses with respect to the specific issues that arise in relation to the blockchain or “distributed ledger” technology, one of which being the tension with data protection rights and the GDPR in general. (more…)

EmailShare
02 October 2018

The Trump Administration’s Approach to Data Privacy, and Next Steps

* This article originally appeared in Law360 on September 27, 2018.

On Sept. 25, 2018, the Trump administration proposed an approach and initiated a process to modernize U.S. data privacy policy.  The administration’s approach is “risk-based” rather than rule-based, and, as such, signals a willingness to move away from a privacy model of mandated notice and choice that has “resulted primarily in long, legal, regulator-focused privacy policies and check boxes.” Rather, the administration is proposing that U.S. privacy policy “refocus” on achieving desirable privacy “outcomes,” such as ensuring that users are “reasonably informed” and can “meaningfully express” their privacy preferences, while providing organizations with the flexibility to continuing innovating with cutting-edge business models and technologies.

(more…)

EmailShare
12 September 2018

“Cryptoassets are here to stay”: EU Authorities to Provide Guidance on Cryptocurrencies and ICOs

On September 4, the Innovation Group of the European Parliament’s Committee on Economic and Monetary Affairs met to discuss a proposal presented by the rapporteur Ashley Fox,1 member of the European Parliament, to include a framework for initial coin offerings (ICOs) within the proposed European Union (EU) financial services regulatory regime for crowdfunding2 (see European Commission (Commission) proposal COM(2018) 113 final).3

As part of the public discussion, the Commission, the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the UK Financial Conduct Authority (FCA) were present to provide their thoughts. (more…)

EmailShare
XSLT Plugin by BMI Calculator