On 21 August 2018, the Dutch Supervisor Authority announced that it had conducted an investigation into the designation of a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR) by 91 hospitals and 33 healthcare insurers in the Netherlands. Two hospitals had not yet communicated the contact details of their DPO to the Dutch Supervisor Authority, and were given four weeks to designate a DPO. In addition, the Supervisor Authority found that 25% of the hospitals and healthcare insurers whose practices were reviewed did not properly publish their DPO’s contact details on their website. They will also be expected to implement the necessary compliance measures. (more…)
On August 7, a group of regulators from 11 jurisdictions published a consultation (the Consultation) on the Global Financial Innovation Network (the GFIN), which aims to promote international cooperation on innovation and the use of technology in financial services (FinTech) and in regulatory processes (RegTech).
The group — which includes the U.S. Consumer Financial Protection Bureau, the UK Financial Conduct Authority (the FCA), the Hong Kong Monetary Authority (HKMA) and the Monetary Authority of Singapore (MAS) — is one of the first major collaborative efforts on FinTech and RegTech issues among regulators in developed financial services markets. The Consultation builds on the FCA’s proposal earlier this year to create a “global sandbox” for innovative financial services firms.
This post summarizes the proposed role of the GFIN, the issues on which its founding regulators are consulting and how these may affect financial services firms.
On July 17, 2018, the European Commission released a press release announcing Japan and the European Union have concluded talks on reciprocal adequacy of their respective data protection systems, alongside a corresponding Q&A on reciprocal adequacy. After successful negotiations, both jurisdictions have reached a mutual adequacy arrangement, recognising the adequacy in each jurisdiction’s data protection framework and representing the first time that the EU and a third country have agreed on a reciprocal recognition of the level of “adequate” data protection. (more…)
*Originally Published July 12, 2018 by Chambers and Partners Data Protection & Cyber Security 2018
There is a lot going on with privacy around the world. As discussed in the chapters of this book, significant new laws are being adopted or taking effect, important judicial decisions are being decided to interpret existing legal requirements, and citizens are contending with their own expectations about confounding new technologies and business models. It is not clear, however, that the public policy being developed in any country is a thoughtful reaction to the promises and perils of today’s digital economy, rather than a knee-jerk over-reaction to imagined harms and a handful of high-profile incidents. (more…)
On 11 June 2018, members of a Committee within the European parliament (“MEPs”) narrowly voted in favour of suspending the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement that facilitates the transfer of personal data of EU data subjects to the U.S., unless the U.S. government fully complies with the Privacy Shield data protection requirements by 1 September 2018. Although the resolution is only a draft and has no legal effect, it reflects continued European concerns surrounding Privacy Shield. (more…)
On 28 May 2018, the European Data Protection Board (the “EDPB”) released a statement on the revision of the ePrivacy Regulation (the “proposed Regulation”) and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications. It is the first statement of substance by the EDPB since it was established by the EU General Data Protection Regulation on 25 May 2018. The statement calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the proposed Regulation, which will replace the current ePrivacy Directive (the “Directive”).
Whether you are marking today with a glass of champagne, a shot of whiskey, or a hot cup of tea, today marks a significant day for privacy professionals world-wide.
Here’s to all of the privacy professionals who have put in so many hours to prepare for the GDPR, fully effective as of Friday May 25, 2018 at midnight in Brussels; that is 6 PM eastern on Thursday, May 24th for toasting purposes.
For business executives, policymakers, and consumers who have become aware of the GDPR in recent weeks and are interested in learning more, visit our GDPR resource page here.
The Hong Kong Office of the Privacy Commissioner for Personal Data (the “Hong Kong Data Privacy Commissioner”) has recently published compliance guidance on the upcoming GDPR to raise awareness in Hong Kong companies about the potential effects and reforms needed in order to comply with the new GDPR requirements. (more…)
The British Private Equity & Venture Capital Association has issued a Guide to GDPR for the Funds Industry focusing on practical guidance, including explanations of what the GDPR is and why it is relevant for the funds industry. Authors included Sidley lawyers William RM Long, Geraldine Scali, Vishnu Shankar, Francesca Blythe, Denise Kara and Eleanor Dodding.
The GDPR, or the General Data Protection Regulation, is a new EU data privacy law that comes into force on 25 May 2018. The GDPR is intended to provide a single harmonised data privacy law that applies across the EU and is appropriate for the use of Personal Data in the 21st century. The GDPR imposes many new data protection requirements on the collection, use and disclosure of Personal Data which will be relevant to firms and imposes significant fines of up to 4% of annual worldwide turnover.
The Guide describes how key parts of the GDPR will apply to firms and key obligations and issues for firms to consider in dealing with the GDPR. Read more.
On 28 February 2018, the Belgian Commission for the Protection of Privacy (the “Privacy Commission”) published a recommendation setting out its approach to Data Protection Impact Assessments (“DPIAs”), and in doing so published a “White List” and a “Black List” of processing operations, pursuant to the General Data Protection Regulation (“GDPR”). Organisations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations. However under the GDPR, member state data protection authorities:
- are required to publish a “Black List” of processing operations which are always subject to the requirement to undertake a DPIA; and
- are permitted to publish a “White List” of processing operations which are not subject to the requirement to undertake a DPIA.