The Swiss Parliament Agrees on the Draft Bill of a New Data Protection Act
After three years of discussions and in a final debate, the Swiss parliament has agreed on the final draft bill of a new and modernized data protection law.
In particular, the National Council and the Council of States found a compromise on the these outstanding issues: (more…)
EDPB Publishes Draft Guidelines on the Concepts of Controller and Processor under the GDPR
On 2 September 2020, the European Data Protection Board (EDPB) published draft guidelines on the concepts of controller and processor under the GDPR (Draft Guidelines). The Draft Guidelines are intended to expand on and ultimately replace the guidance issued by the former Article 29 Working Party in 2010 (WP29 Guidance). The Draft Guidelines should be reviewed carefully to assess whether: (i) the understanding of an organisation’s role as a controller, joint controller or processor should be revised; and (ii) changes to existing vendor processes and contracts are needed in light of the assessment of guarantees provided by vendors and the more detailed processing provisions and ongoing diligence now required.
The Draft Guidelines consist of two parts. The first part seeks to further clarify the meaning of these concepts—which are crucial in determining compliance responsibilities under the GDPR—by reference to various examples. The second part provides detailed guidance on their respective roles and responsibilities, and the relationships between them.
The Draft Guidelines, accessible here, are subject to public consultation until 19 October 2020.
Schrems II Fallout — Understanding Essential Equivalence and What Businesses Should Do Now
Schrems II — Legal Analysis
With the EU-U.S. Privacy Shield declared invalid as a result of the Schrems II decision, there will be an immediate impact on the future of international data flows and potentially for your business.
Join OneTrust DataGuidance, Sidley, and speakers from industry for a webinar taking a detailed look at the Schrems II decision and discussing what additional safeguards may be required for international transfers following the decision, as well as legal analysis into whether there is essential equivalence between U.S. and EU privacy protections.
Brazilian Data Protection Law Update – Delayed Enforcement, Lack of Administrative Structure, and Market Unreadiness
(*As with all posts, this article is for informational purposes only; Sidley Austin LLP does not have offices in or practice law in Brazil; Felipe Saraiva is a former Sidley associate licensed to practice law in Brazil.)
The enactment of Law n. 13.709/2018 (the Brazilian Data Protection Law, or “LGPD”) in 2018 was followed by great enthusiasm from the general public in Brazil. Indeed, the comprehensive law has been viewed as a necessary measure for the country to join a select but growing group of nations in the systematic protection of individuals’ personal data.
Originally, the LGPD provided for a 12-month grace period for its enforcement; however, this term was subsequently extended to 24 months, as legislators understood the initial time frame wouldn’t give companies enough time to adapt. As previously analyzed in an article by these authors published on January 20, 2020, the LGPD’s provisions require a great deal of compliance effort from all organizations that are subject to the law.
In view of the current crisis caused by the spread of COVID-19, the compliance difficulties companies are facing, and the fact that the actual creation of the National Agency of Data Protection (“ANPD”) called for in the law is still pending, Brazilian legislators are further extending the LGPD’s grace period; these legislators now indicate that enforcement of the law’s general provisions are extended to May 3, 2021, while its legal sanctions would become enforceable as of August 1, 2021.
Payments and Fintech: Addressing Key EU, UK and U.S. Cybersecurity Issues
Data is key to innovation, growth, and staying competitive in the payments sector. In recent years, there has been a massive increase in the volume of data maintained and processed by payment service providers. Regulators and policymakers on both sides of the Atlantic are imposing increasingly prescriptive cybersecurity regulatory frameworks and closer scrutiny upon companies, while new and escalating cybersecurity threats challenge standard safeguards.
For the latest insights on the risks posed and effective ways to mitigate them, please join OneTrust DataGuidance and Sidley for a webinar focusing on the cybersecurity issues confronting the payments and fintech sectors in the EU, UK, and U.S.
UK Supreme Court Grants Google Permission to Appeal Class Action Claim in Lloyd vs Google LLC
The Supreme Court has recently granted Google permission to appeal the Court of Appeal’s decision in the case of Lloyd v Google LLC ([2019]) EWCA Civ 1599). The class action brought against Google by Richard Lloyd, the former editor of consumer protection rights group “Which?”, relates to the alleged tracking of personal data by Google of 4.4 million iPhone users and subsequent selling of the users’ data to advertisers, without the users’ knowledge and consent. Google is now appealing the Court of Appeal’s decision granting Mr Lloyd permission to serve his representative action on Google. This landmark case is of particular importance as it has the potential to significantly widen the scope for claims to be brought in respect of a failure to protect data under the GDPR.
Schrems II – Live Reaction to the Key Landmark Decision on the Future of International Data Transfers
Join Us for Post-Decision Coverage of the Schrems II Case
On July 16, the Court of Justice of the European Union will release its much anticipated decision in the Schrems II case, evaluating the validity of key data transfer mechanisms, including Standard Contractual Clauses. The decision could impact the future of international data flows and your business.
We will host an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact and what the future may hold.
Key Takeaways From Sidley’s Privacy and Cybersecurity Monitor-Side Chat Featuring Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission
On June 25, 2020, Sidley partner, Alan Raul, founder and co-head of Sidley’s privacy and cybersecurity practice, hosted Bruno Gencarelli, head of International Data Flows and Protection at the European Commission, for a Monitor-Side Chat.
The discussion focused largely on the Commission’s report on two years of the GDPR which was issued on 24 June 2020. Key themes of the report include:
- EU data protection authorities (“DPAs”) should increase their efforts towards the adoption of a harmonised approach to responding to cross-border investigations;
- a call for greater resources to be given to DPAs by EU Member States to ensure the GDPR is sufficiently enforced;
- a need for greater consistency among EU Member States on interpretations of the GDPR in national laws in order to avoid unnecessary burdens on companies; and
- greater utilisation of the data portability right under the GDPR to ensure individuals have greater involvement in the digital economy by enabling them to switch between different service providers and make use of other innovative services.
French Council of State Upholds €50m CNIL Fine against Google
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision upholding the €50 Million fine imposed against Google LLC by the French Supervisory Authority (the “CNIL”). On January 21, 2019, the French CNIL had issued a fine against Google’s U.S. headquarters for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. Please refer to the relevant Sidley Data Matters’ blog post on the CNIL decision here. The CNIL found that Google had insufficiently informed Android users about their data processing activities, given the complexity of Google’s privacy policy and terms & conditions, and that the consent obtained from them through the use of pre-ticked boxes was insufficient to serve as a legal basis for processing used for targeted advertising. This was the first and highest regulatory fine the CNIL had issued on the basis of the GDPR.
European Commission’s Public Consultation on Proposed EU Artificial Intelligence Regulatory Framework
On 19 February 2020, the European Commission published a white paper on the use of artificial intelligence (“AI”) in the EU (the “White Paper”). The White Paper forms part of the Commission President, Ursula Von der Leyen’s, digital strategy, one of the key pillars of her administration’s five year tenure, recognising that the EU has fallen behind the US and China with respect to the strategic deployment of AI. To tackle this problem, the Commission proposes a common EU approach to ‘speed up the uptake’ of AI in the EU, whilst also tackling the human and ethical implications of AI’s fast growing use in the EU, including the possible downsides of its use, such as opaque decision making and hidden, embedded gender and racial discrimination. In order to achieve a common EU approach to AI, and to create “trustworthy” AI that can rival developments in the US and China, the Commission proposes the creation of a regulatory framework for AI.