On 31 August 2023, the UK Information Commissioner’s Office (ICO) published guidance on the handling of worker health data for employers (ICO Guidance). The ICO Guidance aims to provide tips and good practice advice about how to comply with applicable data protection legislation such as the UK GDPR when collecting and processing worker health data. Helpfully, the ICO Guidance also contains various checklists to help employers assess data protection considerations when processing worker health data.
The European Commission issued the Financial Data Access Act (FIDA) proposal in June this year. FIDA will create a legislative framework that aims to “bring payments and the wider financial sector into the digital age” by facilitating the sharing of and access to customer financial data (whether of businesses or consumers).
On 4 July 2023, the EU Commission proposed a new Regulation for procedural rules to standardize and streamline cooperation between EU Member State Data Protection Authorities (DPAs) when enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases (GDPR Procedural Regulation). The GDPR adopts a decentralized enforcement model. National EU Member State DPAs are competent to enforce the GDPR on their respective territories. However, in cases with cross-border elements, the GDPR requires all concerned DPAs to cooperate in accordance with the GDPR’s “one-stop-shop” through cooperation and consistency mechanisms. Although these mechanisms establish key principles of cooperation and provide the basis for consistent application of the GDPR throughout the EU, the EU Commission determined more legislative action was needed to increase efficiency and harmonization of cross-border GDPR enforcement action.
On July 10, 2023, the European Commission issued its Final Implementing Decision granting the U.S. adequacy (“Adequacy Decision”) with respect to companies that subscribe to the EU-U.S. Data Privacy Framework (“DPF”).
The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.
*This article first appeared on Law360 on October 14, 2022
A series of coordinated announcements on Oct. 7 lifted the veil on a new trans-Atlantic data transfer mechanism.
This announcement has been hotly anticipated since a joint declaration from the U.S. and European Union governments on March 25, that there was an agreement in principle for a new EU-U.S. Data Privacy Framework.
The key document in the framework process is Executive Order No. 14086 on enhancing safeguards for U.S. signals intelligence activities, accompanied by a detailed fact sheet on the executive order.
The U.S. President and European Commission President announced in a joint press statement on March 25th, 2022 that an agreement “in principle” has been reached on a new Trans-Atlantic Data Privacy Framework (Privacy Shield Agreement 2.0). Once approved and implemented, the agreement would facilitate the transatlantic flow of personal data and provide an alternative data transfer mechanism (in addition to EU Standard Contractual Clauses and Binding Corporate Rules) for companies transferring personal data from the EU to the U.S. This is a welcome announcement for companies that have been dealing with the legal uncertainty of such data flows following the Schrems II decision in July 2020, which invalidated the EU-U.S. Privacy Shield 1.0 for international transfers of personal data.
From February 28-March 3, Sidley and OneTrust DataGuidance hosted their annual Data Protection in Financial Services (DPFS) Week, a series of webinars looking at the impacts of data privacy across the financial sector. Industry speakers covered a range of issues including:
- How the latest privacy and cybersecurity developments in Europe and the U.S. have impacted financial services
- How new and existing privacy and cyber requirements intersect with finance-specific regulation
- What financial organizations can do to keep ahead of the curve in the ever-evolving data privacy and cyber landscape
- How to deal with and manage the key issues for 2022, such as AI, data governance, and international transfers
On September 21, 2021, Sidley partners Alan Raul and William Long engaged in a fireside chat with Elizabeth Denham and Claudia Berg of the United Kingdom (UK) Information Commissioner’s Office (ICO). Elizabeth Denham is due to end her five-year tenure as UK Information Commissioner on October 31, 2021. Claudia Berg is the ICO’s General Counsel. The webinar entitled “Governance of Data Innovation: Risks and Rewards for Business” touched on the crucial issues in data protection and cyberlaw including the future of international data transfers, emerging technologies, and Brexit. Please see below our “10 Key Takeaways” from this fascinating and timely discussion.
On August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC) formally recognized the new EU Standard Contractual Clauses published by the European Commission on June 4, 2021 (New SCCs). The New SCCs are intended to legitimize transfers of personal data from Switzerland to countries not deemed by the FDPIC as providing an adequate level of protection for personal data (cf. official statement) — thereby completing its guidance on international data transfers published on June 18, 2021. The aim of these documents is to reduce uncertainties in a post-Schrems II era and to help companies ensure the ongoing lawful transfer of personal data.