Category

GDPR

03 December 2018

Privacy Legislation Could Provide Common Ground for the Newly Divided Congress

*This article first appeared in the Hill.com on November 19, 2018

With the House having now flipped, policy consensus in Congress is not likely to get any easier. But there is one subject around which countries, companies, consumers and, yes, even Congress is increasingly converging. That issue is privacy. The new privacy zeitgeist follows years of data breaches as well as new concerns about invisible data collection, political micro-targeting and manipulation, the proliferation of internet-connected devices, and a potential lack of transparency in the decisions that machines increasingly make about us.

(more…)

EmailShare
30 November 2018

EDPB Issues Long-Awaited Guidance on Territorial Scope of the GDPR

On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”).  The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them.  The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2).  The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).

The proposed Guidelines are open for public consultation until January 18, 2019.  It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation. (more…)

EmailShare
26 November 2018

The Fifth Edition of The Privacy, Data Protection and Cybersecurity Law Review is Available

The fifth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. (more…)

EmailShare
13 November 2018

EU DPAs Receive Thousands of Complaints Under the GDPR

European Digital Rights (EDRi), a digital user rights non-for-profit organisation, on 25 October 2018, launched an online platform, ‘GDPR Today’. In its first edition of the GDPR Today, the EDRi published statistics collected from eight EU Member States (France, Germany, Ireland, Italy, Poland, Romania, Sweden and the United Kingdom). The statistics show that since the GDPR’s entry into force on 25 May 2018, data protection authorities (DPAs) have received thousands of complaints from EU individuals on the implementation of the GDPR by businesses and other organisations. Of note, the United Kingdom’s DPA, the UK Information Commissioner’s Office (ICO), has topped the list of complaints received, with nearly 15,000 complaints. Germany and France follow in the rankings, with 6,555 complaints and 3,767 complaints received, respectively. However, the UK figure includes complaints filed with the ICO prior to the GDPR’s effective date. (more…)

EmailShare
23 October 2018

EU Parliament Adopts Blockchain Resolution

On October 3, 2018, the European Parliament passed its long awaited resolution on distributed ledger technologies and blockchains (the “Blockchain Resolution”). The Blockchain Resolution was adopted to protect and empower EU citizens and businesses with respect to the specific issues that arise in relation to the blockchain or “distributed ledger” technology, one of which being the tension with data protection rights and the GDPR in general. (more…)

EmailShare
02 October 2018

The Trump Administration’s Approach to Data Privacy, and Next Steps

* This article originally appeared in Law360 on September 27, 2018.

On Sept. 25, 2018, the Trump administration proposed an approach and initiated a process to modernize U.S. data privacy policy.  The administration’s approach is “risk-based” rather than rule-based, and, as such, signals a willingness to move away from a privacy model of mandated notice and choice that has “resulted primarily in long, legal, regulator-focused privacy policies and check boxes.” Rather, the administration is proposing that U.S. privacy policy “refocus” on achieving desirable privacy “outcomes,” such as ensuring that users are “reasonably informed” and can “meaningfully express” their privacy preferences, while providing organizations with the flexibility to continuing innovating with cutting-edge business models and technologies.

(more…)

EmailShare
07 September 2018

New Belgian Data Protection Act Takes Effect

On September 5, 2018, the new Belgian Data Protection Act implementing the GDPR (the Belgian Act) was published and entered into force. Despite the GDPR being an EU regulation that directly applies to all EU Member States, several provisions of the GDPR explicitly allow, and even require, Member States to enact legislation which implements the law. Member States were expected to have this legislation in place by May 25, 2018, but the majority of Member States (including Belgium) did not meet the deadline. Since December 2017, however, Belgium has had in place a law implementing many of the more procedural provisions of the GDPR, namely the Act on the Establishment of the Supervisory Authority (the SA Act). The SA Act lays down the structure, powers and competence of the new Belgian Supervisory Authority, and also includes rules of procedure applicable to administrative proceedings before the Authority. (more…)

EmailShare
06 September 2018

European Data Protection Board Clarifies Application of GDPR to Payment Service Providers

On July 5, 2018, the European Data Protection Board (EDPB)1 replied to a request from a Member of the European Parliament (MEP), Dutch Democrat Sophie in ‘t Veld, for clarification on a number of issues relating to the protection of personal data under the EU General Data Protection Regulation (2016/679) (GDPR) and the revised EU Payment Services Directive (2015/2366) (PSD2). In its response, the EDPB set out its position on how the requirement to obtain explicit consent from payment service users under PSD2 interacts with the GDPR. The EDPB also provided guidance on the use of personal data relating to a payee by an account information service provider or a payment initiation service provider acting for a payer.

This post summarizes the EDPB’s stated positions on these points and explores the implications for firms providing payment services in the European Economic Area (EEA).

(more…)

EmailShare
29 August 2018

DataGuidance’s Thought Leaders in Privacy: Vishnu Shankar

Vishnu Shankar, an associate in our London office, spoke with DataGuidance at the 2018 IAPP Data Protection Intensive. He discussed his recommendations on regulatory requirements regarding breach notification across several key pieces of legislation, including the GDPR and the NIS Directive, as well as sector-specific requirements.

See More >>

EmailShare
23 August 2018

Dutch Supervisory Authority Investigates GDPR Compliance in the Healthcare Sector

On 21 August 2018, the Dutch Supervisor Authority announced that it had conducted an investigation into the designation of a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR) by 91 hospitals and 33 healthcare insurers in the Netherlands. Two hospitals had not yet communicated the contact details of their DPO to the Dutch Supervisor Authority, and were given four weeks to designate a DPO. In addition, the Supervisor Authority found that 25% of the hospitals and healthcare insurers whose practices were reviewed did not properly publish their DPO’s contact details on their website. They will also be expected to implement the necessary compliance measures. (more…)

EmailShare
1 2 3 5
XSLT Plugin by BMI Calculator