Unpacking Digital Data Laws Across Europe: Addressing the Digital Markets Act
The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.
U.S.-EU Data Transfer Framework Signals Strengthened Collaboration
This article first appeared on Law360 on October 14, 2022.
A series of coordinated announcements on Oct. 7 lifted the veil on a new trans-Atlantic data transfer mechanism.
This announcement has been hotly anticipated since the U.S. and European Union governments issued a joint declaration on March 25 that there was an agreement in principle for a new EU-U.S. Data Privacy Framework.
The key document in the framework process is Executive Order No. 14086 on enhancing safeguards for U.S. signals intelligence activities, accompanied by a detailed fact sheet on the executive order.
Third Time’s a Charm? Privacy Shield Agreement Reached In Principle
The U.S. President and European Commission President announced in a joint press statement on March 25th, 2022 that an agreement “in principle” has been reached on a new Trans-Atlantic Data Privacy Framework (Privacy Shield Agreement 2.0). Once approved and implemented, the agreement would facilitate the transatlantic flow of personal data and provide an alternative data transfer mechanism (in addition to EU Standard Contractual Clauses and Binding Corporate Rules) for companies transferring personal data from the EU to the U.S. This is a welcome announcement for companies that have been dealing with the legal uncertainty of such data flows following the Schrems II decision in July 2020, which invalidated the EU-U.S. Privacy Shield 1.0 for international transfers of personal data.
Data Protection in Financial Services Week 2022
From February 28-March 3, Sidley and OneTrust DataGuidance hosted their annual Data Protection in Financial Services (DPFS) Week, a series of webinars looking at the impacts of data privacy across the financial sector. Industry speakers covered a range of issues including:
- How the latest privacy and cybersecurity developments in Europe and the U.S. have impacted financial services
- How new and existing privacy and cyber requirements intersect with finance-specific regulation
- What financial organizations can do to keep ahead of the curve in the ever-evolving data privacy and cyber landscape
- How to deal with and manage the key issues for 2022, such as AI, data governance, and international transfers
Governance of Data Innovation: Risks and Rewards for Business – Key Takeaways from our Discussion with the UK Information Commissioner’s Office
On September 21, 2021, Sidley partners Alan Raul and William Long engaged in a fireside chat with Elizabeth Denham and Claudia Berg of the United Kingdom (UK) Information Commissioner’s Office (ICO). Elizabeth Denham is due to end her five-year tenure as UK Information Commissioner on October 31, 2021. Claudia Berg is the ICO’s General Counsel. The webinar entitled “Governance of Data Innovation: Risks and Rewards for Business” touched on the crucial issues in data protection and cyberlaw including the future of international data transfers, emerging technologies, and Brexit. Please see below our “10 Key Takeaways” from this fascinating and timely discussion.
Switzerland Recognizes New EU Standard Contractual Clauses and Issues Guidance on International Data Transfers
On August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC) formally recognized the new EU Standard Contractual Clauses published by the European Commission on June 4, 2021 (New SCCs). The New SCCs are intended to legitimize transfers of personal data from Switzerland to countries not deemed by the FDPIC as providing an adequate level of protection for personal data (cf. official statement) — thereby completing its guidance on international data transfers published on June 18, 2021. The aim of these documents is to reduce uncertainties in a post-Schrems II era and to help companies ensure the ongoing lawful transfer of personal data.
Sidley Privacy and Cybersecurity Roundtable
Please join Sidley’s Privacy and Cybersecurity Group for a two-part discussion with UK government officials with a focus on data transfer and innovation.
UK Data Protection and Data Transfers – New Directions
In this Chatham House discussion, our panelists will cover:
- Data Transfers to the U.S. and Developments on “Adequacy”
- G7 and OECD Data Protection Initiatives
- UK Regulation of Data and Promotion of Innovation
UK Government Publishes UK Approach to International Transfers, Including Data Adequacy
On August 26, 2021, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) published its mission statement setting out the UK approach to adequacy assessments and international data transfers, alongside a Manual Template and Manual Guidance for undertaking adequacy assessments and an infographic map illustrating ten priority countries forming part of that process. This release forms part of a broader package of measures announced by DCMS to “seize the opportunities of data to boost growth, trade and improve its public services” following the UK’s exit from the EU, which included an announcement that John Edwards (the current New Zealand Privacy Commissioner) is the Government’s preferred nominee to be the next UK Information Commissioner.
UK ICO Opens Consultation on Data Transfer Agreements and Guidance
On 11 August 2021, the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement and guidance (Consultation). The Consultation comes two months after the European Commission’s adoption of new EU Standard Contractual Clauses (EU SCCs) and the European Data Protection Board’s publication of the final Schrems II guidance. The EU SCCs do not automatically apply in the UK since its exit from the EU. Moreover, the ICO has not yet formally acknowledged the EU SCCs as a valid data transfer mechanism under the UK GDPR.
NHS’ Plans to Share Patient Records with Third Parties
In May 2021, NHS Digital (the national custodian for health and care data in England) announced a new data sharing initiative called the General Practice Data for Planning and Research (GPDPR) service. The launch of the GPDPR could result in the historical medical records of up to 55 million patients in England being shared with third parties.
Although the GP data collection was set to take place as of July 1, 2021, on June 8, 2021 it was announced that the launch will be postponed to September 1, 2021.