An Irish High Court ruling may have a significant impact on one of the main mechanisms that global companies use to transfer personal data out of the European Economic Area (“EEA”). The Irish High Court ruled on 3 October 2017 that the Standard Contractual Clauses (“SCCs”) used by companies to transfer data from the EEA to US, also frequently referred to as “Model Contracts,” must be the subject of review by the Court of Justice of the European Union. (more…)
On 13 September 2017, the European Commission presented its draft work program for the next sixteen months up to the end of 2018. In addition to boosting jobs, growth and investments, the European Commission’s main priority is to improve and strengthen the Single Digital Market, where individuals as well as businesses can seamlessly access and exercise online activities under conditions of fair competition and a high level of consumer and personal data protection. With that objective in mind, the European Commission plans to launch the following initiatives between now and the end of 2018:
On 13 September 2017, the UK Government introduced the new Data Protection Bill (the “Bill”) in the House of Lords. If enacted, the Bill will repeal and replace the existing Data Protection Act 1998 and supplement the EU’s new General Data Protection Regulation (“GDPR”). (more…)
Brussels – Sidley Austin LLP is pleased to announce that Wim Nauwelaerts has joined the firm as a partner in its Brussels office. He will be a member of Sidley’s global Privacy and Cybersecurity practice. (more…)
The Belgian Commission for the Protection of Privacy (“Privacy Commission”) has recently published guidance on Article 30 of the GDPR which contains the obligation for data controllers and processors to record their processing activities.
This record will have to be up-to-date by 25 May 2018 and readily made available to the regulator should it ask to view it. (more…)
Today the BBC published a news article on the panic many businesses are now in over the imminent implementation of the GDPR in May 2018.
According to the BBC article, some research indicates just 29% of UK businesses have begun to prepare for the GDPR. Another forecast was that European financial institutions could face fines of nearly €5 billion in the first 3 years following the GDPR’s coming into force. (more…)
The EU’s Article 29 Working Party (“WP29”) adopted, on 5 April 2017, final guidelines on the new right of data portability under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) which applies from 25 May 2018. (more…)
On April 18 in the DC office, Sidley hosted the firm’s third annual Privacy and Cybersecurity Roundtable for over 70 clients. Speakers included a senior representative of the European Data Protection Supervisor, senior officials from the Office of the New York State Attorney General and the Federal Trade Commission, legal, policy and compliance leaders from Facebook and Gannett, along with several members of the firm’s privacy, securities law and governance groups. (more…)
On 27 April 2017 the German Parliament passed the new Federal Data Protection Act (the Bundesdatenschutzgesetz or “new BDSG”) which from 25 May 2018 will replace the current German Data Protection Act. The new BDSG adapts German law in line with the EU’s new General Data Protection Regulation (the “GDPR”). The GDPR has direct effect in EU members states, but it allows member states to pass legislation which supplements the GDPR but is consistent with it.
On February 2, the Italian Data Protection Authority, known as the “Garante,” imposed a fine of EUR 5,880,000 on a UK money transfer company that it found to be in violation of Italian data privacy rules. This is the largest ever publicly-known fine imposed by an EU data protection authority, and it approaches the level of fines that are likely to be imposed under the EU’s General Data Protection Regulation (“GDPR”) that will come into force in May 2018. Although the GDPR is not yet in force, the Garante’s enforcement action shows that European data protection authorities are willing to levy the kind of fines allowed by the GDPR.