On 13 April 2021, the European Data Protection Board (EDPB) adopted two Opinions on the draft UK adequacy decisions: (i) Opinion 14/2021 for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) Opinion 15/2021 for transfers of personal data under the Law Enforcement Directive (LED).
With the roll-out of the COVID-19 vaccine and the start of easing of social distancing measures, the latest initiative being considered at a national as well as an international level is the introduction of so-called “digital health passports” or “immunity passports,” i.e., a tool to record and share the immune status of an individual, whether by virtue of a COVID-19 test result or vaccination record. Indeed, it is estimated that there are currently more than 70 digital health passports and 14 vaccine passport apps in operation globally. However, the privacy concerns (and indeed the broader ethical implications) of introducing such measures without the implementation of appropriate safeguards are significant and a current topic of intense debate.
On 5 March 2021, the Federal Data Protection and Information Commissioner (FDPIC) published a short position paper on the revised Swiss Data Protection Act (revDPA). The position paper provides guidance for companies that are subject to the revDPA as to how to meet its requirements once it enters into force, which is expected to be in the second half of 2022 after the Federal Administration has completed drafting the associated implementing ordinances.
On February 10, 2021, the Council of the European Union (which includes representatives of the European Union (EU) member states, hereinafter Council) reached an agreement on the ePrivacy Regulation proposal that governs the protection of privacy and confidentiality of electronic communications services (ePrivacy Regulation).
The first draft of the ePrivacy Regulation was approved by the European Commission in 2017 and has since been under discussion in the Council. The current agreement in the Council comes shortly after Portugal took over the Council presidency (on January 1, 2021) and released a revised draft of the ePrivacy Regulation (on January 5), which was the 14th draft including the original EU Commission proposal. The present agreement is therefore a breakthrough in the negotiation process and allows the Portuguese Council presidency to start negotiations with the European Parliament on the final text.
On February 12, 2021, the European Commission (Commission) published an “Assessment of the EU Member States’ rules on health data in the light of GDPR” (the Assessment). The Assessment concludes, amongst other things, that there are variations in the implementation of the EU General Data Protection Regulation (GDPR) at a national level with regards to the processing of health data. In turn, this has led to a fragmented approach to the processing of health data for health and research purposes across the EU. To avoid further fragmentation, the Assessment proposes various future EU-level actions, including stakeholder-driven Codes of Conduct as well as new targeted and sector-specific legislation.
On January 28, 2021, the UK Financial Conduct Authority (FCA) published Consultation Paper CP21/3, “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual” (Consultation Paper). This follows the FCA’s announcement in its 2020-21 business plan that payment services were one of its main supervisory priorities and its temporary guidance of July 9, 2020, on prudential risk management and safeguarding in light of the COVID-19 pandemic (Temporary COVID Guidance).
The FCA is proposing amendments to:
- the UK onshored versions of EU technical standards on strong customer authentication (SCA) and common and secure methods of communication (UK SCA-RTS);
- its Approach Document on Payment Services and Electronic Money (Approach Document); and
- its Perimeter Guidance Manual (PERG).
On February 19, 2021, the European Commission (EC) published two draft implementing decisions to enable the continuing free flow of personal data from the EU to the UK post-Brexit (the Draft Adequacy Decisions): (i) for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) for transfers of personal data under the Law Enforcement Directive (LED). This will come as a huge relief to companies across all industries that are in parallel already grappling with the repercussions of Schrems II. In fact, the Draft Adequacy Decisions (which collectively run to almost 140 pages) are the first of their kind in a post-Schrems II world and will likely be closely reviewed, including by privacy advocate Max Schrems, who has promised his Twitter followers to “take a look at” the Draft Adequacy Decisions, in particular with regard to the LED (which addresses UK government surveillance activities).
On February 17, 2021 the European Medicines Agency (EMA) published an updated version of its good clinical practice questions and answers (GCP Q&A). The updated section relates to access to patient medical records by GCP inspectors from European Economic Area (EEA) Member States. It stresses the importance of sponsors conducting studies in countries outside the EEA obtaining the prior explicit consent of a clinical trial participant for the review of their medical records by EEA GCP inspectors.
Case: R (on the application of KBR, Inc) (Appellant) v Director of the Serious Fraud Office (Respondent)  UKSC 2
On February 5, 2021, the UK Supreme Court ruled that the Serious Fraud Office (SFO) cannot compel foreign companies with no presence in the jurisdiction to produce documents held abroad using its powers under Section 2(3) of the Criminal Justice Act 1987 (CJA 1987).
Coming after the SFO lost its ability to use European Investigation Orders to obtain evidence located in other EU member states due to Brexit, the judgment is a further setback for the SFO in terms of the extraterritorial reach of its investigative powers and may in certain circumstances affect its ability to fully investigate cross-border serious fraud cases. When seeking documents or electronic data held abroad from foreign companies that are not registered in the UK or do not carry on business there, the SFO will now have to rely on mutual legal assistance or an overseas production order (where such mechanisms are available).
However, the Supreme Court’s ruling will provide foreign companies with greater certainty regarding documents that may have to be produced to the SFO, particularly where production could be resisted in their own jurisdiction on grounds of privilege.
Foreign investment in many entities regulated by the U.S. Federal Communications Commission (FCC) has long been subject to an interagency review process for the consideration of national security, foreign policy, and trade policy issues, referred to as “Team Telecom.” Pursuant to an April 2020 executive order and an October 2020 report and order of the FCC, this process has been formalized and streamlined under the new Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Committee).