On 3 July 2019, the UK’s Information Commissioner’s Office (“ICO”) published new guidance on cookies and similar technologies (“Guidance”) in conjunction with a new blog post: “Cookies – what does ‘good’ look like?” which aims to provide “myth-busting” advice on common cookies uncertainties. You can find a full copy of the new guidance here and a link to the ICO’s blog post here. With its new Guidance, the ICO has formally recognised the stricter standards of consent and transparency now in force under the GDPR.
The Chinese government is proposing heightened requirements on cross-border transfers of personal information from China, recently publishing draft Measures on Security Assessment of Cross-border Transfer of Personal Information (the “Draft Measures”). This comes less than a month after the Chinese government issued another draft Measures for Data Security Management which require network operators to conduct a security assessment for any transfer of important data (i.e. any data that may directly affect China’s national security, economic security, social stability, or public health and security if leaked) to overseas. The Draft Measures now focus on the cross-border transfer of personal information by network operators and are viewed as a continuous effect of the Chinese government to strengthen the data protection in China.
Today we saw the ICO issue a notice of its intention to fine British Airways £183.39m for infringements of the GDPR – a record fine and the largest seen in the UK and the EU. The proposed fine relates to a cyber incident which BA notified to the ICO (as BA’s lead data protection authority, DPA) in September 2018. The incident involved the theft from the BA website and mobile app of personal data relating to customers over a two-week period. In terms of next steps, BA now has an opportunity to make representations to the ICO as to the proposed findings and sanction.
The 25th of May, 2019 marked a year since the EU General Data Protection Regulation (“GDPR”) came into force. For most in privacy, involvement with the GDPR has been ongoing for well over this year, but on the first anniversary of the GDPR we take an opportunity to look back and reflect on where we are now in relation to some key areas of interest including enforcement action, privacy litigation, breach notification and developing guidance from the European Data Protection Board (“EDPB”).
Recently, the Dutch Supervisory Authority (the “Autoriteit Persoonsgegevens” or “Dutch SA”) has taken the position that the use of so-called “cookie walls,” whereby website access is made conditional upon the provision of consent to tracking cookies, is not compliant with the EU General Data Protection Regulation (“GDPR”).
We held our 5th Annual Privacy and Cybersecurity Roundtable on May 1, in Washington, D.C. The event featured the Chair of the European Data Protection Board Andrea Jelinek and FTC Commissioner Noah Phillips. Other government speakers represented the White House, UK’s Information Commissioner’s Office, and staff members from the U.S. Senate and House of Representatives. Other distinguished panelists included Cam Kerry of Brookings and Jane Horvath from Apple. The speakers addressed privacy and cybersecurity enforcement in the U.S. and EU, Brexit, Online Harms and the prospects for federal privacy legislation. The insightful program was followed by a competition between the sausage-making (and brewing) achievements of leading privacy jurisdictions such as Brussels, California, Washington, D.C. and China (representing a privacy continuum!). Sidley also commemorated “20 Years of CyberLaw at Sidley” – two decades since the founding of today’s Privacy and Cybersecurity practice. We look forward to continuing to thrive and serve our clients. We hope to see you at next year’s Privacy and Cybersecurity Roundtable.
In light of the UK’s possible departure from the European Union (EU), currently scheduled for October 31, 2019 (“Exit Day”), the UK Government has passed the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No.2) Regulations 2019 (“Regulations”) which enter into force immediately before Exit Day.
On 29 March 2019, the Belgian House of Representatives appointed a new Data Protection Commissioner and four directors to the executive committee of the Belgian Data Protection Authority (‘DPA’).
These are the first appointments to be made to the DPA since it replaced the previous Belgian Privacy Commission in anticipation of the EU GDPR. This is therefore the first time that executive roles have been officially filled in the context of the regulator’s expanded competence – including the DPA’s new power to impose administrative fines of up to €20,000,000 EUR or 4 percent of an undertaking’s worldwide annual revenues for certain infringements of the EU GDPR.
The updated 2019 Chambers Global Practice Guide for Data Protection & Cybersecurity is available, covering important developments across the globe and bringing expert legal commentary for businesses particularly involved in the life sciences sector. Read More
On February 26, 2019, the Technology Policy Institute’s Two Think Minimum podcast featured Sidley Partner and founder of the Privacy and Cybersecurity practice, Alan Raul, alongside former FTC Acting Chairman and Commissioner of the FTC Maureen Ohlhausen. The topic of the day was the future of privacy legislation in 2019. Topics ranged from politics, U.S. State trends, activity in Europe, FTC enforcement powers and more.