Category

International

12 December 2019

EDPB Provides Clarity and Raises New Questions with Publication of Final Guidelines on the Territorial Scope of the GDPR

Following an extensive public consultation, the European Data Protection Board (“EDPB”) has published a final version of its guidelines on the territorial scope of the GDPR (“Guidelines”). This comes almost one year after the draft guidelines were originally published. Please read this blog together with our previous blog on the draft guidelines, as this blog addresses only the key differences between the draft guidelines and the Guidelines.

10 December 2019

Fund Managers Targeted in Sophisticated Cyberattacks

There has been a spike in 2019 in targeted cyberattacks against Asia-based fund managers, especially those in a startup phase of business. Regulators worldwide, including the Securities and Futures Commission of Hong Kong, have issued guidelines for reducing and mitigating hacking risks. This post summarizes the practical measures that may be adopted to protect your firm against cyberattacks and the keys to successful crisis management in the event that an unauthorized data breach occurs.

09 December 2019

German DSK Issues GDPR Fining Methodology Guidelines

Recently, the Association of German Data Protection Authorities (“Datenschutzkonferenz” or “DSK”) issued guidelines setting a GDPR fining methodology (“Fining Methodology”). The Fining Methodology has been issued at a time of a significant increase in GDPR enforcement action across the EU over the past year. The European Data Protection Board (“EDPB”) reported a total of 281,088 national enforcement actions being initiated as of May 22, 2019 (approximately one year after the GDPR’s entry into application). Since then, data protection authorities across the EU have been initiating enforcement and fines on a daily basis. In particular, in the UK, the Information Commissioner’s Office (“ICO”) has issued two notices of intention to fine, of €114m and €215m, for failure to implement appropriate data security measures.

03 December 2019

European Data Protection Board Adopts Data Protection by Design and by Default Guidelines

On 13 November 2019, the European Data Protection Board (“EDPB”) adopted guidelines on the GDPR’s data protection by design and by default principle (“Guidelines”). The Guidelines provide further guidance on the technical and organizational measures and safeguards that data controllers must take into account when designing their processing activities. The EDPB encourages early consideration of data protection by design and by default principles (“DPbDD”) and considers DPbDD to be at the forefront of GDPR compliance. Data controllers, processors and technology providers should consider re-assessing their processing operations and products against the standards put forward in the Guidelines.

21 November 2019

The Sixth Edition of The Privacy, Data Protection and Cybersecurity Law Review is Available

The sixth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the chapters below for a closer look at this developing area of law.

04 November 2019

Website Cookie Consent: Is the Cookie Starting to Crumble?

Two important decisions have recently been issued relating to website operators’ use of cookies. First, the Court of Justice of the European Union (the “CJEU” or the “Court”) has issued its judgment in Planet49, a case which looked at the standards of consent and transparency for the use of cookies and similar technologies in the context of the e-Privacy Directive and the GDPR and determined that opt-out consent, by way of a pre-ticked checkbox, was insufficient to obtain GDPR-standard consent for non-essential cookies. Second, the Spanish data protection authority, AEPD, fined Vueling, a Spanish airline, €30,000 for forcing visitors to its website to accept the use of non-essential cookies on their device in order to continue viewing the website.

We set out below our summaries and key takeaways from both decisions which help to highlight the latest approach of both the courts and European data protection regulators in relation to cookie consent.

01 November 2019

European Commission Provides Important Guidance on Qualification and Classification of Software Under New Medical Devices Regulations

The European Commission’s Medical Devices Coordination Group (MDCG) has published much-anticipated guidance on the qualification and classification of software devices as medical devices (MDSW) under the new Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulations (IVDR) (the Guidance). The Guidance seeks to provide clarification to medical software manufacturers with respect to (i) when software is considered a device (qualification) and (ii) what risk category the device falls into (classification).

Under the currently applicable rules, supported by guidance set out in MEDDEV 2.1/6, most software devices are classified as low risk. However, the new classification rules set out in the MDR, in particular Rule 11, significantly change the classification of MDSW, with many software devices to be generally considered medium- or even high-risk devices.

Here we examine which areas have been clarified by the Guidance and which topics remain open to interpretation.

29 October 2019

Observations from Albania: the 41st Annual International Conference of Data Protection and Privacy Commissioners (October 23-24, 2019)

UK ICO Commissioner Liz Denham, who serves as Conference Chair, welcomed attendees at the public session and provided a brief summary of what transpired at the Commissioners’ closed-door sessions. She noted that “privacy” has gone “mainstream.” People around the world expect more information about how their data is used. She stressed the importance of future international collaboration and regulatory cooperation to develop shared strategies and tactics “to protect people from big companies.”

Commissioner Denham also highlighted the increased focus on the role of data protection as a relevant consideration in competition analysis by international regulators. She noted that the International Privacy Commissioners’ Conference, and the ongoing assembly of global regulators, resolved to be more transparent in the future with respect to the regulated community and other interested parties. Finally, she hinted that a new name for the group would be announced before the 2019 conference concludes.

15 October 2019

China Implements Regulation Increasing Protections for Children’s Personal Data

On 22 August 2019, the Cyberspace Administration of China (CAC) announced the implementation of the Online Protection of Children’s Personal Data Regulation (儿童个人信息网络保护规定), (“the Regulation”) which came into force on 1 October 2019. The Regulation comprises a list of rules which seek to ensure the safety of children’s personal data and promote a healthy upbringing for children.

This constitutes the latest step in China’s drive to develop a more sophisticated data protection regime and adds to legislation under the framework of the Cybersecurity Law, implemented in 2017. It contains similarities to the Children’s Online Privacy Protection Act (COPPA) in the U.S. and the GDPR in the EU.

As there is no official English translation of the Regulation, this article summarises its key points.
