On 13 November 2019, the European Data Protection Board (“EDPB”) adopted guidelines on the GDPR’s data protection by design and by default principle (“Guidelines”). The Guidelines provide further guidance into the technical and organizational measures and safeguards that data controllers must take into account when designing their processing activities. The EDPB encourages early consideration of data protection by design and by default principles (“DPbDD”) and considers DPbDD to be at the forefront of GDPR compliance. Data controllers, processors and technology providers should consider re-assessing their processing operations and products against the standards put forward in the Guidelines.
The sixth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the chapters below for a closer look at this developing area of law. (more…)
We set out below our summaries and key takeaways from both decisions which help to highlight the latest approach of both the courts and European data protection regulators in relation to cookie consent.
The European Commission’s Medical Devices Coordination Group (MDCG) has published a much-anticipated guidance on the qualification and classification of software devices as medical devices (MDSW)1 under the new Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulations (IVDR) (the Guidance, available here). The Guidance seeks to provide clarification to medical software manufacturers with respect to (i) when software is considered a device (qualification) and (ii) what risk category the device falls into (classification).
Under the currently applicable rules, supported by guidance set out in MEDDEV 2.1/6,2 most software devices are classified as low risk. However, the new classification rules set out in the MDR, in particular Rule 11, significantly change the classification of MDSW, with many software devices to be generally considered medium- or even high-risk devices.
Here we examine which areas have been clarified by the Guidance and which topics remain open to interpretation.
UK ICO Commissioner Liz Denham, who serves as Conference Chair, welcomed attendees at the public session and provided a brief summary of what transpired at the Commissioners’ closed door sessions. She noted that “privacy” has gone “mainstream.” People around the world expect more information about how their data is used. She stressed the importance of future international collaboration and regulatory cooperation to develop shared strategies and tactics “to protect people from big companies.”
Commissioner Denham also highlighted the increased focus on the role of data protection as a relevant consideration in competition analysis by international regulators. She noted that the International Privacy Commissioners’ Conference, and the ongoing assembly of global regulators, resolved to be more transparent in the future with respect to the regulated community and other interested parties. Finally, she hinted that a new name for the group would be announced before the 2019 conference concludes.
On 22 August 2019, the Cyberspace Administration of China (CAC) announced the implementation of the Online Protection of Children’s Personal Data Regulation (儿童个人信息网络保护规定), (“the Regulation”) which came into force on 1 October 2019. The Regulation comprises a list of rules which seek to ensure the safety of children’s personal data and promote a healthy upbringing for children.
This constitutes the latest step in China’s drive to sophisticate its data protection regime and adds to legislation under the framework of the Cybersecurity Law, implemented in 2017. It contains similarities to the Children’s Online Privacy Protection Act (COPPA) in the U.S. and the GDPR in the EU.
As there is no official English translation of the Regulation, this article summarises its key points.
*Jan Yves Remy is a former Sidley Austin Associate and now serves as the Deputy Director at Shridath Ramphal Centre for International Trade Law, Policy and Services at the University of the West Indies in Barbados. As with all posts, this article is for your informational purposes only; Sidley Austin does not have offices in or practice law in Barbados.
Today, more than 120 countries have privacy and data protection laws or regulations in place. Many of the new or modernized laws tend to be based on comprehensive legislation, rather than sectoral rules, as data needs to move across industry groups and borders. With its new data protection bill, Barbados is planning to join the ranks; this is a significant move, and it is one fueled at least in part by the entry into force of the European Union’s General Data Protection Regulation (“GDPR”) on May 25, 2018. The GDPR was designed to harmonize data protection laws across Europe and to protect EU residents’ data privacy rights; and, its coming triggered significant privacy and data protection compliance activities amongst organizations doing business in the EU and working with the personal data of EU residents.
Under the revised Payment Services Directive (2015/2366) (PSD2), the European Banking Authority (EBA) and the European Commission were required to develop and adopt regulatory technical standards on strong customer authentication and common and secure open standards of communication. These regulatory technical standards were passed into EU law as Commission Delegated Regulation (EU) 2018/389 (the RTS), which entered into effect on September 14, 2019.
The RTS has direct effect on payment service providers (PSPs), including card issuers and acquirers, in all EU member states. However, certain EU member states, including the UK, have implemented transitional measures for a phased implementation of the rules in the context of card-based payments for e-commerce transactions.
This post discusses the requirements under the RTS for card issuers and acquirers to authenticate payment service users (PSUs), which is referred to as “strong customer authentication” (SCA).
On August 29, 2019, the Monetary Authority of Singapore (MAS) announced that it will begin accepting applications for new digital bank licenses. Interested parties have until December 31 to submit their applications. This follows the MAS’ initial announcement in June to issue up to two digital full bank (DFB) licenses and three digital wholesale bank (DWB) licenses, effectively opening up digital bank licenses to nonbank players.