FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.


UK’s OfCom to Publish Guidance on Illegal Content Risk Assessments in Light of Online Safety Bill

The UK’s Online Safety Bill (“Bill”), once legislated, will impose duties of care on providers of digital services, social media platforms and other online services to make them responsible for content generated and shared by their users and to mitigate the risk of harm arising from illegal content, and if services are deemed accessible by children, a duty to protect children from harm. As currently drafted, the Bill applies to any service or site that has users in the UK, or targets the UK as a market, even if it is not based in the country. The Bill is currently at the Committee Stage of the legislative process. Although the Bill is expected to receive Royal Assent during 2023, the timeline as to when the provisions will come into force is still unclear.


UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill (the “Bill”). The Bill is in substance a re-introduction of the previous Data Protection and Digital Information Bill, which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork,” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.


UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.


Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.


It Is Now More Difficult For International Pharma To Transfer Data Out Of China

New measures for the security assessment of data transfers from China to other countries could make it harder for international pharma companies with China operations to transfer health data out of the country. Lianying Wang explains.

Unpacking Digital Data Laws Across Europe: Addressing the Digital Markets Act

The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.


EU Publishes New NIS2 Cyber Directive Imposing Liability and Obligations on Senior Management

On 17 January 2023, the new Network and Information Systems Security Directive (“NIS2 Directive”), which is aimed at establishing a minimum level of cybersecurity standards across the EU and is set to replace its predecessor (the NIS or “NIS1 Directive”), entered into force. The new NIS2 Directive aims to further harmonize and strengthen cybersecurity and resilience throughout the EU in response to a continued increase in digitization and a rise in cyber (and in particular ransomware) threats – which is estimated to have reached a total cost of €5.5 trillion at the end of 2020 (double the figure of 2015) and continues to rise in the EU and globally, notably due to ongoing geopolitical conflicts in Ukraine and Russia.

The Ninth Edition of The Privacy, Data Protection and Cybersecurity Law Review is Now Available

The ninth edition of The Privacy, Data Protection and Cybersecurity Law Review provides a global overview of the legal and regulatory regimes governing data privacy and security, and covers areas such as data processors’ obligations, data subject rights, data transfers and localization, best practices for minimizing cyber risk, public and private enforcement, and an outlook for future developments. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the chapters below for a closer look at this developing area of law.


European Commission Publishes Draft Cyber Resilience Act

On 15 September 2022, the European Commission (“Commission” or “EC”) published a draft proposal for a Cyber Resilience Act (“CRA”). The CRA comes in response to the increasingly common occurrence of cyberattacks, with some predicting that the global cost of cyberattacks for companies will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. The CRA promises to transform the European cybersecurity landscape by harmonizing and bolstering cybersecurity rules across all technologies with “digital elements.” The Commission is currently inviting public feedback on the CRA through 18 November 2022. The CRA will then pass through the European Parliament for debate and for amendments to be proposed.
