A close observer of the GDPR will have noticed that, in several places, individual EU Member States can implement derogations from the GDPR requirements. Of course, as a regulation under EU law there is less scope for local flexibility under the GDPR than under the current EU Data Protection Directive 95/46. Yet the GDPR does, in a number of key areas, allow an EU Member State to set down local laws that could allow a more locally relevant flavour to a particular aspect of compliance.
While the prospect of different local flavours may be unwelcome to global businesses seeking to maintain a harmonised standard of compliance across the EU (one of the policy aims of the GDPR of course), clearly the EU policy makers and legislators considered that Member States must be given room to implement their own rules in certain areas. For instance, Member States may introduce further rules around the use of genetic data, biometric data and health data.
On 11 April 2017 the Cyberspace Administration of China published a circular calling for comments on its draft Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures (the Draft Export Review Measures). Public comments are open through 11 May 2017.
The main legislative purpose of the Draft Export Review Measures is to clarify the process and requirements relating to the data localisation provisions in the Cyber Security Law, one of the most controversial aspects of the law. While the Draft Export Review Measures do add a significant level of implementing detail as to the practicalities of compliance, we expect that for many multinational corporations with operations in, or doing business with, China, the clarifications do not go in the direction that they would have wanted. In particular, the Draft Export Review Measures include a significant expansion of the scope of the localization measure, potentially applying to all businesses collecting data in China.
Hogan Lovells has released a guide highlighting the key provisions in the Draft Export Review Measures, including an overview of the significant points for commentary. The full guide is available here. Please refer to the contacts at the end of the guide for related inquiries.
In this IP Enforcement Focus v-log, we report on a recent decision of the German Supreme Court dealing with illegal file sharing which has received a lot of attention.
The case centres on how the court views secondary liability of Internet account holders where family members or groups are involved.
Click here to view the V-log
IP Enforcement Focus is a series of written, video and audio posts which plug into your current enforcement issues. Click here to subscribe to IP Enforcement
Germany has introduced a new “Regulation for the Operation of Unmanned Aircraft Systems” (“Drone-Regulation”). On 7 April 2017, the new Drone-Regulation entered into force, adapting national legislation to the risk-based approach of the European Union and paving the way for innovative technologies. However, the new rules also contain identification and qualification obligations as well as strict authorisation requirements for specific operations of Unmanned Aircraft Systems (“UAS”).
Some aspects of Germany’s new UAS regulations parallel the Federal Aviation Administration’s (“FAA”) Small UAS Rule (Part 107) that went into effect in the United States last August. Similar to the rules adopted by the FAA, Germany’s new UAS regulations place general restrictions on operating UAS beyond visual line of sight (“BVLOS”) and limit operations over people. Notably, however, Germany’s new regulations also provide a pathway for authorizing more advanced commercial UAS operations that go beyond the scope of the regulations in circumstances where it is safe to do so. This is similar to the waiver process adopted by the FAA in Part 107 for authorizing operations beyond the scope of the rule.
Enabling future technologies, abandoning authorisation requirements for UAS below 5 kg
Germany recognizes the great potential inherent in drones in the private as well as the commercial sector and tries to reconcile the immense potential of future technologies with increasing privacy concerns. To achieve this goal, the new regulation introduces changes mainly to the current German Air Traffic Regulation (“Luftverkehrs-Ordnung”), i.e. generally abandoning the former distinction between Flight Models (RC Aircraft) and UAS and the general obligation to obtain an authorisation for UAS operation.
The UK ICO has published what it describes as a feedback request on profiling and automated decision-making, with the intention that responses will “help inform the UK’s contribution to the WP29 guidelines due to be published later this year.”
Given the growing importance of profiling to most businesses, companies should consider whether they wish to contribute their views, particularly on areas where they consider more guidance is needed on what GDPR’s requirements mean in practical terms. For example, the GDPR focuses on profiling that has a “legal” or “significant” effect, and the ICO discussion paper contains its “initial thoughts” on what might constitute significant effects, which includes “causing individuals to change their behaviour in a significant way.” As the ICO acknowledges, what amounts to a “legal” or “significant” effect can be somewhat subjective, and so this is an opportunity for businesses that engage in profiling to put forward their opinions and influence future guidance.
The deadline for responses is 28 April.
2016 was an eventful year in the Asia-Pacific region, where data protection and cyber security issues increasingly feature in the news headlines, as they do elsewhere. Our annual publication, the 2017 Asia-Pacific Data Protection and Cyber Security Guide, provides you with an update on key regulatory developments and emerging trends in data protection and cyber security.
Key developments include:
- China’s passage of its Cyber Security Law, which will take effect from 1 June, 2017. China’s approach to cyber security regulation is highly controversial, introducing data localization measures and invasive forms of technology regulation. Multi-national businesses across a range of industry sectors are concerned about the impact of this new, vaguely drafted law. Businesses in sectors such as banking and insurance have significant concerns about what the new law will mean for their operating platforms in China. Technology businesses fear that they may be excluded from markets altogether.
- Amendments to Japan’s Act on the Protection of Personal Information will take effect next month, introducing a data export control, measures for dealing in anonymized personal data and removing exemptions for small businesses. Critically, Japan will now have a dedicated data protection regulator responsible for administering and enforcing the law.
- The publication of the Implementing Rules and Regulations for the Philippines’ Data Privacy Act of 2012 saw elements of the EU General Data Protection Regulation adopted into law, including a 72-hour data breach notification obligation, special requirements in relation to consents to profiling and a right to data portability.
The pace of regulatory development is rapid and multi-national businesses with operations in the Asia-Pacific region will want to stay abreast of the issues.
Our team would be delighted to share further insights with you.
Please click here to view the guide in full.
Welcome to the Hogan Lovells Global Payments Newsletter. In this monthly publication we provide an overview of the most recent payments, regulatory and market developments from major jurisdictions around the world as well as sharing interesting reports and surveys on issues affecting the market.
Key developments of interest over the last month include:
- EBA publishes final draft RTS on Strong Customer Authentication: the EBA released the draft RTS mandated by PSD2 on 23 February 2017. Key changes from the previous draft include the banning of “screen scraping” and new exemptions to the requirement for strong customer authentication.
- HM Treasury publishes draft AML Regulations and response to consultation: On 15 March 2017, HM Government published its findings from the consultation on the Fourth Anti-Money Laundering Directive. It has also published the draft AML regulations which contain a number of additions to the existing AML regulations.
- EBA consults on guidelines for complaints of infringements of PSD2: the EBA published draft guidelines for competent authorities on the complaints procedures to be considered by PSPs to ensure compliance with PSD2 on 16 February 2017.
To view a PDF of the full Newsletter please click here. You can also follow us on Twitter at @HLPayments for regular news and updates.
At this year’s SmallSat Symposium in Silicon Valley, February 6-8, 2017, attendees exchanged perspectives on promoting innovation and development in the satellite industry, all surrounded by exhibits of the first computers and early innovators who paved the way. Due to attendance twice as high as last year’s event, the SmallSat Symposium experienced a slight upgrade—the event was moved from last year’s tent in the Hogan Lovells, Menlo Park parking lot to the Computer History Museum in Mountain View. This dramatic increase in attendance is just one indicator of the significant growth the SmallSat industry is experiencing.
The Information Commissioner’s Office (ICO) has issued a £70,000 fine against Flybe and a £13,000 fine against Honda Motor Europe Ltd for breaching Regulation 22 of the Privacy and Electronic Communications Regulations (PECR) by sending emails requesting individuals to update their marketing preferences. The two cases confirm that:
- the interpretation by the ICO of what constitutes “marketing material” is very wide; and
- the ICO will take enforcement action against organisations that seek to circumvent the rules on direct marketing by disguising marketing messages as service messages.
Flybe sent emails with the subject line “Are your details correct?” and advised individuals to update out-of-date information and marketing preferences. The emails were sent to over 3 million individuals who had opted out of marketing messages.
The Federal Trade Commission (FTC) and National Highway Traffic Safety Administration (NHTSA) are co-hosting a workshop on June 28, 2017, to explore the privacy and security issues raised by automated and connected vehicle technologies. The agencies are looking to explore the types of data such technologies collect, store, transmit, and share; the potential benefits and challenges posed by the technologies; the privacy and security practices of vehicle manufacturers; the roles that federal agencies should play in regulating privacy and security issues; and how self-regulatory standards apply to connected vehicle privacy and security issues.
In advance of the workshop, the FTC and NHTSA are seeking public comment on privacy and security issues. Comments may be submitted through April 20, 2017, and the agencies have noted the following topics of interest: