The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the … Continue Reading
On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cybersecurity breaches and how they affected UK companies in the last year. Headline statistics from the report include:
- 61% of businesses hold personal data electronically;
- 46% of all UK businesses identified at least one cybersecurity breach in the past year, rising to
A close observer of the GDPR will have noticed that, in several places, individual EU Member States can implement derogations from the GDPR requirements. Of course, as a regulation under EU law there is less scope for local flexibility under the GDPR than under the current EU Data Protection Directive 95/46. Yet the GDPR does, in a number of key … Continue Reading
The UK ICO has published what it describes as a feedback request on profiling and automated decision-making, with the intention that responses will “help inform the UK’s contribution to the WP29 guidelines due to be published later this year.”
Given the growing importance of profiling to most businesses, companies should consider whether they wish to contribute their views, particularly on … Continue Reading
The Information Commissioner’s Office (ICO) has issued a £70,000 fine against Flybe and a £13,000 fine against Honda Motor Europe Ltd for breaching Regulation 22 of the Privacy and Electronic Communications Regulations (PECR) by sending emails requesting individuals to update their marketing preferences. The two cases confirm that:
- the interpretation by the ICO of what constitutes “marketing material” is very
On 17 March Hogan Lovells hosted a live webinar where several of our Global TMT thought leaders interviewed a panel of academic experts from our Law and Technology Academic Advisory Council on the key legal and tech trends for 2017, including regulation of artificial intelligence, competition law and big data, global privacy and copyright trends, and the future of broadband … Continue Reading
The UK Information Commissioner’s Office has just published draft guidance on consent under GDPR. This is an interesting move given that the Article 29 Working Party has promised guidance on the same topic later this year, but reading the guidance makes it clear why the ICO decided to prioritise it: many of the practices which it identifies as unacceptable are … Continue Reading
Last week, the UK’s Information Commissioner’s Office (ICO) published a monetary penalty notice which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
In this instance, several data protection compliance issues were at stake – HCA had engaged a subcontractor based in India to process sensitive personal data without putting an agreement in … Continue Reading
Please join us for our March 2017 Privacy and Cybersecurity Events.
Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. In 2012, data brokers’ trade in personal data was reported to have generated over $150 billion in revenue.
The … Continue Reading
On 1 February 2017, the German federal cabinet adopted a draft data protection bill. The planned implementation statute aims to supplement and further define the EU General Data Protection Regulation, which will come into force in 2018. The Chronicle of Data Protection’s summary of the most relevant aspects of the draft bill can be found here. We turn now … Continue Reading
The internet has become today’s global trade route, and personal data is one of its major currencies. The growth in the digital economy is impressive. One study found that economic activity taking place over the internet is growing at 10% per year within the G-20 group of nations. In the United States alone, one estimate found that companies exported nearly … Continue Reading
After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need … Continue Reading
On January 10, 2017, the European Commission released a Communication, a fact sheet, a working document and a public consultation relating to Europe’s “data economy”. The fact sheet states that “data is a new type of economic asset”, which is essential for innovation and growth. The Commission’s objective is to remove “unjustified restrictions” and “legal uncertainties” in order … Continue Reading
On January 5, 2017 Paris Law School Panthéon-Assas launched its first university degree (diplôme d’université) aimed at training future Data Protection Officers (DPOs) under the new European General Data Protection Regulation (GDPR), which becomes effective across the EU on May 25th, 2018. Created by Paris University Professor Bénédicte Fauvarque-Cosson and Hogan Lovells partner Winston Maxwell, the new program will include … Continue Reading
The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive. The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader … Continue Reading
Please join us for our January 2017 Privacy and Cybersecurity Events.
No one could accuse the EU Article 29 Working Party (WP29) of not delivering as promised. Following its recently held December plenary meeting, the WP29 has released three separate guidelines with their interpretation of some key aspects of the General Data Protection Regulation, namely:
- data portability,
- data protection officers (DPOs), and
- lead supervisory authorities.
At the same time, the WP29 … Continue Reading
Have you visited our online client cybersecurity resource portal: Ready, Set, Respond? Designed by our cross-practice team of global practitioners to provide in-house counsel with the tools they need to prepare for the inevitable cybersecurity incident and quickly and easily stay up to date on the evolving state of cybersecurity regulation around the world, the portal is regularly updated … Continue Reading
We are pleased to announce that Hogan Lovells Frankfurt-based Partner Tim Wybitul has published a handbook – EU-Datenschutz-Grundverordnung im Unternehmen: Praxisleitfaden – to assist organizations with compliance with the European General Data Protection Regulation (GDPR). Written in German, the handbook includes plain-language summaries of GDPR requirements as well as project-planning and other checklists and examples to aid companies in complying … Continue Reading
Not many people will remember this but in 2008, Richard Thomas, the former UK Information Commissioner caused a fairly dramatic stir in the privacy world – at least among policy makers and fellow regulators – by unashamedly proclaiming that European data protection law was outdated and ineffective to address the technological and privacy challenges of the 21st century. At first, … Continue Reading
The Philippines’ first comprehensive data protection law, the Data Privacy Act of 2012 (the “Act“), took effect on 8 September 2012. The Act mandated the creation of a National Privacy Commission (“NPC“) to implement, enforce and monitor compliance with the Act, with one of its duties to promulgate rules and regulations … Continue Reading
Data privacy in an employment context remains a challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance. Few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a reasonable expectation of privacy … Continue Reading