There are now more than 90 privacy proposals that federal, state, and local regulators and policymakers are considering as privacy continues to dominate the news cycle. Hogan Lovells partners led a panel in discussing what comes next.
On 9 March 2019, the House of Lords Select Committee on Communications published its report on “Regulating in a digital World”. It included a number of recommendations to the government, including 10 guiding principles for the development of regulation online, a new public interest test for data driven mergers and a new Digital Authority, to oversee regulation of the digital world. The Select Committee on Communications is appointed by the House of Lords “to look at a broad range of communication and broadcasting public policy issues and highlight areas of
On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive (“ePD”) and the General Data Protection Regulation (“GDPR”). The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities (“DPAs”). The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of
On 14 March 2019, the Dutch data protection authority (Autoriteit Persoonsgegevens, DPA) announced (in Dutch) its fining structure for violations of the European General Data Protection Regulation (GDPR) and the Dutch law implementing the GDPR (Implementation Act). The GDPR sets two levels of administrative fines that may apply depending on which GDPR provisions have been infringed: The higher of €10 million or 2% of global revenue and the higher of €20 million or 4% of global revenue. At both levels, the GDPR sets maximums for administrative fines and calls on
The European Telecommunications Standards Institute (ETSI) has published a new standard for cybersecurity in relation to consumer IoT products. The standard builds on the UK’s Code of Practice for Consumer IoT Security, published in October last year. The Code of Practice was developed by the UK Government following publication of a draft code as part of the Secure by Design report published by the Government in March 2018 and after consultation with industry, consumer associations, and academics. The UK Code is voluntary but the UK Government was keen to work
Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made public. In Germany, DPAs are investigating a broad range of non-compliance issues and showing a tendency toward increasing their enforcement activities, to the point that we expect an announcement of
Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of the global turnover – for violations relating to data protection principles, the legal basis for processing, information to data subjects, the prohibition of processing sensitive data, denial of data subjects’
A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm). The draft act contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law. Particular controversy has been caused by the government’s proposal to limit the scope of data on which the credit risk scoring may be based, to only those categories of data which are expressly indicated in
Increasing numbers of initiatives, devices, and solutions related to the Internet of Things (IoT) are substantially impacting the development of cybersecurity and data privacy regulations throughout Asia. After the implementation of the General Data Protection Regulation (GDPR) in Europe, for example, Asian lawmakers are considering strengthening their own data protection laws. The region is also characterized by a push in a number of jurisdictions towards data localization requirements driven more by “cyber sovereignty,” national security considerations, and protectionist impulses than data protection considerations. Restrictions on the collection and free use
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on 15 February 2020. The new data protection law significantly improves Brazil’s existing legal framework by regulating the use of personal data by the public and private sectors. Very similar to the General Data Protection Regulation (“GDPR”) implemented in the European Union, the LGPD imposes strict regulations on the collection, use, processing, and storage of electronic and physical personal data. In conjunction with the passing of
Class actions have become an increasingly common means to seek redress in data privacy cases. With data breaches and data privacy claims on the rise, we asked our lawyers in France and the U.S. what you should bear in mind. How real is the risk of class actions in data privacy? Michelle Kisloff, U.S.: Class actions have long been a fact of life in the U.S., in areas ranging from securities, product liability, employment and consumer protection, to name a few. For the past several years, they have been on
This is the fifth installment in Hogan Lovells’ series on the California Consumer Privacy Act. As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program
This is the third installment in Hogan Lovells’ series on the California Consumer Privacy Act. What personal information do you have about California consumers and households? The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing
This is the second installment in Hogan Lovells’ series on the California Consumer Privacy Act. Words matter. Nowhere is this truer than in legislation, where word choices—often the product of long debate and imperfect compromise—determine the scope and impact of a law. Legislative history can speak volumes about those word choices, and the unique legislative history of the California Consumer Privacy Act of 2018 (CCPA) only highlights the importance of understanding the terms used in the act.
Groundbreaking. Watershed. Unprecedented. We have heard the California Consumer Privacy Act of 2018 (CCPA) called all these things and more since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, The Challenge Ahead, authored by members of Hogan Lovells’ CCPA team. Each post will provide analysis of key legal issues implicated by the CCPA along with practical takeaways.
On 4 September, the Legislative Decree no. 101 of 10 August 2018 (the “Decree”) for the national implementation of General Data Protection Regulation (EU) 2016/679 (the “GDPR”) has been published in the Official Journal. The approach of the legislator was to maintain the structure of former Legislative Decree 196/2003 (the “Privacy Code”) which, however, has been extensively amended and integrated, and now contains only some residual provisions in addition to those of the GDPR which are directly applicable. The Decree will enter into force on 19 September 2018. The Decree first of all integrates the provisions of the GDPR
Please join us for our September 2018 Privacy and Cybersecurity Events. September 11 GDPR One Stop Shop Eduardo Ustaran is participating in DataGuidance’s webinar on “One Stop Shop under the GDPR.” Location: Webinar September 13 Messaging Forum Mark Brennan will lead a session at the CTIA Mobile World Congress Americas where he will discuss text messaging privacy and other regulatory issues. Location: Los Angeles September 13 Protecting Privacy Harriet Pearson is a featured speaker at The Atlantic’s forum on “Protecting Privacy.” Policymakers, technology industry leaders, and experts will discuss
In July, Eduardo Ustaran spoke at Privacy Laws & Business’ International Conference in Cambridge about the sort of activities likely to prompt regulators into exercising their increased fining powers under the EU GDPR. A link to the video of his presentation can be found here and a detailed report of the presentation is available here.
More than 15 years after the adoption of the Data Protection Directive1, the European Commission noticed that the current legislative framework on data protection did not adequately deal with the risks associated with online activity2. Acknowledging this, the General Data Protection Regulation (GDPR)3 was finally adopted by the European Parliament on 14 April 2016, entering into force in May 2016 and becoming directly applicable in all Member States on 25 May 20184. The GDPR targets the data controller or its processor and provides a set of standardised rules relating to
Could the GDPR give rise to forum shopping and are there any pre-litigation strategies that should be considered? Here, we review four key elements that should be kept in mind in respect of data class actions in the EU. Damages In the US, many class actions are dismissed for lack of ‘standing’, i.e. because the litigants do not demonstrate that they suffered an ‘injury in fact’ that is concrete and actual or imminent. Does the US ‘injury in fact’ standard apply for data class actions in Europe? Under the GDPR,
A data lake is an infrastructure that permits different data sets from within a group to be combined and analysed together. To analyse a data lake under GDPR, it is helpful to think of a data lake in two phases, which we analyse in our user guide. The infrastructure phase Here, the guide covers: Identify the entity that is hosting the data lake. Implement an intragroup data processing agreement. Check data localisation rules. Data protection impact assessment. Data lake governance committee. The applications phase Specifically, we look at: Data lake service
The era of big data is here. Although we are yet to see its full potential, the use of big data analytics is already proving invaluable to businesses and its applications have been found in numerous and diverse sectors. However, the use of big data has also brought much controversy, particularly when it involves sensitive information, concerns children, minorities or other vulnerable people, or where the decision-making has a significant impact on individuals. As both public interest and regulatory scrutiny in artificial intelligence, machine learning and big data continues to build,
Thank you to everyone who participated in last week’s webinar “California Consumer Privacy Act: What you need to know now.” In this complimentary webinar, Hogan Lovells partners Mark Brennan, Bret Cohen, Harriet Pearson, and Tim Tobin, discussed: • What triggered the new law? • What data is covered? • What does CCPA require, and how do you start operationalizing the requirements? • Disclosure requirements • Opt-out and opt-in requirements • Data access, portability, and “right to delete” requirements • What’s the impact on your GDPR compliance program-what additional steps do
“Getting to Data Nirvana” is our four-step approach to help you integrate your legal, regulatory and compliance work streams into your organisation’s overall data strategy. The job of the legal and compliance teams is to make sure that their company’s data projects do not breach applicable laws. Their task is not easy because the number of laws regulating the processing of data – particularly personal data – are increasing multiplying worldwide. However, a focus solely on data compliance can prevent broader thinking about data strategy, and how legal and regulatory