EDPB releases information note in the event of a “No-deal Brexit”

On February 12, 2019, the European Data Protection Board (“EDPB”) published two information notes to highlight the impact of a so-called “No-deal Brexit” on data transfers under the EU General Data Protection Regulation (“GDPR”), as well as the impact on organizations that have selected the UK Information Commissioner (“ICO”) as their “lead supervisory authority” for their “Binding Corporate Rules” (“BCRs”).

In the “No-deal” scenario, the United Kingdom would leave the European Union on March 29, 2019 without having agreed the terms for the departure with the latter, a contingency that increasingly appears likely as attempts by the UK Government to secure consensus in the UK Parliament on the Withdrawal Agreement continue to falter.

Information note on data transfers under the GDPR in the event of a “No-deal Brexit”

In its first note, the EDPB reminds organizations that in the event of a “No-deal Brexit”, transfers to the UK from the EU will need to involve the use of one of the traditional data transfer mechanisms arising under the GDPR, at least until such time as the UK receives a formal adequacy determination from the EU.  The EDPB uses the note to walk through the various options, including use of standard (or ad hoc) data protection clauses, “Binding Corporate Rules” and derogations, stopping only to note that the use of derogations should be a last resort.  Public authorities, unlike private enterprises, can avail themselves of additional options, including administrative, bilateral or multilateral agreements, where those are legally binding and enforceable, as well as “administrative arrangements” meeting certain requirements.  The EDPB is not the only EU regulatory body concerning itself with the prospect of a No-deal Brexit.  The ICO itself has released extensive guidance for organizations to help plan ahead for such a contingency, discussing data transfer considerations among others.

Information note on BCRs for companies which have the ICO as BCR “lead supervisory authority”

In its second note, the EDPB recommends that organizations take certain measures in the event that the ICO can no longer serve as a “lead,” which is one consequence of a “No-deal Brexit.”  As background, BCRs are a mechanism by which organizations may lawfully convey personal data from the EU to affiliates outside the EU, provided those affiliates agree to comply with a set of privacy principles and rules now codified under Article 47 of the EU General Data Protection Regulation (“GDPR”).

Organizations seeking to adopt BCRs must submit to a process that begins with designating a “lead supervisory authority,” identified on the basis of particular criteria, and then proceeds to negotiations with the authority (potentially aided by additional authorities) over the content of the BCRs.  Once the BCR terms are agreed, a “consistency mechanism” is triggered, whereby the EDPB will issue an opinion on the BCRs within a stipulated period of time.  If favorable, it will result in the BCRs being approved for use in the EU.

Meanwhile, organizations that secured approval for their BCRs under the EU’s pre-GDPR regime have been updating their BCRs over the past year to bring them into compliance with recent regulatory guidance papers, notably WP 256 (Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules).  The Article 29 Working Party, now superseded by the EDPB, issued its guidance to align these legacy BCRs with the changes brought about by the GDPR.  Further complicating matters, a number of organizations whose BCRs are supervised by the ICO as lead authority have been motivated by the prospects of a “No-deal Brexit” to transition their BCRs to another EU lead authority, presenting their BCRs to regulators in other EU Member States, with Ireland a clear favorite.

What are the EDPB’s recommendations?

In its information note, the EDPB observes that in the event of a “No-deal Brexit,” the ICO can no longer serve as a “lead,” or even backstop reviewer, for EU BCRs.  The EDPB distinguishes between two scenarios:  where an ICO-led BCR application is pending and where an ICO-led application has been approved.

In the first scenario, organizations that have submitted their BCRs to the ICO for review, but have not yet completed the review process, will need to identify a new “lead supervisory authority,” applying criteria set forth in Working Document 263, adopted by the Article 29 Working Party in April 2018.  This includes assessing:

  • where the organization maintains its European headquarters or which EU affiliate has delegated its data protection responsibilities;
  • which EU affiliates could oversee and enforce the BCRs or issue decisions in relation to EU data processing; or
  • which affiliates are involved in data transfers from the EU.

This “new” lead authority will then assume responsibility for the organization’s BCRs, “initiate a new procedure” with the organization, and ultimately submit the BCRs to the EDPB under the GDPR’s “consistency mechanism.”  If, however, the BCR application is already before the EDPB when a “No-deal Brexit” occurs, the organization still will need to designate a new “lead authority” to replace the ICO.  This authority then will “resubmit” the application to the EDPB, seemingly resetting the EDPB’s 8-week deadline for evaluating the application.

Finally, where organizations already have BCRs that have been approved by the ICO, under the pre-GDPR regime, the EDPB cryptically states that they will need to identify a new lead supervisory authority in order to maintain the effectiveness of their BCRs as a data transfer mechanism.  This undoubtedly will spur many organizations to proceed apace in transitioning their BCRs to a new “lead” authority ahead of March 29, 2019.

Defense Department Releases Artificial Intelligence Strategy

(This article was originally published in Global Policy Watch.)

On February 12, 2019, the Department of Defense released a summary and supplementary fact sheet of its artificial intelligence strategy (“AI Strategy”). The AI Strategy has been a couple of years in the making as the Trump administration has scrutinized the relative investments and advancements in artificial intelligence by the United States, its allies and partners, and potential strategic competitors such as China and Russia. The animating concern was articulated in the Trump administration’s National Defense Strategy (“NDS”): strategic competitors such as China and Russia have made investments in technological modernization, including artificial intelligence, and conventional military capability that are eroding U.S. military advantage and changing how we think about conventional deterrence. As the NDS states, “[t]he reemergence of long-term strategic competition, rapid dispersion of technologies” such as “advanced computing, ‘big data’ analytics, artificial intelligence” and others will be necessary to “ensure we will be able to fight and win the wars of the future.”

The AI Strategy offers that “[t]he United States, together with its allies and partners, must adopt AI to maintain its strategic position, prevail on future battlefields, and safeguard [a free and open international] order. We will also seek to develop and use AI technologies in ways that advance security, peace, and stability in the long run. We will lead in the responsible use and development of AI by articulating our vision and guiding principles for using AI in a lawful and ethical manner.”

DoD will implement the AI Strategy through five main lines of effort:

  • Delivering AI-enabled capabilities that address key missions
  • Scaling AI’s impact across DoD through a common foundation that enables decentralized development and experimentation
  • Cultivating a leading AI workforce
  • Engaging with commercial, academic, and international allies and partners
  • Leading in military ethics and AI safety

The AI Strategy emphasizes that “[f]ailure to adopt AI will result in legacy systems irrelevant to the defense of our people, eroding cohesion among allies and partners, reduced access to markets that will contribute to a decline in our prosperity and standard of living, and growing challenges to societies that have been built upon individual freedoms.”

The Joint Artificial Intelligence Center (“JAIC”), which was established in June 2018, is led by Lt. Gen. Jack Shanahan and reports to the DoD Chief Information Officer Dana Deasy.  It is designated as the principal implementer and integrator of the AI Strategy. Specifically, the JAIC will coordinate activities that align with DoD’s strategic approach, such as: (1) rapidly delivering AI-enabled capabilities; (2) establishing a common foundation for scaling AI’s impact across DoD; (3) facilitating AI planning, policy, governance, ethics, safety, cybersecurity, and multilateral coordination; and (4) attracting and cultivating world-class personnel.

The AI Strategy makes clear that DoD recognizes that “[t]he present moment is pivotal: we must act to protect our security and advance our competitiveness, seizing the initiative to lead the world in the development and adoption of transformative defense AI solutions that are safe, ethical, and secure. JAIC will spearhead this effort, engaging with the best minds in government, the private sector, academia, and international community. The speed and scale of the change required are daunting, but we must embrace change if we are to reap the benefits of continued security and prosperity for the future.” Accordingly, Lt. Gen. Shanahan and Dana Deasy, speaking to a group of reporters, highlighted that DoD has recently invested $90 million in AI-related research and technology development, and that DoD will request additional resources for the JAIC in its fiscal year 2020 budget request in order to support its execution of the AI Strategy.

The DoD strategy comes on the heels of President Trump’s Executive Order (“EO”), “Maintaining American Leadership in Artificial Intelligence,” that launches a coordinated federal government strategy for artificial intelligence. The EO directs federal departments and agencies to invest the resources necessary to drive technological breakthroughs in AI (and outpace China’s developments in this area), lead the development of global technical standards, address workforce issues as industries adopt AI, foster trust in AI technologies, and promote U.S. research and innovation with allies and partners.

European Data Protection Board releases Guidance on Intersection of the GDPR and the Clinical Trials Regulation

The European Data Protection Board (“Board”) released an opinion on January 23, 2019, on the intersection between the EU General Data Protection Regulation (“GDPR”) and the Clinical Trials Regulation (“CTR”).  The opinion considers a Q&A on this topic prepared by the European Commission’s Directorate General for Health.  The Directorate General decided to create this Q&A because of perceived contradictions between the GDPR and the CTR, in particular in relation to the legal basis (e.g., the use of consent) and the further use of clinical trial data. (See also here).

The opinion provides some helpful clarifications.  It starts out by making a logical distinction between the primary and the secondary use of clinical trial data.

Primary use

The Board defines primary use of clinical trial data as all processing operations related to a specific clinical trial protocol, from the collection of the data to the deletion at the end of the archiving period.  However, the Board correctly observes that this does not mean that all processing has the same legal basis.  It distinguishes between two main processing purposes: protection of health (safety) and scientific research.


According to the Board, the processing of clinical trial data for “safety” purposes can be based on a legal obligation (Art. 6(1)(c) and Art. 9(2)(i) GDPR), so no consent is required.  As for the notion of a “safety” purpose, the Board refers to safety reporting (i.e., pharmacovigilance), inspections by competent bodies, and retention of clinical trial data in line with the CTR’s archiving obligations.  While this clarification is helpful, it probably warrants some further reflection and elaboration.  After all, the purpose of clinical trials and the CTR fundamentally involves assessing the safety of the medicinal product being investigated, not just the safe performance of a trial.

Scientific Research

The Board notes that performing purely scientific research using clinical trial data cannot be based on a legal obligation (at least not a legal obligation in the CTR).  For this reason, an alternative legal basis must be found.  The Board considers two possibilities.

  • Consent

The Board rightly points out that consent to participate in a clinical trial (a CTR consent) must be distinguished from consent to the processing of clinical trial data (a GDPR consent).  The Board then specifically accepts that scientific research can be performed on the basis of consent, while focusing on the freely given nature of the GDPR consent, in particular in relation to vulnerable trial participants.[1]

In relation to the withdrawal of consent, the Board repeats its guidelines on consent of April 2018.  Withdrawal of consent means that no further research can be performed on the trial data and that the data should be deleted in the absence of another legal basis, such as the safety purposes mentioned above.  For example, the safety processing discussed above would have another legal basis.  Surprisingly, the Board does not consider the possibility of applying Art. 17(3)(d) GDPR, which contains a derogation to the deletion obligation specifically for scientific research.

  • Alternatives to consent?

The Board highlights two alternatives to consent for the processing of sensitive health data:  Art. 9(2)(i) GDPR (processing in the interest of public health) or Art. 9(2)(j) GDPR (processing for scientific research).  However, both legal bases require an underpinning in a European Union or Member State law.  Unhelpfully, such laws remain rare in the EU at the present time.

Secondary Use

In relation to secondary use of clinical trial data (i.e., uses outside the scope of the trial protocol), the CTR requires that consent be procured for such use.  The Board again points out that this is not a consent in the GDPR sense of the word, indicating that the CTR consent does not have to rise to the more exacting GDPR standard.

From a GDPR perspective, the Board now specifically recognizes that the secondary use of clinical trial data should not always require a fresh consent.  Instead, such use could also rely on the presumption of compatibility in Art. 5(1)(b) GDPR.  The application of this presumption means that no new legal basis (and thus no new GDPR consent) is required for the secondary use of clinical trial data for scientific research.  This is a helpful clarification, as this specific provision in the GDPR intended to encourage scientific research is often ignored.  The Board, less helpfully, does not explain when the presumption of compatibility can apply and states that it requires specific attention and future guidance.

On the basis of its opinion, the Board requests that the European Commission change its Q&A to reduce its focus on consent and to better reflect alternative legal bases in the GDPR.  It is now up to the European Commission to consider the Board’s recommendations and, hopefully, continue the dialogue with the Board and other stakeholders to ensure a seamless and harmonized application of the rules.

[1] While the Board acknowledges that the CTR also addresses this ethical consideration, it points out that: “[…] even though conditions for an informed consent under the CTR are gathered, a clear situation of imbalance of powers between the participant and the sponsor/investigator will imply that the consent is not ‘freely given’ in the meaning of the GDPR.”  This statement controversially implies that the standard for assessing coercion when someone agrees to the processing of personal data in a clinical trial is different from, and higher than, the standard used for assessing coercion when someone agrees to participate in a clinical trial.

President Trump Signs Executive Order on Artificial Intelligence

Today, President Trump signed an Executive Order (“EO”), “Maintaining American Leadership in Artificial Intelligence,” that launches a coordinated federal government strategy for Artificial Intelligence (the “AI Initiative”).  Among other things, the AI Initiative aims to solidify American leadership in AI by empowering federal agencies to drive breakthroughs in AI research and development (“R&D”) (including by making data computing resources available to the AI research community), to establish technological standards to support reliable and trustworthy systems that use AI, to provide guidance with respect to regulatory approaches, and to address issues related to the AI workforce.  The Administration’s EO is the latest of at least 18 other countries’ national AI strategies, and signals that investment in artificial intelligence will continue to escalate in the near future—as will deliberations with respect to how AI-based technologies should be governed.


China Releases Draft Amendments to the Personal Information Protection Standard

On February 1, 2019, China’s National Information Security Standardization Technical Committee (“TC260”) released a set of amendments to GB/T 35273-2017 Information Technology – Personal Information Security Specification (“the Standard”) for public comment.  The comment period ends on March 3.

Although not legally binding, the Standard has been highly influential since becoming effective in May 2018, as it set out the best practices expected by Chinese regulators (see our previous blogpost on the Standard here).  The Standard has been widely used by companies to benchmark their compliance efforts in China.

The draft amendments reflect Chinese regulators’ evolved thinking on a number of important topics that are hotly debated around the world, such as enhanced notice and consent requirements and requirements for targeted advertising.  The draft amendments would also introduce new requirements for third party access to data and revise notification requirements for data breaches, among other proposed changes.

HHS Releases Voluntary Cybersecurity Guidance

Hospitals and other health care organizations are attractive targets for cyber-attacks, in part because their databases contain medical records and other sensitive information. Breaches of this information could have very serious implications for patients.  Moreover, electronics connected to a health care facility’s network keep people alive, distribute medicines, and monitor vital signs. As a result, disruption to the operations of health care facilities could pose a very real risk to health and safety.  Such risks are becoming more than theoretical.  For instance, the WannaCry attack disrupted a third of the United Kingdom’s Health Service organizations by cancelling appointments and disturbing operations.

In recognition of the imperative for cybersecurity in the health care sector, in late December 2018 the Department of Health and Human Services (“HHS”) released voluntary cybersecurity guidance, titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” (“HHS Cybersecurity Guidance”).  The HHS Cybersecurity Guidance is intended to shepherd healthcare organizations through the process of planning for and implementing cybersecurity controls. It was authored by the Health Sector Coordinating Council, comprised of more than 150 cybersecurity and healthcare experts from government and industry, and was required by Section 405(d) of the Cybersecurity Act of 2015.


Illinois Supreme Court Decides Actual Harm Not Required to Bring Claim Under BIPA

On January 25, 2019, the Illinois Supreme Court published its widely anticipated decision in Rosenbach v. Six Flags Entertainment Corporation et al., addressing the question of what it means to be an “aggrieved” person under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). Under BIPA, aggrieved persons are entitled to seek liquidated damages and injunctive relief. In a unanimous decision authored by Chief Judge Karmeier, the court held that individuals seeking relief under BIPA “need not allege some actual injury or adverse effect” to be considered aggrieved persons.


European Data Protection Board Releases Report on the Privacy Shield

On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”).  In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield, including in particular the recent appointment of a permanent Ombudsperson.  But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield.

The EDPB, which is made up of representatives of various European data protection authorities, is established by the GDPR, and advises on the consistent application of data protection rules throughout the EU.  The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield.  The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield.

Vermont and D.C. Enact New Auto-Renewal Statutes

Vermont and the District of Columbia recently joined the growing list of states that have enacted automatic renewal statutes.  Automatic renewal clauses (“auto-renewals”) allow providers of goods or services to bill consumers periodically without obtaining express consent before each billing cycle.  These clauses are becoming increasingly common for a variety of goods and services.  Regulators have expressed concern that consumers may lack clarity as to when auto-renewals apply and what they entail.  As a result, slightly fewer than half of U.S. states have enacted laws that govern how and what businesses need to disclose when an agreement contains auto-renewals.  These state laws add to the regulatory complexity in this space, which includes a federal auto-renewal statute governing online contracts (Restore Online Shopper’s Confidence Act), as well as the federal Telemarketing Sales Rule, which governs auto-renewals offered through telemarketing.

Vermont’s new law, H.B. 593, takes effect on July 1, 2019.  This law is notable for two new requirements described below, but applies only to contracts with an initial term of one year or more and subsequent terms that are longer than one month.  Monthly or quarterly subscription services are not covered by the new statute, and financial institutions and insurance contracts are exempt.

Vermont’s new law imposes two unique requirements:

  • Boldface Disclosures for Auto-Renewals: Many states with an auto-renewal statute require that the auto-renewal be stated “clearly and conspicuously.”  Only a few of these states, such as California and Oregon, define “clearly and conspicuously.”  Vermont goes a step further and specifies that “clearly and conspicuously” means bold-face type.
  • Double Opt-In: Vermont is the first state to require that companies obtain two consents from consumers — one consent to the contract itself, and a second consent to the auto-renewal clause.

Last week, the Mayor of D.C. signed into law the Structured Settlements and Automatic Renewal Protections Act of 2018.  This law requires sellers to disclose the auto-renewal clause clearly and conspicuously (defined as “larger than the surrounding text, in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other markers”).  If the contract is twelve months or more and will automatically renew for a term of one month or more, the seller must provide notice to the consumer no less than thirty and no more than sixty days prior to the cancellation deadline:  (1) that unless the customer cancels the contract, it will renew automatically; (2) the cancellation deadline; and (3) the methods by which the customer can cancel.  In addition, sellers offering free trials of at least one month that automatically renew must notify consumers one to seven days prior to the renewal and must obtain affirmative consent to the automatic renewal before charging the consumer.

Earlier this week, West Virginia also introduced a new auto-renewal bill, and several other states introduced legislation last term.  So there are likely to be more changes to come in the auto-renewals compliance landscape.  We will continue to monitor these developments and will keep you apprised on this blog.