Australia Proposes New Encryption Legislation

In August 2018, the Government of Australia unveiled a new proposed bill that would grant the county’s national security and law enforcement agencies additional powers when confronting encrypted communications and devices. The text of the draft Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the “Assistance and Access Bill” or the “Bill”) states that the purpose is “to secure critical assistance from the communications industry and enable law enforcement to effectively investigate serious crimes in the digital era.”

The Assistance and Access Bill, if enacted, could affect a wide range of service providers both in and outside of Australia. Continue Reading

ICO consults on privacy “regulatory sandbox”

Designing data-driven products and services in compliance with privacy requirements can be a challenging process.  Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR).  These challenges are often particularly acute for companies providing products and services leveraging artificial intelligence technologies, or operating with sensitive personal data, such as digital health products and services.

Recognising some of the above challenges, the Information Commissioner’s Office (ICO) has commenced a consultation on establishing a “regulatory sandbox”.  The first stage is a survey to gather market views on how such a regulatory sandbox may work (Survey).  Interested organisations have until 12 October to reply.

The key feature of the regulatory sandbox is to allow companies to test ideas, services and business models without risk of enforcement and in a manner that facilitates greater engagement between industry and the ICO as new products and services are being developed.

The regulatory sandbox model has been deployed in other areas, particularly in the financial services sector (see here), including by the Financial Conduct Authority in the UK (see here).

Potential benefits of the regulatory sandbox include reducing regulatory uncertainty, enabling more products to be brought to market, and reducing the time of doing so, while ensuring appropriate protections are in place (see the FCA’s report on its regulatory sandbox here for the impact it has had on the financial services sector, including lessons learned).

The ICO indicated earlier this year that it intends to launch the regulatory sandbox in 2019 and will focus on AI applications (see here).

Further details on the scope of the Survey are summarised below.

Continue Reading

UK “No-Deal Brexit” Technical Notice Sets Out Plans on EU – UK Data Flows

By Grace Kim and Ezra Steinhardt

On September 13, 2018, the UK government published a series of technical notices on how to prepare for a scenario in which the UK leaves the EU without agreement on March 29, 2019 (“no-deal Brexit”).  The government stressed that a no-deal Brexit “remains unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome,” but that “it’s our duty as a responsible government to prepare for all eventualities.”  One of the notices, “Data protection if there’s no Brexit deal,” sets out the UK government’s position on data flows between the UK and EU and recommends actions that organizations should take to help ensure the continued flow of personal data from the EU to the UK if no agreement is reached.

Data privacy standards in the UK to remain the same

In the event of a no-deal Brexit, the technical notice is clear that the UK will maintain the same data protection standards as exist today.  This is because the General Data Protection Regulation (“GDPR”) currently applies in the UK (as it remains, for now, an EU Member State), and, at the point of a no-deal Brexit, the UK would incorporate the GDPR into UK law.  The GDPR rules — now and following Brexit — are supplemented by the UK Data Protection Act 2018, which sets out how certain aspects of the GDPR apply in the UK (e.g., in relation to children’s data). Continue Reading

Key Provisions in India’s Draft Personal Data Bill

Key Provisions in India’s Draft Personal Data Bill

This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or services in India.

High Level Insights

The General Data Protection Regulation (GDPR) as a Model: For the most part, the Committee’s recommendations use GDPR as a model. The draft bill grants individual rights, institutes heightened consent requirements, mandates organizational practices such as DPIAs, and imposes stiff penalties for non-compliance. However, the draft bill coins new terminology, referring to GDPR’s “data subjects” as “data principals” and GDPR’s “data controllers” as “data fiduciaries.”

Data Localization: The Committee includes a data localization provision that requires copies of Indian personal data be stored in India. Likewise, it erects barriers that make it more difficult to transfer personal data out of India.

The Central Role of the Data Protection Authority (DPA): As in GDPR, the draft bill would introduce a DPA with the power to interpret regulations, investigate businesses, and issue fines, injunctions, and even criminal penalties. But unlike GDPR, the Committee’s proposal empowers the DPA to engage in rulemaking. For example, the DPA could identify new categories of sensitive data, specify new lawful bases for processing, and decide whether a particular business needs to hire a DPO, perform a DPIA, or undergo a data audit. As such, the DPA’s leadership and structure may have a substantial impact on the scope of India’s data protection regime.

Continue Reading

California Legislature Passes Amendments to Expansive Consumer Privacy Law

Less than three months ago, California enacted the California Consumer Privacy Act of 2018 (“CCPA”). Industry and privacy watch groups alike have scrutinized the law. This summer saw fierce negotiations all in the name of improving the CCPA. Last Friday, on August 31, 2018, the California legislature passed SB 1121 to amend the CCPA.

The CCPA applies to for-profit entities that conduct business in California. It has an expansive definition of personal information, and grants California residents a number of new rights, including rights to request access to and deletion of certain data, and to opt-out of the sale of data. For a more detailed summary of the CCPA, please see our previous blog post.

SB 1121 largely preserves the substance of the CCPA, but it contains the following technical edits: Continue Reading

U.S. Wireless Industry Establishes IoT Security Certification Program

CTIA, the U.S. wireless industry’s trade association, recently announced the creation of a cybersecurity certification program for Internet of Things (IoT) devices that connect to the internet via LTE or Wi-Fi.  The program permits device makers to submit such IoT devices for testing by CTIA-authorized labs in order to obtain a certification of compliance with respect to cybersecurity.

Continue Reading

Covington Webinar: Examining the CLOUD Act

Covington’s Alex Berengaut and Kate Goodloe today hosted a webinar on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act.  The CLOUD Act was signed into law in March and creates a new framework for government access to data held by technology companies worldwide.  The webinar, hosted with DataGuidance, is available here.  The webinar expands on many aspects of the CLOUD Act we previously covered on this blog.

Brazil’s New General Data Privacy Law Follows GDPR Provisions

On August 14, Brazilian President Michel Temer signed into law the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (English translation), making Brazil the latest country to implement comprehensive data privacy regulation.

The law’s key provisions closely mirror the European Union’s General Data Privacy Regulation (“GDPR”), including significant extraterritorial application and vast fines of up to two percent of the company’s previous year global revenue (the GDPR allows for up to four percent in certain aggravated circumstances).

Continue Reading

EU and Japan conclude talks on reciprocal adequacy finding

On July 17, 2018, the European Commission successfully concluded negotiations with Japan on a reciprocal adequacy finding which will allow personal data to flow freely from the EU to Japan (and vice versa).

The adequacy decision has not yet been formally adopted, as it must still undergo the respective EU and Japanese approval procedures, which the EU and Japan expect to complete by fall 2018.  During that period, Japan is expected to implement additional safeguards required in order to meet EU data protection standards (e.g., for onward transfers).

The conclusion of the negotiations follow Japan’s recent modernization of its data protection legislation which increased the convergence between the two systems. By agreeing on a reciprocal adequacy decision, the European Commission (representing the EU) and Japan acknowledge each other’s data protection laws to “adequately” protect personal data.  Once the adequacy decision is adopted, data can flow safely between the EU and Japan without the need to adopt additional safeguards (e.g., standard contractual clauses). The adequacy decision is expected to strengthen trade and economic relations between the EU and Japan.

NTIA’s International Internet Policy Priorities for 2018 and Beyond

On July 20, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) published comments it received from a wide array of tech and telecom companies, trade groups, civil society, academia, and others regarding its “international Internet policy priorities for 2018 and beyond.”  NTIA’s Office of International Affairs (“OIA”) had requested comments and recommendations from interested stakeholders in four broad categories: (1) free flow of information and jurisdiction; (2) the multistakeholder approach to Internet governance; (3) privacy and security; and (4) emerging technologies and trends.  NTIA plans to harness the comments it received to help it identify “priority” issues, and to leverage its resources and expertise to effectively address stakeholders’ interests.   Continue Reading

LexBlog