On November 25, 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (“DSA”) (see here and here) and the Digital Markets Act (“DMA”) (see here) bringing them one step closer to adoption. The European Parliament will discuss the drafts on December 9 and plans to announce
EDPB Publishes Draft Guidelines on Interplay of Article 3 GDPR and the GDPR’s Cross-Border Transfer Rules
On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here). The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.
In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.
Progress on the Pending EU ePrivacy Regulation
According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation, which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):
- Chapter III (End-Users’ Rights
Inside Privacy Audiocast: Episode 16 – China’s PIPL: What Companies Need to Know
On Episode 16 of Covington’s Inside Privacy Audiocast, Dan Cooper, Yan Luo and Zhijing Yu discuss the implications of China’s Personal Information Protection Law (PIPL) for companies with data or doing business in China. The law, which entered into force on November 1, is the first comprehensive personal information protection law in China and
EU Privacy, Data and Consumer Legislative Updates of October 2021
Date: October 29, 2021
In Case You Missed It: EU Privacy, Data and Consumer Legislative Updates of the Past Month
| Date | Tag | News | Link to Source |
| October 29 | Cybersecurity | The European Commission announced that it adopted a delegate act to the Radio Equipment Directive (Directive (EU) 2014/53). This act sets out measures to (1) improve |
The UK Government Publishes its AI Strategy
On 22 September 2021, the UK Government published its 10-year strategy on artificial intelligence (“AI”; the “UK AI Strategy”).
The UK AI Strategy has three main pillars: (1) investing and planning for the long-term requirements of the UK’s AI ecosystem; (2) supporting the transition to an AI-enabled economy across all sectors and regions of the UK; and (3) ensuring that the UK gets the national and international governance of AI technologies “right”.
The approach to AI regulation as set out in the UK AI Strategy is largely pro-innovation, in line with the UK Government’s Plan for Digital Regulation published in July 2021.
Continue Reading The UK Government Publishes its AI Strategy
COVID-19: Legal Considerations and Best Practices for Employers Processing Vaccination Data
With the rollout of the COVID-19 vaccine, more and more businesses are planning to reopen their physical office spaces. They are confronted with ensuring a safe workplace and minimizing the risk of exposure to COVID-19. As employers consider health screening measures, ranging from temperature checks to vaccine mandates, they must navigate complex privacy issues.
Continue Reading COVID-19: Legal Considerations and Best Practices for Employers Processing Vaccination Data
UK ICO’s Children’s Code Transition Year Ends and ICO Approves Related Certification Schemes
On 2 September 2021, the transition year for the Children’s code (or Age Appropriate Design Code) published by the UK Information Commissioner (“ICO”) ended. The ICO’s Children’s code was first published in September 2020, with a 12-month transition period. In an accompanying blog, the ICO has stated that it will be “proactive in requiring social media platforms, video and music streaming sites and the gaming industry to tell [the ICO] how their services are designed in line with the code.”
Over the summer, the ICO has also approved two certification schemes under the UK GDPR. The certification schemes provide organizations with a mechanism to demonstrate their high level of commitment to data protection compliance.
Swiss Federal Data Protection Authority Recognizes the New EU Standard Contractual Clauses as a Lawful Mechanism to Transfer Personal Data Outside of Switzerland
On August 27, 2021, the Swiss Federal Data Protection Authority announced that it recognizes the EU recently approved standard contractual clauses as a transfer mechanism to transfer Swiss personal data to non-adequate countries (see here and here). However, the standard contractual clauses will need to be adjusted to meet the requirements of the Swiss Ordinance to the Federal Act on Data Protection (“FADP”).
Continue Reading Swiss Federal Data Protection Authority Recognizes the New EU Standard Contractual Clauses as a Lawful Mechanism to Transfer Personal Data Outside of Switzerland
UK Information Commissioner’s Office Opens Public Consultation on Policy Proposals and Documentation for International Transfers
On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) opened a public consultation to solicit stakeholder input regarding the UK’s approach to regulating international transfers of personal data under the UK General Data Protection Regulation (“UK GDPR”) (see here). To kick off this initiative, the ICO published a consultation paper setting out various policy options that the UK is considering, as well as:
- a draft set of contractual templates to facilitate transfers of personal data outside the UK, including: (1) a draft international data transfer agreement (“IDTA”); and (2) a draft international transfer addendum to be appended to the recently approved EU standard contractual clauses (“EU Addendum”); and
- a draft transfer impact assessment tool designed to help controllers and processors transferring personal data under the UK GDPR satisfy the requirements articulated by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision (see here).
The ICO has requested that interested stakeholders submit their feedback by no later than October 7, 2021. In this blog post, we summarize these documents and tools, and identify topics that interested stakeholders may want to address when preparing their submission to the public consultation.