On April 17, 2020, the UK’s Information Commissioner’s Office (“ICO”) issued an opinion on the recently announced Apple-Google initiative to develop a Bluetooth-based Contact Tracing Framework (“CTF”) to help prevent the spread of COVID-19. The ICO opinion is generally supportive of the Apple-Google proposal and perceives it to be, at this early phase, aligned with principles of data protection by design and by default. The ICO also cautions that since apps developed under the CTF could also be used to collect additional data using other techniques beyond those currently planned, developers of such apps must ensure compliance with data protection laws.
Continue Reading UK ICO Issues Opinion on Apple-Google Initiative for a Contact Tracing Framework
European Commission’s plans on data and Europe’s digital future (Part 3 of 4)
On 19 February 2020, the new European Commission published two Communications relating to its five-year digital strategy: one on shaping Europe’s digital future, and one on its European strategy for data (the Commission also published a white paper proposing its strategy on AI; see our previous blogs here and here). In both Communications, the Commission sets out a vision of the EU powered by digital solutions that are strongly rooted in European values and EU fundamental rights. Both Communications also emphasize the intent to strengthen “European technological sovereignty”, which in the Commission’s view will enable the EU to define its own rules and values in the digital age. The Communications set out the Commission’s plans to achieve this vision.
Continue Reading European Commission’s plans on data and Europe’s digital future (Part 3 of 4)
European Commission Presents Strategies for Data and AI (Part 1 of 4)
On 19 February 2020, the European Commission presented its long-awaited strategies for data and AI. These follow Commission President Ursula von der Leyen’s commitment upon taking office to put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within the new Commission’s first 100 days. Although the papers published this week do not set out a comprehensive EU legal framework for AI, they do give a clear indication of the Commission’s key priorities and anticipated next steps.
The Commission strategies are set out in four separate papers—two on AI, and one each on Europe’s digital future and the data economy. Read together, it is clear that the Commission seeks to position the EU as a digital leader, both in terms of trustworthy AI and the wider data economy.Continue Reading European Commission Presents Strategies for Data and AI (Part 1 of 4)
French Supervisory Authority Publishes Guidance for Website and App Developers
On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps.
The guidance consists of 17 recommendations, each covering a key principle supported by additional advice and examples. Below, we list all 17 of these recommendations and provide a brief summary of the CNIL’s advice related to each.Continue Reading French Supervisory Authority Publishes Guidance for Website and App Developers
Dutch Court Decides on Scope of GDPR Right of Access
In late December 2019, the Court of The Hague (Netherlands) published a preliminary reference procedure (see here, in Dutch). The Court was asked to decide on the scope of the right of access under the GDPR.
The defendant in this case was a bailiff involved in the bankruptcy procedure.
Continue Reading Dutch Court Decides on Scope of GDPR Right of Access
EDPB Publishes Article 28 Standard Clauses Adopted by Danish Supervisory Authority
On December 11, 2019, the European Data Protection Board (“EDPB”) published the final text of the standard clauses adopted by the Danish Supervisory Authority (Datatilsynet, hereafter “Danish SA”) pursuant to Article 28(8) of the General Data Protection Regulation (“GDPR”). The Danish clauses are now accessible on the EDPB’s register of decisions taken by Supervisory Authorities. The Danish clauses serve as a standard data processing agreement that controllers and processors may choose to adopt to fulfill the requirements of Article 28(3) and (4) of the GDPR. However, note that these SCCs are not standard data protection clauses under Article 46(2)(c) or (d) of the GDPR, and as such, cannot serve as a valid legal mechanism to transfer personal data outside the European Economic Area (“EEA”).
Continue Reading EDPB Publishes Article 28 Standard Clauses Adopted by Danish Supervisory Authority
German Constitutional Court Reshapes “Right to be Forgotten” and Expands Its Oversight of Human Rights Violations
In two recent landmark decisions issued on November 6, 2019, the German Constitutional Court (“BVerfG”) presented its unique perspective on the “right to be forgotten” and announced that it will assume a greater role in safeguarding German residents’ fundamental rights from now on.
Continue Reading German Constitutional Court Reshapes “Right to be Forgotten” and Expands Its Oversight of Human Rights Violations
China Seeks Public Comments on Draft Measures for the Publication of Cybersecurity Threat Information
On November 20, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Publication of Cybersecurity Threat Information (“Draft Measures”) for public comment. (An official Chinese version is available here). The comment period ends on December 19, 2019.
The release of the Draft Measures marks an important step forward in implementing Article 26 of China’s Cybersecurity Law (“CSL”), which establishes that the publication of cybersecurity information (such as those related to system vulnerabilities, computer viruses, cyberattacks and/or network intrusions) to “the public” must comply with unspecified “relevant rules.” Article 26 does not specify what kind of entities or individuals are subject to this requirement; thus, it is unclear whether Article 26 applies to entities that have discovered vulnerabilities on their own networks and/or the activities of third parties that have uncovered cybersecurity threats to others’ networks, such as cybersecurity research firms.
The Draft Measures are intended to provide further guidance for these entities and individuals based in China that have threat information about other network operators’ network or information systems and outlines how they can publish the threat information in a compliant way. The Draft Measures are silent as to whether these requirements will apply to entities or individuals that are based outside of China and, if these requirements are applicable for the publication of threat information globally, how entities or individuals outside of China can comply. It is also unclear about the extent to which the Draft Measures would apply to network operators who become aware of cybersecurity threat information related to their own networks.Continue Reading China Seeks Public Comments on Draft Measures for the Publication of Cybersecurity Threat Information
ICO Launches Public Consultation on New Data Sharing Code of Practice
On July 16, 2019, the UK’s Information Commissioner’s Office (“ICO”) released a new draft Data sharing code of practice (“draft Code”), which provides practical guidance for organizations on how to share personal data in a manner that complies with data protection laws. The draft Code focuses on the sharing of personal data between controllers, with a section referring to other ICO guidance on engaging processors. The draft Code reiterates a number of legal requirements from the GDPR and DPA, while also including good practice recommendations to encourage compliance. The draft Code is currently open for public consultation until September 9, 2019, and once finalized, it will replace the existing Data sharing code of practice (“existing Code”).
Continue Reading ICO Launches Public Consultation on New Data Sharing Code of Practice
European Commission Issues Report on the Implementation of the GDPR
On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework. In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes several ongoing and planned initiatives. The report is a follow-up to a prior report issued in January 2018, and was informed to a great extent by the ongoing work of the Multi-stakeholder Group, which is comprised of civil society and business representatives, academics and practitioners, to support the application of the GDPR. The report will contribute to the Commission’s formal 2-year review of the GDPR to take place in May 2020.
Continue Reading European Commission Issues Report on the Implementation of the GDPR