Photo of Phil Bradley-Schmieg

Philippe Bradley-Schmieg’s practice covers a range of commercial, regulatory and intellectual property matters affecting the IT, e-health, internet media and telecoms sectors, often with a multi-jurisdictional scope.  He advises on intellectual property, compliance and policy matters such as online consumer rights, liability for third party content, patent, copyright and database right licensing, privacy and data protection, medical confidentiality, cybersecurity, data breach responses, and law enforcement data disclosure.  Mr. Bradley-Schmieg advises on UK, EU and international law, and has worked in London and Brussels.

On January 2, 2018, the Standardization Administration of China (“SAC”) released the final version of the national standard on personal information protection, officially entitled GB/T 35273-2017 Information Technology – Personal Information Security Specification (GB/T 35273-2017 信息安全技术 个人信息安全规范) (hereinafter “the Standard”).  The Standard will come into effect on May 1, 2018.

As highlighted in our previous coverage of drafts of the Standard (see here and here), although it is nominally a voluntary framework, the Standard effectively sets out the best practices that will be expected by regulators auditing companies and enforcing China’s existing (but typically more generally-worded) data protection rules, most notably the 2016 Cybersecurity Law.  Drafts of the Standard — even prior its finalization — have also in some cases been the basis for non-compliance remediation plans and undertakings agreed between companies and the Cyberspace Administration of China (“CAC”) following CAC audits, as we reported here.

The Standard applies to “personal information controllers,” namely any private or public organization that has “the power to decide the purpose and method” of processing personal information.  This is seemingly modelled on European law’s “data controller” concept.

The Standard regulates the use of “personal information” by these controllers, a term largely aligned with strict conceptualizations of “personal data” under the EU’s General Data Protection Regulation (“GDPR”).  Examples of “personal information” listed in an annex to the Standard include device hardware serial codes, IP addresses, website tracking records, and unique device identifiers, among other things.  The definition of “sensitive personal information,” however, takes a different approach to the GDPR: rather than applying only to specific types of data, the Standard takes a risk-based approach, defining “sensitive” personal information as any personal information which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation and mental and physical health, or leading to discriminatory treatment.  According to the Standard, this could for example include national identification card numbers, login credentials, banking and credit details, a person’s accurate location, information on a person’s real estate holdings, and information about a minor (under 14 years old).

Similar to general principles of most data protection laws, the Standard requires transparency, specificity and fairness of processing purpose, proportionality (use and retention of only the minimum information necessary to achieve the stated purpose), security, risk assessment, and the respect of individuals’ rights to control the processing of information about them.  It also requires either consent from individuals, or reliance on a limited range of exceptions set out in the Standard, for the purpose of collection and processing of personal information.

This article looks at some of these aspects in more detail, including some of their key divergences from European data protection law, including the GDPR.  (Please note that this is not an exhaustive description of the Standard, nor is it a detailed comparison with the GDPR.)
Continue Reading China Issues New Personal Information Protection Standard

On September 13, 2017, the UK Government published a new Data Protection Bill regulating the use of individuals’ personal data.

The Bill, which is intended to replace the UK Data Protection Act 1998, would serve a range of functions, most notably setting out how the UK intends to make use of its leeway to derogate from basic rules in the new EU General Data Protection Regulation 2016/679 (the “GDPR”).  For instance, the GDPR allows countries in the EU to modify its rules or introduce additional sanctions where necessary to protect freedom of expression, research, or other public interest objectives.

The Bill would also apply “GDPR-like” rules to data that is not covered by the GDPR (such as data in unstructured paper-based files), implement of the new EU Police and Criminal Justice Data Protection Directive (the “PCJ DPD”), and set down privacy and data security rules for its intelligence agencies.

The Bill will now undergo further debate and amendment, and should hopefully clear both Houses of Parliament in advance of May 25, 2018, when the GDPR will become law in the UK subject to any modifications implemented by the Bill.

This post discusses some of the Bill’s salient points for commercial organizations.
Continue Reading UK Government Publishes New Data Protection Bill

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer.  That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment.  The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual.  A fulsome balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case).  Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned.
Continue Reading New Ruling in European Employee Monitoring Case

On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level.  The consultation deadline is May 10th, at mid-day UK time.

Although the GDPR was an effort to bring greater harmonization to data protection regimes throughout the EU, it nevertheless contains a number of areas in which national laws can deviate from its default position – for instance to permit researchers to store and use health data without having to repeatedly seek consents, or to ensure that freedom of expression is not unfairly curtailed by the “right to be forgotten.”
Continue Reading UK Starts 3-Week Consultation on GDPR Implementation

The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases.

The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd (“TDSC”) from sources such as financial institutions and competition websites, and then sold on to third parties.  This had led to at least 21,045 unsolicited text messages and 174 complaints.

Because the data was used for direct electronic marketing (by email, SMS, etc.), TDSC was not entitled to rely on its data sources’ generic consent requests, such as “We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you”, nor even fuller notices that disclosed “long lists” of general categories of possible recipients of the data.
Continue Reading UK Company Fined For Buying And Selling Non-Compliant Marketing Databases

On March 9, 2017, the Court of Justice of the EU (“CJEU”) handed down a ruling limiting the reach of its prior “right to be forgotten” jurisprudence, by holding that the right does not prevail over society’s interest in access to official public records of company details required by law.
Continue Reading CJEU Limits Public Record ‘Right to Be Forgotten’

On January 25, 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S.  Among other elements, the Executive Order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” but only if doing so is “consistent with applicable law.”

This prompted certain commentators, such as Member of the European Parliament Jan-Philipp Albrecht, to question whether the Executive Order would have an impact on the robustness of the EU-U.S. Privacy Shield data transfer framework
Continue Reading European Commission Dismisses Privacy Shield Concerns Over Trump Executive Order

On December 21, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2 /Watson.

The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection or prosecution of crime (not

The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the EU – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018.

This first salvo of GDPR-focused guidance concerns:

  1. the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);
  2. the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and
  3. the new “One Stop Shop” mechanism – helping companies identify which “lead” data protection authority will be their main point of contact for multi-country regulatory procedures (guidance / FAQ).

Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017.  Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.
Continue Reading New EU GDPR Guidance: Data Portability, Data Protection Officers, and the One Stop Shop

By Phil Bradley-Schmieg and Gemma Nash

On August 30, 2016, a major UK telecoms company (TalkTalk) lost its appeal against a fine imposed on it for failing to report a personal data breach to the UK national data protection authority (the Information Commissioner) within 24 hours of its receipt of a customer’s complaint.

Commission Regulation No 611/2013 (“the Notification Regulation”) and the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), require telecommunication service providers to report personal data breaches within 24 hours of their “detection.”  TalkTalk’s appeal focused on the extent to which an internal investigation can take place before it is deemed to have “detected” a breach.


Continue Reading UK Telco Loses Appeal; Should Have Reported Data Breach Within 24 Hours Of Customer Complaint, Not Fuller Investigation