At the beginning of a new year, we are looking ahead to five key technology trends in the EMEA region that are likely to impact businesses in 2023.
Continue Reading Top Five EMEA Technology Trends to Watch in 2023
The Digital Markets Act for Privacy Professionals
This post is the first of a series of blog posts about the Digital Markets Act (“DMA”), which was adopted on July 18, 2022, and it deals specifically with those provisions of the DMA that are relevant to organizations’ privacy programs.
Continue Reading The Digital Markets Act for Privacy Professionals
A packed end to the UK’s cyber summer: Government moves forward with telecoms cybersecurity proposals and consults on a Cyber Duty to Protect
The UK Government’s (UKG) proposals for new, sector-specific cybersecurity rules continue to take shape. Following the announcement of a Product Security and Telecommunications Infrastructure Bill and a consultation on the security of apps and app stores in the Queen’s Speech (which we briefly discuss here), the UKG issued a call for views on whether action is needed to ensure cyber security in data centres and cloud services (described here).
In recent weeks, the UKG has made two further announcements:
- On 30 August 2022, it issued a response to its public consultation on the draft Electronic Communications (Security measures) Regulations 2022 (Draft Regulations) and a draft Telecommunications Security code of practice (COP), before laying a revised version of the Draft Regulations before Parliament on 5 September.
- On 1 September 2022, it issued a call for information on the risks associated with unauthorized access to individuals’ online accounts and personal data, and measures that could be taken to limit that risk.
We set out below further detail on these latest developments.
*****
Special Category Data by Inference: CJEU significantly expands the scope of Article 9 GDPR
On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing
A Cautious Approach: the UK Government’s Data Protection and Digital Information Bill
On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.
The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.
Much of the content of the Bill was previewed in the Government’s consultation response and include proposed changes that are designed to try to reduce the administrative burden on business to some extent. The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same. But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.
UK and U.S. Governments set a date for the entry into force of the UK-U.S. CLOUD Act Agreement
In October 2019, the UK and U.S. Governments signed an agreement on cross-border law enforcement demands for data from Communication Service Providers (the “Agreement”, which we described in our earlier post here). Only now, however, have the two countries completed the procedural steps required to bring the Agreement into force. On July 21, 2022
8 Eye-catching Reforms in the UK Government’s Response to its Public Consultation on Data Protection Law
The UK Government recently published its long-awaited response to its data reform consultation, ‘Data: A new direction’ (see our post on the consultation, here).
As many readers are aware, following Brexit, the UK Government has to walk a fine line between trying to reduce the compliance burden on organizations and retaining the ‘adequacy’ status that the European Commission granted in 2021 (see our post on the decision, here).
While we’ll have to wait to review the detail of the final legislation, we outline below some of the more eye-catching proposals for reform.
Calculating GDPR fines: EDPB publishes proposals for a harmonized methodology
The most significant change that GDPR made to EU data privacy law was to enhance enforcement and create a framework for increased fines for non-compliance. Four years after the GDPR started to apply, and as enforcement action picks up across the EU, the EDPB has finally issued draft guidelines on the calculation of administrative fines
UK Government calls for views in three areas to assess whether action is needed to enhance security of data centres and cloud services
The UK Government has issued a “call for views” on the current level of physical, technical and organizational security provided by data center operators (i.e. colocation service providers, not businesses that operate their own data centers) and cloud service providers (including providers of infrastructure-as-a-service, platform-as-a-service, and managed services). The Government intends to use
UK Privacy and Digital Policy & Legislative Roundup
In the Queen’s Speech on 10 May 2022, the UK Government set out its legislative programme for the months ahead. This includes: reforms to UK data protection laws (no details yet); confirmation that the government will strengthen cybersecurity obligations for connected products and make it easier for telecoms providers to improve the UK’s digital infrastructure; and new rules to enable the use of self-driving cars on public roads. In addition, the government confirmed its plans to move forward with the Online Safety Bill. As part of the government’s broader agenda to “level up” the UK and provide a post-Brexit economic dividend, many of the legislative initiatives referenced in the Queen’s Speech are presented as seeking to encourage greater use of data and technology to support innovation and enable growth.
We summarize below the key digital policy announcements in the Queen’s Speech and how they fit into wider developments in the UK’s regulatory landscape.
Continue Reading UK Privacy and Digital Policy & Legislative Roundup