The UK Government has announced that it intends to introduce the Cyber Security and Resilience Bill (the “Bill”) to Parliament in 2025. Formally proposed as part of the King’s Speech in July, this Bill is intended to strengthen the UK’s cross-sectoral cyber security legislation to better protect the UK’s economy and infrastructure. This Bill will update the existing NIS Regulations, which derive from EU law. Part of the UK Government’s motivation seems to be to keep pace with updates to EU law in this area, specifically relating to the NIS2 Directive that starts to apply this month (see our blog post on this, here).Continue Reading What to expect from the UK’s Cyber Security and Resilience Bill (and when)
International
CJEU Upholds Country-of-Origin Principle for Online Service Providers in the EU
By Marty Hansen & Laura Somaini on
Posted in European Union
On May 30, 2024, the Court of Justice of the EU (“CJEU”) handed down its rulings in several cases (C-665/22, Joined Cases C‑664/22 and C‑666/22, C‑663/22, and Joined Cases C‑662/22 and C‑667/22) concerning the compatibility with EU law of certain Italian measures imposing obligations on providers of online platforms and search engines. In doing so, the CJEU upheld the so-called “country-of-origin” principle, established in the EU’s e-Commerce Directive and based on the EU Treaties principle of free movement of services. The country-of-origin principle gives the Member State where an online service provider is established exclusive authority (“competence”) to regulate access to, and exercise of, the provider’s services and prevents other Member States from imposing additional requirements.
We provide below an overview of Court’s key findings.Continue Reading CJEU Upholds Country-of-Origin Principle for Online Service Providers in the EU
CNIL Opens Public Consultation on Its Standards for Processing Health Data
On May 16, 2024, the CNIL launched a public consultation on all of its health data standards. Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.
French law has specific requirements for the processing of health data. In particular, it…
Continue Reading CNIL Opens Public Consultation on Its Standards for Processing Health DataChina Eases Restrictions on Cross-Border Data Flows
After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here). The Provisions take effect immediately.
The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime. These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations. Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification. As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers. Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.Continue Reading China Eases Restrictions on Cross-Border Data Flows
UK ICO Launches a Consultation on “Consent or Pay” Business Models
By Mark Young & Paul Maynard on
On 6 March 2024, the ICO issued a call for views on so-called “Consent or pay” models, where a user of a service has the option to consent to processing of their data for one or more purposes (typically targeted advertising), or pay a (higher) fee to access the service without their data being processed for those purposes. This is sometimes referred to as “pay or okay”.
The ICO has provided an “initial view” of these models, stating that UK data protection law does not outright prohibit them. It also sets out factors to consider when implementing these models and welcomes the views of publishers, advertisers, intermediaries, civil society, academia and other interested stakeholders. The consultation is open until 17 April 2024.Continue Reading UK ICO Launches a Consultation on “Consent or Pay” Business Models
ICO Launches Consultation Series on Generative AI
By Will Capstick, Marianna Drake, Marty Hansen, Lisa Peets & Mark Young on
On 15 January 2024, the UK’s Information Commissioner’s Office (“ICO”) announced the launch of a consultation series (“Consultation”) on how elements of data protection law apply to the development and use of generative AI (“GenAI”). For the purposes of the Consultation, GenAI refers to “AI models that can create new content e.g., text, computer code, audio, music, images, and videos”.
As part of the Consultation, the ICO will publish a series of chapters over the coming months outlining their thinking on how the UK GDPR and Part 2 of the Data Protection Act 2018 apply to the development and use of GenAI. The first chapter, published in tandem with the Consultation’s announcement, covers the lawful basis, under UK data protection law, for web scraping of personal data to train GenAI models. Interested stakeholders are invited to provide feedback to the ICO by 1 March 2024.Continue Reading ICO Launches Consultation Series on Generative AI
EU Supervisory Authorities Publish New Guidance on Cookies
Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies. On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only). On December 20, 2023, the Austrian SA published FAQs on cookies and data protection (available in German only). On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).
The new guidance builds on existing guidance but addresses some new topics which we discuss below.Continue Reading EU Supervisory Authorities Publish New Guidance on Cookies
UK Information Commissioner’s Office Releases New Guidance for Monitoring at Work
By Shona O'Donovan on
On 3 October 2023, the UK Information Commissioner’s Office (“ICO”) finalized its Employment practices and data protection − Monitoring workers guidance (“Guidance”) to account for new types of work, including work from home, and the use of more sophisticated technologies for monitoring. In November 2022, we published a detailed blog post on the ICO’s public consultation.
The finalized Guidance is aimed at employers. It does not prevent employers from engaging in monitoring; rather, it sets out how they can do so in compliance with data protection law. The Guidance defines “monitoring workers” as “any form of monitoring of people who carry out work on [an employer’s] behalf” and can include “monitoring workers on particular work premises or elsewhere” both during and outside working hours. The Guidance is clear that it applies to homeworking. It also applies to a range of monitoring technologies and purposes, including (but not limited to) technologies for monitoring timekeeping or access control; keystroke monitoring to track, capture and log keyboard activity; and productivity tools which log how workers spend their time.Continue Reading UK Information Commissioner’s Office Releases New Guidance for Monitoring at Work
China Proposes Significant Changes to Cross-Border Transfer Rules
By Yan Luo, Xuezi Dan & Nicholas Shepherd on
On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued draft Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (规范和促进数据跨境流动规定(征求意见稿)) (draft “Provisions”) (Chinese version available here) for a public consultation, which will conclude on October 15, 2023.
The draft Provisions propose significant changes to the existing cross-border data transfer regime established under China’s Personal Information Protection Law (“PIPL”). Specifically, the draft Provisions provide certain exemptions to the requirement to adopt a transfer mechanism under Article 38 of the PIPL. In addition, the draft Provisions significantly lower the thresholds that trigger the obligation to undergo a government-administered security assessment or adopt Standard Contracts. Moreover, in the event of a conflict between the draft Provisions and the PIPL’s implementing regulations (including the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer), the draft Provisions would prevail.Continue Reading China Proposes Significant Changes to Cross-Border Transfer Rules
European Commission Publishes Guidance on NIS2: Interplay with Sector-Specific Laws
By Mark Young & Paul Maynard on
As many readers will be aware, the EU’s new cybersecurity directive, NIS2, imposes security, incident notification, and governance obligations on entities in a range of critical sectors, including energy, transport, finance, health, and digital infrastructure (for an overview of NIS2, see our previous post here). One of the main reasons the Commission proposed these new rules was the inconsistent ways in which Member States had implemented requirements under the prior directive, NIS. To help improve harmonization further, the Commission has now issued two guidance documents to help assess when NIS2 or sector-specific requirements apply, and to ensure that registration requirements are consistent across the Union.
Continue Reading European Commission Publishes Guidance on NIS2: Interplay with Sector-Specific Laws