On July 26, four Chinese agencies, the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MoPS”), and the National Standards Committee, announced their plan to begin the government’s campaign to improve the protection of personal information, according to Xinhua News Agency (link is in Chinese). … Continue Reading
By Dan Cooper and Rosie Klement On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”). The Agreement was signed in 2014, but the CJEU … Continue Reading
By Lisa Peets, Ezra Steinhardt, and Rosie Klement On July 14, 2017, the Impact Assessment Institute (“IAI”) (an independent institute committed to impartial impact assessment and scientific evaluation of policy and legislation in the EU) published a study assessing the impact assessment carried out by the European Commission in connection with the Commission’s proposal for … Continue Reading
On July 11, 2017, the Cyberspace Administration of China (CAC) released the draft Regulation on the Protection of the Critical Information Infrastructure (“Draft Regulation”) for public comment (official Chinese version available here). The comment period ends on August 10, 2017. Aiming to add greater clarification to the Cybersecurity Law, which took effect on June 1, … Continue Reading
The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to … Continue Reading
By Dan Cooper and Rosie Klement The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context (available here). Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming … Continue Reading
South Korea has became the fifth member economy to join the Asia-Pacific Economic Cooperation’s (“APEC”) Cross-Border Privacy Rules (“CBPR”) system, a voluntary but legally enforceable code of conduct that aims to facilitate secure data transfers and e-commerce between parties to the agreement. Established in 2011, the CBPR system aims to provide a minimum level of … Continue Reading
On June 9, 2017, the Cyberspace Administration of China (“CAC”), together with three other agencies, released a Catalog of Critical Network Equipment and Network Security Products (First Batch) (“the Catalog,” original Chinese version available here). It specifies network products that must be certified before they can be marketed in China. China’s Cybersecurity Law (see our … Continue Reading
Part 3 of this three-part entry discusses a separate, but equally important, legal development in China’s data protection environment. On May 8, 2017, the Supreme People’s Court and the Supreme People’s Procuratorate issued an interpretation of criminal law regarding infringement of citizens’ personal information (the “Interpretation”). The Interpretation examines the provision in China’s Criminal Law, … Continue Reading
Part 1 of this post clarified which parts of China’s latest Cybersecurity Law (the “Law”) are currently ready to be enforced and which parts are awaiting clarification in the form of implementing regulations or standards. In this post, we will discuss latest landscape of implementing regulations and national standards that supplement the Law. Implementing … Continue Reading
On June 1, 2017, China’s new Cybersecurity Law (the “Law”) finally went into effect. It is the first Chinese law that systematically lays out the regulatory requirements on data privacy and cybersecurity, subjecting to government scrutiny many activities in cyberspace that were previously unregulated or addressed in a sector-by-sector fashion. Three weeks after the Law … Continue Reading
The Article 29 Working Party (“WP29”), a group consisting of representatives from each European data protection authority, the European Data Protection Supervisor, and the European Commission, yesterday issued a press release detailing its recommendations for the first Annual Joint Review of the EU-U.S. Privacy Shield (“Privacy Shield”), which will take place in September 2017. Specifically, … Continue Reading
In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning. To read … Continue Reading
On May 27, 2017, China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft Version) (the “draft Standard”) for public comments. The official Chinese version of … Continue Reading
The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C. The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, … Continue Reading
Today, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Security Review of Network Products and Services (Trial) (“the Measures”), with an effective date of June 1, 2017 (official Chinese version available here). The issuance of the Measures marks a critical first step toward implementing China’s Cybersecurity Law (“the … Continue Reading
As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR. European Developments In the EU, we previously … Continue Reading
On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level. The consultation deadline is May 10th, at mid-day UK time. Although the GDPR was an effort to bring greater harmonization to data protection regimes … Continue Reading
By Denitsa Marinova On April 11, 2017, the Data Protection Commissioner of Ireland (DPC) published her annual report for 2016, highlighting key developments and activities for the past year and outlining priorities for 2017 and beyond. The report will be of interest to Irish entities and multinational organizations with a base in Ireland, including companies … Continue Reading
On April 11, 2017, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Draft Measures”) for public comment (official Chinese version available here). The comment period ends on May 11, 2017. The issuance of the long-anticipated Draft Measures … Continue Reading
By Dan Cooper and Rosie Klement On April 2, 2017, the Information Commissioner’s Office (“ICO”) released a consultation paper for UK organizations to comment on how the new profiling provisions under the General Data Protection Regulation (“GDPR”) could be interpreted and applied when the GDPR comes into force in May 2018. The public consultation on … Continue Reading
Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website. Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months. EU Justice Commissioner Věra Jourová recently concluded her visit to the … Continue Reading
The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases. The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd … Continue Reading
By Luca Tosoni and Dan Cooper On 2 February 2017, the Italian DPA (“Garante”) imposed a record fine of 5,880,000 Euros on a UK company operating in Italy for its violation of the data privacy consent rules contained in Italian law. This is the largest data privacy fine ever issued by a European data protection … Continue Reading
