By Lisa Peets, Ezra Steinhardt, and Rosie Klement On July 14, 2017, the Impact Assessment Institute (“IAI”) (an independent institute committed to impartial impact assessment and scientific evaluation of policy and legislation in the EU) published a study assessing the impact assessment carried out by the European Commission in connection with the Commission’s proposal for … Continue Reading
The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to … Continue Reading
By Dan Cooper and Rosie Klement The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context (available here). Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming … Continue Reading
In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning. To read … Continue Reading
On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level. The consultation deadline is May 10th, at mid-day UK time. Although the GDPR was an effort to bring greater harmonization to data protection regimes … Continue Reading
By Luca Tosoni and Dan Cooper On 2 February 2017, the Italian DPA (“Garante”) imposed a record fine of 5,880,000 Euros on a UK company operating in Italy for its violation of the data privacy consent rules contained in Italian law. This is the largest data privacy fine ever issued by a European data protection … Continue Reading
On March 9, 2017, the Court of Justice of the EU (“CJEU”) handed down a ruling limiting the reach of its prior “right to be forgotten” jurisprudence, by holding that the right does not prevail over society’s interest in access to official public records of company details required by law.… Continue Reading
By Dan Cooper and Rosie Klement On March 2, 2017, the Information Commissioner’s Office (“ICO”) released draft guidance for UK organizations on how the notion of consent will be interpreted and applied when the General Data Protection Regulation (“GDPR”) comes into force in May 2018. The ICO is currently engaging in a public consultation on … Continue Reading
On February 9, 2017, six Democratic senators wrote to DHS Secretary John Kelly about their concerns over a Trump executive order that would remove Privacy Act protections for non-U.S. citizens and lawful permanent residents. Senators Ed Markey (MA), Ron Wyden (OR), Jeff Merkley (OR), Al Franken (MN), Chris Coons (DE), and Mazie Hirono (HI) wrote … Continue Reading
On January 12, 2017, the U.S. Federal Trade Commission announced the adoption of a Swiss-U.S. Privacy Shield, to replace the existing Swiss-U.S. Safe Harbor Agreement. Companies have a three month grace period to switch from the old to the new regime. The Swiss version of the Privacy Shield had to be negotiated following the invalidation … Continue Reading
By Joseph Jones, Phil Bradley-Schmieg and Gemma Nash On December 21, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2 /Watson. The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of … Continue Reading
The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the EU – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018. This first salvo of GDPR-focused guidance concerns: the new “Right to Data Portability”, an … Continue Reading
Yesterday, the European Parliament voted to approve the EU-U.S. Umbrella Agreement, a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S. As we previously explained, negotiations on this Agreement have been underway for quite some time, with the European Parliament first calling for it back in March … Continue Reading
On September 16, 2016, Digital Rights Ireland (“DRI”), a digital rights advocacy group, lodged an action with the EU General Court for annulment of the European Commission’s Decision on the EU-U.S. Privacy Shield arrangement. While the existence of the application has only recently become public knowledge, it was widely-expected that the Privacy Shield would face … Continue Reading
On August 31, 2016, a bill was presented to the Luxembourg Parliament (the “Bill”) to amend the Law of August 2, 2002, on the Protection of Persons with regard to the Processing of Personal Data. The Bill aims to reduce the current administrative burden and anticipates the application of the General Data Protection Regulation (“GDPR”) … Continue Reading
Last week, the European Data Protection Supervisor (the “EDPS”), in collaboration with European consumer organisation BEUC, hosted a joint conference on Big Data: individual rights and smart enforcement in Brussels (for the conference agenda, see here). The conference brought together leading regulators and experts in the areas of competition, data protection and consumer protection, including … Continue Reading
As announced last week, the European Data Protection Supervisor (“EDPS”) released on September 23, 2016 an opinion on “coherent enforcement of fundamental rights in the age of big data.” This opinion follows an earlier Preliminary Opinion on privacy and competitiveness in the age of big data, published in 2004 (see our previous blog post here). … Continue Reading
The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful. With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services. European healthcare is particularly affected by such restrictions. This has motivated a significant … Continue Reading
A new post on the Covington eHealth blog reports that the UK government is running a consultation around NHS patient data security standards and a new legal framework for secondary uses (e.g. research) of patient data. To find out more about the proposals and the consultation, please click here.… Continue Reading
At a joint press conference in Brussels this morning (July 12, 2016), EU Commissioner Jourová and the U.S. Secretary of Commerce, Penny Pritzker, presented the new EU-U.S. data transfer mechanism (see press release here, adequacy decision text here, annexes here and Q&A factsheet here). The press conference followed the approval of the underlying adequacy decision … Continue Reading
On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here). That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11). Once translated and published in the Official … Continue Reading
On May 12, 2016, The French High Court (“Cour de Cassation”) rendered a short decision stating that the right to be forgotten does not supersede the freedom of press. In this case, two brothers took legal action against a famous French daily newspaper. The two individuals requested that their respective names be removed from search results … Continue Reading
On May 30, the European Data Protection Supervisor (the “EDPS”) issued an opinion on the Privacy Shield, see opinion here and press release here. The EDPS acknowledged that the European Commission’s draft adequacy decision on the Privacy Shield is a step in the right direction and shows a number of improvements compared to the EU-U.S. … Continue Reading
This morning (May 26, 2016) the European Parliament (“EP”) approved a non-binding resolution on the proposed EU – U.S. Privacy Shield (see resolution here and press release here). The resolution is far more positive in relation to the Privacy Shield than some of the proposals floated by some political groups earlier this week (see, for instance, the resolution proposed … Continue Reading
