On Episode 15 of Covington’s Inside Privacy Audiocast, Dan Cooper is joined by Nick O’Connell, head of Al Tamimi’s Digital & Data practice in Saudi Arabia. Nick shares his insights on recent privacy developments in Saudi Arabia and the broader Middle East region, in particular as they relate to emerging data protection frameworks in these
On April 27, 2021, the Irish Oireachtas Committee on Justice met in Dublin to consider recent written submissions received criticising the Irish Data Protection Commission (DPC). The meeting was divided into two hour-long meetings with the first meeting devoted to the criticisms of Max Schrems, the Austrian privacy campaigner, and Fred Logue, an Irish data protection lawyer. The second meeting, the longer of the two, heard from Helen Dixon, the Data Protection Commissioner, and the Irish Council of Civil Liberties.
Ten politicians, including the Chair (a lawyer with data law experience), questioned each of the invitees on what was a limited agenda. Each participant was limited to a five minute opening statement after which member politicians attending queried them. Discussion of ongoing cases was not permitted.
The Committee scheduled Mr. Schrems and Ms. Dixon on separate panels, presumably to avoid a repeat of Ms. Dixon’s objection to the previous invitation from the European Parliament’s LIBE Committee proposing to hear from both together at the same hearing. Each in turn were the key participants in their panel discussions. Mr. Schrems repeated criticisms he has made previously and Ms. Dixon gave a strong defence of her office.…
Continue Reading Irish Parliamentary Committee Hearing Discusses Criticism of the Irish DPC
On January 5, 2021, the Council of the European Union released a new, draft version of the ePrivacy Regulation, which is meant to replace the ePrivacy Directive. The European Commission approved a first draft of the ePrivacy Regulation in January 2017. The draft regulation has since then been under discussion in the Council.
On January 1, 2021, Portugal took over the presidency of the Council for six months. Ahead of the next meeting of the Council’s working party responsible for the draft ePrivacy Regulation, the Portuguese Presidency issued a revised version of the draft regulation. This is the 14th draft version of the ePrivacy Regulation (including the European Commission’s first draft).
Once approved, the ePrivacy Regulation will set out requirements and limitations for publicly available electronic communications service providers (“service providers”) processing data of, or accessing devices belonging to, natural and legal persons “who are in the [European] Union” (“end-user”). The regulation aims to safeguard the privacy of the end-users, the confidentiality of their communications, and the integrity of their devices. These requirements and limitations will apply uniformly in all EU Member States. However, EU Member States have the power to restrict the scope of these requirements and limitations where this is a “necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests.“…
Continue Reading Council of the EU Released a (New) Draft of the ePrivacy Regulation
On December 24th, with a year-end deadline and the holidays fast approaching, European Commission and United Kingdom (“UK”) officials announced they reached a deal on the EU-UK Trade and Cooperation Agreement (“Agreement”). Once formally adopted by the European Union (“EU”) institutions, the Agreement will govern the relationship between the EU and UK beginning on January 1, 2021, following the end of the Brexit transition period.
The Agreement is likely to avert a year-end scramble to secure cross-border data transfers between the EU and the UK. Although the final text has not yet been published, a UK government summary of the deal indicates that the parties agreed to allow for the continued free flow of personal data for up to six months to allow time for the EU and UK to adopt mutual “adequacy decisions,” in which each jurisdiction may recognize the other as offering adequate protection for transferred personal data. Absent these adequacy decisions (and the interim period established by the Agreement), organizations would need to consider implementing additional safeguards, such as standard contractual clauses, to transfer personal data between the EU and UK.…
Continue Reading Brexit Deal Keeps EU-UK Data Flows Open as Parties Pursue Mutual Adequacy
On December 15, 2020, the Irish Data Protection Commission (“DPC”) fined Twitter International Company (“TIC”) EUR 450,000 (USD 500,000) following a narrow investigation into TIC’s compliance with obligations to (a) notify a personal data breach within 72 hours under Article 33(1) GDPR; and (b) document the facts of the breach under Article 33(5) GDPR. The process to investigate these points took a little under two years, and resulted in a decision of nearly 200 pages.
This is the first time that the DPC has issued a GDPR fine as a lead supervisory authority (“LSA”) after going through the “cooperation” and “consistency” mechanisms that enable other authorities to raise objections and the EDPB to resolve disagreements. The delay in the process and details in the EDPB binding resolution suggest that this was a somewhat arduous process. Several authorities raised objections in response to the DPC’s draft report – regarding the identity of the controller (Irish entity and/or U.S. parent), the competence of the DPC to be LSA, the scope of the investigation, the size of the fine, and other matters. Following some back and forth — most authorities maintained their objections despite the DPC’s explanations — the DPC referred the matter to the EDPB under the GDPR’s dispute resolution procedure. The EDPB considered the objections and dismissed nearly all of them as not being “relevant and reasoned”, but did require the DPC to reassess the level of the proposed fine.
Process aside, the DPC’s decision contains some interesting points on when a controller is deemed to be “aware” of a personal data breach for the purpose of notifying a breach to a supervisory authority. This may be particularly relevant for companies based in Europe that rely on parent companies in the US and elsewhere to process data on their behalf. The decision also underlines the importance of documenting breaches and what details organizations should include in these internal reports.…
Continue Reading Twitter Fine: a View into the Consistency Mechanism, and “Constructive Awareness” of Breaches
On September 16, 2020, the Spanish Supervisory Authority (“AEPD”) approved a “Code of Conduct for Data Processing in Advertising” (“Code”) (see the decision approving the code here). This is the first GDPR approved Code of Conduct with an accredited monitoring body in the European Union. The Code enters into effect on November 17, 2020, two months after its approval.
Below we provide a brief FAQ about the Code.
On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”). These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”). (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).
The two recommendations adopted by the EDPB are:
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Draft Recommendations on Supplementary Measures”); and
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Recommendations on EEG”).
Recently, there has been a significant level of attention given to data protection and privacy matters on the Continent, and in the just the past year, we have seen new laws proposed or enacted in places like Nigeria, Egypt, Kenya, and of course South Africa, although prior to that, places like Morocco, Ghana and Mali…
On June 22, 2020, the South African President announced that certain provisions of POPIA would take effect on July 1, provisions which most regard as essential to the statute, such as those imposing conditions on the lawful processing of personal information, procedures for handling complaints, and general enforcement provisions. Only days later, the South African…
On September 22, 2020, the Federal Trade Commission (“FTC”) hosted “Data to Go,” a virtual workshop on data portability. The workshop convened experts from civil society, academia, and industry to discuss the potential risks as well as consumer and competition benefits of data portability, as well as issues and best practices related to its implementation in legislative and industry-led initiatives. The discussions emphasized five key themes regarding data portability efforts in the U.S. and globally.…
Continue Reading Five Key Themes from the FTC’s Data Portability Workshop