The much discussed and long-awaited General Data Protection Regulation (“GDPR”) applies from today, May 25, 2018. It will update and harmonize data protection laws across the EU, and sets out comprehensive rules in relation to personal data handling, as well as the rights of individuals over their personal data. It is unclear how aggressively the … Continue Reading
Having received Royal Assent on May 23, 2018, the UK Data Protection Bill is now an Act of Parliament. The Data Protection Act 2018 (the “Act”) implements the General Data Protection Regulation (“GDPR”) and replaces the UK Data Protection Act 1998. Notable provisions that make use of the ability of Member States to implement different … Continue Reading
By Bruce Bennett, Carlo Kostka, Charlotte Hill, Craig Pollack, Dan Cooper, Gemma Nash, Kristof Van Quathem, Mark Young, and Sophie Bertin The EU Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly … Continue Reading
On January 12, the International Consumer Electronics Show (CES) in Las Vegas closed its doors for another year. Each CES raises a new set of technology themes, ranging from robots to smart fridges — and this year, the winner was voice technologies. Such technologies, while not entirely new, are now becoming mainstream: sales of smart … Continue Reading
By Mark Young, Joseph Jones and Ruth Scoles Mitchell The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”). We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think … Continue Reading
Kristof Van Quathem, special counsel in Covington’s Brussels office, advises clients on data protection, data security, and cybercrime matters. He has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies, ranging from compliance advice on the adopted laws, regulations, and guidelines, to the … Continue Reading
On September 13, 2017, the UK Government published a new Data Protection Bill regulating the use of individuals’ personal data. The Bill, which is intended to replace the UK Data Protection Act 1998, would serve a range of functions, most notably setting out how the UK intends to make use of its leeway to derogate … Continue Reading
On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”). The ICO is consulting on the Guidance until 10 October. We summarize the key aspects of the Guidance below.… Continue Reading
Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or … Continue Reading
By Lisa Peets, Ezra Steinhardt, and Rosie Klement On July 14, 2017, the Impact Assessment Institute (“IAI”) (an independent institute committed to impartial impact assessment and scientific evaluation of policy and legislation in the EU) published a study assessing the impact assessment carried out by the European Commission in connection with the Commission’s proposal for … Continue Reading
By Dan Cooper and Rosie Klement The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context. Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force … Continue Reading
In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning. To read … Continue Reading
As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR. European Developments In the EU, we previously … Continue Reading
On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level. The consultation deadline is May 10th, at mid-day UK time. Although the GDPR was an effort to bring greater harmonization to data protection regimes … Continue Reading
By Denitsa Marinova On April 11, 2017, the Data Protection Commissioner of Ireland (DPC) published her annual report for 2016, highlighting key developments and activities for the past year and outlining priorities for 2017 and beyond. The report will be of interest to Irish entities and multinational organizations with a base in Ireland, including companies … Continue Reading
By Dan Cooper and Rosie Klement On April 2, 2017, the Information Commissioner’s Office (“ICO”) released a consultation paper for UK organizations to comment on how the new profiling provisions under the General Data Protection Regulation (“GDPR”) could be interpreted and applied when the GDPR comes into force in May 2018. The public consultation on … Continue Reading
The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases. The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd … Continue Reading
On March 9, 2017, the Court of Justice of the EU (“CJEU”) handed down a ruling limiting the reach of its prior “right to be forgotten” jurisprudence, by holding that the right does not prevail over society’s interest in access to official public records of company details required by law.… Continue Reading
By Dan Cooper and Rosie Klement On March 2, 2017, the Information Commissioner’s Office (“ICO”) released draft guidance for UK organizations on how the notion of consent will be interpreted and applied when the General Data Protection Regulation (“GDPR”) comes into force in May 2018. The ICO is currently engaging in a public consultation on … Continue Reading
The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the EU – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018. This first salvo of GDPR-focused guidance concerns: the new “Right to Data Portability”, an … Continue Reading
On August 31, 2016, a bill was presented to the Luxembourg Parliament (the “Bill”) to amend the Law of August 2, 2002, on the Protection of Persons with regard to the Processing of Personal Data. The Bill aims to reduce the current administrative burden and anticipates the application of the General Data Protection Regulation (“GDPR”) … Continue Reading
Last week, the European Data Protection Supervisor (the “EDPS”), in collaboration with European consumer organisation BEUC, hosted a joint conference on Big Data: individual rights and smart enforcement in Brussels (for the conference agenda, see here). The conference brought together leading regulators and experts in the areas of competition, data protection and consumer protection, including … Continue Reading
On June 16, 2016, the French data protection authority (“CNIL”) launched a public consultation on the General Data Protection Regulation (“GDPR). The consultation focuses on four priority themes set out in the Article 29 Working Party’s 2016 Action plan: the data protection officer; the right to data portability; data protection impact assessments; and certification.… Continue Reading
On May 12, 2016, The French High Court (“Cour de Cassation”) rendered a short decision stating that the right to be forgotten does not supersede the freedom of press. In this case, two brothers took legal action against a famous French daily newspaper. The two individuals requested that their respective names be removed from search results … Continue Reading
