Last week, the National Telecommunications and Information Administration (“NTIA”) released submissions it had received from the Federal Trade Commission (“FTC”) staff and many other parties on NTIA’s proposed framework for advancing consumer privacy while protecting innovation. Although NTIA did not request comments on a possible federal privacy bill, most submissions took the opportunity to inform … Continue Reading
Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced. Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging. Enforcement appears to be ramping up significantly. … Continue Reading
On September 5, 2018, a first instance Administrative Court in Italy decided that a public company cannot reject an application for the position of data protection officer (“DPO”) on the basis that the applicant is not a certified ISO 27001 Auditor / Lead Auditor (decision available here). ISO 27001 is an international information security standard. … Continue Reading
On October 23, 2018, the European Federation of Pharmaceutical Industries in cooperation with the Future of Privacy Forum and the Center for Information Policy Leadership will organize a workshop entitled, “Can GDPR Work for Health Research.” In the first session, the workshop will discuss the implications of the General Data Protection Regulation (“GDPR”) on clinical … Continue Reading
On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. The GDPR establishes some of the most robust privacy requirements globally and is likely to be a model followed by other jurisdictions. Airlines are uniquely affected by the GDPR with passenger data being at the heart of their business and international … Continue Reading
Designing data-driven products and services in compliance with privacy requirements can be a challenging process. Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR). These challenges are often particularly acute for companies … Continue Reading
By Grace Kim and Ezra Steinhardt On September 13, 2018, the UK government published a series of technical notices on how to prepare for a scenario in which the UK leaves the EU without agreement on March 29, 2019 (“no-deal Brexit”). The government stressed that a no-deal Brexit “remains unlikely given the mutual interests of … Continue Reading
On July 20, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) published comments it received from a wide array of tech and telecom companies, trade groups, civil society, academia, and others regarding its “international Internet policy priorities for 2018 and beyond.” NTIA’s Office of International Affairs (“OIA”) had requested comments and … Continue Reading
By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of localization data for targeted advertising (see here). The CNIL found that the consent on which both companies relied did … Continue Reading
On July 27, 2018, the Government of India’s Committee of Experts released a draft Protection of Personal Data Bill. Together with an accompanying report, the draft bill moves India one step closer towards enacting a comprehensive data protection regime. Last year, the Supreme Court of India issued a landmark decision holding that privacy is a … Continue Reading
Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its most famous use is its role as the architecture of the cryptocurrency Bitcoin, however it has many other potential uses in the financial sector, for instance in … Continue Reading
On July 17, 2018, the Dutch Supervisory Authority announced that it will start a preliminary investigation to assess whether certain large corporations comply with the EU’s General Data Protection Regulation (“GDPR”) – see the official press release here (in Dutch). To that end, the authority will review the “records of processing activities” from thirty randomly … Continue Reading
The much discussed and long-awaited General Data Protection Regulation (“GDPR”) applies from today, May 25, 2018. It will update and harmonize data protection laws across the EU, and sets out comprehensive rules in relation to personal data handling, as well as the rights of individuals over their personal data. It is unclear how aggressively the … Continue Reading
Having received Royal Assent on May 23, 2018, the UK Data Protection Bill is now an Act of Parliament. The Data Protection Act 2018 (the “Act”) implements the General Data Protection Regulation (“GDPR”) and replaces the UK Data Protection Act 1998. Notable provisions that make use of the ability of Member States to implement different … Continue Reading
By Bruce Bennett, Carlo Kostka, Charlotte Hill, Craig Pollack, Dan Cooper, Gemma Nash, Kristof Van Quathem, Mark Young, and Sophie Bertin The EU Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly … Continue Reading
On January 12, the International Consumer Electronics Show (CES) in Las Vegas closed its doors for another year. Each CES raises a new set of technology themes, ranging from robots to smart fridges — and this year, the winner was voice technologies. Such technologies, while not entirely new, are now becoming mainstream: sales of smart … Continue Reading
By Mark Young, Joseph Jones and Ruth Scoles Mitchell The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”). We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think … Continue Reading
Kristof Van Quathem, special counsel in Covington’s Brussels office, advises clients on data protection, data security, and cybercrime matters. He has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies, ranging from compliance advice on the adopted laws, regulations, and guidelines, to the … Continue Reading
On September 13, 2017, the UK Government published a new Data Protection Bill regulating the use of individuals’ personal data. The Bill, which is intended to replace the UK Data Protection Act 1998, would serve a range of functions, most notably setting out how the UK intends to make use of its leeway to derogate … Continue Reading
On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”). The ICO is consulting on the Guidance until 10 October. We summarize the key aspects of the Guidance below.… Continue Reading
Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or … Continue Reading
By Lisa Peets, Ezra Steinhardt, and Rosie Klement On July 14, 2017, the Impact Assessment Institute (“IAI”) (an independent institute committed to impartial impact assessment and scientific evaluation of policy and legislation in the EU) published a study assessing the impact assessment carried out by the European Commission in connection with the Commission’s proposal for … Continue Reading
By Dan Cooper and Rosie Klement The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context. Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force … Continue Reading
In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning. To read … Continue Reading
