As we draw ever closer to 25 May 2018 we have seen increasing activity in preparation for the EU General Data Protection Regulation ("GDPR") coming into effect.
The French data protection authority, the CNIL, has been particularly active, launching a second public consultation on the GDPR which looked at a further 3 key topics identified by the Article 29 Working Party ("WP29") in its 2017 action plan. The 3 topics were: i) breach notification; ii) consent; and iii) profiling. The feedback from this consultation was shared in the 2017 GDPR Fablab, organised by the WP29, which has the purpose of providing useful guidelines on the topics consulted on by the end of this year. A press release about the Fablab and other recent WP29 activities from the CNIL is available here. The CNIL has also published a 6 step methodology to assist organisations in their preparations for the GDPR.
We also saw steps taken by the Spanish data protection authority, the AEPD, in preparation for the GDPR, with confirmation in their blog that the requirement to register files containing personal data will disappear under the GDPR.
And continuing a trend we have reported on in previous alerts of countries currently outside of the scope of the GDPR adopting new data protection laws equivalent to the GDPR, the Serbian data protection authority, the Commissionaire for information of public importance and personal data protection, has published on its website a "model on the law on protection of personal data" (the "Model"). The Model seeks to replace the current data protection law in Serbia which came into effect in 2009, moving towards an approach more in line with that in the EU.
Across Europe, and further afield, we have also seen data protection authorities taking steps and making decisions that signify a move towards greater protection for the rights of data subjects, something that goes to the heart of the GDPR. In Russia, for example, a 'personal data violations' bill introduced civil offences for the violation of data subjects' rights. A decision by the Supreme Administration Court in Czech Republic confirmed that data controllers are not able to contract out of their obligations, with data controllers remaining responsible for any personal data over which they are the data controller even when they subcontract any part of the processing.
We have also seen similar activity in the context of the employer-employee relationship, with a decision from the Italian data protection authority, the Garante, prohibiting the indiscriminate monitoring of employee emails and smartphones, and an opinion being issued by the Portuguese data protection authority, the CNPD, on the provision of employee pay slips under enforcement proceedings.
These developments continue to demonstrate a move towards greater awareness of data subject rights and the importance of protecting them, which only looks set to continue as we head towards May 2018.
Please see below for further data protection updates from across the world:
- Italy: Italian DPA issues EUR 11 million fine for breach of personal data protection code
- Ireland: High court reserves judgment in Schrems case
- Australia: Mandatory data breach notification act passed by parliament
- United States: Record number of data breach notices in New York in 2016
- Argentina: Argentina issues draft data protection bill