Updata: Your quarterly Data Privacy and Cybersecurity update
January to March 2019
Executive summary
Welcome to the third edition of Updata, the international quarterly update from Eversheds Sutherland's dedicated Privacy and Cybersecurity team.
Updata provides you with a compilation of privacy and cybersecurity regulatory and legal updates from our contributors around the globe over the past quarter.
This quarter's report features commentary on a number of interesting developments, including:
Updated guidance from the EU's ENISA on What is "state of the art" in IT security? and a new cybersecurity standard on internet-connected consumer devices.
New laws in China, including a draft specification which updates the legal framework regarding personal data collection and new rules on the administration of mobile internet application security verification.
The government of Mauritius emphasising the need to improve law enforcement and the judiciary in the investigation and prosecution of cybercrime as well as the enhancement of safety and security in cyberspace.
The government of Russia's approval of new laws which will enable the Federal Service for the Supervision of Communications, Information Technology and Mass Media to conduct new types of inspections of personal data operators, which give more predictability to individuals and businesses.
Poland's first fine issued under the GDPR for breaches of Article 14's transparency obligations.
We also have a number of Spotlight on... briefings to share, including commentary on UK Court action: a strategic option for data security breach response, the UAE's new Healthcare IT Law and the "transfers from EU back into the UK conundrum".
Paula Barrett Co-Lead of Global Cybersecurity and Data Privacy T: +44 20 7919 4634 [email protected] eversheds-sutherland.com
Updata Edition 3 January to March 2019 | Executive summary
Michael Bahar Co-Lead of Global Cybersecurity and Data Privacy
T: +1 202 383 0882 [email protected] eversheds-sutherland.com
Regions covered in this edition: European Union, Austria, France, Germany, Hungary, Ireland, Italy, Lithuania, Poland, Romania, Switzerland, United Kingdom, China, Mauritius, United States, Russia, UAE.
Updates by territory
European Union
Contributors
Paula Barrett Co-Lead of Global Cybersecurity and Data Privacy
T: +44 20 7919 4634 [email protected] eversheds-sutherland.com
Lizzie Charlton Data Privacy Professional Support Lawyer
T: +44 20 7919 0826 [email protected] eversheds-sutherland.com
Development: AG Opinion on scope of search engine de-listing
Summary: Following a previous Court of Justice of the European Union (CJEU) ruling that, subject to exceptions, search engines are required to "de-reference" a webpage, or URL, from their search results when requested to do so by an individual if the webpage in question contains personal data which is inaccurate, inadequate, irrelevant or excessive, Advocate General Szpunar has issued an Opinion in Case C-507/17 Google v CNIL that the CJEU should limit the scope of the de-referencing that search engine operators are required to carry out to the EU only.
Impact date: 10 January 2019
Links: Opinion; Press statement

Development: European Union Agency for Network and Information Security (ENISA) report on eIDAS auditing framework for trust providers issuing qualified website authentication certificates
Summary: ENISA has published a report assessing the routes to global acceptance of the eIDAS auditing framework for trust service providers issuing qualified website authentication certificates.
Impact date: 15 January 2019
Links: Report

Development: New PCI Security Standards
Summary: The PCI Security Standards Council published two new standards, the PCI Secure Software Standard and the PCI Secure Software Lifecycle Standard (Secure SLC Standard), as part of a new PCI Software Security Framework. The framework is a collection of software security standards and associated programs for the secure design, development and maintenance of modern payment software. The Standards will replace the current PCI Payment Application Data Security Standard (PA-DSS), which will be retired in 2022.
Impact date: 16 January 2019
Links: PCI Security Standards blog post; PCI Security Standards library
Updata Edition 3 January to March 2019 | Updates by territory
Development: ENISA report on security and privacy and the Internet of Things
Summary: ENISA has published analysis mapping existing security standards against requirements on security and privacy in the area of the Internet of Things.
Impact date: 17 January 2019
Links: Report

Development: European Data Protection Supervisor (EDPS) report on smart glasses and data protection
Summary: The EDPS has issued a report which aims to clarify the state of play of smart glasses (wearable computer devices with mobile internet connection, to be worn as or mounted on eye-glasses), official positions on related data privacy issues and future developments. The report examines the data privacy issues associated with smart glasses, such as facial and voice recognition and the collection of "invisible" personal data like device identifiers in the form of Wi-Fi or Bluetooth radio signals.
The EDPS summarises that, given the GDPR provides stakeholders with a harmonised set of principles and a system of tools to assess and control the impact of smart glasses on data privacy, "...an urgent need for technology specific legislative initiatives does not appear to be justified. However, the development of smart glasses and similar connected recording devices underlines the need to establish a robust framework for privacy and electronic communications, as proposed with the ePrivacy Regulation".
Impact date: 18 January 2019
Links: Report; Press statement

Development: European Data Protection Board (EDPB) report on second annual joint Privacy Shield review
Summary: The EDPB adopted a report on the Second Annual Review of the EU-US Privacy Shield. The report contains commentary on concerns already expressed by the EDPB's predecessor, the Article 29 Working Party, on the lack of concrete assurances that indiscriminate collection of and access to personal data for national security purposes are excluded. In addition, the EDPB notes that the Ombudsperson is not vested with sufficient powers to remedy non-compliance, and that checks regarding compliance with the substance of the Privacy Shield's principles are not sufficiently strong.
The EDPB also highlights additional concerns in relation to checks on compliance with the onward transfer requirements, the scope of the meaning of HR Data and the recertification process, and a list of remaining issues raised after the first joint review which are still pending.
Impact date: 22 January 2019
Links: Press statement; Report
Development: EDPB sixth plenary
Summary: The EDPB met on 22 and 23 January for its sixth plenary session. Topics discussed included:
Privacy Shield: the EDPB's report on the Second Annual Review of the EU-US Privacy Shield was adopted (see update above).
Brexit: EDPB members agreed to cooperate and exchange information regarding their preparations and the tools available to transfer data to the UK post-Brexit.
Clinical trials: the EDPB adopted an opinion on the clinical trials Q&A, which addresses the adequate legal bases in the context of clinical trials and the secondary uses of clinical trial data for scientific purposes.
Data protection impact assessment (DPIA) lists: the EDPB adopted opinions on the DPIA lists submitted by Liechtenstein and Norway.
Guidelines on certification: the EDPB adopted the final version of the guidelines on certification. The guidelines explore the rationale for certification as an accountability tool, provide explanations for the key concepts of the certification provisions in Articles 42 and 43 GDPR, explain the scope of what can be certified and outline the purpose of certification.
Australian supervisory authority request: the EDPB discussed a written request received from the Office of the Australian Information Commissioner regarding the publication of data breach notifications by supervisory authorities.
Impact date: 22-23 January 2019
Links: News update

Development: New Open Data and Public Sector Information Directive
Summary: The European Parliament, Council and Commission reached agreement on the text of the new Directive on Open Data and Public Sector Information, which sets out the conditions under which public sector non-personal data should be made available for re-use, with the aim of making it more easily accessible.
Impact date: 23 January 2019
Links: Press statement
Development: EU-Japan adequacy agreement
Summary: The European Commission and Japan formally adopted a mutual adequacy arrangement enabling personal data to flow freely between the European Union and Japan. The European Commission is also in the process of negotiating an adequacy decision with South Korea.
Impact date: 23 January 2019
Links: Press statement; Factsheet

Development: Artificial Intelligence (AI) and data protection
Summary: The Council of Europe's Convention 108 Consultative Committee has published a set of baseline guidelines on Artificial Intelligence and Data Protection, which governments, AI developers, manufacturers and service providers should follow to ensure that AI applications do not undermine human dignity and the human rights and fundamental freedoms of every individual, in particular the right to data protection.
Impact date: 25 January 2019
Links: Guidelines

Development: Supreme Court finds government system for disclosing criminal convictions is "disproportionate" and breaches Article 8 ECHR
Summary: Unlock (a charity for people with convictions) brought a claim against the Government concerning the way it implements the filtering system for criminal records disclosure, arguing that the system does not comply with Article 8 ECHR (right to respect for private and family life).
By way of background, there are three types of criminal record check available in the UK via the Disclosure and Barring Service. The checks are tightly regulated to ensure that they are only made where permitted by law and justified. The type of check which can be conducted, and the information that the results of the check will contain, depend on the relevant role.
The Government is now compelled to consider changes to the rules and processes governing criminal records disclosure.
Impact date: 30 January 2019
Links: Judgment

Development: EDPB news: February 2019
Summary: The EDPB was involved in a number of projects in February, including:
hosting its seventh plenary on 12 February 2019. The plenary included discussions on Brexit, the 2019-2020 EDPB Work Program, the consultation on guidelines on codes of conduct, and the Article 64 GDPR opinion on the draft administrative arrangement (AA) between the European Securities and Markets Authority (ESMA) and the International Organisation of Securities Commissions (IOSCO);
publishing its 2019-2020 Work Program. Among other things, the program includes issuing guidance on targeting social media users, reliance on Article 6(1)(b) in the context of online services, the concepts of controller and processor and the notion of legitimate interest of the data controller, video surveillance, data protection by design and by default, and connected vehicles;
launching a consultation on guidelines on codes of conduct and monitoring bodies under the GDPR. The consultation ends on 2 April 2019;
publishing an opinion endorsing the draft arrangement by ESMA and IOSCO for the transfer of personal data between EEA financial supervisory authorities and non-EEA financial supervisory authorities;
publishing a GDPR overview report. The report contains some interesting statistics on the implementation of the GDPR and the roles and means of the national supervisory authorities;
launching a consultation on Annex 2 to Guidelines 1/2018 on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 of the GDPR, adopted on 23 January 2019. The consultation ends on 29 March 2019;
making the Norway and Liechtenstein DPIA lists available online; and
publishing an opinion on the clinical trials Q&A. The opinion addresses, among other things, aspects related to the adequate legal bases in the context of clinical trials, and the secondary uses of clinical trial data for scientific purposes.
Impact date: February 2019
Links: Seventh plenary agenda; 2019-2020 Work Program; Consultation on guidelines on codes of conduct and monitoring bodies; Opinion on transfers between EEA and non-EEA financial supervisory authorities; GDPR implementation overview report; Consultation on Annex 2 to certification guidelines; Norway and Liechtenstein DPIA lists; Opinion on clinical trials Q&A

Development: Latest draft ePrivacy Regulation
Summary: The Romanian Presidency of the Council of the European Union published two further revisions to the proposed ePrivacy Regulation this quarter, ahead of discussions in WP TELE meetings on 19-20 February and 26 February. Look out for our briefings on the proposed ePrivacy Regulation soon.
Impact date: February 2019 and ongoing
Links: Draft ahead of 19-20 February meeting; Draft ahead of 26 February meeting
Development: ENISA news: February 2019
Summary: ENISA publicised the following key updates in February:
Guidelines written by the German IT security association TeleTrusT, in cooperation with ENISA, on What is "state of the art" in IT security? The phrase "state of the art" is used in Article 32 GDPR in relation to the security measures controllers and processors are required to implement.
ENISA is encouraging organisations to get involved in European Cyber Security Month 2019.
Smartphone Secure Development Guidelines: ENISA has released SMAShiNG, an online tool that maps security measures for smartphone guidelines. The tool supports developers in building secure mobile applications. SMAShiNG touches upon crucial security measures such as user authentication; sensitive data protection; secure software distribution; device and application integrity; protection from client-side injections; and correct usage of biometric sensors.
Internet of Things security checklist: this new ENISA tool will help users save time when identifying threats and prioritising security areas of importance.
Impact date: February 2019
Links: What is "state of the art" in IT security? guidelines; European Cyber Security Month 2019 press statement; SMAShiNG press statement; Internet of Things security checklist press statement

Development: Uploading video content online with identifiable people in the background
Summary: In Sergejs Buivids v Datu valsts inspekcija (C-345/17), the CJEU ruled that someone who records video footage with identifiable people in the background and uploads that footage to an online platform allowing unrestricted access by third parties falls within the scope of the data protection framework, and outside the domestic purposes exemption. Being within the data protection framework means that the person uploading the video needs to, among other things, register with or notify their national supervisory authority, provide appropriate privacy information to the data subjects in the footage, respond to access requests and fulfil the other responsibilities of a controller. The court referred the question of whether the derogation for journalistic purposes could be applied to "citizen journalists" back to the referring court.
Impact date: 14 February 2019
Links: CJEU ruling
Development: European Telecommunications Standards Institute industry standard on internet-connected consumer devices
Summary: The European Telecommunications Standards Institute (ETSI) Technical Committee on Cyber Security has issued ETSI Technical Specification 103 645 on internet-connected consumer devices. The standard is based on the UK Government's Code of Practice for Consumer IoT Security, launched in October 2018, which set out security guidelines for manufacturers of consumer smart devices and was accompanied by consumer guidance on how to set up and manage such devices to improve their safety and protect personal information.
Impact date: 16 February 2019
Links: Industry standard

Development: Regulation strengthening the security of EU citizens' ID cards and residence documents
Summary: On 19 February 2019, representatives of the Romanian Presidency of the Council and the European Parliament reached informal trilogue agreement on a proposal for a Regulation strengthening the security of EU citizens' ID cards and of residence documents issued to EU citizens and their non-EU family members exercising their right of free movement.
Impact date: 19 February 2019
Links: Press statement

Development: European Data Protection Board overview report on GDPR implementation
Summary: The EDPB published an overview report, in collaboration with the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE), on the implementation of the GDPR and the roles and means of the national supervisory authorities.
Impact date: 26 February 2019
Links: Report; Press statement

Development: European Data Protection Supervisor annual report
Summary: The EDPS released its 2018 Annual Report, which provides an insight into all EDPS activities in 2018.
Impact date: 26 February 2019
Links: Press statement

Development: European Data Protection Board 8th plenary
Summary: On 12-13 March, the EDPB convened for its 8th plenary. The key outcomes from the plenary were:
Opinion on the interplay between the ePrivacy Directive and the GDPR: the opinion addresses whether the fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive limits the competences, tasks and powers of data protection authorities under the GDPR. The EDPB opines that data protection authorities are competent to enforce the GDPR; the mere fact that a subset of the processing falls within the scope of the ePrivacy Directive does not limit their competence under the GDPR.
Statement on the ePrivacy Regulation: in this short statement the EDPB calls on the EU legislators to intensify efforts towards the adoption of an ePrivacy Regulation.
Two opinions on national DPIA lists (Spain and Iceland).
Statement on the use of personal data in political campaigns: the EDPB highlights a number of key points to be taken into consideration when political parties process personal data in the course of electoral activities.
Impact date: 12-13 March 2019
Links: Press statement; Opinion on ePrivacy Directive and GDPR interplay; ePrivacy Regulation statement; Spain DPIA list; Iceland DPIA list; Statement on political campaigns

Development: European Commission welcomes provisional agreement to better protect whistleblowers
Summary: The European Parliament and the Member States have reached a provisional agreement on rules that will guarantee a high level of protection for whistleblowers who report breaches of EU law. The rules cover anti-money laundering and corporate taxation, data protection, protection of the EU's financial interests, food and product safety, environmental protection and nuclear safety.
Impact date: 12 March 2019
Links: Press statement

Development: EU Cybersecurity Act
Summary: The European Parliament adopted the EU Cybersecurity Act. It establishes the first EU-wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards. It also reinforces the mandate of ENISA, upgrading it to a permanent EU Cybersecurity Agency, so as to better support Member States in tackling cybersecurity threats and attacks.
The Act was subsequently approved by the Council at first reading without discussion and has been published in the Official Journal.
Impact date: 12 March 2019 (adopted by Parliament)
Links: Press statement

Development: Proposed EU measures to enhance cybersecurity
Summary: The EU is stepping up its capacity to protect Europe against cyber threats by creating a new structure to pool and network its expertise in cybersecurity research, technology and industrial development. The Council has granted the presidency a mandate to start talks with the European Parliament on:
establishing a top knowledge base for cybersecurity, the "European Cybersecurity Industrial, Technology and Research Centre", which will enhance coordination of research and innovation in cybersecurity; and
setting up a Network of National Coordination Centres with technological expertise in cybersecurity.
The intention is that these structures will help secure the digital single market and increase the EU's autonomy in the area of cybersecurity.
Impact date: 12 March 2019
Links: Press statement; Briefing paper (European Parliament)

Development: Security and privacy considerations in autonomous agents
Summary: ENISA released a report discussing the main security and privacy considerations of artificial intelligence technology used in autonomous agents in modern society, such as unauthorised autonomous systems, hijacking and misuse, transparency and accountability, pervasiveness, retention and opacity of processing. The report also provides a set of recommendations for relevant stakeholders and policy makers, including on supporting the adoption of security and privacy by design principles, developing a collaborative approach to the identification and exchange of best practices, endorsing existing initiatives on the protection of human rights through the establishment of appropriate ethical conditions for autonomous agents, and establishing a relevant framework for policy development, emerging technologies and new application areas.
Impact date: 14 March 2019
Links: Report

Development: ENISA study on privacy standards for information security
Summary: ENISA published a study which provides insights into the state of the art of privacy standards in the information security context by mapping existing standards and standardisation initiatives alike.
Impact date: 15 March 2019
Links: Press statement

Development: EU Law Enforcement Emergency Response Protocol
Summary: The Council of the EU has adopted a protocol which will support EU law enforcement authorities in providing an immediate response to major cross-border cyber-attacks.
Impact date: 18 March 2019
Links: Press statement

Development: AG opinion on cookies and consent in Planet49 case referred from German court
Summary: In the German case Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände (Verbraucherzentrale Bundesverband e.V.) (C-673/17), Advocate General Szpunar gave an opinion which echoes the long-held interpretation that pre-ticked boxes do not amount to valid consent for cookies. Notable comments include:
"The activity a user pursues on the internet (reading a webpage, participating in a lottery, watching a video, etc.) and the giving of consent cannot form part of the same act."
"for the purposes of the application of Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46 it makes no difference whether the information stored or accessed constitutes personal data."
Impact date: 21 March 2019
Links: Opinion (English)
Austria
Contributors
Georg Roehsner Partner
T: +43 15 16 20 16 0 [email protected] eversheds-sutherland.at
Michael Roehsner Associate
T: +43 15 16 20 [email protected] eversheds-sutherland.at
Manuel Boka Senior Associate
T: +43 15 16 20 [email protected] eversheds-sutherland.at

Development: Amendment of the Austrian constitution regarding competence for data protection matters (Federal Gazette I No. 14/2019)
Summary: The Austrian Parliament passed a constitutional law clarifying that (almost) all matters of data protection fall within the competence of the Austrian Federal Government. The effect is that the Austrian States have (almost) no legislative or administrative competence in matters of data protection.
Impact date: 1 January 2020
Links: Federal Gazette I No. 14/2019

Development: Austrian Data Protection Authority (DPA) quarterly report
Summary: The Austrian DPA published its Quarterly Report: there are currently 134 administrative penal proceedings under the GDPR/the Austrian Data Protection Act. However, no significant penalties have been imposed yet. The highest (published) penalty to date was EUR 4,800 for a non-compliant CCTV installation.
Impact date: 11 January 2019
Links: Quarterly Report by the Austrian DPA (in German)

Development: Austrian privacy NGO noyb files complaints against eight streaming services
Summary: The Austrian privacy NGO "none of your business" (noyb), under the leadership of Max Schrems, filed complaints against eight streaming services (including Netflix, Spotify, YouTube and Apple Music) for violations of Article 15 GDPR, the right of access.
Impact date: 18 January 2019
Links: Press statement

Development: Austrian Postal Service scandal involving sale of personal data regarding political affiliation
Summary: Investigative journalists discovered that the Austrian Postal Service had collected a large amount of personal data on almost all Austrians from public and non-public sources. The data was combined to calculate predictions about the data subjects' political affiliations. The personal data was sold for marketing purposes without the data subjects' consent.
The Austrian DPA ruled that this conduct violates both the GDPR and Austrian national data protection law. The Austrian Postal Service was ordered to stop processing and delete the data. Furthermore, it was ordered to repeat its Data Protection Impact Assessment and to amend entries in its Records of Processing Activities.
Impact date: 12 February 2019
Links: Press statement by the Austrian DPA (in German)

Development: Austrian DPA rules that legal entities have a right to data protection
Summary: Before the introduction of the GDPR, the Austrian Data Protection Act included a right to data protection for both natural persons and legal entities. When the old Data Protection Act was replaced by the GDPR, all references to a right to data protection for legal entities were removed.
As, however, the right to data protection is guaranteed as a basic right by the Austrian Constitution, there was debate about whether the right to data protection still applies to legal entities.
A recently published decision by the Austrian DPA clarified that legal entities cannot claim the rights under the GDPR. However, based on the Austrian Constitution, legal entities still have a basic right to the protection of their data.
As it is still highly disputed what this right to data protection of legal entities includes, we are awaiting further clarification from the Austrian DPA and/or the Constitutional Court regarding its application and scope.
Impact date: 13 September 2018 (decision date); 13 March 2019 (publication date)
Links: Decision by the Austrian DPA (in German)

Development: Data breach at Austrian allergy treatment facility: Austrian DPA investigation finds severe GDPR violations
Summary: A small Austrian allergy treatment facility filed a data breach notification with the Austrian DPA. Following the notification, the DPA launched an investigation and found several violations of the GDPR by the facility, including:
no DPO was appointed, despite this being obligatory for such facilities;
no DPIA was conducted, although one would have been necessary for at least six processing operations;
patients were asked to consent to medical documents being sent by unencrypted email. Such consent is invalid: the security obligations under Article 32 GDPR are duties of the controller and cannot be waived by the data subject's consent (the DPA nevertheless stated that sending such data by encrypted email is not obligatory); and
the data protection notice given pursuant to Articles 13 and 14 GDPR was insufficient, as (among other reasons) it did not clearly indicate which categories of data are collected from the data subject and which are collected from other sources.
It is not known whether an administrative penal proceeding was also initiated.
Impact date: 16 November 2018 (decision date); 14 March 2019 (publication date)
Links: Decision by the Austrian DPA (in German)
France
Contributors
Gaëtan Cordier Partner
T: +33 1 55 73 40 73 [email protected] eversheds-sutherland.com
Vincent Denoyelle Partner
T: +33 1 55 73 42 12 [email protected] eversheds-sutherland.com
Camille Lehuby Associate
T: +33 1 55 73 42 09 [email protected] eversheds-sutherland.com

Development: Google fined by the CNIL
Summary: On 21 January 2019, the CNIL announced its first fine under the GDPR, imposing a record financial penalty of EUR 50 million on Google LLC. Google was sanctioned for lack of transparency, inadequate information and lack of valid consent regarding ad personalisation.
The CNIL had received two complaints from associations (None of Your Business and La Quadrature du Net) immediately after the GDPR became applicable, accusing Google of not having a valid legal basis for the processing of users' personal data, in particular regarding the ad personalisation services offered on Android-equipped devices.
As the processing operations were cross-border, the CNIL began its investigation by reporting the complaints to the other European Data Protection Authorities (DPAs) in accordance with the one-stop-shop mechanism. The DPAs concluded that Google did not have a main establishment in the EU, even though it has European headquarters in Ireland, and that the one-stop-shop mechanism was therefore not applicable: in the authorities' analysis, the Irish headquarters did not have decision-making powers over the processing activities at issue. Consequently, the CNIL was competent to decide on the complaints filed.
Further to its online investigations, the CNIL found that Google was not providing easily accessible information to users, infringing the GDPR's transparency obligation. Essential information was scattered, and sometimes unclear or unintelligible, preventing users from fully understanding the extent of the processing of their personal data and from giving informed consent where consent was required.
The CNIL also found that Google did not have a valid legal basis for processing user data for the purpose of ad personalisation. Google was relying on consent, but the consent it obtained was not valid: Google used pre-ticked boxes in the ad personalisation options, where a positive action is necessary, and asked users to give a single consent for all the processing activities for which Google was relying on consent, so the consent was not specific enough.
Google announced on 23 January 2019 that it was appealing the CNIL's decision before the Conseil d'Etat (the French supreme administrative court).
Impact date: 21 January 2019
Links: Press statement

Development: Reinforcement of the cooperation between the CNIL and the DGCCRF
Summary: On 31 January 2019, the CNIL and the DGCCRF (French General Directorate for Competition Policy, Consumer Affairs and Fraud Control) reinforced their cooperation protocol (initially signed in January 2011) to offer better protection to consumers in the context of the development of IoT and the expansion of e-commerce. These authorities had already cooperated on the processing of personal data by social networks, unfair commercial practices related to compliance with the GDPR, and the use of personal data in e-commerce.
The main areas of cooperation they have strengthened include:
raising consumer awareness of the risks involved in communicating their personal data and disseminating good practices implemented by professionals;
exchanging more information relating to non-compliance with consumer law and data protection law;
carrying out joint controls and pooling their expertise, in particular regarding investigation techniques; and
jointly proposing actions at the European level, and sharing their analysis of developments in the legislative and regulatory framework regarding protection of consumers and of their personal data.
An annual review will be conducted to ensure the follow-up of this cooperation.
Impact date: 31 January 2019
Links: Press statement

Development: Renewal of the CNIL's college
Summary: The CNIL announced the new members of its college, which is partially renewed. In particular, the CNIL's former president, Isabelle Falque-Pierrotin, is replaced by Marie-Laure Denis, who previously worked at the French audiovisual supervisory authority (Conseil Supérieur de l'Audiovisuel) and at the French authority regulating postal and electronic communications (ARCEP).
Impact date: 14 February 2019
Links: Press statement

Development: CNIL's guidelines on personal data transfers in the event of a no-deal Brexit
Summary: If the UK leaves the European Union without a withdrawal agreement in place, and provided that the European Commission has not issued an adequacy decision acknowledging that the UK ensures an adequate level of protection, any transfers of personal data to the UK will have to comply with the GDPR provisions applicable to transfers to third countries.
On 20 February 2019, the CNIL issued recommendations to help French organisations prepare for a no-deal Brexit. The CNIL recommends that organisations follow five steps, in line with the EDPB information note published on 12 February 2019:
carry out a data mapping of the processing operations which involve a data transfer to the UK;
choose the most appropriate safeguard in light of your specific situation;
implement the relevant safeguard before the date of Brexit;
Impact date: 20 February 2019
Links: Press statement; Guidelines

Development: First trends in the accountability of IT service providers
Summary
update the internal documentation to mention that data transfers will be made to the UK; and
update information notices provided to data subjects to inform them about such transfers.
The CNIL also took the opportunity to remind organisations about the data transfer instruments available to safeguard transfers from the EU to the UK (i.e. Standard Contractual Clauses, Binding Corporate Rules and codes of conduct and certification mechanisms), and that the derogations set out in Article 49 of the GDPR will also be available on an exceptions only basis.
Impact date
For the 2018 edition of the "Sweep" on Privacy accountability, the CNIL published the results of its investigation into the accountability of IT service providers.
The CNIL observed that the good practices implemented by IT service providers to meet their new obligations were as follows:
all the organisations surveyed have carried out analysis to determine the need to appoint a Data Protection Officer;
the vast majority of companies have also examined the question of their status under the GDPR, i.e. data processor or joint data controller;
major organisations have put in place comprehensive procedures to disseminate a privacy culture;
the most advanced organisations have introduced privacyby-design into their project methodologies; and
the majority of the organisations surveyed reported that they had implemented actions to raise awareness of data protection among their employees, ranging from documentation to training sessions.
The progress margins identified during the survey were as follows:
5 March 2019
Links
Press statement
Updata Edition 3 January to March 2019 | Updates by territory
18
France
Development
The CNIL launches free online GDPR training open to everyone
Summary
some companies interviewed mentioned that they have no security incident management procedures in place; and
few actors assist their clients in the preparation of data protection impact assessments or procedures to respond to data subjects exercising their rights.
Impact date
The CNIL launched the free and open MOOC "L'Atelier RGPD" to train people on GDPR. This training tool is mainly addressed to Data Protection Officers (DPOs), future DPOs, and other professionals wishing to understand privacy, and it can be easily followed by anyone curious about data protection.
The MOOC is composed of four modules each lasting approximately five hours, with videos, animated and interactive content, free consultation of complementary documentary resources, and examples drawn from the daily issues encountered by companies.
There are also some questionnaires, allowing participants to assess their learning outcomes and to receive a certificate at the end of the training.
11 March 2019
Links
MOOC website
Updata Edition 3 January to March 2019 | Updates by territory
19
Germany
Contributors
Alexander Niethammer Partner
T: +49 89 54 56 52 45 [email protected] eversheds-sutherland.com
Nils Müller Principal Associate
T: +49 89 54 56 51 94 [email protected] eversheds-sutherland.com
Lutz Schreiber Partner
T: +49 40 80 80 94 444 [email protected] eversheds-sutherland.com
Constantin Herfurth Associate
T: +49 89 54 56 52 95 [email protected] eversheds-sutherland.com
Development
Concretization of requirements for communication via e-mail
Summary
Email communications require, as a minimum, transport encryption, which the well-known European providers offer as standard. The transport encryption should be implemented in accordance with the technical guideline BSI TR-03108 "Secure E-Mail Transport"; deviations are possible depending on the protection requirements of the data. It should be noted that transport encryption only protects a message on its way between mail servers: on the servers themselves, emails are stored in plain text and can be read at any time. For sensitive data, transport encryption alone may therefore not be sufficient, and additional technical and organisational measures, such as end-to-end encryption, may be required. The subject line of an email should not contain any personal data, as it remains in clear text even when the body is end-to-end encrypted.
Impact date
January 2019
Links
Information sheet
Development
The DSGVO (GDPR) as insufficient basis for deletion claims against Google search results
Summary
The Higher Regional Court of Dresden ruled that deletion of Google search results based on Article 17 GDPR is only possible in rare cases, where the legal infringement is obvious. A comprehensive balancing of the interests of the person concerned against the interests of the public is required. The significance of search engines for the formation of public opinion is a particular consideration weighing against the deletion of search results.
Impact date
7 January 2019
Links
Decision
Development
"Information about the collection of personal data" from the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LfDI)
Summary
The guide, suitable for small and medium-sized companies, provides information on the implementation of the information requirements under Articles 13, 14 and 21 GDPR. It recommends dividing the notice into two parts: part 1 contains general information on the processing of personal data and the rights resulting from the processing; part 2 informs about the right to object to the processing.
Impact date
11 January 2019
Links
Implementation guide
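The e-mail guidance in the first Germany entry above distinguishes transport encryption between mail servers from end-to-end encryption of the message itself. The following Python script is an added illustration of that distinction; it is not part of the original update and not taken from BSI TR-03108. It reads the Received: trail of a message to spot hops that were relayed without TLS (using the "with" keywords registered in RFC 3848) and checks whether the body is a PGP/MIME or S/MIME envelope. The two messages it parses are constructed samples, and the host names, addresses and identifiers in them are placeholders.

```python
"""Check which hops of an e-mail were relayed with transport encryption and
whether the message body is end-to-end encrypted.

Added example, not part of the original update. The sample messages below
are constructed; hosts, addresses and queue ids are placeholders.
"""
import re
from email import message_from_string
from typing import Dict, List

# "with" protocol keywords used in Received: headers (RFC 3848).
# A trailing "S" marks a hop whose SMTP session was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")

# Top-level content types of end-to-end encrypted messages:
# PGP/MIME (RFC 3156) and S/MIME enveloped data (RFC 8551).
E2E_CONTENT_TYPES = {"multipart/encrypted", "application/pkcs7-mime",
                     "application/x-pkcs7-mime"}


def classify_hops(raw_message: str) -> List[Dict[str, object]]:
    """One record per Received: header (newest hop first), flagging whether
    that hop advertised a TLS-protected SMTP session."""
    msg = message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        header = " ".join(str(received).split())  # unfold continuation lines
        match = WITH_RE.search(header)
        protocol = match.group(1).upper() if match else None
        hops.append({"header": header, "protocol": protocol,
                     "encrypted": protocol in TLS_PROTOCOLS})
    return hops


def plaintext_hops(raw_message: str) -> List[str]:
    """Received: lines of hops that were not protected by TLS."""
    return [h["header"] for h in classify_hops(raw_message) if not h["encrypted"]]


def is_end_to_end_encrypted(raw_message: str) -> bool:
    """True if the top-level content type is a PGP/MIME or S/MIME envelope.
    Even then the Subject: header is transmitted and stored in clear text."""
    return message_from_string(raw_message).get_content_type() in E2E_CONTENT_TYPES


def assess(raw_message: str) -> Dict[str, object]:
    """Summary a reviewer would want for one message."""
    msg = message_from_string(raw_message)
    return {"plaintext_hops": len(plaintext_hops(raw_message)),
            "end_to_end": is_end_to_end_encrypted(raw_message),
            "subject": msg.get("Subject", "")}


# Constructed sample 1: the hop client -> mx was plain ESMTP, the hop
# mx -> destination used STARTTLS. Received: headers are newest first.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS id abc123
\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tMon, 7 Jan 2019 10:00:00 +0100
Received: from client.example.net (client.example.net [192.0.2.55])
\tby mx.example.net with ESMTP id def456;
\tMon, 7 Jan 2019 09:59:58 +0100
From: sender@example.net
To: recipient@example.org
Subject: Patient file Max Mustermann
Content-Type: text/plain; charset="utf-8"

Please find the file attached.
"""

# Constructed sample 2: single TLS hop, body is a PGP/MIME envelope, but the
# personal data in the Subject: line is still readable on every server.
SAMPLE_PGP = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS id ghi789;
\tMon, 7 Jan 2019 11:00:00 +0100
From: sender@example.net
To: recipient@example.org
Subject: Patient file Max Mustermann
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext omitted in this constructed sample)
-----END PGP MESSAGE-----
--b1--
"""

if __name__ == "__main__":
    for hop in classify_hops(SAMPLE):
        print("TLS  " if hop["encrypted"] else "PLAIN", hop["protocol"], hop["header"][:70])
    print(assess(SAMPLE))
    print(assess(SAMPLE_PGP))
```

The Received: trail is written by the receiving servers, so it can only show what each hop claimed; it is a review aid for incident reports and spot checks, not a substitute for enforcing TLS in the MTA configuration. The second sample shows the point the guidance makes about subject lines: the body is opaque, the subject is not.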
Development
Recent GDPR fine for missing data processing agreement
Summary
The State Commissioner for Data Protection and Freedom of Information of Hamburg stated, following an inquiry from "Kolibri Image", that drawing up a data processing agreement is also the responsibility of the controller, not only of the service provider acting as data processor. Companies that fail to put such a contract in place could face a fine of EUR 5,000, as proposed by the LfDI.
Impact date
20 January 2019
Links
No official statement available
Development
Scope of a press-right information claim concerning a convicted police officer
Summary
Following a request by journalists, the Administrative Court of Dresden obliged the competent authority to inform the press whether a previously convicted police officer is still in police service and to what extent he has been assigned official duties. This information claim of the press is limited to general information about the employment of that person and does not extend to specific information on the outcome of the (non-public) disciplinary proceedings or the precise deployment of this person within the police service. In essence, the Court ruled that the public interest in information protected by Article 5(1) of the German Constitution prevails over the private interests of the person concerned.
Impact date
23 January 2019
Links
Press statement
Development
Urgent motion against the test data transmission for the 2021 population census in Germany unsuccessful
Summary
Germany is obliged to submit statistical data for a planned population census to the European Commission for the reference year 2021.
The legal basis for this process is the German Census Preparation Act. This Act is intended to ensure the quality of the data that will be sent from the many competent authorities throughout Germany to the central registration office. It also allows (non-anonymised) data of all individuals that have been reported to the Federal Statistical Office to be loaded into the software for test purposes (by 13 January 2019).
The applicants claimed that this may violate their right to informational self-determination (informationelle Selbstbestimmung). Specifically, the transmission of non-anonymised data would allow conclusions about the core area of private life. They therefore sought a temporary suspension of the Act.
The Federal Constitutional Court rejected this urgent motion. Weighing the consequences, the Court found that the possible adverse effects for the data subjects do not outweigh the significant interference with the legislature's prerogative that a suspension would entail.
However, this decision only concerns the urgent motion at hand and does not prejudge the outcome of a potential later constitutional complaint.
Impact date
6 February 2019
Links
Decision
Development
Federal Cartel Office prohibits Facebook from combining user data from various sources
Summary
Among other things, Facebook asked its users for permission to collect and merge data from different sources (e.g. the internet, smartphones). This use of data has now been prohibited by the German Federal Cartel Office (FCO). The FCO is concerned about Facebook's market-dominant position in the field of social networks and considers that Facebook abused this strong market position for its data collection. The FCO also argued that the consents obtained were not voluntary, as users had no choice but to agree to the use of their data in order to access the services.
Impact date
7 February 2019
Links
Press statement (German)
Press statement (English)
Development
Information claim against Instagram for insults and fake accounts
Summary
The District Court of Frankfurt am Main ordered Instagram to disclose personal data relating to a fake Instagram account (e.g. IP address, date, time, e-mail address) to the applicant, a woman who was distressed over the use of her photograph by that account. Initially, Instagram had argued before the Court that the information claim was too far-reaching and that only the data needed to enforce a civil suit should be disclosed. The Court did not follow this argument and ruled that Instagram is a social network within the meaning of Art. 1(3) of the Network Enforcement Act of 2017. As a result, Instagram is obliged under German telecommunications law to provide the information in question.
Impact date
18 February 2019
Links
Decision
Development
Federal Court of Justice refers questions to the European Court of Justice regarding YouTube's obligation to provide information in case of copyright infringement by its users
Summary
When uploading videos to YouTube, users must register and provide their name, e-mail address and date of birth, and sometimes a phone number. In addition, users must agree to the storage of their IP addresses. Copyrighted films were uploaded to YouTube by three different users, and the owner of the exclusive rights to the films asked YouTube for information about these users. It is unclear how far the right holder's claim to information extends. The Federal Court of Justice has referred this question to the European Court of Justice.
Impact date
21 February 2019
Links
Press statement
Development
Website operator not held liable for alleged content management system (CMS) hack
Summary
A copyrighted image had been uploaded to a website. When the copyright owner asserted his rights out of court by way of a written warning, the affected company explained that none of its employees had uploaded the image; rather, an unknown third party had hacked the website, added a subpage and deposited numerous contents (over 39,000 files). The plaintiff regarded this as a mere protective assertion and requested an injunction. The District Court of Hamburg held that the website operator had not breached its due diligence obligations, because it could not be established that the CMS was already outdated at the time of the hack.
Impact date
22 February 2019
Links
No official statement available
Development
The use of a GPS positioning system for a company's own vehicle fleet violates the GDPR
Summary
A cleaning company equipped its own company vehicles with a GPS system, which stored all driven routes with start and finish points, including the time travelled and the status of the ignition, for a period of 150 days. It was not possible to simply switch the system on or off. In addition, the licence plates of the affected vehicles were recorded and assigned to the respective operational users. The company justified the use of the data for theft prevention and for field staff planning purposes, for example in case of illness. In addition, the company sought consent from employees. The Administrative Court found the prohibition order previously imposed by Lower Saxony's DPA lawful. The system was inappropriate and the consent ineffective in respect of theft prevention and the co-ordination of staff: the staff were only partially informed about the pursued purposes and the reference to the right of objection was missing.
Impact date
19 March 2019
Links
Decision
Development
Advocate General of the European Court of Justice: opt-in is necessary for effective consent on websites
Summary
In Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V., a German lottery provider used a pre-selected checkbox on its website that allowed it to use a web analytics service and to set cookies. The Federal Court of Justice, which must ultimately decide whether this constitutes an infringement, referred questions to the European Court of Justice (ECJ), including whether this was sufficient consent for the purposes of Article 4(11) GDPR. In his Opinion, the Advocate General confirmed that an "opt-in" is necessary for effective consent.
Impact date
21 March 2019
Links
Opinion (German)
Opinion (English)
Development
The DSGVO (GDPR) has no effect on orders issued prior to its entry into force
Summary
The Federal Administrative Court ruled that the GDPR does not apply to orders that were issued before it came into force. Decisions made before 25 May 2018 will not be retrospectively measured against the new EU legislation.
Impact date
27 March 2019
Links
Press statement
Hungary
Contributors
Ágnes Szent-Ivány Partner
T: +36 13 94 31 21 [email protected] eversheds-sutherland.hu
Katalin Varga Partner
T: +36 13 94 31 21 [email protected] eversheds-sutherland.hu
Ádám Takács Trainee
T: +36 13 94 31 21 [email protected] eversheds-sutherland.hu
Development
Bank fined for data accuracy failings
Summary
In Resolution of the NADP No. 2019/363/2, the Hungarian data protection authority (NADP) issued a resolution in a case in which a bank sent SMS messages to a wrong number and did not take appropriate measures to restrict the data processing. The bank was fined HUF 500,000 (approx. EUR 1,550).
The NADP highlighted the importance of the principle of accuracy laid down in Article 5 of the GDPR.
Impact date
8 February 2019
Links
NADP statement (Hungarian language only)
Development
Credit management company fined for transparency failings
Summary
In Resolution of the NADP No. 2019/1841, the NADP issued a resolution on the data processing practice of a credit management company. A fine of HUF 500,000 (approx. EUR 1,550) was imposed.
The company breached the principle of transparency stated in Article 5 when it refused to provide information about the processing to the data subject.
The data subject also asked for the erasure of his or her data stored by the company. The NADP pointed out that where a financial institution is legally required to make backups, that processing rests on a legal obligation under the GDPR, so the data in such backups need not be erased immediately on request. Where the backups are not legally mandated, the controller must demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims, as Article 21 provides.
Impact date
20 February 2019
Links
NADP statement (Hungarian language only)
Development
City council fined for revealing identity of whistleblower
Summary
In Resolution of the NADP No. 2019/596/3, a whistleblower had informed the City of Kecskemét about his or her employer, which was also an entity of the city council. As a result, the employer terminated the whistleblower's employment. In this resolution the NADP imposed a fine of HUF 1,000,000 (approx. EUR 3,100) on the City for revealing the personal data of an anonymous informant.
The NADP stated that revealing personal data in this case had no legal basis and constituted a data protection incident with grave consequences for the data subject.
Although the City reported the incident and informed the data subject, it failed to describe the consequences of the data breach.
Impact date
28 February 2019
Links
NADP statement (Hungarian language only)
Development
Loan provider fined for breaching data minimisation principle
Summary
In Resolution of the NADP No. 2019/2526/2, a loan providing company refused to erase the phone number of the data subject on the basis of its legitimate interest in enforcing its legal claims.
The NADP noted that:
the interest balancing test should be performed separately for each data processing purpose;
the business interests of the controller cannot automatically override the legitimate interests of the data subject;
prior to further processing, the controller shall provide the data subject with information on that other purpose; and
the company breached the data minimisation principle by retaining the phone number, while it had other ways of contacting the data subject, such as sending a letter.
A fine of HUF 1,000,000 (approx. EUR 3,100) was imposed as a result of the breaches.
Impact date
4 March 2019
Links
NADP statement (Hungarian language only)
Development
Ministry of Interior ordered to inform data subjects about data security breach
Summary
In Resolution of the NADP No. NAIH/2019/721, users of the Vehicle Service Platform operated by the Ministry of Interior (MoI) could access the personal data of previous owners of vehicles, contrary to the rules of the GDPR. The MoI was informed of the breach, yet it failed to communicate the personal data breach to the data subjects, thereby breaching Article 34 GDPR.
The NADP ordered the MoI to inform the data subjects of the breach and to erase the personal data unlawfully processed.
Impact date
19 March 2019
Links
NADP statement (Hungarian language only)
Development
Political party fined for data security breach
Summary
In Resolution of the NADP No. NAIH/2019/2668, the login credentials of website users of the party Demokratikus Koalíció were posted online. The data could be used to determine political orientation; the data breach therefore constituted a high risk.
The NADP imposed a fine of HUF 11,000,000 (approx. EUR 34,500) on the party for its failure to communicate the personal data breach to the data subjects, as laid down in Articles 33 and 34 GDPR.
Impact date
21 March 2019
Links
NADP statement (Hungarian language only)
Ireland
Contributors
Marie McGinley Partner
T: +35 31 64 41 45 7 [email protected] eversheds-sutherland.ie
Neasa Ní Ghráda Senior Associate
T: +35 31 66 44 25 8 [email protected] eversheds-sutherland.ie
Fiona Lipsett Trainee
T: +35 31 64 41 47 0 [email protected] eversheds-sutherland.ie
Kirsty Farrell Trainee
T: +35 31 66 44 94 1 [email protected] eversheds-sutherland.ie
Stephanie White Trainee
T: +35 31 66 44 92 0 [email protected] eversheds-sutherland.ie
Holly Traynor Legal Intern
T: +35 31 66 44 46 7 [email protected] eversheds-sutherland.ie
Development
Data Protection Commission (DPC) opens statutory inquiry into Twitter
Summary
On 25 January, the DPC announced that it had opened a new statutory inquiry into Twitter (in addition to an ongoing inquiry that commenced in November 2018) following a breach notification received from Twitter on 8 January 2019. The DPC commented that this inquiry will examine a discrete issue relating to Twitter's compliance with Article 33 of the GDPR (notification of a personal data breach to the supervisory authority).
Impact date
Ongoing
Links
Press statement
Development
DPC issues statement on proposed integration of Facebook, WhatsApp and Instagram
Summary
On 28 January, the DPC published a statement on its website regarding the proposed integration of the three platforms. The DPC noted that, while it understood this proposal was at a very early stage of development, it had requested an urgent briefing from Facebook Ireland on what was proposed, with a view to closely scrutinising the plans, particularly where they involve the sharing and merging of personal data between different Facebook companies.
The DPC commented that previous proposals to share data between Facebook companies have given rise to significant data protection concerns, and noted that it will be seeking 'early assurances' that all such concerns will be considered. The DPC emphasised that the integration can only occur in the EU if it is capable of meeting all of the requirements of the GDPR.
Impact date
Ongoing
Links
Press statement
Development
DPC calls for adults' and children's views on children's personal data and data protection rights
Summary
In December 2018, the DPC began the first stream of a public consultation process aimed at collecting the views of adult stakeholders on important data protection issues concerning children, by way of an online consultation document.
The second stream of the consultation launched on International Data Protection Day (28 January 2019) and aims to engage children and young people in the classroom by way of a lesson plan specifically designed by the DPC. The DPC has invited all schools to participate using the lesson plan, which will help teachers to deliver a lesson on personal data and data protection rights and to facilitate a discussion in which students can express their views on important issues.
The DPC intends to use the feedback from both streams to shape future guidance in this area.
Impact date
12 April 2019
Links
Press statement
Development
DPC publishes guidance on transfers of personal data from Ireland to the UK in the event of a 'No-Deal' Brexit
Summary
On 8 February 2019 the DPC published updated guidance to assist Irish organisations that transfer personal data to the UK (including Northern Ireland) in the event of a 'No-Deal' Brexit.
The DPC noted that in a no-deal scenario the UK will no longer be a member of the EU and will instead become a 'third country', which means that transfers of personal data from Ireland to the UK will be treated in the same way as transfers to countries such as Australia, India or Brazil. In practice, this means that in order to comply with the GDPR, an Irish company intending to transfer personal data to the UK will need to put specific safeguards in place to protect the data in the context of its transfer and subsequent processing, usually by way of Standard Contractual Clauses. Further information can be found on the DPC website.
Impact date
Ongoing
Links
Guidance
Development
DPC publishes first Annual Report since GDPR covering the period 25 May - 31 December 2018
Summary
The report was published on 28 February, detailing the work of the Irish DPA following the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018. Some highlights include:
a 56% increase in the total number of complaints compared to 2017;
a 70% increase in the total number of valid data security breaches recorded compared to 2017;
136 cross-border processing complaints received by the DPC through the new 'One-Stop-Shop' mechanism, lodged by individuals with other EU data protection authorities; and
almost 31,000 contacts received through the DPC's Information and Assessment Unit.
Further information can be found within the report or on the DPC website.
Impact date
28 February 2019
Links
Report
Development
Global Privacy Enforcement Network (GPEN) 2018 'Sweep'
Summary
The GPEN's annual intelligence gathering operation ('Sweep') examined organisations' self-reporting of their implementation of the core concepts of accountability. Participating GPEN members made contact with 356 organisations in 18 countries during the 'Sweep', and the results are highlighted within the report. In general, there were examples of good practice reported, but a number of organisations reported that they had no processes in place to deal with the complaints and queries raised by data subjects and were not equipped to handle data security incidents appropriately. In Ireland, the Sweep was conducted by contacting 30 randomly selected organisations across a range of sectors.
Further information can be found within the 2018 International Report.
Impact date
5 March 2019
Links
DPC comments
Report
Italy
Contributors
Massimo Maioletti Partner
T: +39 06 89 32 70 1 [email protected] eversheds-sutherland.it
Sebastian Vanegas Trainee
T: +39 06 89 32 70 56 [email protected] eversheds-sutherland.it
Andrea Zincone Partner
T: +39 02 89 28 71 [email protected] eversheds-sutherland.it
Edoardo Coia Trainee
T: +39 06 89 32 70 34 [email protected] eversheds-sutherland.it
Development
Public consultation on general authorizations
Summary
The Italian data protection authority (IDPA) issued a press statement announcing the start of a public consultation on the measure identifying which provisions of the General Authorizations for the processing of personal data in certain contexts are compatible with the GDPR and with Legislative Decree 101/2018, which reformed the Italian Data Protection Law.
Impact date
11 January 2019
Links
IDPA's Press statement (Italian language only)
Development
Publication of deontological rules
Summary
The IDPA announced the publication in the Italian Official Journal of deontological rules, to be annexed to Legislative Decree 196/2003 (Italian Privacy Code), in various contexts: deontological (ethical) rules for journalists; deontological rules for data processing for statistical and scientific research purposes (including in the context of the Italian national statistical system); deontological rules for data processing to carry out defensive investigations or to exercise or defend a right before the courts; and deontological rules for processing for archiving purposes in the public interest or for historical research purposes.
Impact date
16 January 2019
Links
IDPA's Press statement (Italian language only)
Development
Explanatory leaflet
Summary
The IDPA published a leaflet summarising the outcomes of the first months of application of the GDPR in Italy (25 May - 31 December 2018).
Impact date
30 January 2019
Links
IDPA's leaflet (Italian language only)
Development
IDPA's Newsletter No. 449 of 7 February 2019
Summary
The IDPA published its newsletter, mentioning the following: the IDPA answered questions from the Italian professional association of labour consultants regarding their privacy roles.
Impact date
7 February 2019
Links
IDPA's response (Italian language only)
Development
IDPA's explanatory page
Summary
The IDPA published an explanatory page, also referring to the EDPB's notes, regarding data transfers in the event of a "hard Brexit".
Impact date
18 February 2019
Links
IDPA's page (Italian language only)
Development
IDPA's Newsletter No. 451 of 25 March 2019
Summary
The IDPA published its newsletter, mentioning the following:
the IDPA issued a general measure regarding data protection in the healthcare sector, given the changes (some of which are still in progress) resulting from the GDPR and from the amendment of the Italian Data Protection Law, in order to favour a standardised interpretation and application. The measure is complemented by an explanatory leaflet;
the IDPA issued its investigation plan for the first half of 2019. The IDPA declared that its investigations will focus in particular on data processing carried out by certain categories of public and private entities, including banks, companies carrying out marketing activities and companies profiling data subjects who adhere to loyalty card programmes. The IDPA's controls will also cover the conditions of lawfulness of the processing, the provision of appropriate information notices and data retention periods. In these investigations, the IDPA may also avail itself of the dedicated Privacy Unit of the Italian Tax Police. This is without prejudice to further investigations and controls that the IDPA may carry out, including as a consequence of reports and complaints, or under Art. 62 GDPR;
in the context of the Council of Europe and of Convention 108/1981 on data protection, the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data issued Guidelines on Artificial Intelligence and Data Protection, setting out some relevant principles. The IDPA prepared an Italian version of these guidelines.
Impact date
25 March 2019
Links
IDPA's measure (Italian language only)
IDPA's leaflet
IDPA's decision (Italian language only)
Guidelines on AI and data protection
Guidelines on AI and data protection (Italian version)
Lithuania

Contributors
Rimtis Puisys, Partner
T: +370 5 239 2373 [email protected] eversheds.lt
Linas Mockevicius, Associate
T: +370 5 239 2391 [email protected] eversheds.lt

Development: Lithuanian State Data Protection Inspectorate recommendations regarding data transfers in the event of a no-deal Brexit
The Lithuanian State Data Protection Inspectorate recommends that data controllers and processors transferring data to, or receiving data from, the UK take preparatory steps for a no-deal Brexit scenario.
The Inspectorate points out that in the event of a no-deal Brexit the UK will be treated as a third country for the purposes of data transfers. Organisations will therefore be obliged to comply with the GDPR's requirements governing transfers of personal data outside the EEA, including the implementation of appropriate safeguards such as Standard Contractual Clauses.
Impact date: No-deal Brexit
Links: Press statement

Development: Lithuanian State Data Protection Inspectorate plan for preventive audits for 2019
On 4 February 2019 the Lithuanian State Data Protection Inspectorate adopted its plan of preventive audits for 2019. The plan provides for 75 planned audits.
Most of the audits will be carried out in the following types of organisation:
sports clubs: the lawfulness of processing biometric data;
sport and tourism goods and services companies: the application of the data minimisation principle when processing personal data for the conclusion and performance of rental agreements, and the provision of information to data subjects about the processing of their personal data;
hotels: the application of the data minimisation principle when processing guests' personal data;
public authorities: the agreements concluded with data processors; and
consumer credit entities: the security of data processed for the conclusion and performance of consumer credit agreements.
These controllers were chosen for audit because of the new requirements for the processing of biometric data established by the GDPR, complaints received from data subjects, and the results of public opinion polls on data processing conducted in Lithuania.
The companies named in the audit plan are recommended to prepare for the audits. Note that other companies may be audited as well, even if they are not mentioned in the plan.
Impact date: 4 February 2019
Links: Press statement

Development: List of data processing operations subject to DPIA
The Lithuanian State Data Protection Inspectorate approved the list of data processing operations that are subject to a data protection impact assessment (DPIA).
Some of the most relevant cases in the list are the following:
video surveillance conducted together with sound recording, or video surveillance at healthcare, social care and detention establishments and other institutions providing services to vulnerable data subjects, and in certain other cases;
recording of telephone conversations;
processing of children's personal data for direct marketing purposes, or evaluation of personal aspects of children based on automated processing, including profiling; and/or
processing of employees' personal data for the purpose of monitoring or controlling employees: processing of video and/or audio data in the workplace and/or on the controller's premises or territory where its employees work, and processing of personal data relating to the monitoring of employees' communications, behaviour, location or movements.
The approved list is without prejudice to the cases in which the GDPR itself requires a DPIA to be performed.
Impact date: 15 March 2019
Links: Press statement
Poland

Contributors
Marta Gadomska-Golb, Partner
T: +48 22 50 50 732 [email protected] eversheds-sutherland.pl
Aleksandra Kunkiel-Kryska, Partner
T: +48 22 50 50 775 [email protected] eversheds-sutherland.pl
Agnieszka Sagan-Jeowska, Senior Associate
T: +48 22 50 50 730 [email protected] eversheds-sutherland.pl

Development: Standard contractual clauses for data processing
The Polish data protection authority (PUODO) intends to adopt standard contractual clauses for the matters referred to in Article 28(3)-(4) GDPR, pursuant to Article 28(7) GDPR. The clauses will address, among other things: how to document the controller's processing instructions; how to verify that the persons authorised to process the data are bound by confidentiality obligations; how precisely the security measures must be specified in the data processing agreement; how to comply with the obligation to make available the information necessary to demonstrate compliance with Articles 32-36 GDPR; and how to ensure that processing carried out by a further (sub-)processor complies with the data processing agreement concluded with the controller.
Impact date: 14 January 2019
Links: Press statement

Development: Sector audits of the PUODO
PUODO published its yearly plan of sectoral audits. The plan covers the following sectors:
Private sector: telemarketing; data brokers (the legal basis for processing personal data); profiling in banking and insurance.
Education: CCTV usage.
Employment: CCTV usage; data processing in connection with recruitment.
Healthcare: disclosure of personal data in connection with the patient's right to obtain a copy of their medical records.
Impact date: 24 January 2019
Links: Press statement

Development: First fine in Poland for GDPR non-compliance
PUODO imposed its first fine under the GDPR for failure to fulfil the information obligation under Article 14 GDPR.
The controller was a data broker collecting business data and disclosing it to its customers. PUODO's investigation focused on the processing of business-to-business (B2B) data obtained by the controller from public sources only, in particular the public registers of entrepreneurs and companies. The relevant personal data comprised information on sole traders and on board members of companies. The controller met its GDPR information obligations by email for the individuals whose email addresses were held in its database. For the remaining individuals, the controller published certain information on its website and decided not to send letters by post. During the proceedings the controller relied on the exemption in Article 14(5)(b) GDPR, arguing that sending about 6.6 million letters to sole traders (the number of records without an email address in the controller's B2B database) would involve a disproportionate effort and would cost an estimated PLN 33 million (approx. EUR 7.7 million), having regard to the type of data subjects (professionals). PUODO did not accept the controller's interpretation. According to PUODO's decision, the controller should have fulfilled the information obligation towards those data subjects, that is, it should have informed them that it was processing their personal data and provided the outstanding information required by Article 14(1)-(3) GDPR. The controller plans to contest the decision in the courts.
The controller is the local entity of a European data broker with companies in 16 European countries, and is a business partner of one of the largest American corporate data brokers.
The fine totalled PLN 943,000 (approx. EUR 220,000), which is around 4% of the controller's annual turnover.
PUODO's decision is controversial in many respects, particularly in light of a previous decision concerning the processing of company board members' personal data by another data broker. In that previous decision PUODO stated that where the controller does not process the private postal addresses of the board members, it is not obliged to fulfil the information obligation. The fact that the controller processed the corporate postal addresses of the board member data subjects, which could have been used to meet the information obligation, was not taken into consideration.
Impact date: 26 March 2019
Links: Press statement
Romania

Contributors
Mihai Guia, Managing Partner
T: +40 21 311 2561 [email protected] eversheds.ro
Alexandra Sulea, Senior Associate
T: +40 21 311 2561 [email protected] eversheds.ro
Irina Vascan, Junior Associate
T: +40 21 311 2561 [email protected] eversheds.ro

Development: Law no. 363/2018 on the processing of personal data by the competent authorities for crime prevention, investigation, detection and prosecution
This new law has entered into force in Romania. It transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (the Law Enforcement Directive).
Impact date: 7 January 2019
Links: Official register (Romania)

Development: Law no. 362/2018 on ensuring a common high level of security of networks and information systems
This new law transposes Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the EU (the NIS Directive) and has been published in Romania's Official Gazette.
The public authority in charge of implementing the law is CERT-RO, the Romanian National Computer Security Incident Response Team.
The law establishes notification obligations for security incidents: mandatory for operators of essential services and voluntary for other operators. In addition, operators of essential services are required to register in the Registry of Essential Services maintained by the public authority.
Impact date: 12 January 2019
Links: CERT-RO press statement
Switzerland

Contributors
Michel Verde, Senior Associate
T: +41 44 20 49 28 6 [email protected] eversheds-sutherland.ch

Development: Schengen Data Protection Act
The Schengen Data Protection Act (SDPA) is intended as a transitional law (until the full revision of Swiss data protection law is finalised) to bring Swiss law into line with European legislation. It gives the Federal Data Protection and Information Commissioner (FDPIC) investigative powers and the authority to issue rulings within the framework of the application of the Schengen acquis in criminal matters.
The SDPA applies in particular to the processing of personal data by federal bodies in criminal matters. It does not apply to cantonal authorities.
The SDPA introduces the following concepts and points to note:
sensitive personal data includes genetic data and biometric data that uniquely identify a person;
the term "profiling" replaces the term "personality profile";
data protection through technology and data protection-friendly default settings (privacy by design and by default);
rules on automated individual decisions;
under certain circumstances, federal bodies must conduct data protection impact assessments and, in certain cases, consult the FDPIC;
federal bodies must report to the FDPIC data breaches that are likely to pose a high risk to the fundamental rights of the persons concerned; and
the FDPIC may open investigations and issue rulings as an administrative measure.
It is expected that the above provisions will be carried over into the revised Federal Act on Data Protection.
Impact date: 1 March 2019
Links: Schengen Data Protection Act text (German)
United Kingdom

Contributors
Paula Barrett, Co-Lead of Global Cybersecurity and Data Privacy
T: +44 20 7919 4634 [email protected] eversheds-sutherland.com
Lizzie Charlton, Data Privacy Professional Support Lawyer
T: +44 20 7919 0826 [email protected] eversheds-sutherland.com

Development: UK data protection legal regime post-Brexit
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419 (DPPECRs), and the associated statutory instrument which amends them, use powers conferred by the European Union (Withdrawal) Act 2018 (Withdrawal Act) to merge the EU GDPR and the "applied GDPR" regimes currently set out in the Data Protection Act 2018 (DPA 2018), creating a single data protection regime in the UK after exit day: the "UK GDPR".
The DPPECRs mirror the extra-territorial scope of the EU GDPR, so that non-UK controllers or processors processing the personal data of UK residents will be covered by the UK GDPR in certain circumstances. The DPPECRs also, among other things, confer powers on the Secretary of State to make adequacy regulations, to issue Standard Contractual Clauses and to authorise Binding Corporate Rules.
You can find out more about the impact of Brexit on data protection issues in our briefing.
DCMS guidance
The Department for Digital, Culture, Media & Sport (DCMS) has published guidance to help stakeholders prepare for a no-deal Brexit. The guidance explains the amendments which the DPPECRs will make to UK data protection law upon the UK's departure from the EU. The DPPECRs were originally laid before Parliament in December 2018, were subsequently changed and were laid again on 14 January 2019 to correct minor typographical errors. They amend UK data protection legislation with the aim of ensuring that the UK legal framework for data protection continues to function correctly after exit day.
Keeling schedules
DCMS has helpfully published two "Keeling schedules" which show, in tracked changes, how the DPPECRs will amend the GDPR and the DPA 2018 post-Brexit.
DPPECRs amendments
The draft Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) (No 2) Regulations 2019 (DPPECRs No 2) amend the draft DPPECRs to ensure that UK-to-US data transfers reliant on the Privacy Shield framework are not impeded should the UK leave the EU without a Withdrawal Agreement (no-deal scenario). They provide that such transfers may only take place if the certified Privacy Shield organisation has updated its privacy policy to refer to personal data transfers from the UK, as already confirmed by the US Department of Commerce in its Privacy Shield and Brexit FAQs (as reported in January's bulletin).
European Data Protection Board (EDPB)
The EDPB has published new guidance on: (1) Binding Corporate Rules (BCRs) if the UK leaves the EU without a deal in place and the ICO no longer has a role in the BCR community; and (2) data transfers under the GDPR.
Impact date: Exit day (UK leaves the EU)
Links: Eversheds Sutherland briefing; Withdrawal Act; DPPECRs; DPPECRs (No 2); DCMS guidance and Keeling schedules; DPPECRs amendments and Explanatory memorandum; Privacy Shield Brexit FAQs; EDPB guidance on BCRs; EDPB guidance on data transfers

Development: Privacy Shield and Brexit FAQs
The US Department of Commerce has published FAQs on Privacy Shield and Brexit explaining the steps certified participants must take in order to receive personal data from the UK post-Brexit. To receive personal data from the UK in reliance on the Privacy Shield, participants must complete the following steps before: (i) the end of the transition period (31 December 2020), if the Withdrawal Agreement is approved; or (ii) 29 March 2019, in the event of a no-deal exit. The steps are:
i. update your public commitment to comply with the Privacy Shield to include the UK (note: if you plan to receive Human Resources (HR) data from the UK in reliance on the Privacy Shield, you must also update your HR privacy policy); and
ii. maintain your Privacy Shield certification by recertifying annually.
Impact date: Exit day (UK leaves the EU)
Links: FAQs statement

Development: Government report on disinformation and fake news
As reported in the Competition section above, the DCMS Commons Select Committee published its final report on disinformation and fake news. The report finds that electoral law is "not fit for purpose" and calls for:
a compulsory Code of Ethics for tech companies, overseen by an independent regulator;
a regulator with powers to launch legal action against companies breaching the code;
the Government to reform current electoral communications laws and the rules on overseas involvement in UK elections; and
social media companies to be obliged to take down known sources of harmful content, including proven sources of disinformation.
Impact date: 18 February 2019
Links: DCMS report

Development: Code of conduct for data-driven health and care technology
The Government and NHS England have developed a Code of conduct for data-driven health and care technology which sets out the behaviours expected of those developing, deploying and using data-driven technologies, to ensure they abide by the ethical principles for data initiatives developed by the Nuffield Council on Bioethics. One of the code's principles requires organisations to "explain algorithms to those taking actions based on their outputs" and to "undertake ethical examination of data use specific to this use-case".
Impact date: 19 February 2019
Links: Code of conduct

Development: Information Commissioner's Office (ICO) news: February 2019
The ICO has been working on a number of initiatives, including:
The ICO and the Financial Conduct Authority (FCA) have signed a memorandum of understanding establishing a framework for cooperation, coordination and information sharing.
The ICO is focusing on the world of ad-tech, programmatic advertising and real-time bidding (in line with its Tech Strategy); both online tracking and artificial intelligence are priority areas. It has identified three main areas of interest: transparency, lawful basis for processing and security.
Criminal prosecution/fine for ignoring a DSAR: the ICO has reminded organisations that they could face criminal prosecution if they fail to respect people's right to access their personal information, reporting that a housing developer was fined £300 by Westminster Magistrates' Court for ignoring a data subject access request (DSAR) (under the DPA 1998 regime).
ICO blog on non-payment of data protection fees: the blog post explains why small businesses need to pay the data protection fee.
Regulatory sandbox: the ICO has published a discussion paper on its sandbox initiative. The purposes of the sandbox are: (1) to support the use of personal data in innovative products and services that can be shown to be in the public interest; (2) to help develop a shared understanding of what compliance looks like in particular innovative areas; and (3) to support the UK in its ambition to be an innovative economy.
Council officer fined for disclosing recruitment data: a senior council officer was prosecuted for disclosing the personal information of rival job applicants (including CVs) to his partner.
Impact date: February 2019
Links: ICO and FCA memorandum of understanding; Ad-tech commentary; DSAR prosecution news; Data protection fee blog post; Regulatory sandbox discussion paper; Press statement relating to fined council officer

Development: Phone-paid Services Authority consultation on retention of data
The Phone-paid Services Authority (PSA) has launched a consultation on draft guidance intended to clarify the PSA's expectations regarding the retention period for certain types of relevant data. The proposed guidance is intended to support the PSA's access to such data in the event of an investigation into a service provider. The closing date for responses is 3 April 2019.
Impact date: 3 April 2019 (consultation closes)
Links: Consultation

Development: Investigatory powers updates
New regulations
On 4 February 2019 the Investigatory Powers Act 2016 (Commencement No. 11) Regulations 2019 (SI 2019/174) were made. These Regulations bring into force certain outstanding sections of the Investigatory Powers Act 2016 (IPA 2016), including section 11 (offence of unlawfully obtaining communications data) and Part 3 (sections 61-86) (authorisations for obtaining communications data).
Impact date: 5 February 2019
IPCO 2017 annual report
The Investigatory Powers Commissioner's Office (IPCO) has published its first annual report, covering the use of investigatory powers during 2017. The report is a comprehensive account of the oversight work carried out by IPCO and its predecessor organisations (the Office of Surveillance Commissioners, the Interception of Communications Commissioner's Office and the Intelligence Services Commissioner).
Impact date: 31 January 2019
Links: Investigatory Powers Act 2016 (Commencement No. 11) Regulations 2019 (SI 2019/174); Explanatory note; IPCO annual report; Press statement
Development: No-deal Brexit: SIs published this month
The Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 amend legislation relating to the notification of personal data breaches by providers of electronic communications services (including Directive 2002/58/EC and Commission Regulation (EU) 611/2013), and revoke direct EU legislation which is redundant or otherwise inappropriate to retain on the UK's statute book after exit from the EU.
Impact date: Exit day (UK leaves the EU)
Links: Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019

Development: New guidance for local authorities on the flow of personal data from the UK to the EEA
The Government has published new guidance for local authorities on the flow of personal data from the UK to the EEA. The guidance collates stakeholder and sector guidance on Brexit, focusing on preparation for a no-deal scenario.
Impact date: Exit day (UK leaves the EU)
Links: Guidance

Development: National Data Guardian empowered to publish guidance on the processing of health and social care data
The Health and Social Care (National Data Guardian) Act 2018 (Commencement) Regulations 2019 were made on 14 March 2019 and bring the Health and Social Care (National Data Guardian) Act 2018 (HSCNDGA 2018) into force on 1 April 2019. The HSCNDGA 2018 empowers the National Data Guardian for Health and Social Care (Data Guardian) to publish guidance about the processing of health and adult social care data in England.
Impact date: 1 April 2019
Links: Regulations

Development: ICO adtech developments
The Information Commissioner's Office (ICO) commissioned research, published in partnership with Ofcom, on consumers' attitudes towards and awareness of the use of personal data in online advertising. According to Ofcom: "Advertising technology known as "adtech" refers to the different types of analytics and digital tools used to direct online advertising to individual people and audiences. It relies on collecting information about how individuals use the internet, such as search and browsing histories, and personal information, such as gender and year of birth, to decide which specific adverts are presented to a particular person. Websites also use adtech to sell advertising space in real-time." The research finds that 54% of participants would rather see relevant online adverts. But while 63% of people initially thought it acceptable for websites to display adverts in return for the website being free to access, this fell to 36% once it was explained how personal data might be used to target adverts.
The ICO also published a summary report of its Adtech Fact Finding Forum held on 6 March.
Impact date: March 2019 and ongoing
Links: ICO and Ofcom report; Adtech Fact Finding Forum summary report
Development: ICO calls for participants in the development of its auditing framework for AI
Simon McDougall (the ICO's Executive Director for Technology Policy and Innovation) announced that the ICO will be developing a framework for auditing the use of personal data in artificial intelligence (AI) and invited organisations to participate in the development process. In addition to its audit function, the framework will provide guidance to help organisations develop and apply AI in compliance with data protection law, including information on assessing and managing the data protection risks of AI applications. The ICO expects to publish a formal consultation paper on the subject by January 2020, and the final AI auditing framework and associated guidance by spring 2020.
Impact date: Ongoing
Links: Blog post

Development: Court of Appeal holds that Government's collection and storage of data from an individual's public statements did not infringe privacy
In R (Butt) v Secretary of State for the Home Department [2019] EWCA Civ 256, the court agreed that the Government's collection and storage of data from an individual's public statements did not infringe his privacy and did not constitute unauthorised covert directed surveillance under the Regulation of Investigatory Powers Act 2000.
Impact date: 8 March 2019
Links: Judgment

Development: ICO conducts raids on businesses suspected of making nuisance calls
The ICO searched two addresses as part of an investigation into businesses suspected of making live and automated nuisance calls. Following a year-long investigation, two teams of ICO enforcement officers executed search warrants at offices in Brighton and Birmingham. The businesses are suspected of making millions of calls to UK landline and mobile numbers, and the ICO has received nearly 600 complaints about them. The calls mainly concerned road traffic accidents, personal injury claims and insurance for household goods. People who received the calls were unable to identify who the calls were from or to opt out of them.
Impact date: 12 March 2019
Links: Press statement

Development: Two Birmingham workers fined for data protection breaches
Two workers in Birmingham were prosecuted for breaching the Data Protection Act 1998 by unlawfully obtaining personal data: in one case by accessing personal data without a business need to do so, and in the other by forwarding work emails containing customer and staff personal data to a personal email account.
Impact date: 18 March 2019
Links: Press statement

Development: FCA publication provides insights on cyber resilience good practice
The FCA has published a document bringing together industry insights on cyber resilience. Part of the FCA's role is to help firms become more resilient to cyber-attacks, reducing the risk and frequency of disruption. The FCA says the publication may be particularly relevant for small and medium-sized firms, but encourages all firms to consider whether the insights may be useful to them.
Impact date: 8 March 2019
Links: Report
Development: Government "Cyber Governance Health Check" report
The Government's 2018 "Cyber Governance Health Check" report examines the approach of the UK's FTSE 350 companies to cybersecurity and finds that the boards of many of those companies still have not grasped the severity of the impact a cyber-attack can have on their business.
Impact date: March 2019
Links: Report

Development: Public authorities' compliance with consultation requirements under the GDPR
DCMS has released guidance to help public authorities comply with Article 36(4) GDPR (the requirement for public authorities in the UK to consult the ICO on any proposals for legislative or statutory measures they are developing which involve the processing of personal data).
Impact date: 26 February 2019
Links: Guidance

Development: Investigation into bias in the use of algorithms in criminal justice
The Centre for Data Ethics and Innovation will be partnering with the Cabinet Office's Race Disparity Unit to explore the potential for bias in the use of algorithms in crime and justice, financial services, recruitment and local government.
Impact date: Ongoing
Links: Press statement

Development: New artificial intelligence advisory committee
Lord Burnett of Maldon, the current Lord Chief Justice, has set up a new AI advisory committee to provide the senior judiciary with guidance on: (i) the likely impact of developments in AI on the judiciary and the court system; (ii) ways of ensuring that judges are sufficiently trained on AI and its impact; and (iii) the most pressing legal, ethical, policy, cultural and economic effects of AI.
Impact date: Ongoing
Links: Press statement
China

Contributors
Jack Cai, Partner
T: +86 21 61 37 1007 [email protected] eversheds-sutherland.com
Jerry Wang, Associate
T: +86 21 61 37 1003 [email protected] eversheds-sutherland.com
Sam Chen, Senior Associate
T: +86 21 61 37 1004 [email protected] eversheds-sutherland.com

Development: Provisions on the Administration of Blockchain Information Services (Blockchain Provisions)
The Blockchain Provisions aim to regulate blockchain information service activities within the PRC. They define blockchain information services as "information services provided to the public in such forms as Internet websites and application programs based on blockchain technologies or systems" and identify blockchain information service providers as the entities or nodes that provide blockchain information services to the public, together with the institutions or organisations that provide technical support to them.
The Blockchain Provisions also specify the requirements that blockchain information service providers must satisfy in order to provide services to users, such as verifying users' identities, and require new services, functions and products to be submitted to the relevant cyberspace administration for security assessment.
Impact date: 15 February 2019
Links: Link (Chinese)

Development: Information Security Technology - Personal Information Security Specification (Draft) (Draft Specification)
The Draft Specification updates the previous Personal Information Security Specification, which took effect on 1 May 2018, and further restricts certain areas of personal data collection. This includes prohibiting the bundling of consent for personal data collection and establishing rules for the collection of personal data by third parties.
The Draft Specification also specifically identifies and tackles situations in which an element of coercion is used, for example by prohibiting parties collecting personal data from lowering service quality or restricting functionality if an individual refuses to consent to the collection.
Impact date: 1 February 2019 (published)
Links: Link (Chinese)

Development: Rules on the Administration of Mobile Internet Application (App) Security Verification Implementation (App Rules)
The App Rules provide for the assessment and verification of the personal data collection features and functions of mobile internet applications in the People's Republic of China, setting out the following procedure for certification and post-certification supervision: (i) technical verification by a recognised testing institution; (ii) on-site verification by the certification authority; and (iii) continuing post-certification supervision by the certification authority (either routine supervision or a targeted review when personal data breaches arise).
The App Rules also specify the circumstances in which app developers are disqualified from applying for certification, such as non-compliance with applicable laws and regulations, or where major personal data security breaches have occurred within the past twelve months.
Impact date: 15 March 2019
Links: Link (Chinese)
Updata Edition 3 January to March 2019 | Updates by territory
47
Mauritius
Contributors
Nitish Hurnaum, Partner
T: +230 211 0550 [email protected] eversheds-sutherland.mu
Jessimee Mootoosamy, Associate
T: +230 211 0550 [email protected] eversheds-sutherland.mu

Development: Government highlights the need to improve law enforcement and the judiciary in the investigation and prosecution of cybercrime
Summary: A three-day workshop on Cybersecurity Capacity Assessment and Cybersecurity Capacity Maturity Model for Nations was organised by the Mauritian Ministry of Technology, Communication and Innovation in collaboration with the World Bank and the University of Oxford.
The aim of the workshop was to increase the scale and effectiveness of cybersecurity capacity-building by gaining a more comprehensive understanding and review of the current national cybersecurity capacity landscape.
The Government of Mauritius highlighted that this understanding and review is important in view of the considerable changes in the cybersecurity landscape of Mauritius. Improving law enforcement and the judiciary in the investigation and prosecution of cybercrime, and enhancing safety and security in cyberspace, while also respecting core human rights values and interests such as privacy and freedom of expression, are measures which the Mauritian Government intends to adopt.
Impact date: 13-15 February 2019
Links: Cybersecurity Capacity Maturity Model Workshop

Development: Mauritius becomes the first jurisdiction to offer a regulatory framework for the custody of Digital Assets as from 1 March 2019
Summary: Following consultations and discussions with the Organisation for Economic Cooperation and Development on the governance and regulation of digital financial assets, the Mauritius Financial Services Commission (FSC) has implemented rules for the grant of Custodian Services (Digital Asset) Licences, effective as of 1 March 2019.
Through the implementation of this regulatory framework, Mauritius positions itself as the first jurisdiction globally to offer a regulated landscape for the custody of digital assets.
These rules shall apply to any person carrying out custodian services for digital assets and whose objects shall be limited to the safe-keeping of the digital assets and operations arising directly from them.
After local recognition of Digital Assets as an asset class for investment by Sophisticated and Expert Investors in September 2018, these new rules bring the Mauritius International Financial Centre a step closer to its objective of becoming the FinTech hub in and for Africa.
Impact date: 1 March 2019
Links: Financial Services (Custodian Services (Digital Asset)) Rules 2019

Development: Government wishes to apply AI and Blockchain technologies for a more effective public service delivery
Summary: During the 5th Edition of the Annual (State Informatics Ltd) e-Gov conference, aimed at sharing new technological trends that affect governments around the world with regard to artificial intelligence and blockchain, the Government of Mauritius emphasised its continuous efforts to promote innovation and new technologies as essential tools for effective public service delivery.
Among the intended initiatives of the Government of Mauritius is the digital transformation of the procedures at the National Transport Authority (NTA) for the registration of vehicles, using blockchain technology. Historically criticised for its cumbersome procedures, the NTA may well become the first public service organisation in Mauritius to adopt such technology.
Impact date: 28 March 2019
Links: 5th Annual (SIL) eGov Conference on AI and Blockchain
United States
Contributors
Michael Bahar, Partner
T: +1 202.383.0882 [email protected] eversheds-sutherland.com
Ali Jessani, Associate
T: +1 202.383.0950 [email protected] eversheds-sutherland.com

Development: NFA Amends Interpretive Notice Regarding Cybersecurity Information Systems Security Program
Summary: On 7 January, the National Futures Association (NFA) amended its interpretive notice regarding cybersecurity. The amendments, set to go into effect on 1 April 2019, will update the current Information Systems Security Program (ISSP) requirements that NFA members have to comply with in three important ways. First, the amendments require members to provide cybersecurity training to employees at least annually, and more frequently if warranted, in addition to training upon hiring as is currently required. Second, the amendment clarifies the appropriate officers that may approve the ISSPs. Finally, and perhaps most importantly, the amendment to the interpretive notice requires members to notify the NFA of a security incident in certain circumstances. The rule does not yet specify how long companies will have to make the notification.
Impact date: 1 April 2019
Links: NFA Amendment Legal Alert

Development: Massachusetts Updates Data Breach Notification Law
Summary: On 10 January, Massachusetts Governor Charlie Baker signed a bill amending the state's data breach notification requirement. Set to go into effect on 11 April 2019, the amendments will require:
1) Companies that suffer data breaches involving social security numbers to provide credit monitoring services for 18 months to affected consumers free of charge; this requirement is 42 months if the company that suffered the breach is a credit monitoring agency;
2) Post-breach notice sent to the Massachusetts Attorney General and the state's Office of Consumer Affairs and Business Regulation (OCABR) to include whether the company has a written information security program in place and the type of information compromised; and
3) Corporations providing post-breach notification to consumers to identify any parent or affiliated corporations.
These amendments will make Massachusetts' data breach notification laws one of the more onerous in the country.
Impact date: 11 April 2019
Links: H. 4806
Development: Illinois Supreme Court Finds that Plaintiffs Need Not Show Actual Harm under BIPA
Summary: In a unanimous decision on 25 January 2019, the Illinois Supreme Court found that a plaintiff need not show actual harm to seek relief under the state's Biometric Information Privacy Act (BIPA). Instead, the court held that a procedural harm is sufficient to bring a claim under the law. This will likely open the floodgates in terms of the lawsuits brought under BIPA.
Impact date: 25 January 2019
Links: Rosenbach v. Six Flags Entertainment Corp. Legal Alert

Development: US District Court Dismisses Vast Majority of Claims against CareFirst
Summary: On 30 January, DC District Court Judge Christopher R. Cooper, in Attias v Carefirst, Inc., agreed with Eversheds Sutherland attorneys Matt Gatewood and Robert Owen when he dismissed the vast majority of claims against the health insurer. Judge Cooper held that while plaintiffs' "alleged injuries may be enough to establish standing at the pleading stage of the case, they are largely insufficient to satisfy the 'actual damages' element of nine of their state-law causes of action." He concluded that the Complaint's allegations of future risk of identity theft, loss of the benefit of the bargain, prophylactic purchase of credit monitoring, and emotional distress were not enough to clear the requirement that actual damages be stated.
Impact date: 29 January 2019
Links: Attias v. Carefirst, Inc.

Development: Deadline Passes in California Assembly to Introduce Bills Amending CCPA
Summary: 22 February marked the last day that new bills could be introduced in the California Assembly. A number of proposals were introduced on or before this date to amend the impending California Consumer Privacy Act (CCPA). Most notable is SB-561, which would expand the private right of action under the CCPA to all violations of consumer rights. Currently, the law only allows a private right of action if a consumer's personal information is subject to a data breach as a result of a business failing to maintain reasonable security procedures. The CCPA is still set to go into effect on 1 January 2020.
Impact date: 1 January 2020
Links: SB-561

Development: FTC Issues Largest Fine Ever Under COPPA
Summary: On 27 February, the Federal Trade Commission announced a settlement with video social networking app TikTok, in which the company agreed to pay $5.7 million for violating the Children's Online Privacy Protection Act (COPPA), the largest fine issued under the law to date. According to the FTC, the company was aware that children under 13 were using the app but failed to obtain parental consent prior to collecting the children's names, email addresses, and phone numbers, among other information. The FTC also alleged the company failed to inform parents of its information collection practices and to delete children's collected personal information upon request by their parents. Along with the penalty, the FTC's settlement requires the company's information collection practices to be in compliance with COPPA going forward.
Impact date: 27 February 2019
Links: FTC Press statement
Development: NYDFS Third-Party Service Provider Requirement Goes Into Effect
Summary: As of 1 March 2019, the New York State Department of Financial Services' (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, requires financial services institutions regulated by NYDFS to implement policies and procedures to address the cybersecurity risks posed by third-party service providers to the institutions' nonpublic information (NPI). To manage the risks and potential liability that come with this "first of its kind" cyber regulation, covered entities must implement an ongoing program that in most cases will reflect a sea change from their prior practices. In particular, the required oversight and management of third-party service providers, or TPSPs, will expand well beyond traditional vendor management functions and deep into contracting, diligence and stakeholder review.
Impact date: 1 March 2019
Links: 23 NYCRR 500 Article on Legal Tech News

Development: FTC Proposes Amendments to Safeguards and Privacy Rule under Gramm-Leach-Bliley Act
Summary: On 5 March 2019, the FTC announced that it was seeking comments regarding proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act (GLBA). Among other changes, the FTC is proposing more detailed requirements for what companies need to include in the information security plan required under the Safeguards Rule. The proposed rule would alter existing requirements of an information security program and add several new elements. For example, the current rule requires covered entities to designate "an employee or employees to coordinate [their] information security program." The amended rule would require the designation of a single qualified individual (the Chief Information Security Officer) responsible for overseeing the information security program. The amended rule would further require financial institutions to restrict access to physical locations containing customer information to authorized individuals only.
The rule would also expand the definition of "financial institution" under both the Safeguards Rule and the Privacy Rule to include those individuals who charge a fee to connect consumers who are looking for a loan with a lender.
The rule otherwise rejects calls to add more specificity to what companies need to do to safeguard non-public personal information. Instead, it states that security is not a "check the box" exercise, especially in light of changing technology and changing threats.
Comments must be made within 60 days of the rule's publication in the Federal Register.
Impact date: 5 March 2019
Links: FTC Press statement
Development: Washington State Senate Passes its Version of the GDPR
Summary: On 6 March 2019, Washington state's senate passed a comprehensive data privacy bill that more closely mirrors the GDPR than does California's 2018 Consumer Privacy Act, but contains many of the same obligations on companies. Among other things, it would create enhanced transparency requirements and would allow consumers to access what data companies collect and correct inaccurate data, and would oblige companies to delete consumer data under certain conditions. The bill also requires companies using facial recognition technology for profiling to employ meaningful human review prior to making final decisions based on such profiling where such final decisions produce legal effects, and to obtain consumer consent prior to deploying facial recognition services in physical premises open to the public. The bill still needs to be reconciled with the Washington State House's version, and then signed by the Washington Governor, before it can become law. Recent developments indicate that it will not pass into law in 2019, but that could still change.
Impact date: 6 March 2019
Links: SB 5376
Russia
Contributors
Ivan Kaisarov, Associate
T: +7 812 363 3377 [email protected] eversheds-sutherland.ru
Ekaterina Mironova, Senior Associate
T: +7 495 662 6434 [email protected] eversheds-sutherland.ru
Victoria Goldman, Managing Partner
T: +7 812 363 3377 [email protected] eversheds-sutherland.ru

Development: Inspections of personal data operators
Summary: The Russian government has approved new rules (which came into force on 23 February 2019 and replaced prior regulations), according to which the Federal Service for the Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) will conduct inspections of personal data operators. Overall, the new provisions are more detailed and provide more predictability for individuals and businesses.
Under the new rules, routine inspections can be carried out, but only once three years have passed after:
- the personal data operator officially registered as a company or as an individual entrepreneur; or
- the end of the last scheduled inspection of the personal data operator.
However, the rule above does not apply to the following personal data operators, which can be inspected every two years:
- personal data operators which collect biometric personal data and special categories of personal data (data on ethnicity, political views, religious or philosophical beliefs, health, intimate life);
- personal data operators which transfer personal data to foreign countries which do not provide an adequate level of data protection (for example the USA); or
- Russian companies that are processing personal data on behalf of a foreign company that is not registered in Russia.
Previously, inspections, whether scheduled or unannounced, could be either onsite inspections or document-based inspections. Under the new rules, unscheduled document-based inspections will no longer be performed. For a document-based check, which can now only be carried out as part of a scheduled inspection, the deadline for submitting documents to Roskomnadzor is reduced (from ten to five business days), as is the deadline for submitting explanations related to any inconsistency in the information provided (three business days instead of ten).
The Russian government has introduced a new legal basis to initiate unannounced inspections, namely by decision of the head of Roskomnadzor (or any of its regional branches). The decision must nevertheless be based on violations that were identified through the daily monitoring of personal data operators' activity. This provision provides Roskomnadzor with extensive discretionary powers to perform unscheduled inspections. However, the duration of such inspections is now halved compared to the older rules (ten business days instead of twenty).
In addition, the new regulation introduces a rather long list of grounds for extending the period of inspection. Previously, the duration of the inspection could be increased only if it required complex investigations. Now, other grounds can be invoked by the regulator, such as the operator's failure to submit necessary documents, a law-enforcement agency transmitting evidence indicating violations of data protection rules, or the occurrence of unforeseen circumstances.
The new regulation also introduces a deadline of six months for remedying violations of data protection rules. The previous regulation did not provide such a deadline.
Impact date: 23 February 2019
Links: Inspections of personal data operators

Development: Updating the list of countries which provide an adequate level of data protection
Summary: Russian law applies more lenient rules for cross-border transfers of personal data when the data is sent to:
- foreign countries which have ratified the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108); or
- foreign countries which provide an adequate level of data protection according to Roskomnadzor.
The list of countries which provide an adequate level of data protection was recently updated by Roskomnadzor. Japan was added to this list, and therefore the transfer of personal data to Japan no longer requires specific written consent from the personal data subject.
Impact date: 16 February 2019
Links: Publication on the official website
UAE
Contributors
Geraldine Ahern, Partner
T: +9712 494 3632 [email protected] eversheds-sutherland.com
Erica Crosland, Senior Associate
T: +9714 389 7034 [email protected] eversheds-sutherland.com

Development: Onshore Dubai: Smart Dubai AI Ethics Guidelines
Summary: The technology arm of the Dubai government, known as Smart Dubai, has published a new Ethical AI Toolkit. The Toolkit includes:
- a comprehensive document setting out the overarching principles of ethical AI, accompanied by a set of guidelines that expand on the ethical principles and provide practical examples; and
- a Self-Assessment Tool that allows AI developers and operators to evaluate the ethical level of their AI systems.
Smart Dubai, together with its AI Ethics advisory board, is currently reviewing the legal framework to support the implementation of ethical AI across the emirate of Dubai.
Impact date: 8 January 2019
Links: Press statement

Development: DIFC: Data Protection Policy Guidance published
Summary: The Commissioner of Data Protection in the DIFC published policy guidance on direct marketing and electronic communications.
The guidance note covers all personal data processed for electronic direct marketing purposes and includes a helpful Do's and Don'ts section.
Impact date: 10 January 2019
Links: Guidance

Development: Federal: New law on IT and data protection for healthcare sector
Summary: UAE Federal Law No. 2 of 2019 regarding the use of information and communication technology in the healthcare sector (Healthcare IT Law) is expected to come into force in May of this year.
The law will be the first federal law to specifically address data and privacy issues in the UAE, albeit limited to the healthcare sector. For more information, see our Spotlight on... briefing.
Impact date: TBC
Links: Eversheds Sutherland briefing
Spotlight on...

Irish Data Protection Commission publishes first annual report since GDPR
We examine the Irish Data Protection Commissioner's first annual report since the introduction of GDPR on 25 May 2018. Read more...

UK's Privacy and Electronic Communications (Amendment) Regulations 2018
We consider the impact of the recently passed Privacy and Electronic Communications (Amendment) Regulations 2018, which empowered the ICO to issue fines to directors and other company officers for breaches of the rules governing electronic direct marketing communications. Read more...

Romanian implementation of the GDPR
We report on Romania's recently introduced data protection law, focussing on the provisions relating to the processing of national identification numbers and the rules on the use of CCTV and monitoring in an employment context. Read more...

Data Protection and Brexit: what you can do to prepare
We set out the key actions that businesses can take to help prepare for a "no deal" Brexit. Read more...

Organisations in the UAE prepare for new Healthcare IT Law
We explore the UAE's impending Healthcare IT Law, the first federal law to address privacy issues within the context of data processing in the UAE (albeit limited to the healthcare sector), which will introduce new obligations for entities in the healthcare sector. Read more...

Court action: a strategic option for data security breach response, a UK perspective
We consider various options offered by UK Courts which can help companies take action against the perpetrators of cyber attacks. Read more...

The "transfers from EU back into the UK conundrum"
We discuss the issue of EU-based processors ensuring lawful transfers back to the UK. Read more here (Part 1) and here (Part 2)
For further information, please contact:
Paula Barrett Co-Lead of Global Cybersecurity and Data Privacy T: +44 20 7919 4634 [email protected]
Lizzie Charlton Data Privacy Professional Support Lawyer T: +44 20 7919 0826 [email protected]
Michael Bahar Co-Lead of Global Cybersecurity and Data Privacy
T: +1.202.383.0882 [email protected]
@ESPrivacyLaw
eversheds-sutherland.com
Eversheds Sutherland 2019. All rights reserved.
Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP are part of a global legal practice, operating through various separate and distinct legal entities, under Eversheds Sutherland. For a full description of the structure and a list of offices, please visit www.eversheds-sutherland.com.
This information is for guidance only and should not be regarded as a substitute for research or taking legal advice.