Sent to subscribers in January 2017

The first half of 2016 focused primarily on the finalization and final approval of the EU General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC. The GDPR will apply and enforcement will commence as of May 26, 2018. Now, most of the European Union and European Economic Area (EU/EEA) is focusing on the preparation of the transition to the new data protection regime. Member States are working on guidelines and on provisions supplementing the GDPR. We will hear more details in the next supplement.

The early days of July 2016 also saw the approval of the EU-US Privacy Shield, which replaces the Safe Harbor, invalidated in October 2015. U.S.-based companies doing business with EU/EEA-based entities are now recovering from the whirlwind of activities and the uncertainties of the first part of 2016. Many of them are preparing for, or may already have filed for, self-certification under the Privacy Shield, ensuring that they are better prepared for further attacks to crossborder data transfer structures.

The second half of 2016 has been much quieter than the first half. As a result, Supplement 22 does not bring as many sensational developments as did the prior ones published in 2016.

The most significant development occurred in France, as we were completing our set of updates for Supplement 22.

In early October 2016, France passed Loi No. 2016-1321 Pour Une République Numérique. The law introduces new provisions that will regulate the digital economy as a whole, such as open data, online cooperative economy, revenge porn, and access to the Internet. It also introduces key amendments to the existing 1978 Loi Informatique et Libertes (the current    national data protection law) ahead of the May 2018 enforcement date of the EU GDPR.

Among the key points of the Law 2016-1321 you should note higher fines (up to EUR 3 million), removal of data residency rules, and enhanced rights for individuals, including right to be forgotten and the right to data portability.

Best wishes for 2017. It will be a very interesting year for data privacy and cybersecurity.