Updates

Supplement #27

To be sent to subscribers in September 2018

At long last, the GDPR is in force.  It has been a long process.  I still remember reviewing the first draft of a GDPR in November 2011, and after that, all the successive drafts, wondering how long it would take to get to launch.

Here we are, almost 7 years later, GDPR is in effect! When you receive this set of supplements, GDPR will be celebrating the four-month anniversary of its enforcement date. It is still taking baby steps.  In the meantime, the first sets of lawsuits claiming violation of individuals’ rights under GDPR were filed on the inaugural day, May 25, 2018.

The GDPR grants Member States the ability to supplement some of its provisions. It was hoped that EU Member States would take advantage of the two-year period between signature of the law and the enforcement date to take the measures necessary to implement the GDPR into their national laws and take advantage of their ability to supplement it.  Some did take advantage of this opportunity. Germany and Austria were the first to have completed the process. Nevertheless, a significant number of EEA Member States are still struggling.  In numerous cases, bills are pending and still being discussed. Others are almost done; for example, Italy

While not a member of the European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR as part of its agreements with the EEA Member States.  The Swiss parliament is said to be working on a draft.

Outside the EEA region, countries are actively working on the improvement or development of their data protection laws.  On August 14, 2018, the president of Brazil signed the country's first data protection law.  That law contains numerous references to the GDPR.  Across the Andes, Chile is also working actively on developing its existing data protection law further, to bring it to current international standards.

At the end of June 2018, California passed the California Consumer Privacy Act (CCPA).  Like the GDPR, the statute has a very broad reach. It applies to most business entities that collect personal information of California residents and operate in California. In the next Supplement, we will provide a summary of the CCPA and describe the circumstances of its very turbulent launch.

According to its terms, the statute becomes effective as of January 1, 2020. However, because of its controversial content, the statute has been attacked for a variety of reasons, and the launch date is becoming uncertain.  Since its signature by the California Governor, numerous activities have been ongoing in California to attempt to amend the statute and delay its enforcement date. There are also discussions at the Federal level, which are aiming at drafting a federal law that would supersede the California statute.

One of the most remarkable features of the CCPA is its definition of “personal information.” It is probably the longest of all definitions of that term, worldwide. It is 345 words long and extends over 13 paragraphs.

While the CCPA has been presented by some as a “mini GDPR,” it is much more limited than the GDPR.  For example, unlike the GDPR, it does not contain general data processing principles and does not require a legal basis for the processing of personal information. The CCPA focuses primarily on providing consumers with a number of rights, such as a right of access and a right of portability, in a manner similar to the GDPR. It also grants consumers the right to require that businesses cease selling, sharing or disclosing their personal information with or to third parties for commercial purposes.

CCPA grants a private right of action to California residents whose personal information was compromised in a breach of security. This addition to the existing California security breach landscape is likely to significantly increase litigation.

Supplement #26

Sent to subscribers in May 2018

It is just a few weeks before the May 25, 2018, deadline to implement the General Data Protection Regulation (GDPR), and it seems that the privacy and data protection world is frozen. The Member States of the European Union and European Economic Area have not done much to take advantage of the numerous GDPR provisions that allow Member States to draft additions and adaptations to the GDPR. Austria, Germany, and Belgium are the exceptions.

Germany has added numerous changes to the GDPR. One of the most significant additions is the obligation for companies to appoint a data protection officer if (1) at least 10 persons in the organization deal with automated processing of personal data or (2) the company is required to conduct data protection impact assessments. The German additions to the GDPR also grant significant supplemental powers to the supervisory authorities. Austria has expanded the scope of the provisions that give individuals the ability to be represented by a non-profit organization that focuses on data protection issues, so that such a mechanism can be used for actions not only against organizations but also against the supervisory authority.  Austria has also set 14 as the age of consent.

In addition to Germany and Austria, Belgium has developed its local additions to the GDPR.  In the case of Belgium, the changes have focused on establishing a Data Protection Supervisory Authority and providing it with supervisory powers and punitive functions.  The Belgian additions to the GDPR grant the Supervisory Authority the power to give warnings, work on investigations, and impose administrative fines.

A few other Member States have developed drafts but, as we go to press, have not achieved finalization. These include, for example, France, Ireland, Latvia, the Netherlands, Spain, and the United Kingdom. The remainder of the European Union and European Economic Area Member States have not made any tangible progress.

While not a member of the European Union or European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR and that affect the remainder of Western Europe.  The Swiss parliament, however, has not yet published a draft. The word is that a draft should be coming soon.

Supplement #25

Sent to subscribers in January 2018

Supplement #25 to our two-volume treatise Global Privacy and Security Law reflects a period of significant transition in the European Union and European Economic Area, where the Member States are still working on integrating the EU General Data Protection Regulation (GDPR) into their laws. Few countries have published any tangible information about their views on the transition to the new regime under the GDPR.

The Article 29 Working Party has been prolific and has published several guidelines, which are detailed in Chapter 6A. The Article 29 Working Party has already published Guidelines on Data Protection Officers, Data Portability, Lead Supervisory Authority, Data Protection Impact Assessments, and Administrative Fines. It has also published, for consultation, Guidelines on Data Security Breach and Guidelines on Automated Decision-Making and Profiling. Guidelines on the concept of consent and on cross-border data transfers are expected to be published by the end of 2017 or early 2018.

In the Asia Pacific Region, China continues to make significant changes to its laws governing the protection of personal information.

The global privacy and security framework keeps evolving. The effect of the EU General Data Protection Regulation is clear.  Countries outside the EU/EEA bloc, such as Switzerland, are looking at the challenges posed by the EU General Data Protection Regulation, considering potential changes to their own data protection framework, and exploring how to keep up with the changes to the data protection framework that the GDPR is bringing.

Best regards

Supplement #24

Sent to subscribers in September 2017

This Supplement #24 to our two-volume treatise Global Privacy and Security Law reflects a period of significant transition in the European Union and European Economic Area, where the Member States are still working on integrating the EU General Data Protection Regulation (GDPR) into their laws. Few countries have published any tangible information about their views on the transition to the new regime under the GDPR.

On the other hand, the Article 29 Working Party has been prolific and has published several guidelines, which are detailed in our Chapter 06A. The Article 29 Working Party has already published Guidelines on Data Protection Officers, Data Portability, and Lead Supervisory Authority. It has also published, for consultation, Guidelines on Data Protection Impact Assessment, and is working on additional Guidelines on the concept of Consent, which are expected to be published by the end of 2017.

In the Middle East, Israel has significantly updated its Information Security Regulations, expanding upon the old regulations to prevent the misuse of data. The new Regulations are intended to realize the objectives of the original law and include several innovations, of which the most significant are intended to protect the privacy of registered users in a computerized database.

The Asia Pacific Region has also seen significant developments. For example, in June 2017, South Korea became the fifth country to join the CBPR system. Japan and China have made significant changes to their laws governing the protection of personal information.

In Latin and South America, Uruguay has welcomed the EU-US Privacy Shield and now recognizes the US companies that are listed on the EU-US Privacy Shield list as providing “adequate protection.” In Colombia, the Superintendence of Industry and Commerce of Colombia (SIC) has prepared a draft regulation with a series of provisions that would clarify the obligations of managers and controllers in connection with the transfer and transmission of data to third countries. Chile is working on a bill that would update its current privacy law and would increase the level of privacy protection to meet the guidelines of the Organization for Economic Cooperation and Development (OECD), which Chile joined in 2010.

The global privacy and security framework keeps evolving. While technology evolves faster than laws, throughout the world, legislators and litigators are paying attention to the many uses and potential misuses of personal information.

Supplement #23

Sent to subscribers in May 2017

With the European Union and the European Economic Area (EU/EEA) in a period of transition, there is much activity but still insufficient tangible results. EU/EEA Member States are attempting to fathom the changes that the adoption of the General Data Protection Regulation (GDPR) will bring to the region as a whole, to understand how their own countries will or should implement the new rules, and to determine whether and in what ways they can or should supplement the basic provisions of the GDPR where that is possible. Thus, numerous documents, decisions, guidelines, and the like are still in gestation or being revised and reshaped. On the other hand, some of the Member States, such as France, Germany, and the Netherlands, have made substantial progress and have been especially active.

The next supplement will bring updates on the final versions of several guidelines drafted by the Article 29 Working Party. These guidelines are about to be adopted in their final forms, but their final texts are not public as of press time. These guidelines provide some clarity on the interpretation of certain provisions of the GDPR.

Elsewhere, some countries are preparing major changes. This is the case, for example, for China and Turkey, but the changes came in too close to press time, and the details of their application are still too scarce for an analysis to be included in this supplement. A more detailed report will be published in the next supplement.

Stay tuned!

Supplement #22

Sent to subscribers in January 2017

The first half of 2016 focused primarily on the finalization and final approval of the EU General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC. The GDPR will apply and enforcement will commence as of May 26, 2018. Now, most of the European Union and European Economic Area (EU/EEA) is focusing on the preparation of the transition to the new data protection regime. Member States are working on guidelines and on provisions supplementing the GDPR. We will hear more details in the next supplement.

The early days of July 2016 also saw the approval of the EU-US Privacy Shield, which replaces the Safe Harbor, invalidated in October 2015. U.S.-based companies doing business with EU/EEA-based entities are now recovering from the whirlwind of activities and the uncertainties of the first part of 2016. Many of them are preparing for, or may already have filed for, self-certification under the Privacy Shield, ensuring that they are better prepared for further attacks on cross-border data transfer structures.

The second half of 2016 has been much quieter than the first half. As a result, Supplement 22 does not bring as many sensational developments as did the prior ones published in 2016.

The most significant development occurred in France, as we were completing our set of updates for Supplement 22.

In early October 2016, France passed Loi No. 2016-1321 Pour Une République Numérique. The law introduces new provisions that will regulate the digital economy as a whole, covering matters such as open data, the online cooperative economy, revenge porn, and access to the Internet. It also introduces key amendments to the existing 1978 Loi Informatique et Libertés (the current national data protection law) ahead of the May 2018 enforcement date of the EU GDPR.

Among the key points of Law 2016-1321, note the higher fines (up to EUR 3 million), the removal of data residency rules, and enhanced rights for individuals, including the right to be forgotten and the right to data portability.

Best wishes for 2017. It will be a very interesting year for data privacy and cybersecurity.

Supplement #21

Sent to subscribers in September 2016

After a lengthy drafting process, the EU General Data Protection Regulation, which replaces Directive 95/46/EC, was formally approved by the EU Parliament in April 2016. It was published in the EU Official Journal in May 2016. Following a two-year transition period, the General Data Protection Regulation will apply and enforcement will commence throughout the European Union from late May 2018.

The General Data Protection Regulation is not simply an update of a 20-year-old directive that was drafted at the dawn of the Internet era. The approval of the General Data Protection Regulation is a seminal development in the shaping of data protection law throughout the EU Member States as a cohesive, homogeneous whole, where one single law becomes the primary vehicle governing the activities of very diverse countries. The General Data Protection Regulation attempts in different ways to increase the consistency among the legal regimes of the EU Member States in order to reduce several of the current obstacles that companies face when they carry out business in numerous countries in the European Union.

Although the General Data Protection Regulation is intended to bring uniformity, we should not lose sight of the fact that a number of its provisions give leeway to Member States to enact additional measures beyond those stipulated in the Regulation.

Over the next two years, companies that fall under the jurisdiction of the General Data Protection Regulation are expected to modify their practices to ensure compliance. This is a significant task, not only for the companies impacted, but also for the Member States’ respective data protection regulators and governments as they seek to integrate and enforce a uniform law within their own legal frameworks. The next two years are going to be a very interesting time, requiring close collaboration between private companies and public institutions, both at the Member State and at European levels, in order to successfully implement the General Data Protection Regulation.

An overview of the other updates in Supplement 21 is provided below.

Supplement #20

Sent to subscribers in May 2016

Given the developments over the last number of months regarding the EU-US Privacy Shield and the EU General Data Protection Regulation, it is not surprising that the updates for this Supplement are heavily concentrated on our European chapters.

In December 2015, agreement was reached between the European Commission, the European Parliament, and the Council on a compromise text of the General Data Protection Regulation. Although this was the last major obstacle in the drafting and negotiation process, the text of the Regulation may still undergo some further changes. Consequently, we have taken the decision not to update the content of Chapter 6A, Proposed EU Data Protection Regulation, until the Regulation has been formally adopted. The main provisions of the General Data Protection Regulation, in addition to the formal adequacy decision that will be adopted by the EU Commission giving effect to the EU-US Privacy Shield, will be analyzed in detail in the next few supplements of Global Privacy and Security Law.

An overview of the other updates in Supplement 20 is provided below.

Supplement #19

Sent to subscribers in January 2016

What a whirlwind the last number of months has been!

On a personal note, I am delighted to announce that I have joined Greenberg Traurig LLP as a Shareholder/Partner in its Silicon Valley Office.

The invalidation of the EU-US Safe Harbor Framework by the CJEU shocked many in the privacy community. As a result of the CJEU October 6, 2015, decision and the associated fall-out, all data transfers from the EEA, Switzerland, Israel, and DIFD to companies located in the United States that have self-certified that they adhere to the Safe Harbor principles are illegal. The ruling affects approximately 4,600 US companies and their respective trading partners. It is also important to recognize that the consequences of the ruling are much broader and deeper than just the mere invalidation of the Safe Harbor program and the immediate need to identify and implement alternative means of exchanging data with foreign customers, business partners or affiliated entities.

In addition to the short-term, immediate need to find quick-fix alternatives to the Safe Harbor for day-to-day exchanges, there are significant long-term issues regarding cross-border transfers. In its 35-page analysis, the CJEU repeatedly asserts that personal data, once on US territory, are subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard …without limitation” the prospective rules laid down by Safe Harbor when they conflict with US national security and public interest. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights. The CJEU decision, in conjunction with some of the advice issued by data protection authorities in the aftermath of that decision, seems to undermine the entire framework of model clauses, binding corporate rules and other methods that are currently used to address the “adequate protection” requirement under EU Member State data protection laws.

However, at the time of the printing of this supplement it is not clear how many of these issues are going to be addressed. Work is currently underway on finalizing the negotiations on Safe Harbor 2.0, and it is hoped that this revised agreement will address many of the issues raised by the CJEU. In addition to developments on the Safe Harbor issue, negotiations on the EU General Data Protection Regulation are drawing to a close and it is anticipated that the Regulation will be published toward the end of 2015. All of these developments will be covered in detail in the next few supplements of Global Privacy and Security Law.

Suffice it to say that we are in for a very interesting couple of months in the data protection and privacy world. An overview of the other updates in Supplement 19 is provided below.

Supplement #18

Sent to subscribers in September 2015

This Supplement is dedicated to the memories of Antonio Millé and Santiago Jaramillo-Caro, both of whom were contributors to Global Privacy and Security Law. Both Antonio and Santiago were highly accomplished and distinguished attorneys, and were involved with Global Privacy and Security Law from the early days of its creation.

We would like to offer our heartfelt condolences to their families, friends, and colleagues. They will be missed.

An overview of the updates in Supplement 18 is provided below.