On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.

Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that such third country is “adequate” from a data protection laws perspective, or “appropriate safeguards” are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR’s high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of “provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.[2] No such “administrative arrangements” have been approved by the EDPB until now. Continue Reading EDPB Issues First Opinion on Administrative Arrangements Under the GDPR for Cross-Border Data Flows Between EU and Non-EU Securities Agencies

In summer 2018, a new Indian Personal Data Protection Bill was released by a Committee of Experts formed under the Chairmanship of Justice B.N. Srikrishna (the “Bill”), accompanied by a report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” After several months’ hiatus, reports are emerging of renewed impetus from India’s Ministry of Electronics and Information Technology (“MEITY”) for the Bill to be put before Parliament.

The proposed introduction of the Bill continues a global trend in the revision of data protection laws: from California to Canada, from Bahrain to Brazil, many jurisdictions have recently proposed, or are in the process of adopting, new, stricter data protection legislation that, to varying degrees, bears the hallmarks of the recently-effective EU General Data Protection Regulation (“GDPR”).

As the global data protection map evolves, what should multinational organisations do to remain compliant? National legislatures are contributing to a global patchwork of data protection policy and each new law has been shaped by different political and cultural motivations. Consequently, areas of incompatibility between regimes are becoming visible.

This article recaps on the key provisions of the proposed Bill, examines potential incompatibilities with the GDPR, and concludes with what this means for multinational organisations who may be required to navigate both frameworks.

Please click here to read the full article.

On February 7, 2019, the German antitrust agency, the Federal Cartel Office (“FCO”), imposed limitations on Facebook’s current practice of collecting and processing user data and prohibited using the related terms of service.  After an almost three-year long investigation, the FCO found that some of Facebook’s business practices amounted to an abuse of a dominant position.  For the first time, the FCO based its abuse-of-dominance analysis also on whether the dominant company complied with the GDPR – throwing compliance with the GDPR into their competition law assessment.[1] Continue Reading Germany Limits Facebook’s Data Collection and Processing, Refers to GDPR

In 2018, data privacy and cyber breaches made headlines throughout the year.

Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries.  At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase compliance costs and regulatory risks.  This memo surveys some of the key cybersecurity and data privacy developments of 2018, including the major data breaches and cyberattacks, regulatory and legislative actions, and notable settlements and court decisions.

In addition, we identify some key takeaways from 2018, which include the importance of rapid response and timely disclosure, cyber diligence in M&A transactions, effective management of third-party vendor risk, and protecting privilege.  We also highlight key areas to watch in 2019, including GDPR enforcement, efforts to pass a U.S. federal privacy law, responses and potential changes to California’s new privacy law, the adoption of comprehensive privacy laws in more U.S. states and non-U.S. jurisdictions, and heightened U.S. litigation and enforcement risk.  Data security and privacy will undoubtedly remain a priority for boards and senior management, as well as regulators and enforcement authorities.

Please click here to read the full alert memorandum.

The European Data Protection Board (“EDPB”)[1] adopted its highly anticipated guidelines on the territorial scope of the General Data Protection Regulation (“GDPR”) (the “Guidelines”), which are currently open for public consultation until January 18, 2019.

The extraterritorial application of the GDPR to entities located in non-EU countries marks a significant shift in the legal framework compared to the GDPR’s predecessor (Directive 95/46/EC).

The GDPR’s extraterritorial scope is based on two main criteria described in its Article 3:

  • the “establishment” criterion, according to which the GDPR applies where processing of personal data is undertaken by a person in the context of the activities of an establishment in the European Union regardless of whether the processing takes place in the European Union or not, and
  • the “targeting” criterion, according to which the GDPR applies where processing activities conducted by a person established outside the European Union relate to the offering of goods or services or the monitoring of behavior of data subjects in the European Union.

As a result of these two criteria, businesses which did not previously need to consider the applicability of EU data protection law to their processing activities may now be caught within the GDPR’s territorial scope. The Guidelines  are intended to bring clarity to non-EU businesses doing business with the EU, either directly or through “establishments”, which must undertake a careful assessment of their data processing activities in order to determine whether the GDPR applies. The full text of the Guidelines can be accessed here and their key features are summarized below. Continue Reading EDPB Publishes Draft Guidelines on the Territorial Scope of the GDPR

Knuddels GmbH & Co KG, a German social media app, has received the first administrative fine issued by a German supervisory authority under the General Data Protection Regulation (“GDPR”).

The fine of € 20,000 has been levied on Knuddels by the Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (one of 16 regional data protection authorities in Germany) following a hack reported by Knuddels in September which resulted in the personal data of approximately 330,000 users being stolen and subsequently published. Such personal data included users’ emails addresses and passwords. Continue Reading First German Fine Issued Under the GDPR

The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.

The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.

It highlights the critical importance for businesses of:

  • Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
  • Taking effective action to prevent foreseeable cyber-attacks;
  • Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and

Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.

Please click here to read the full alert memorandum.

The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.

Continue Reading UK Data Protection Regulator Set to Levy Maximum Fine on Facebook in Cambridge Analytica Case

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

Please click here to read the full alert memorandum.