How Might a No-Deal Brexit Impact Your Organisation’s Data Protection Obligations?

The UK Parliament has today, 15th January 2019, rejected the Government’s Brexit withdrawal agreement with the EU. This turn of events, which was widely anticipated, increases the prospect of a no deal Brexit, i.e. a break-up without a divorce settlement. According to law, the UK will leave the EU on 29th March 2019 with no deal unless Parliament has accepted the withdrawal agreement, or a modified version of it, or a new agreement has been reached with the EU and accepted by Parliament, before then. Although no deal remains an unlikely scenario, it would have consequences for your data protection obligations.

What does this mean for your organisation and the way you manage personal data?

The ICO’s New Year’s Resolutions

The ICO published a draft Regulatory Action Policy (“Policy”) on 28 June 2018 (available here), supplementing its Information Rights Strategic Plan for 2017-2021 (here) and International Strategy for 2017-2021 (here). This Policy provides an overview of how and to what extent the ICO will use its newly expanded regulatory enforcement powers provided by the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”).

What Does the New European Electronic Communications Code Mean for OTTs?

As users increasingly use nontraditional modes of communication, such as social media and instant messaging applications, email and VoIP, in place of traditional telephone and data services, so too must privacy laws evolve. The European Electronic Communications Code, proposed on December 4, 2018, expands the definition of electronic communications services to include these “over-the-top services.” As a result, these services become subject to data processing regulations under the existing ePrivacy Directive.

In an article written for IAPP’s Privacy Tracker, Rosa Barcelo and Matthew Buckwell discuss which obligations will apply to OTTs, whether the GDPR takes precedence over the ePD, and what service providers need to evaluate in advance of the December 21, 2020 effective date.

California to Hold Public Forums on California Consumer Privacy Act as Part of Rulemaking Process

California’s Consumer Privacy Act of 2018 (“CCPA”), which was signed into law in June 2018, will take effect on January 1, 2020.

California Attorney General Xavier Becerra has announced that the California Department of Justice has organized six public forums throughout the State that will provide those impacted by the new law an opportunity to comment on the rulemaking process.

Does the GDPR Allow for the Use of Consent for the International Transfer of Data?

Many data controllers would like to use the consent of data subjects to transfer data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier to use consent as a basis for international transfer than was the case under Directive 95/46?

Rules on international transfer under GDPR

Chapter V of GDPR offers several legal bases for the transfer of personal data to third countries or international organizations:

  1. The suitability of the recipient country or entity on the basis of an adequacy decision of the European Commission (Article 45).
  2. The establishment of “appropriate safeguards” by the recipient (Article 46) such as standard contractual clauses adopted by the European Commission or BCRs (Article 47).
  3. The “Derogations for specific situations” provided by Article 49 (1) of the GDPR, which provides that transfers, where neither of the above applies, may be carried out if one of the listed conditions is fulfilled. One of the derogations is the case where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.


Data Subject Access Rights – and the Requirement to Issue a Copy of the Undergoing Processing

Within the last couple of months, we have noted that Companies increasingly struggle with data subject access requests.

The Wording of Art. 15 para. 3 GDPR is Ambiguous

As much as Companies understand that they need to confirm whether they process personal data of the individual that issued the request, they oftentimes seem to struggle with the requirement and the meaning of issuing a copy of the underlying processing as stipulated by Art. 15 para. 3 GDPR.

The Impact of Data Protection on Children

Many readers may be reading this blog when a notification from their fitness tracker pops up instructing them to stand up. Children are now beginning to wear trackable devices too. These devices are connected to the internet and may process a child’s personal data. Many children have and use social media accounts and there is the additional digitisation of health and school records, which increases the online data trail of a child.

Have You Paid Your Data Protection Fee?

The Data Protection (Charges and Information) Regulations 2018 came into force in May 2018. Generally, these Regulations mean that Controllers must pay the ICO an annual data protection fee unless they are exempt. The exemptions are relatively limited. The requirement to pay an annual fee replaces the previous requirement to register with the ICO. The fee ranges from £40 to £2900, depending on the tier of organisation. The fee helps to fund the ICO.

ICO’s Consultation on Direct Marketing Code of Practice

Direct marketing has been a focus of the UK data protection regulator, the Information Commissioner’s Office (ICO), for the last several years. Direct marketing for these purposes includes promotional messages that are sent directly to an individual recipient electronically (email or text), by post or communicated by phone. Such messages are considered to be unsolicited communications, as opposed to marketing messages that were specifically requested by individuals.

Illinois Supreme Court to Resolve the Conflict over the Scope of BIPA’s Private Right of Action

In Illinois, the courts are grappling with an issue akin to the Article 3 standing issues that courts have been analyzing in post-breach cases for years, that is, whether a plaintiff must claim actual harm as a result of a statutory violation or whether the violation is sufficient by itself to support standing to sue.
