To any good lawyer, the answer is that both are important. However, most in-house counsel know that the real question is which one receives the limited available budget. Compliance budgets usually follow the greatest risks to the company. Therefore, in Europe, where the EU’s General Data Protection Regulation is the most daunting new compliance issue, it stands to reason that data privacy will take a larger portion of the budget than cybersecurity. However, in the US, where the penalties for poor cybersecurity can be huge (from governmental penalties to class action and shareholder derivative lawsuits), I believe it is generally the opposite.
The GDPR has changed how organizations in many industries, including advertising, operate. For example, the Committee of Advertising Practice, which authors the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (the “CAP Code”), is in the process of updating its prize promotion rules to comply with the stricter requirements of the GDPR, primarily those relating to obtaining consent from competition participants.
For further information on the forthcoming update to the CAP Code and its expected impact on advertising, please read the post prepared by my colleagues Carlton Daniel, Ailin O’Flaherty and me, which has been published on the Squire Patton Boggs Global IP & Technology Law Blog.
California has become the first state in the US to adopt a cybersecurity law governing Internet of Things (IoT) devices, that is, devices capable of connecting to the internet. In this rapidly growing industry, the law is a first step toward regulation aimed at improving the security of IoT. While it does require manufacturers to equip devices with “reasonable” security features, it is short on detail as to what those security features must be. The law takes effect on January 1, 2020.
Article 35(4) of the EU General Data Protection Regulation (“GDPR”) states that the supervisory authorities of the EU Member States (“SAs”) shall establish, publish and communicate to the European Data Protection Board (“EDPB”) a list of processing operations that are subject to a requirement for a data protection impact assessment (“DPIA”) under the GDPR.
Just because 25 May 2018 has passed does not mean that data protection compliance work has ended! The Data Protection Act 2018 (“DPA”) works alongside the GDPR and introduces additional requirements that businesses will need to watch out for; there are, however, a number of derogations intended to better accommodate business needs.
On 19 September 2018, the Information Commissioner’s Office (“ICO”) fined credit reference agency Equifax Limited £500,000 for breaching the Data Protection Act 1998 (“DPA”). Finding that Equifax Limited had failed to protect the personal data of up to 15 million UK individuals, the ICO imposed the maximum penalty available for a breach under the DPA.
The ICO found that, of the eight data protection principles established in the DPA, Equifax had breached five. The finding considered how Equifax handled personal data, the purposes for which it processed that data and the transfer of the UK data to the US.
Amendments to California’s expansive Consumer Privacy Act of 2018 (“the Act”) include new provisions that may significantly impact the timing of enforcement and provide exemptions for large amounts of personal data regulated by other laws.
The Act, signed into law in June, is a sweeping data privacy law that regulates the processing of the personal data of California residents. Because the Act was hastily passed in order to prevent a similar ballot initiative from proceeding to a vote in the November elections, it was expected that the Act would undergo significant amendments before it enters into effect on January 1, 2020.
On 5 September 2018, the EU Commission commenced proceedings to adopt an adequacy decision in relation to Japan’s protection of personal data by issuing a draft ‘Commission Implementing Decision’. This is an important step towards concluding the discussions between the EU and Japan that were initiated in January 2017 with the aim of permitting the free flow of personal data between the parties. These discussions were part of the broader free trade negotiations between Japan and the EU, which concluded with a successful agreement on 17 July 2018.
The General Data Protection Regulation (GDPR) was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels and entered into force there in mid-July. The European Economic Area (EEA) currently comprises all EU Member States, including, for the time being, the UK, together with three of the four EFTA States, namely Iceland, Liechtenstein and Norway (the fourth EFTA State, Switzerland, is not an EEA member). Additionally, on 15 July 2018, a new Act on Data Protection and the Processing of Personal Data, No. 90/2018, entered into force in Iceland.
The General Data Protection Regulation (GDPR), applicable since 25 May 2018, modifies the legal rules on the use of biometric data. The processing of biometric data for the purpose of “uniquely identifying a natural person” is, as a matter of principle, prohibited under Article 9 GDPR. Amongst the authorised exceptions is processing that is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment […] in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.