GDPR

Privacy Commissioner of Hong Kong Issues a GDPR Guidance Document

Written by

On April 3, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) announced the publication of the “European Union General Data Protection Regulation (GDPR) 2016” guidance document.  The PCPD explains that the publication was issued to raise awareness among organizations and businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR.  The guidance document covers various provisions of the GDPR, including extra-territorial application of the GDPR and new data privacy governance requirements.  It also contains a chart [...] Read more

Council of the European Union publishes new draft ePrivacy Regulation

Written by

The Council of the European Union published a new draft of the ePrivacy Regulation (link here) for discussion purposes on 22 March. This draft aims to facilitate discussions as we are moving towards the final version of the ePrivacy Regulation. As such, the changes outlined below are not final, but rather indicative of the direction that the ePrivacy Regulation is taking. Of particular interest to companies are the provisions relating to cookie settings, and direct marketing communications:   Cookie Settings The new draft clarifies that a one-off consent for a cookie in the context [...] Read more

German DPAs Publish Model GDPR Processing Records – Translations Provided

Written by

In just under 100 days, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of their processing activities.  Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods. Article 30 GDPR thus creates a new kind of documentation obligation.  This obligation [...] Read more

100 Days Until GDPR Effective Date – Sharing Our GDPR Experience

Written by and

In less than 100 days, the General Data Protection Regulation (GDPR) will go into effect. This means that as of May 25, 2018, each national Supervisory Authority will have the authority to apply and enforce the GDPR. The GDPR raises the bar in terms of requirements substantially higher than the Data Protection Framework Directive. For instance, it recognizes new rights for data subjects (e.g. right to be forgotten and right to data portability), introduces data breach notification requirements, introduces the concept of a Data Protection Officer, and brings enhanced accountability obligations. Given [...] Read more

Privacy & Data Security Team Launches Unique GDPR Tracker Website

Written by

“To Harmonize or Not To Harmonize: That Is the Question.” With the the GDPR fast approaching on May 25, 2018, European Member States are getting ready with the implementation of national legislation. Although the GDPR is a regulation, and directly applicable in all Member States, it has left room for country-specific legislation in several different regards (such as the processing of employee data or individual rights restrictions). Most Member States still only have draft legislation at this point, but the expectation (or at least intention) is that each country will have adopted legislation [...] Read more

ECJ Rules against Schrems Class Action, Sets Up Jurisdictional Questions for GDPR Class Actions

Written by

In late 2015, the European Court of Justice (ECJ) issued its initial Schrems decision, invalidating the EU/US Safe Harbor and leading to important developments in the rules for transferring personal data from the EU to the US.  Since that decision, Mr. Schrems has pursued two further legal proceedings in the EU. The first involves Mr. Schrems’ challenge in the Irish courts to EU Standard Contractual Clauses, which permit data to be transferred internationally between contract parties.  In the trial,  Alston & Bird Special Counsel Peter Swire testified as an expert on US national [...] Read more

Data Protection Litigation to Become a New Reality in Belgium

Written by

On November 16, 2017 the Belgian Senate adopted an “Act on the Establishment of the Data Protection Authority” (the “Act”). Following Austria, Germany, and the UK, Belgium is the fourth EU Member State to pass a domestic statute implementing the General Data Protection Regulation 2016/679 (“GDPR”) prior to its effective date of 25 May 2018. The new Belgian Act sets forth the structure and legal organization of the Data Protection Authority (“DPA”), which will serve as the successor of the current Belgian Privacy Commission. More importantly, the Act significantly broadens the DPA’s [...] Read more

An English-Language Primer on Germany’s GDPR Implementation Statute: Part 5 of 5

Written by

Over the past year, the German government has been working on legislation to implement the EU’s General Data Protection Regulation (GDPR).  On July 6, 2017, Germany did so by passing a statute titled the Data Protection Amendments and Implementation Act. The Act repeals Germany’s venerated Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and replaces it with an entirely new BDSG, aptly referred to as the “BDSG-New.” Germany becomes the first EU Member State to pass a GDPR implementation statute. Given Germany’s reputation as one of, if not the, most serious privacy jurisdiction [...] Read more

Article 29 Working Party Issues Guidance on Administrative Fines

Written by

The Article 29 Working Party (“WP29”) recently issued much-anticipated guidance on administrative sanctions under the General Data Protection Regulation (the “GDPR”). This guidance focuses on the holistic factors which Supervisory Authorities (the “SAs”) are to use in issuing assessments for violations of the GDPR. These factors make clear that WP29 views sanctions issued under the GDPR as a key deterrent and enforcement mechanism. Context Article 83 of the GDPR states the general conditions for imposing fines for non-compliance. These fines must be “effective, proportionate [...] Read more

WP29 issues Guidelines on Automated Individual Decision-Making and Profiling in the GDPR

Written by

On October 18, 2017, the Article 29 Working Party (the “WP29”) published Guidelines clarifying the new profiling and automated decision-making provisions of the General Data Protection Regulation (“GDPR”).  European Union regulatory authorities and the WP29 consider that technological developments that facilitate the creation of individual profiles, such as big data analytics, AI and machine learning, have created new risks to data protection.  As the majority of industries (insurance, marketing and finance, and even healthcare) already apply and use these new techniques today, the WP29 [...] Read more