It is just over four years since Datonomy reported on the leak of the Commission's original DP reform proposals and, as most readers will have heard by now, last night the EU institutions reached political agreement on the General Data Protection Regulation. Agreement was also reached on the other part of the reform package, the less-reported-on Data Protection Directive for the police and criminal justice sector. We do not have final texts, although key Council analysis documents of the compromise texts for both the GDPR and the Directive have been leaked on the Statewatch website, and this, combined with reports from sources in Brussels, gives us an indication of where the key aspects of the Regulation have ended up. Datonomy will of course be analysing the finalised texts once these become available. What's next? When will the new rules be in force? The compromise texts will now go back to the Council and the … Continue Reading ››
Late yesterday (7 December) the EU institutions reached a deal on the Network and Information Security Directive. The Directive will introduce new cyber security requirements for providers of key infrastructure, and oblige them to report details of cyber attacks to the authorities. The deadline for bringing the new rules into force will be in Q3 2017. Businesses which fall within the Directive’s definition of “digital service providers” – including online market places, cloud computing and search engines – will also be subject to security and breach notification requirements. The final text of the Directive is still awaited. Datonomy will provide further analysis once the text becomes available. What’s new? On 7 December, after many months of trilogue negotiations, the EU institutions reached a compromise on the text of the NISD. The European Commission issued this press release and the Council of the European Union followed suit swiftly with this … Continue Reading ››
On 15th October 2015 the Spanish Supreme Court handed down its first ruling[1] on the so-called digital “right to be forgotten” in which it states that harmful information affecting individuals without public relevance should not be accessible to Internet search engines when the news has lost relevance over time. The background of the case The decision of the Court is based on the following facts: in the 1980s two people were involved in drug-trafficking and consumption. After being arrested, they were finally convicted for drug smuggling and imprisoned. A few years ago, after having served their sentence imposed for these facts and having remade their personal, family and professional life, they found out that by typing their names in the major Internet search engines (particularly, Google and Yahoo!), the news that once was published in a newspaper (El País) now appeared among the first search results, because such newspaper had … Continue Reading ››
Last Friday, the German legislator passed the highly disputed new German Data Retention Act (“GDRA”). The topic has a certain history in Germany as in 2010 the German Constitutional Court declared the previous data retention act invalid. The new GDRA puts quite extensive storage obligations on telecommunications providers. It is expected that claims seeking invalidation of this new GDRA will be launched very soon. In more detail, the act provides for the following:
Telecommunication Services - storage of the following data:
  • Numbers of caller and called person;
  • Date, start and end of connection;
  • Location data (stored only for four weeks); and
  • SMS: inevitably, content will also have to be stored.
Internet Services - storage of the following data:
  • IP-address;
  • Identification of telephone connection; and
  • Date, start and end of connection.
Stored data may only be used on the basis of a judicial order for prosecution of severe criminal offences, such as formation of a terrorist group, murder or sexual abuse. The full … Continue Reading ››
Late on Friday 16 October, Europe’s data protection regulators issued an opinion enabling ongoing transfers of personal information from the EU to the US, at least for the time being. This followed on from the CJEU’s 6 October decision in the Schrems case that the so-called “safe harbor” regime used by more than 4000 US companies to legitimize the import of EU personal information was invalid. Following that decision a number of German data protection authorities ruled that “model clauses”, another mechanism used by thousands of other organisations to legitimize EU to US transfers, were also invalid. There was growing concern that the Article 29 Working Party, an influential body representing Europe’s data protection authorities, would follow the German approach creating more uncertainty and removing one of the few remaining limbs to support transfer. Businesses on both sides of the Atlantic can breathe a sigh of relief. The opinion, although far from categorically … Continue Reading ››
The likely demise of the US Safe Harbor is dominating the data news headlines - but what else is happening in the world of data and cyber regulation? Datonomy provides a round up of other recent developments in Europe and Asia. With contributions from Andreas Splittgerber and Christian Leuthner in Germany, Sofia Fontanals in Spain and Matthew Hunter, Daniel Jung and Aisling O’Dwyer in Asia, in this update we cover:
  • EU policy and regulation including latest news from Brussels on the GDPR and NISD
  • News from the UK
  • News from Germany
  • News from Spain
  • News from Asia
EU POLICY AND REGULATION
  • GDPR and NISD: Commission President Juncker has yet again affirmed the “swift adoption” of the GDPR and NISD as priorities in this open letter of 9 September to the European Parliament. Below we take a more detailed look at the recent procedural progress of these two (not-so-swift) proposals.
One of Europe’s most senior lawyers, Advocate General Bot, today declared the EU-US Safe Harbour regime invalid. His opinion has profound implications for organisations transferring personal data to the US or importing personal data from Europe. Olswang explains the practical implications for companies transferring personal data from Europe to the US. What is safe harbour? The Data Protection Directive (95/46/EC) requires companies which collect personal data relating to EU citizens to retain such data within the European Economic Area unless it is being transferred to a jurisdiction which ensures ‘adequate’ protection for such personal data. Adequacy can be established in a number of ways, one of which is a declaration of approval of a particular jurisdiction’s regime for protecting personal data by the European Commission. In a decision of 26 July 2000, the European Commission declared that the safe harbour scheme established with the US provided adequate protection of personal data and … Continue Reading ››