Category Archives: EU Data Protection Reform

The ICO on the 4th of July 2017 took a step forward with regards to privacy protection for the UK public from overseas data protection threats and risks, by publishing its first ever International Strategy document. This document supports the earlier ICO 'Information Rights Strategic Plan 2017 - 2021' document and is set to help the ICO meet overseas data protection challenges in a globalised world, including those in relation to key areas such as the GDPR and Brexit. The document sets out what the ICO sees as its main international concerns over the next four years, which are:
  • Operating as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period.
  • Maximising the ICO’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies.
  • Ensuring that UK … Continue Reading ››
In order to support the application of the General Data Protection Regulation (GDPR) the European Commission’s Directorate-General for Justice and Consumers is establishing a new expert group to be comprised of various stakeholders including academics, legal practitioners and organisations. The 27-member group will support the early preparation of possible implementing and/or delegated acts, and provide stakeholders with an opportunity to share their experiences in applying the GDPR. As Datonomy readers will already be familiar, there are a number of issues in the GDPR where there is scope for the detailed application to be fleshed out by means of these Commission-made measures. Organisations may well want to take the opportunity to influence this detail. Specifically, this year the Commission intends to launch studies on certification mechanisms and standardised icons in order to assess whether there would be added value in adopting delegated and/or implementing acts in these areas. The Commission would therefore … Continue Reading ››
Since its hotly awaited publication in January, the Proposal for an ePrivacy Regulation ("Proposal") has come under scrutiny from various stakeholders. Recently both the Article 29 Working Party ("WP29"), and the European Data Protection Supervisor ("EDPS"), have joined the chorus. Though both independent bodies are pleased with the concepts in the legislation, both express various concerns, with WP29 describing theirs as particularly 'grave'. Those (grave) concerns, alongside some recommendations are explored in detail below. EDPS: concerns over consent, tracking and cookies. As expected in his Opinion the EDPS welcomes various parts of the Proposal, including the legislators' choice for a regulation rather than a directive, and the extension of scope to over-the-top (“OTT”) communications services such as Skype and WhatsApp. The Commission's ambition to bring all publically accessible networks and services within the scope of the confidentiality requirements is also praised. However, though the EDPS … Continue Reading ››
Impact of Brexit on data protection: EU Home Affairs Sub-Committee hears evidence The EU Home Affairs Sub-Committee continues to hear evidence from various experts on the implications of Brexit on the "EU data protection package". Particularly notable are the comments of Elizabeth Denham, the UK's Information Commissioner, regarding her hopes for the UK post-Brexit. Unsurprisingly for Denham and perhaps reassuringly for business, "the right way forward… is to fully adopt the general data protection regulation". However should the UK do so, questions persist as to the ICO's role, particularly in relation to its standing with the European Data Protection Board (EDPB). Denham was keen to emphasise that the Government should do anything it can to ensure the ICO has "some status" on the EDPB. Should it not, the UK will be at the mercy of the Board's decisions, but be without influence over its policy. Lord O'Neil of Clackmannan, a Labour peer, was … Continue Reading ››
With the GDPR on the horizon, the EU is now overhauling and expanding the reach of the more specific privacy rules which relate to direct marketing, cookies and other forms of online monitoring. The ability of social media and messaging services to track users is one of many areas touched on in the European Commission's newly proposed ePrivacy Regulation, which was officially unveiled last week. We highlight some key impacts for the tech and media sectors, provided the proposed draft passes through the legislative process without dramatic changes. Businesses should incorporate these new requirements into their GDPR readiness planning. Why are the rules being updated?
  • The regime for electronic communications, based on the EU's Privacy and E-communications Directive (PECD), which dates back to 2002, is being overhauled as part of the Commission's Digital Single Market package.
  • Since the last review of the PECD in 2009, a new … Continue Reading ››
Yesterday, 10 January, the European Commission (EC) presented its formal proposals for the new ePrivacy Regulation. On initial analysis, the first official draft of the Regulation appears broadly similar to last month's leaked version, explored by Datonomy here. Datonomy will be providing a fuller analysis, however in the meantime the EC's Fact Sheet provides a useful starting point. The Commission's aim is to have the new Regulation adopted by 25 May 2018 when the GDPR takes effect. Olswang's Head of Digital and Data, Elle Todd, and Alex Dixie, the firm's Head of Adtech, will be taking a first look at the practical impacts of the new proposals in a webinar at 15:00 UK time on Thursday 19 January. Follow this link to register. In particular the webinar will examine:
Just before the festive break, the Article 29 Working Party ("WP29"), the group representing national data protection regulators in the EU, issued new guidance on several key aspects of the new General Data Protection Regulation ("GDPR"). This is the first guidance of its kind issued by the WP29, and as such represents the first time the data protection authorities have revealed their thoughts on the interpretation of the GDPR. The guidance consists of three separate sets of guidelines and FAQs:
  • an explanation of the role of the now mandatory Data Protection Officer ("DPO");
  • a guide to the new right to data portability; and
  • guidance regarding the "one stop shop" mechanism for establishing the lead data protection authority in cases of cross-border data processing.
Although the guidance has been formally "adopted", the WP29 is welcoming comments from stakeholders until the end of January 2017, so it is possible that elements may be … Continue Reading ››