Just before the festive break, the Article 29 Working Party
"), the group representing national data protection regulators in the EU, issued new guidance
on several key aspects of the new General Data Protection Regulation ("GDPR
"). This is the first guidance of its kind issued by the WP29, and as such represents the first time the data protection authorities have revealed their thoughts on the interpretation of the GDPR.
The guidance consists of three separate sets of guidelines and FAQs:
- an explanation of the role of the now mandatory Data Protection Officer ("DPO");
- a guide to the new right to data portability; and
- guidance regarding the "one stop shop" mechanism for establishing the lead data protection authority in cases of cross-border data processing.
Although the guidance has been formally "adopted", the WP29 is welcoming comments from stakeholders until the end of January 2017, so it is possible that elements may be … Continue Reading ››
Yesterday (13 December) in time-honoured tradition, a draft proposal of the European Commission's (EC) new ePrivacy Regulation was leaked
. The official draft of the proposal is not expected to be published by the EC until January 2017, and it is possible some of the detail will change before then. Datonomy will be providing fuller analysis of the real thing in the near future, but an initial look at the leaked draft – which (typos aside) gives a good indication of what to expect - reveals the following:
- It's a Regulation rather than a Directive (as predicted by Datonomy here)
As with the GDPR, this is intended to provide additional harmonisation and simplification. However, there are a number of areas where Member States can nuance provisions.
- A fining regime similar to GDPR
Offenders can expect turnover based fines. For example, fines of up to 2% of turnover, or up to 10,000,000 … Continue Reading ››
Recently Datonomy attended the second of two conferences
Draft ePrivacy Regulation on the horizon
Perhaps the headline news from the day was the strong support for the review of the ePrivacy Directive to result in the implementation of a new ePrivacy Regulation (therefore directly effective). It was argued the Regulation should extend the scope of the current ePrivacy Directive to cover new tech including, for example, OTT Providers, publically used private networks and the Internet of Things.
According to the European Commission
the draft proposal … Continue Reading ››
Last week, as part of Olswang's GDPR readiness and Talking Retail webinar series', lawyers from the firm's data protection and retail sector teams hosted a webinar looking at the implications of the GDPR on the use of data by the retail industry during an online transaction. In this session our speakers looked at the following:
- Targeted and non-targeted advertising
- Privacy policies
- Processing customer payment details
- Post purchase analysis
- Data breaches
- GDPR implementation
The webinar was hosted by Katie Nagy de Nagybaczon
, a partner in the Corporate Team, who focuses on the retail, eCommerce and technology sectors. The two speakers were:
- Sven Schonhofen, an associate in the Commercial Team of the Munich office. He specializes in advising clients in all areas of IT law, in particular on data protection law.
- Emily Dorotheou, an associate in the Commercial Team who has experience of working on procurement, technology and logistics contracts for a variety of retail and technology clients.
Please follow this … Continue Reading ››
On 19 October 2016, the European Court of Justice rendered a decision in the infamous Breyer case
, which provided more clarification as to the qualification of personal data in our continuously growing digital economy. The Court ruled that dynamic IP addresses can constitute personal data even when the data controller must seek additional information from a third party in order to truly identify a person. The implications of this outcome are not to be underestimated, especially given the liability and compliance obligations of controllers, which are a lot more lenient when the data in question is not considered "personal" data. It also remains to be seen how this decision will relate to the harmonization attempts of the GDPR as Breyer seems to leave the door open for interpretation depending on other national laws that affect the concept of personal data.
Dynamic IP addresses
The case was referred to the CJEU … Continue Reading ››
The General Data Protection Regulation ("GDPR") comes into force on 25 May 2018. It is binding for all member states and provides for a harmonisation of the data protection regime throughout the EU. However, various opening clauses provide member states with discretion to introduce additional national provisions to further specify the application of the GDPR. The German legislator has been among the first to draft such provisions supplementing the GDPR.
What areas does the General Federal Data Protection Act cover?
Recently a draft of the German Federal Ministry of the Interior for a General Federal Data Protection Act
, "GFDPA") has been leaked. This is meant to replace the current Federal Data Protection Act (Bundesdatenschutzgesetz
, "FDPA"). The draft includes new provisions in areas that are subject to the opening clauses of the GDPR. For example:
- Data protection officer: Sec. 14 (1) GFDPA extends the scope of the GDPR and requires the … Continue Reading ››
In the past year, we have seen Safe Harbor declared invalid and the EU-US Privacy Shield put in place, as well as the start of the countdown to GDPR compliance. Datonomy contributors Elle Todd and Rob Bratby join Jamie Davies from Telecom to discuss all things data and reflect on the changes to EU data protection regulation over the past twelve months. Find the article here