Just before the festive break, the Article 29 Working Party ("WP29"), the group representing national data protection regulators in the EU, issued new guidance on several key aspects of the new General Data Protection Regulation ("GDPR"). This is the first guidance of its kind issued by the WP29, and as such represents the first time the data protection authorities have revealed their thoughts on the interpretation of the GDPR.
The guidance consists of three separate sets of guidelines and FAQs:
- an explanation of the role of the now mandatory Data Protection Officer ("DPO");
- a guide to the new right to data portability; and
- guidance regarding the "one stop shop" mechanism for establishing the lead data protection authority in cases of cross-border data processing.
Although the guidance has been formally "adopted", the WP29 is welcoming comments from stakeholders until the end of January 2017, so it is possible that elements may be …
For months, data protection lawyers have been warning businesses in the UK to make preparations for the pending General Data Protection Regulation (the "Regulation"), due to come into force in May 2018. The Regulation provides for a ratcheting up of data protection obligations and a hefty new fining regime for breaches of these obligations of up to 4% of global turnover.
The question which arises is whether in light of the referendum vote in favour of Brexit, those preparations are still appropriate. We consider that they are, because we believe that the Regulation is still likely to constitute our data protection law as from May 2018. This is for the following reasons.
EEA members must comply with European Union data protection law
One likely option for the UK will be to join the European Economic Area (the "EEA"), along with Norway, Iceland and Liechtenstein. The rules of the EEA and in particular its …
On 2 February the ICO announced that it had published a new code of practice relating to privacy notices, transparency and control, which aims to keep pace with the increasingly complex digital landscape and also take into account the broader transparency rules under the GDPR. The ICO's current guidance, from 2010, is here.
‘Transparency’ under the GDPR
Although organisations are already required to provide certain details in relation to the identity of the data controller and the purposes for which the data is being collected, the GDPR will increase the amount of information which must be provided to individuals, including the rights available to them, information on data transfers and the source of the data. All information must be presented in a concise, transparent, intelligible and easily accessible form, using clear and plain language and tailored to the specific audience (including children). Organisations which fail to meet these requirements …
Late yesterday (7 December) the EU institutions reached a deal on the Network and Information Security Directive. The Directive will introduce new cyber security requirements for providers of key infrastructure, and oblige them to report details of cyber attacks to the authorities. The deadline for bringing the new rules into force will be in Q3 2017. Businesses which fall within the Directive's definition of "digital service providers" (including online marketplaces, cloud computing and search engines) will also be subject to security and breach notification requirements. The final text of the Directive is still awaited. Datonomy will provide further analysis once the text becomes available.
On 7 December, after many months of trilogue negotiations, the EU institutions reached a compromise on the text of the NISD. The European Commission issued this press release and the Council of the European Union followed suit swiftly with this …
With cyber attacks now routinely in the headlines, with the global cost of cybercrime estimated at $400 billion for this year and with governments responding with a host of counter-measures, the Datonomy team is launching a weekly round-up to help you stay up to date with the latest legal, regulatory and news developments from around the world. Given the inextricable link between data privacy and cybersecurity, we hope that Datonomy's growing readership will find this update useful. We look forward to hearing your comments, and welcome news and updates from Datonomy readers around the globe.
- Cyber security was again front page news last week with the announcement by the UK and US that they will stage cyber attack war games, initially in the financial services sector, and improve the exchange of cyber intelligence between the two powers (read the BBC's coverage here). In related news, twelve UK cyber …
In our first edition, there are two proposals making their way through the Brussels legislature which will change the legal landscape for the reporting of cyber attacks. These are the draft Network and Information Security Directive, which will impose reporting obligations on providers of critical infrastructure, and the draft General Data Protection Regulation, which will impose data breach reporting requirements on all data controllers. The summer has seen much institutional change in the EU, first with the European Parliament elections in May, the start of Italy's Council Presidency in July and now with the reorganisation of the European Commission and appointment of a new Commission President and Commissioners with effect from 1 November. The summer has seen little procedural progress, although trilogue negotiations on the NISD have now begun, and on the GDPR the Council (representing the Member States) has, according to this Council press release, …