Cybersecurity, Privacy & Data Protection Alert


Cybersecurity, Privacy & Data Protection Alert
December 21, 2015

If you read one thing
The new EU-wide legal framework will have an extremely significant impact on how businesses collect, store, transfer and use data. The Data Protection Authorities at the national level (and below, where applicable) will all apply and interpret the same law, thereby harmonizing data protection rules across the EU to the benefit of the increasing number of cross-border businesses. Although the Regulation will not become effective until two years after the approvals, companies should engage now to begin devising a comprehensive compliance program, including data mapping, hiring privacy compliance staff, resource allocation planning, budgeting, testing and implementing, and also analyzing potentially significant changes in business practices.

The EU General Data Protection Regulation
On December 15, 2015, European Union ("EU") politicians and officials reached a political agreement on a new EU-wide legal framework to govern data sharing and collection and related consumer privacy rights. It is called the General Data Protection Regulation (the "Regulation") and it will have an extremely significant impact on how businesses collect, store, transfer and use data. The Regulation consists of a rule package of more than 200 pages and represents the biggest update to EU privacy law in two decades. Although the text of the agreement has yet to be finalized or published, and refinements are possible until final approval is given by the European Parliament (the "Parliament") and the Council of the EU (the "Council"), the version that is now publicly available is likely to be very close to what is eventually published. After the approvals, the Regulation will be translated and published in the EU's 24 official languages, likely around May, and will become effective two years after that.

While companies may be tempted to sit back until just before the Regulation becomes effective, ensuring timely compliance will require a substantial lead-in time in order to allow for data mapping, hiring privacy compliance staff, resource allocation planning, budgeting, testing and implementing, and also analyzing potentially significant changes in business practices.

Background
In January 2012, the European Commission (the "EC") first proposed a new data protection framework to replace the EU Data Protection Directive of 1995, Directive 95/46/EC (the "Directive"). As a Regulation rather than a Directive, the new law will apply directly to, and bind, the 28 EU Member States without requiring national implementing legislation. The Data Protection Authorities ("DPAs") at the national level (and below, where applicable) will all apply and interpret the same law, thereby harmonizing data protection rules across the EU to the benefit of the increasing number of cross-border businesses. Up until now, there has been a patchwork of varying privacy rules, from the stricter, more formalistic jurisdictions (led by Germany) to the more principles-based and flexible jurisdictions (including the United Kingdom).

Following numerous amendments to the EC draft proposed by the Parliament in 2014, it was left to the Council, which shares legislative powers with the Parliament, to put its own proposal on the table. Next came the trilogue negotiations, during which the EC, the Parliament and the Council reconciled their draft proposals. Finally, on December 15, 2015, the Parliament and the Council announced a political agreement on a consolidated text of the Regulation. The Regulation will replace the Directive in its entirety.

Key Rules Under the Regulation

New Requirements for Business

Expanded scope. The Regulation applies to any controller or processor handling the personal data of individuals in the EU, regardless of where the controller or processor is headquartered or keeps its servers. This means that virtually any business that offers its products or services to EU consumers will fall within scope. In particular, the Regulation will apply to the online activities of non-EU companies that offer goods or services to, or monitor the behavior of, individuals in the EU, including third-party technology service providers that may not have been formally covered by the rules in many Member States. This is likely to have a major impact on the cloud industry: for example, cloud-based processing performed outside the EU on behalf of an EU-based company is covered by the Regulation.

Personal data. The Regulation expands the Directive's definition of personal data, defining it as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person." In addition, two new categories, genetic data and biometric data, join the prior list of sensitive or "special" personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and data concerning health, sex life or sexual orientation.

Consent. As under the Directive, consent is one of several possible legal bases for processing personal data. Consent must be freely given, specific and informed, and demonstrated by a clear affirmative action by the data subject. There are also several new limitations on consent, including that consumers cannot be asked to agree to unfair contract terms in exchange for their consent. Moreover, consent will not be deemed freely given where the performance of a contract or service is made conditional on the data subject consenting to processing of personal data that is not necessary for that contract or service.

International data transfers. The Regulation will maintain the general prohibition on transfers of personal data to non-EU countries that are not officially recognized as "adequate" by the EU, including the United States, but stricter conditions will apply for obtaining adequacy status. The Schrems decision of the Court of Justice of the EU recently invalidated the Safe Harbor arrangement between the United States and the EU, one of the available methods for lawfully transferring data to the U.S. (and the decision may have implications for other transfer mechanisms). Those who still rely on Safe Harbor have been told that enforcement against them is unlikely before January 31, 2016. Observers are hopeful that by that time a new agreement between the U.S. government and the EC will be in place to replace Safe Harbor.

Data protection officer. Many organizations, including all public authorities and bodies processing personal data, all companies whose core activities involve large-scale processing, and all companies processing sensitive data on a large scale, will now be required to appoint a data protection officer. Data protection officers will be more akin to in-house compliance officers, although there may also be an opportunity to outsource this function; a high level of independence will be key.

Breach notification. The Regulation will require companies to notify the competent regulator of a personal data breach that creates a risk for the data subjects involved, where feasible within 72 hours of becoming aware of the breach.

Higher fines. The maximum fines for violations of data protection law will increase dramatically under the Regulation, with DPAs able to impose fines for noncompliance of up to 4% of a company's global annual turnover in some instances. European policymakers had been concerned that the lighter penalties previously associated with privacy violations were inadequate, and an effort was made to follow more closely the model of EU competition law, under which penalties can reach 10% of a company's global revenues.

More centralized enforcement. The Regulation will allow businesses to deal primarily with a single national privacy regulator in Europe. Although EU officials have used the term "one-stop shop," in practice this promises to be more complex. Companies that operate in multiple EU countries may need to interact with DPAs in various Member States before going before a pan-European board of regulators.

New Individual Rights
The Regulation creates or clarifies rights for individuals to control their personal data. Among other things, the Regulation will codify that individuals have a "right to be forgotten" and will create a right to easily transfer personal data from one service or product to another (the "right to data portability"). The Regulation also raises the digital age of consent from 13 to 16 years old, although Member States will be able to set a lower threshold, but not below 13. This last development may raise challenging issues for companies in light of the substantially increased number of consents they may need to obtain from an age group with very active online lives, their own money and possibly lighter parental supervision.

Next Steps
The final text of the Regulation will be submitted for a formal vote of the Parliament and the Council early next year. The Regulation will take effect two years after its adoption, i.e., likely in the first half of 2018. Given the complexity of the Regulation, the scope of its impact on the way multinational corporations collect, store, transfer and use data, and the lead times on IT projects, we are advising clients to engage now to begin devising a comprehensive compliance program, including a road map and implementation timeline. Akin Gump's privacy and data protection experts are available to start the compliance conversation and data-mapping process to prepare you for these upcoming changes. Stay tuned for Akin Gump's privacy and data protection event in late winter/early spring, to be held in Washington, D.C.

Contact Information
If you have any questions regarding this alert, please contact:

Davina Garrod, davina.garrod@akingump.com, +44 20.7661.5480, London
Natasha G. Kohne, nkohne@akingump.com, +971 2.406.8520, Abu Dhabi; +1 415.765.9500, San Francisco*
Michelle A. Reed, mreed@akingump.com, +1 214.969.2713, Dallas
David S. Turetsky, dturetsky@akingump.com, +1 202.887.4074, Washington, D.C.
Jo-Ellyn Sakowitz Klein, jsklein@akingump.com, +1 202.887.4220, Washington, D.C.
Isabelle R. Gold, igold@akingump.com, +1 212.872.7482, New York

*Licensed to practice for 15 years in New York. Practicing in California under the supervision of the partners of Akin Gump Strauss Hauer & Feld LLP. Application for admission to the California Bar pending.

© 2015 Akin Gump Strauss Hauer & Feld LLP. This document is distributed for informational use only; it does not constitute legal advice and should not be taken as such.