On 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on a reciprocal finding of an adequate level of data protection by both sides.
Under the General Data Protection Regulation (“GDPR”) which became effective across Europe on 25 May 2018, an adequacy decision adopted by the Commission is one of the ways which allows personal data to be transferred outside the European Economic Area (“EEA”). An adequacy decision is adopted if the Commission, after its assessment of the level of protection in the recipient jurisdiction, decides that the recipient jurisdiction ensures an adequate level of protection to the personal data of EU data subjects.
This is the first time the Commission and a third country have agreed on reciprocal recognition of data protection adequacy. The Commission’s other adequacy findings (e.g. for New Zealand, Canada and Switzerland) are all unilateral decisions. Reciprocal recognition means that not only can personal data be transferred from the EEA to Japan in compliance with the GDPR, it can also be transferred from Japan to the EU in compliance with Japanese law.
In the cases of Clarkson Plc v Person(s) Unknown (“Clarkson”) and PML v Person(s) Unknown (“PML”), the court has created a new tool in the fight against cyber attackers. The defendants, who are unknown person(s), gained unauthorised access to the claimants’ IT systems and acquired a considerable quantity of information. The unknown defendant(s) then threatened to publicise the information unless a substantial sum was paid. Despite not being able to identify the attackers directly, the court was prepared to grant an injunction.
The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.
The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy.
In light of the booming market for the Internet of Things (“IoT”) and of the General Data Protection Regulation (“GDPR”), the Information Commissioner’s Office (“ICO”) has published an article focusing on the key factors that manufacturers and retailers of IoT devices should be thinking about. This follows the ICO’s draft guidance on data controller and processor liability issued in September last year.
The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.
With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.
For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. The briefings are listed below:
- The GDPR: the “whole of business” issue at the top of your board agenda
- The rise of the intelligent business: spotlight on employers
- Extending the long arm of the law: Extra-territoriality and the GDPR
- Data use – protecting a critical resource
- Supply Chain Arrangements: The ABC to GDPR Compliance
With increased outsourcing to the cloud or other third party external service providers and an increasingly complex supply chain for businesses, modern strategies for leveraging data can bring significant business efficiencies, competitive edge and growth opportunities, but also a range of risks that need to be understood and mitigated.
This has been matched by the increased relevance of data protection and associated regulation. In the words of the Information Commissioner, the EU General Data Protection Regulation (the “GDPR”) represents an “evolution” rather than a “revolution” in data protection regulation. Whilst existing data protection obligations have certainly been “tightened up” a notch, fundamentally, the underlying data protection principles remain largely unchanged.
The new EU data protection framework does, however, introduce some key changes that are giving rise to closer scrutiny of the supply chain protections in place between controllers and processors and, in turn, we are seeing a shift in the approach adopted by both parties in negotiating and implementing data processing arrangements.
We are living in an increasingly inter-connected digital society where the services of many organisations are global in nature, and yet internet activities are still being tackled by national laws and regulations. The online world does not respect physical or geographical boundaries, often giving rise to the question of which law is applicable in the case of online activities. In the data protection and privacy space, the new General Data Protection Regulation (“GDPR”) seeks to tackle this online transnational data and privacy issue through its extra-territorial application.
Data, described by some as the “new oil” of the digital economy, are now without doubt seen as critical for organisations to succeed. Data are a powerful and lucrative fuel for productivity. If not adequately protected, data are vulnerable to leaks that can cause widespread damage, and their true value is only realised once they have been processed and refined. They are, however, an almost infinite resource when compared with the finite supply of oil.
Data affect all businesses and industries, and dealing with data is an issue for the whole business as it affects every team within an organisation. In this article we examine:
- Market trends in the ballooning use of data worldwide.
- Some of the legal implications of dealing with data, particularly in light of the General Data Protection Regulation (679/2016/EU) (GDPR) which will apply from 25 May 2018, including in particular, GDPR compliance, cyber security and employee monitoring.
A version of this article was first published as the lead feature in the January/February 2018 issue of PLC Magazine.
This briefing is the second in our multi-disciplinary GDPR series which aims to help you successfully navigate the GDPR as 25 May 2018 approaches. Here we place the spotlight on key compliance considerations in the employment sphere.
Data is ubiquitous in the employment context: it is processed from the point at which a job application or CV is received if not before (such as profiling of potential candidates through LinkedIn, for example), right through to beyond the termination of employment (for example when references are given). The employer will handle “core” categories of employee data on an employee’s personnel file (for example, their address, national insurance number, performance appraisals, grievance and disciplinary records), but also data generated and processed in the context of pension schemes and share plans, as well as in liaising with third party providers such as insurers, payroll providers and occupational health professionals. It is worth noting that whilst we refer to “employees” in this briefing, the contents apply equally to employees, workers and self-employed contractors.
In particular, we consider some of the key requirements of the GDPR in the employment context, together with practical tips on how to implement the required changes.
Please read our full briefing for more on the following issues:
- Identifying a legal basis for processing employee data;
- Employee rights under the GDPR;
- How to transition to the new regime;
- Sensitive personal data;
- Monitoring and profiling; and
- Training and awareness.