The European Data Protection Board (EDPB) has published its Annual Report covering the period from 25 May – 31 December 2018. It provides an overview of the EDPB’s activities last year, and discusses the areas it intends to focus on in 2019-2020.
Continue Reading EDPB Publishes Annual Report for 2018
On 17 April 2018, the European Commission proposed new rules in the form of a Regulation and an accompanying Directive, which aim to improve law enforcement authorities’ cross-border access to e-evidence.
The proposed Regulation on European Production and Preservation Orders enables a judicial authority in a Member State to obtain electronic evidence in criminal matters directly from a service provider in another Member State. The Directive complements the Regulation, as it sets out the rules for the appointment of service providers’ legal representatives, whose role is to receive and respond to judicial orders. The new rules will ensure swift access to e-evidence, with service providers being required to respond to judicial orders within 10 days and in emergency cases within 6 hours, compared to 10 months under the current Mutual Legal Assistance process.
Continue Reading European Council reaches position on proposed e-evidence Directive
The Data Protection Commission (DPC) has published its Annual Report for 25 May-31 December 2018. As always, the Report reveals some interesting statistics and case studies. In the coming months, the DPC expects to conclude a number of statutory inquiries, which it launched in 2018, into multinational technology companies with EU headquarters situated in Ireland. The DPC anticipates that the conclusion of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services. This briefing note sets out some of the highlights of the Report.
Continue Reading DPC publishes Annual Report for May-December 2018
The European Commission has published an infographic on compliance with and enforcement of the GDPR since from May 2018 to January 2019. The infographic reveals some interesting statistics, including:
Continue Reading European Commission publishes statistics on GDPR enforcement activities
The UK Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons is vicariously liable to 5,000 employees for misuse of their personal data by a rogue employee.
The decision is causing shockwaves amongst businesses, as it shows that a company may be held vicariously liable for a data breach caused
Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR – The Last Lap‘, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies who ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).
Continue Reading Over-Reporting Data Breaches to Data Protection Commission may result in enforcement action, warns Deputy Data Protection Commissioner
The European Commission (EC) has issued a notice reminding stakeholders that due to the UK’s intention to leave the EU, they will be considered a ‘third country’ for the purposes of data transfers from 10 March 2019 (available here).
Continue Reading European Commission reminds stakeholders that UK is a third country for data transfers from 10 March 2019
In its recent Report on the Privacy Shield, the Article 29 Working Party (WP29) recognised the progress of the Privacy Shield in comparison with the invalidated Safe Harbour, and the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield. However, the WP29 identified a number of concerns. Like the European Commission (EC), in its first annual review of the EU-US Privacy Shield, the WP29 called for the appointment of a permanent Privacy Shield Ombudsperson (and further explanation of the rules of procedure including by declassification), and filling the remaining positions on the Privacy and Civil Liberties Oversight Board (PCLOB). The WP29 requested these concerns to be prioritised and addressed prior to 25 May 2018, when the GDPR comes into force.
The WP29 further called for clear guidance on the Privacy Shield Principles, HR data and onward transfers, and increased supervision of compliance with the Privacy Shield principles. The US authorities are also requested to clearly distinguish the status of processors from that of controllers both at the time of their self-certification and at the time of further check. The WP29 demands these remaining issues to be resolved, at the latest, at the time of the next annual review of the Privacy Shield. If no remedies are brought to address the concerns raised by the WP29 within these time frames, the WP29 warned it will bring the Privacy Shield adequacy decision to the national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
Continue Reading What’s the current status of the Privacy Shield?
We have updated our GDPR Guide for Businesses to take account of new EU regulatory guidance. The guide is a ‘living document‘, which we will expand as more regulatory guidance is published.
The EU Article 29 Working Party has published guidance on a number of key changes introduced by the GDPR, including: administrative fines,
At its plenary meeting this month, the WP29 adopted the final version of its Data Protection Impact Assessment (DPIA) guidelines.
It also adopted draft guidelines on data breach notification and profiling, and administrative fines, which will be open for public consultation for 6 weeks before their final adoption. The guidelines are expected to be