The European Parliament, Council and Commission have reached a compromise on the text of the new Copyright Directive (previously discussed here). The proposed Directive targets digital use of press publications by information society service providers, such as news aggregators and media monitoring services. As discussed below, the two most controversial provisions are Articles 11 and 13, known respectively as the “link tax” and “upload filtering” provisions. The Commission has issued a press release, but not an official copy of the compromise text.
The EDPB has published information notes on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority to help organisations prepare for a no-deal Brexit. The information notes build on guidance already issued by the UK ICO and Irish Data Protection Commission (discussed here).
The Information Note on Data Transfers warns that, in the event of a no-deal Brexit, the UK will be a ‘third country’ from 30 March 2019. As a result, personal data cannot be transferred from the EEA to the UK unless organisations implement a data transfer mechanism under the GDPR, such as standard contractual clauses; ad hoc contractual clauses; binding corporate rules (BCRs); codes of conduct and certification mechanisms, or a derogation. In regard to data transfers from the UK to the EEA, the UK Government have confirmed the current practice, which permits personal data to flow freely from the UK to the EEA, will continue in the event of a no-deal Brexit.
The European Data Protection Board (EDPB) has published its work program for the next two years. The program lists the guidelines, consistency opinions, and other types of activities the EDPB intends to carry out. The program is based on the needs identified by the EDPB as priority for individuals, stakeholders, as well as the EU legislator planned activities. The Guidelines due to be published over the coming two years include:
- Guidelines on reliance on Art. 6(1) b in the context of online services (i.e. the contractual necessity legal basis)
- Guidelines on concepts of controller and processor (Update of the WP29 Opinion)
- Guidelines on the notion of legitimate interest of the data controller (Update of the WP29 Opinion)
- Guidelines on the Territorial Scope of the GDPR (finalisation after the public consultation)
The European Data Protection Board (EDPB) has adopted an Opinion (3/2019) on the interplay between the EU Clinical Trials Regulation (536/2014) (CTR) and the GDPR, following a request from the European Commission to review its Q&A on the topic. The CTR, which is expected to enter into force in 2020, aims to harmonise the rules for conducting clinical trials throughout the EU. It does not contain any derogations from the GDPR and will therefore apply simultaneously with the GDPR.
The EDPB’s Opinion focuses on: (1) the legal basis under the GDPR for processing personal data in the course of a clinical trial protocol (primary use), and (2) further use of clinical trial data for other scientific purposes (secondary use). Some highlights of the EDPB’s Opinion are set out below.
The European Commission has published an infographic on compliance with and enforcement of the GDPR since from May 2018 to January 2019. The infographic reveals some interesting statistics, including:
- 95,180 complaints have been made to EU national data protection authorities (DPAs) by individuals who believe their rights under the GDPR have been violated. The majority of these complaints concerned telemarketing, promotional emails, and video surveillance/CCTV.
It looks unlikely that the draft e-Privacy Regulation will come into effect before 2021. European Council negotiations on the text of the draft Regulation are currently ongoing, and trilogue discussions by the Council, Parliament and Commission will then take place. However, the upcoming May 2019 European elections may lead to a delay in the Council adopting a common position and the trilogue discussions commencing. In addition, the latest draft text of the Regulation, published by the European Council, provides that it will apply 24 months from the date it is adopted, with the result that even if it is adopted imminently, it may not come into effect until 2021.
The European Commission has adopted an adequacy decision on Japan, creating the world’s largest area of safe data flows. The decision means that EU organisations can transfer personal data to organisations in Japan, without having to put in place a transfer mechanism laid down in Chapter 5 of the GDPR (such as the Commission’s standard contractual clauses or Binding Corporate rules). Japan has adopted an equivalent decision, making it simpler for Japanese organisations to transfer personal data to the EU. The adequacy decision, as well as the equivalent decision on the Japanese side, came into force on 23 January 2019.
The Government has published its Legislation Programme for Spring 2019. Preparing for Brexit is the central feature of the Spring Legislation Programme (which covers the period January-March 2019). The Brexit omnibus bill, the Miscellaneous Provisions (Withdrawal of the United Kingdom from the European Union on 29 March 2019) Bill, is the primary item in the Spring Programme.
The Brexit omnibus bill comprises vital legislation across 17 elements that will need to be enacted prior to Brexit in the event of a no-deal Brexit. Part 17 of the proposed Bill will provide for amendments to the Data Protection Act 2018. While the possibility of introducing a number of Brexit-related bills was considered, the Government believes that a single, standalone bill, that contains a number of parts, is the most efficient and effective way of preparing for Brexit. In addition, the Government has stated that many of the provisions will be provided for through statutory instruments that will be ready for signing should they be required in the event of a no-deal Brexit.
While Brexit is the priority, the Government has indicated that work is continuing on other legislation across all Government departments and a number of bills that are at an advanced stage will be introduced in the coming weeks, and progressed alongside those currently on the Dáil Order Paper.
The Data Protection Commission (DPC) has issued guidance in relation to the transfer of personal data to and from the UK in the event of a ‘no deal’ Brexit. The DPC’s guidance is in line with the ‘no deal’ Brexit guidance published on 13 December 2018 by the UK Government (supplementing its September 2018 Technical Note) and by the UK Information Commissioner’s Office (ICO). Some highlights of the guidance issued by the Irish and UK regulators, and UK government, are set out below.
The European Commission has published its Report and Staff Working Document on the second annual review of the Privacy Shield. The Report concludes that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to the 3850 participating companies in the U.S. It notes that the steps taken by the U.S. authorities to implement the recommendations made by the Commission in last year have improved the functioning of the framework.
However, the Commission expects the US authorities to nominate a permanent Ombudsperson by 28 February 2019 to replace the one that is currently acting. The Ombudsperson is an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed. If the Ombudsperson is not appointed by that date, the Commission will consider taking appropriate measures, in accordance with the GDPR.