Global Privacy & Security Compliance Law Blog

DIFC Issues New Direct Marketing and Electronic Communications Guidelines

Posted in GDPR, Legislative & Regulatory Developments, Privacy

The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”.

By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden

What Do DIFC-Registered Entities Need to Know?

In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing and Electronic Communications Guidelines, aimed at DIFC-registered entities that collect and maintain personal data for electronic direct marketing purposes.

The document provides practical guidance on the rules relating to the collection, maintenance, and use of personal data for electronic direct marketing purposes set out in the Data Protection Law, DIFC Law No.1 of 2007 (DP Law), which is based on the (now superseded) UK Data Protection Act 1998 and EU Data Privacy Directive 1996. However, the guidelines also take into account the latest direct marketing requirements under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Directive 2002, providing practical examples of “do’s” and “don’ts” for entities to consider. The guidelines also appear to leverage provisions from the October 2018 draft of the EC’s new e-Privacy Regulation (ePR) which is currently anticipated to come into force in 2021. Continue Reading

European Commission Adopts Adequacy Decision for Japan

Posted in GDPR, Legislative & Regulatory Developments

The European Commission adopted its adequacy decision for Japan on 23 January 2019, opening the doors for personal data to flow freely between the two major global economies.

By Fiona M. Maclean and Laura Holden

The Adequacy Decision

Following two years of dialogue between the European Union (EU) and Japan, the European Commission (EC) adopted its mutual adequacy decision (Decision) for Japan on 23 January 2019. As noted in the EC’s press release, the decision is effective immediately.

Japan now joins a list of select jurisdictions recognised as adequate by the EC, notably: Andorra, Argentina, Canada (for private entities only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (EU-U.S. Privacy Shield). The Decision is the first of its kind adopted since the General Data Protection Regulation (GDPR) became applicable in May 2018. Continue Reading

5 Ways for Companies to Limit GDPR Penalties

Posted in GDPR, Privacy

EU data protection authorities are imposing increased penalties under the GDPR, with more proceedings forecast for 2019.

By Tim Wybitul, Prof. Dr. Thomas Grützner, Dr. Wolf-Tassilo Böhm, and Dr. Isabelle Brams

The General Data Protection Regulation (GDPR) has been in effect since May 2018. Although the French data protection authority (CNIL) has imposed the highest fine to date — €50 million on 21 January 2019 — German federal data protection authorities have already imposed fines for GDPR infringements in 41 cases nationwide and say that they have “very many” additional fine proceedings in progress. This first wave of fines has come from five German authorities, with 11 authorities having not yet imposed any fines under the GDPR.

Under the former German data protection law, companies faced a maximum penalty of €300,000 for violations. However, the GDPR provides authorities with different disciplinary options and they can now impose fines of up to €20 million or more. The maximum fine may amount to up to 4% of the worldwide annual turnover. Hence, corporates with an annual revenue of more than €500 million may face fines exceeding the €20 million threshold. Continue Reading

French Data Protection Authority Issues €50 Million Fine in Landmark GDPR Case

Posted in GDPR, Legislative & Regulatory Developments, Privacy

The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”.

By Gail E. Crawford, Myria Saarinen, Camille Dorval, and Laura Holden

The Complaints

Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came into force on 25 May 2018, the French data protection authority (CNIL) received separate complaints about Google LLC (Google) from two non-profit organisations —La Quadrature du Net’ and ‘None Of Your Business’, the latter founded by activist lawyer Max Schrems. The complaints, made by the organisations on behalf of nearly 10,000 individuals, can be summarised as follows:

  • None Of Your Business claimed that users of Android mobile devices had no choice but to accept Google’s privacy policy and terms of use, which included having to consent to the use of their data for targeted behavioural advertising, if they wanted to be able to use the devices.
  • La Quadrature du Net claimed that Google processed personal data for targeted advertising without a valid legal basis.

Continue Reading

What a “No Deal” Brexit Means for UK Data Privacy

Posted in GDPR, Legislative & Regulatory Developments, Privacy

Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal.

By Gail E. Crawford and Jane Bentham

“No Deal” Brexit

Unless the UK can agree on a deal with the EU that meets the approval of the majority of the UK Parliament, withdraws its Article 50 notice, or can negotiate with the EU an extension to the 29 March 2019 departure (Exit Date), the UK will leave the EU without a ratified Withdrawal Agreement or an agreed Political Declaration (together, the Deal). The political uncertainties around the different scenarios warrant that businesses prepare for a “No Deal” Brexit in all areas, including in relation to the processing of personal data.

Under a “No Deal” Brexit scenario, the General Data Protection Regulation (GDPR) will form part of UK domestic law as “retained EU law” as a result of the EU (Withdrawal) Act 2018 (EUWA), with certain amendments made to it and also to the Data Protection Act 2018 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 under the (draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Privacy Exit Regulations), which is intended to come into force on the Exit Date. This is collectively being referred to as the “UK GDPR”. Continue Reading

Clinical Trials Under the GDPR: What Should Sponsors Consider?

Posted in GDPR, Legislative & Regulatory Developments

Sponsors outside the European Union conducting clinical trials in the EU should consider current guidelines and the Breyer case to understand whether GDPR requirements will apply to them.

By Gail Crawford and Frances Stocks Allen

Many sponsors of clinical trials believe that companies based outside the EU who sponsor clinical trials conducted in the EU through clinical research organisations (CROs) and/or clinical sites do not themselves need to comply with the General Data Protection Regulation (GDPR). Sponsors believe the GDPR does not apply to them as they do not conduct the research directly but only receive results in key-coded form, and only their CROs and/or clinical sites will have access to the raw data and/or the key that connects the key-coded data to individual patients. However, sponsors need to reconsider this presumption in light of current guidelines and the Breyer case. Similar issues arise in other fields, for example, data and market research, in which only key-coded data is received by the organisation commissioning the research. But following the GDPR and the Breyer decision these organisations may still be subject to the requirements of the GDPR.

Is Key-Coded Data Personal Data?

The GDPR defines “personal data” broadly to include any information relating to an identified or identifiable natural person. For this purpose, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4(1) GDPR). Continue Reading

EDPB Publishes Regulatory Guidance on Territorial Scope of GDPR

Posted in GDPR, Security

The Guidance provides helpful clarifications for service providers and their customers on both sides of the Atlantic.

By Robert Blamires, Fiona M. Maclean, and Danielle van der Merwe

Long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR) has been published by the European Data Protection Board (EDPB) for public consultation (Guidance). Under Article 3, the GDPR applies to the processing of personal data which meets the “establishment” test (Article 3(1)), or, failing that, meets the “targeting” test (Article 3(2))[i].

“Establishment” Test

The GDPR applies to the processing of personal data by a controller or processor established in the EU in the context of activities of that establishment, regardless of whether the processing itself takes place in the EU. “Establishment” is not defined in the GDPR, but the Guidance refers to pre-GDPR case law to assist with its interpretation. Continue Reading

German GDPR Fine Proceedings Conclude Favourably for Defending Company

Posted in GDPR, Legislative & Regulatory Developments, Privacy, Security

Germany’s first GDPR fine offers lesson for companies planning a data breach policy.

By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams

In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company demonstrates that, with a proper defence strategy, GDPR infringements may not necessarily end in a worst-case scenario for companies.

In July 2018, Knuddels GmbH & Co. KG (Knuddels), operator of the chat community Knuddels.de, noted the loss of 1.8 million user data records (including a file with unencrypted user passwords) as the result of a cyberattack. After reporting this incident to the appropriate supervisory authority, Knuddels was investigated for infringement of the GDPR. Because the authority deemed that the company’s IT security was not state-of-the-art, there was a high risk that the supervisory authority would impose a large fine on Knuddels.

Continue Reading

GDPR & PSD2: Squaring the Circle

Posted in Legislative & Regulatory Developments, Privacy, Security

GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.

By Christian F. McDermott, Calum Docherty and Brett Carr

There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactionsi  and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.

In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.

Continue Reading

A New Era for Data Protection in Brazil

Posted in Legislative & Regulatory Developments, Security

Brazilian Congress passes a data protection bill that seeks to improve privacy and cybersecurity.

By Amadeu Ribeiro and Thiago Luís Sombra (Mattos Filho, Veiga Filho Marrey Jr e Quiroga Advogados) and Jennifer Archie and Terese Saplys

The Brazilian Congress has been working on a bill relating to the protection of personal data for over eight years. The Senate approved the bill, known as the General Data Protection Act (GDPA), on 10 July 2018, and the bill was sent to the President for execution.  A window of 15 business days (i.e., up to and including 13 August 2018) within which the President may veto the bill now follows. If the President does not actively reject the bill, it automatically becomes law. Thereafter, businesses will have an 18-month grace period (i.e., up to and including 13 February 2020) to adjust to the change in law before it becomes effective on 14 February 2020.

What Is the GDPA?

The GDPA was motivated in part by Brazil’s desire to be admitted to the OECD and to prevent disruption in its commerce with the European Union and other important trading partners. As such, the GDPA seeks to match the level of protection afforded to data subjects by the laws of these trading partners.

Continue Reading

LexBlog