Global Privacy & Security Compliance Law Blog

GDPR & PSD2: Squaring the Circle

GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.

By Christian F. McDermott, Calum Docherty and Brett Carr

There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactionsⁱ and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.

In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.

A New Era for Data Protection in Brazil

By Latham & Watkins LLP on August 9, 2018 Posted in Legislative & Regulatory Developments, Security

Brazilian Congress passes a data protection bill that seeks to improve privacy and cybersecurity.

By Amadeu Ribeiro and Thiago Luís Sombra (Mattos Filho, Veiga Filho Marrey Jr e Quiroga Advogados) and Jennifer Archie and Terese Saplys

The Brazilian Congress has been working on a bill relating to the protection of personal data for over eight years. The Senate approved the bill, known as the General Data Protection Act (GDPA), on 10 July 2018, and the bill was sent to the President for execution. A window of 15 business days (i.e., up to and including 13 August 2018) within which the President may veto the bill now follows. If the President does not actively reject the bill, it automatically becomes law. Thereafter, businesses will have an 18-month grace period (i.e., up to and including 13 February 2020) to adjust to the change in law before it becomes effective on 14 February 2020.

What Is the GDPA?

The GDPA was motivated in part by Brazil’s desire to be admitted to the OECD and to prevent disruption in its commerce with the European Union and other important trading partners. As such, the GDPA seeks to match the level of protection afforded to data subjects by the laws of these trading partners.

FCA Speaks Out on the Ethics of Big Data

By Latham & Watkins LLP on July 16, 2018 Posted in Privacy, Security

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon.

By Nicola Higgs, Fiona Maclean and Terese Saplys

Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems Regulator, addressed how to avoid this hypothetical scenario in a broad-ranging speech on that he delivered on 11 July 2018 in London.

Randell’s Remarks

Contributing Factors to an Algocracy

According to Randell, the following three conditions could collectively give rise to a future algocracy:

If a small number of major corporations were to hold the largest datasets for a significant number of individuals (as is currently the case)
Continuing vast and rapid improvements in artificial intelligence and machine learning that allows firms to mine Big Data sets with greater ease and speed
Further developments in behavioural science allowing firms to target their sales efforts by exploiting consumers’ decision-making biases

California Consumer Privacy Act of 2018 May Usher in Sweeping Change

By Latham & Watkins LLP on June 30, 2018 Posted in Legislative & Regulatory Developments, Privacy

Businesses active in California should promptly assess whether the law applies to their practices and start planning towards compliance with the new law.

By Jennifer Archie, Michael Rubin, and Scott Jones

Key Points:

A sweeping new privacy law — the California Consumer Privacy Act of 2018 — was signed into law on June 28, 2018.
The Act imposes substantial new obligations on businesses that collect, process, and disclose the data of California residents.
The Act was drafted, voted on, and enacted in a matter of days, but it will not go into effect for another 18 months: on January 1, 2020. Given this rushed process, changes to the law before its effective data can be expected.

Facing pressure from a significantly stronger ballot measure in the state, on Thursday, June 28, 2018, the Governor for the State of California signed into law the California Consumer PrivacyAct of 2018 (the CCPA). Effective January 2020, this law ushers in widespread changes to California’s law on the information practices for covered businesses collecting, processing, and disclosing information gathered from or about California consumers or their devices. Continue Reading

Update: California’s Consumer Right to Privacy Ballot Initiative

By Latham & Watkins LLP on April 16, 2018 Posted in Legislative & Regulatory Developments, Privacy

California ballot initiative, Consumer Right to Privacy Act of 2018, gathers momentum for a November vote, spurring some telecom and internet businesses to organize opposition.

By Michael H. Rubin, Roxana Mondragón-Motta, and Scott C. Jones

Businesses are preparing to oppose a California ballot measure that could impose new data privacy and security obligations, with the threat of significant civil liability for non-compliance. Signatures are being gathered to put the Consumer Right to Privacy Act of 2018 (the “CRPA Measure”) on the November 2018 California ballot. The CRPA Measure, introduced by two California citizens, claims to give California consumers an “effective way to control their personal information” by providing them with (1) a right to request certain information about what personal information covered businesses have collected and sold or disclosed within the last year and (2) the right to opt-out from having their personal information disclosed by a covered business. The initiative also provides multiple avenues for enforcement (private civil actions; attorney general or local prosecutor enforcement; and whistleblower actions).
Continue Reading

New Home for Our Interactive GDPR Implementation Tracker – GDPR.lw.com

By Latham & Watkins LLP on April 9, 2018 Posted in Legislative & Regulatory Developments

The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. As an EU Regulation, it will be directly effective in each EU member state, but all member states are expected to pass national implementing legislation.

Latham’s GDPR Implementation Tracker is an interactive, web-based tool to help companies doing business in Europe stay abreast of the latest developments. The Implementation Tracker is now available at gdpr.lw.com.

Updates will be provided regularly, with additional informative features still to come.

National Cyber Security Centre Releases NIS Directive Guidance

By Latham & Watkins LLP on February 21, 2018 Posted in Legislative & Regulatory Developments, Security

The UK agency’s principles-based guidance on cybersecurity for OES adds important detail to NIS Directive obligations.

By Gail Crawford, Mark Sun, Fiona Maclean, and Malika Sajdik

The National Cyber Security Centre (NCSC) has published introductory guidance for operators of essential services (OES) on the new cybersecurity rules under the EU’s Security of Network and Information Systems Directive (NIS Directive). The NIS Directive is the first EU-wide legislation on cybersecurity and must be transposed into member state domestic legislation by 9 May 2018. (Additional information on the NIS Directive, and the UK’s approach to implementation, is available in this blog post.) The NCSC’s guidance, released 28 January 2018, aims to help OES improve their security infrastructure and reduce their likelihood of suffering a cyber incident. Continue Reading

Cybersecurity: UK Government Releases Response to Public Consultation on NIS Directive

By Latham & Watkins LLP on February 20, 2018 Posted in Legislative & Regulatory Developments

Proposed changes provide indication of the yet-to-be-published contents of the NIS Directive’s implementing regulation.

By Gail Crawford, Mark Sun, Fiona Maclean, and Malika Sajdik

The UK government moved closer to implementing the Security of Network and Information Systems Directive (NIS Directive) with the release of its consultation response.

The NIS Directive is the first EU-wide legislation on cybersecurity that aims to enhance network and information system security across vital business sectors within the EU. The UK government launched a public consultation in autumn 2017 to obtain feedback on its proposed approach to implementation. Although the consultation response indicated broad support for the proposals, the UK government has proposed changes to address certain areas of concern. The consultation response, which was released on 28 January 2018, focuses on the following topics.

Updated: Latham’s GDPR National Implementation Tracker

By Latham & Watkins LLP on February 14, 2018 Posted in Legislative & Regulatory Developments

By Gail Crawford and Mark Sun

With the assistance of colleagues across the EU, Latham & Watkins has updated its GDPR National Implementation Tracker.

With just over three months to go until the GDPR go-live date on 25 May 2018, two EU member states (Belgium, Slovakia) have joined Austria and Germany in successfully implementing the GDPR in their national laws.

Since our last update in October 2017:

Six additional member states have published draft implementing legislation for a total of 16 member states with legislation in progress.
Eight member states, however, still have yet to publish any draft.

As the various member state legislation take shape, we will provide further updates on the implementation process. We will also compile an analysis of key areas of derogation from the GDPR for each member state in relation to bases for processing special personal data, exemptions to data subject rights or notice requirements, additional sanctions for breach, and others. Get updates on this and other key data privacy insights by subscribing to our e-mail in the sidebar.

US Government Contractors Face New Cybersecurity Requirements

By Latham & Watkins LLP on December 22, 2017 Posted in Legislative & Regulatory Developments, Security

By Jennifer Archie, Serrin Turner, Kyle Jefcoat, Dean Baxtrasser and Morgan Maddoux

As of December 31, 2017, many United States government contractors face a new compliance requirement involving cybersecurity. This requirement will govern most new Department of Defense (DoD) contracts and, significantly, will apply to many current DoD contracts that include the applicable standard contract clause.

On October 21, 2016, DoD issued a final rule, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS Rule), which is intended to address “enhanced safeguarding for certain sensitive DoD information.” The DFARS final rule requires contractors to safeguard information systems and imposes investigation and reporting requirements in the case of cyber incidents.

Under the DFARS rule, contractors will be required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 — a requirement that goes into effect at the end of this month. The DFARS Rule focuses on protecting “covered defense information” (CDI) — that it defines broadly — and stipulates the basic security requirements a defense contractor must implement and maintain. A defense contractor generally must implement the security requirements in the version of NIST SP 800-1717, which were developed for use on contractors’ internal systems and should enable contractors to comply with the requirements using their existing systems and practices — rather than forcing contractors to build a new system and develop practices from scratch in order to be in compliance. Continue Reading