EU Updates:
Spanish Ministry of Justice Launches Public Consultation on GDPR. On February 7, 2017, the Spanish Ministry of Justice launched a public consultation as a preliminary step before drafting a new bill implementing the General Data Protection Regulation (GDPR). The press release clarifies that although the GDPR has direct effect in the European member states, its implementation into Spanish law is not a straightforward exercise because the obligations in existing data protection legislation need to be maintained or amended (as the case may be) and other sector-specific laws containing provisions on data protection need to be updated.
What Will Trump’s Executive Order Do to U.S. Privacy Law and EU–U.S. Data Transfers? On the third day of his presidency, President Trump signed an immigration-related Executive Order raising significant questions about the future of U.S. privacy law and EU–U.S. data transfers. The order, “Enhancing Public Safety in the Interior of the United States,” directs agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” The Executive Order has raised a number of questions, such as what will happen to the rights of non-U.S. persons (meaning those who are not U.S. citizens or lawful permanent residents) under the Privacy Act and the Judicial Redress Act, and how might EU–U.S. data transfers under the Privacy Shield be affected?
Spanish DPA Issues GDPR Guidelines. On January 26, 2017, the Spanish data protection authority (AEPD) published three guidance papers on the implementation of the GDPR. Although the guidance is primarily directed at small and medium-sized companies, it gives a snapshot on how the AEPD reads the GDPR and is thus relevant for all companies with operations in Spain.
Article 29 Working Party Identifies GDPR Implementation Priorities for 2017. In a press release published on January 16, 2017, the Article 29 Working Party (WP29) outlined its strategy for 2017 on implementation of the GDPR. Under the plan, the WP29 will finalize work begun in 2016 on data protection certification mechanisms, processing activities likely to result in “high risk” processing and data protection impact assessments, administrative fines, administrative issues presented by the establishment of the European Data Protection Board (EDPB) and establishment of the “one-stop shop” and the EDPB consistency mechanism.
WP29’s Guidance on the Lead Supervisory Authority. The WP29 issued detailed guidance on companies’ obligations under three key provisions of the GDPR. Alston & Bird offered a series of posts explaining this guidance:
-
Part 1 reviews data protection officer obligations under the GDPR.
-
Part 2 analyzes the right to data portability.
-
Part 3 addresses the “one-stop shop” mechanism that aims to simplify the way companies with operations in multiple EU countries interact with the EU supervisory authorities.
France Adopts New Regime For Privacy Class Actions. A few weeks ago, France passed the Digital Republic Act, which significantly enhances French citizens’ rights to privacy by offering new avenues to exercise rights and granting new powers to the French data protection authority. A recent amendment to the Data Protection Act, adopted November 18, 2016, goes a mile farther and introduces a new type of class action for privacy-related matters. Class actions were introduced into the French Consumer Code quite recently, in 2014.
UK Launches Public Consultation on GDPR Consent Guidance. The GDPR will come into force on May 25, 2018, replacing the UK’s Data Protection Act 1998. It is still unclear how Brexit will play out, yet in the meantime the United Kingdom is moving to adopt the GDPR principles so that it adequately protects the personal data transferred within the EU. The GDPR sets a high standard for consent and compliance, which means that companies must start preparing for this transition. The Information Commissioner’s Office (ICO) issued guidance on the GDPR consent on March 2, explaining its recommended approach to compliance and the definition of a valid consent. The ICO also provides examples and practical advice that assist companies to decide when a consent is unbiased and when other alternatives must be sought.
U.S. Updates:
Smart Television Manufacturer Settles by Paying $2.2 Million to the FTC and the State of New Jersey. The Federal Trade Commission (FTC) and the State of New Jersey recently announced a $2.2 million settlement with Vizio Inc. for tracking consumer behavior using its smart television devices. The complaint alleged that Vizio acted unfairly by collecting, storing (indefinitely) and sharing consumer data with third parties without consent and in an unexpected manner. Further, the complaint alleged that Vizio had misrepresented the functionality of the feature in their smart devintelevisions that collected such data.
FTC Staff Releases Report on Cross-Device Tracking. The FTC recently released its staff report on cross-device tracking. Cross-device tracking refers to the tracking of consumer activity across multiple devices such as smartphones, desktops, tablets and other connected devices.
Swiss–U.S. Privacy Shield Finalized. On January 11, U.S. and Swiss authorities announced final agreement on the Swiss–U.S. Privacy Shield Framework. The Framework defines standards for handling personal data exported from Switzerland to the U.S. and enables U.S. companies to meet Swiss legal requirements to protect personal data transferred from Switzerland. The Framework is a successor to the former Swiss–U.S. Safe Harbor framework, which was declared invalid by the Swiss data protection commissioner following the invalidation of Safe Harbor by the European Court of Justice.
New York Financial Services Regulator Issues Revisions to Proposed Cybersecurity Regulation. The New York Department of Financial Services (DFS) has released a revised version of the proposed cybersecurity regulations that it first issued in September. According to a press release issued by DFS Superintendent Maria Vullo, the new version of the proposed rules will be finalized following a 30-day notice and public comment period. Among the most notable changes are an extension of the effective date to March 1, 2017, an array of longer transition periods for various sections of the regulation, increased emphasis on risk assessment and a slight reduction in the extremely broad scope of the term “nonpublic information” from the previous draft.
[View source.]
