The proposed ePrivacy Regulation: EDPS and WP29 express concerns with consent and tracking walls provisions and other issues
Since its hotly awaited publication in January, the Proposal for an ePrivacy Regulation (“Proposal”) has come under scrutiny from various stakeholders. Recently both the Article 29 Working Party (“WP2…
This app will read out GDPR regulations to send you to sleep
A meditation app will read out the text of Europe’s lengthy new data protection rules to get users to relax and send them to sleep.
Dozens of American News Sites Blocked in Europe as GDPR Goes Into Effect Today
© Photo: Getty. The European Union’s digital privacy law, known as the General Data Protection Regulation (GDPR), officially went into effect today. But some websites in the U.S. have decided to block t…
GDPR: The simple guide to Europe’s new data privacy law
A revolution in how companies handle your personal information is happening. The General Data Protection Regulation (GDPR) comes into effect across the Eur…
GDPR Resource Library
On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data.
Make Your Email Marketing GDPR Compliant (No Checkboxes Needed)
The new European data protection regulations (GDPR) are right around the corner and many website owners are in a panic. There’s been a lot of talk about rules, regulations and hefty fines that await t…
The Myths of GDPR
25th May is just a few days away and I’m sure you’re swimming in emails asking you to “stay in touch”. There’s been a hell of a lot of confusion over this rather significant change in the law, with peo…
What Google’s GDPR Compliance Efforts Mean for Your Data: Two Urgent Actions
Posted by willcritchlow. It should be quite obvious for anyone that knows me that I’m not a lawyer, and therefore that what follows is not legal advice. For anyone who doesn’t know me: I’m not a lawyer,…
No one’s ready for GDPR
The General Data Protection Regulation will go into effect on May 25th, and no one is ready: not the companies and not even the regulators. After four years of deliberation, the General Data Protecti…
The privacy pro’s guide to explainability in machine learning
With the GDPR’s implementation date looming, there has been much discussion about whether the regulation requires a “right to an explanation” from mach…
What WP29 requires for Privacy Shield and when they want it
At its 113th plenary meeting held on Nov. 28, 2017, in Brussels, the Article 29 Data Protection Working Party adopted its EU-U.S. Privacy Shield Report, w…
Everything you’ve ever wanted to know about DPO but never dared to ask – Privacy, Security and Information Law Fieldfisher
As the entry into force of the General Data Protection Regulation (GDPR) approaches, more and more companies are assessing whether they need to designate a Data Protection Officer (DPO) and, at times,…
Top tips for drafting global data protection terms – Privacy, Security and Information Law Fieldfisher
Here’s a challenge for privacy practitioners everywhere. Laws, by their nature, are national (or in some cases, like the GDPR, regional) but the businesses we represent often consume, process and sha…
How To Protect Your Users With The Privacy By Design Framework — Smashing Magazine
In these politically uncertain times, developers can help to **defend their users’ personal privacy** by adopting the _Privacy by Design (PbD)_ framework. These common-sense steps will become a requir…
In a response (4-page / 224KB PDF) to a Treasury consultation on the implementation of the revised EU Payment Services Directive (PSD2) in the UK, the ICO urged firms involved in facilitating open banking to engage with it on the project, and highlighted the potential open banking has for aiding compliance with the General Data Protection Regulation (GDPR).
“We encourage industry to maintain an open dialogue as it designs and implements an open API standard,” the ICO said. “The information commissioner views open banking as a key way in which individuals’ rights to data portability under article 20 of GDPR may be given practical effect, and it should therefore help financial institutions meet their data portability obligations.”
Under the GDPR, data controllers must make the personal data they hold available to consumers in “a structured, commonly used and machine-readable format” so that those consumers can share that data with rival companies “without hindrance”, and must transmit that data directly to other businesses at the request of consumers where it is “technically feasible”.
Those data portability obligations only apply to data controllers that process personal data based on customer consent or to perform a contract involving the data subject and if the processing takes place by “automated means”.
The data portability obligations will apply from 25 May 2018 when the GDPR takes effect. However, banks and other businesses in the payments market face further new regulation under PSD2 and the UK’s open banking initiative. Open APIs are seen as an enabler of both open banking and the PSD2 reforms.
The Competition and Markets Authority (CMA) has mandated the establishment of new standards that will allow businesses and consumers to share their own transaction data from their current accounts with other banks and third parties and to manage multiple providers through a single app.
Under PSD2, banks and other PSPs will be obliged to enable access to their accounts by third parties acting on the request of customers. The move is aimed at supporting the growth of payment initiation service providers (PISPs) and account information service providers (AISPs) – such as businesses that allow customers to access information from their payment accounts in one place – which have emerged into the payments market in recent years as technology has advanced.
In its consultation response, the ICO referred to the data security obligations that businesses in the payments market will have under PSD2, including the regulatory technical standards on strong customer authentication and secure communication which have been developed by the European Banking Authority (EBA).
National laws implementing PSD2 will come into effect from 13 January 2018. However, certain provisions on security, and the standards on strong customer authentication and secure communication, will not apply until the autumn of 2018. The ICO reminded firms in the payments market, though, that they will still face obligations on data security during the transitional period before the PSD2 security measures and standards on strong customer authentication and secure communication take effect.
“Both the DPA (UK Data Protection Act) and GDPR require organisations to take appropriate technical and organisational measures to protect the security and integrity of any personal data that they process,” the ICO said. “Payment service providers therefore need to ensure that they have adequate systems in place to protect the security and integrity of the personal data they process as soon as they begin processing this data.”
“We would agree that as the draft RTS (regulatory technical standards) is now available, systems and procedures should be designed in line with the RTS wherever possible in order to ensure minimal disruption when the RTS eventually comes into force. We are keen to ensure that the provisions of PSD2 are implemented in a way that is harmonious with, and complements, data protection requirements. To this end, we will continue to engage with HM Treasury, the Financial Conduct Authority, industry bodies and other relevant stakeholders about this matter,” it said.
The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016, which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next ten months, several European Union and United States law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.
Part 1 of this GDPR Series is brought to you by FIDAL, a French law firm. Subsequent blog entries in this series will be brought to you by the law firms of Mills & Reeve, Graf von Westphalen (Germany) and VanBenthem & Keulen (Netherlands) as well as Robinson & Cole (United States).
GDPR Effective Date & Geographical Scope of Application
The GDPR will apply as of 25 May 2018. It provides a single set of innovative rules directly applicable in the entire European Union (EU), without the need for national implementing measures, which means that any personal data processing ongoing at that date must comply with the GDPR. This leaves one year for companies to ensure compliance.
The GDPR provides for a scope of application wider than processing undertaken in EU countries. It will also apply to data controllers or subcontractors not established within the EU, but which process data with the aim of providing goods and services to EU residents or monitoring EU residents’ behaviour.
Several steps should be taken by businesses in order to achieve compliance with provisions of the GDPR:
- Changes to internal processes to comply with the accountability rules
In order to effectively manage personal data protection within your business, an individual should be nominated to take charge of informing and advising the business, as well as organising its personal data activities. For many organisations, it will make sense to appoint a Data Protection Officer or "DPO" as of now in order to assess compliance as soon as possible, even outside the three circumstances in which the GDPR makes the appointment mandatory (public bodies, large-scale monitoring, and large-scale processing of data on criminal convictions, etc.). In any event, an audit of the personal data held and the processing undertaken makes sense.
The nominated person can then map data processing within the business and build a record of all ongoing data processing. On the basis of this information, a list of necessary actions can be prepared and prioritized in the light of risks to data subjects’ rights.
In practical terms, the principle of accountability means that businesses must track and document their compliance with data protection rules and keep these records available to respond to an inspection by state authorities.
- Promoting a risk-based approach
If any processing is identified as carrying a high risk to data subjects’ rights, the business should then conduct a Privacy Impact Assessment (PIA).
In addition, internal processes should be developed in order to respond to events likely to trigger the controller’s liability, such as a security breach, requests to access or rectify data, updates to processed data, a change of subcontractor, etc.
Data protection safeguards shall be built into products and services from the earliest stage of development ("Privacy by Design"), making use of techniques such as pseudonymisation and encryption.
- Data transfers
Data transfers outside the EU are subject to EU law for any subsequent processing and transfer. Standard Contractual Clauses, Binding Corporate Rules and the Privacy Shield scheme may still be used for transfers outside the EU.
- Agreements between data controllers and their subcontractors
Data controllers’ agreements with their subcontractors will have to incorporate new mandatory elements set out by the GDPR. Existing long-term agreements may need to be redrafted. Subcontractors will now have their own direct obligations in certain key areas such as record-keeping and security, separately from the obligations on data controllers.
- A single data protection authority
In future, businesses will deal with one single supervisory authority in the EU country in which they are mainly based, rather than having to engage with authorities in all relevant countries. The lead authority will then work with other national data protection authorities to achieve an EU-wide approach.
- Negative impacts in case of a legal breach
Whereas the existing EU legislation (Directive 95/46/EC) leaves to Member States the task of determining and applying sanctions, the GDPR is more prescriptive. It provides for administrative fines to be imposed on data controllers and subcontractors. The amount of those fines can go up to the greater of 20 million Euros and 4% of annual global turnover.
In the event of a serious data breach, companies will have to inform the relevant data protection supervisory authority within tight timescales, as well as the data subjects themselves in the event of the most serious breaches.