The proposed ePrivacy Regulation: EDPS and WP29 express concerns with consent and tracking walls provisions and other issues
Since its hotly awaited publication in January, the Proposal for an ePrivacy Regulation (“Proposal”) has come under scrutiny from various stakeholders. Recently both the Article 29 Working Party (“WP2…
This app will read out GDPR regulations to send you to sleep
A meditation app will read out the text of Europe’s lengthy new data protection rules to get users to relax and send them to sleep.
Dozens of American News Sites Blocked in Europe as GDPR Goes Into Effect Today
The European Union’s digital privacy law, known as the General Data Protection Regulation (GDPR), officially went into effect today. But some websites in the U.S. have decided to block t…
GDPR: The simple guide to Europe’s new data privacy law
How to find out what Facebook knows about you. A revolution in how companies handle your personal information is happening. The General Data Protection Regulation (GDPR) comes into effect across the Eur…
GDPR Resource Library
On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data.
Make Your Email Marketing GDPR Compliant (No Checkboxes Needed)
The new European data protection regulations (GDPR) are right around the corner and many website owners are in a panic. There’s been a lot of talk about rules, regulations and hefty fines that await t…
The Myths of GDPR
25th May is just a few days away and I’m sure you’re swimming in emails asking you to “stay in touch”. There’s been a hell of a lot of confusion over this rather significant change in the law, with peo…
What Google’s GDPR Compliance Efforts Mean for Your Data: Two Urgent Actions
Posted by willcritchlow. It should be quite obvious for anyone that knows me that I’m not a lawyer, and therefore that what follows is not legal advice. For anyone who doesn’t know me: I’m not a lawyer,…
No one’s ready for GDPR
The General Data Protection Regulation will go into effect on May 25th, and no one is ready – not the companies and not even the regulators. After four years of deliberation, the General Data Protecti…
The privacy pro’s guide to explainability in machine learning
With the GDPR’s implementation date looming, there has been much discussion about whether the regulation requires a “right to an explanation” from mach…
What WP29 requires for Privacy Shield and when they want it
At its 113th plenary meeting held on Nov. 28, 2017, in Brussels, the Article 29 Data Protection Working Party adopted its EU-U.S. Privacy Shield Report, w…
Everything you’ve ever wanted to know about DPO but never dared to ask – Privacy, Security and Information Law Fieldfisher
As the entry into force of the General Data Protection Regulation (GDPR) approaches, more and more companies are assessing whether they need to designate a Data Protection Officer (DPO) and, at times,…
Top tips for drafting global data protection terms – Privacy, Security and Information Law Fieldfisher
Here’s a challenge for privacy practitioners everywhere. Laws, by their nature, are national (or in some cases, like the GDPR, regional) but the businesses we represent often consume, process and sha…
How To Protect Your Users With The Privacy By Design Framework — Smashing Magazine
In these politically uncertain times, developers can help to **defend their users’ personal privacy** by adopting the _Privacy by Design (PbD)_ framework. These common-sense steps will become a requir…
In a response (4-page / 224KB PDF) to a Treasury consultation on the implementation of the revised EU Payment Services Directive (PSD2) in the UK, the ICO urged firms involved in facilitating open banking to engage with it on the project, and highlighted the potential open banking has for aiding compliance with the General Data Protection Regulation (GDPR).
“We encourage industry to maintain an open dialogue as it designs and implements an open API standard,” the ICO said. “The information commissioner views open banking as a key way in which individuals’ rights to data portability under article 20 of GDPR may be given practical effect, and it should therefore help financial institutions meet their data portability obligations.”
Under the GDPR, data controllers must make the personal data they possess available to consumers in “a structured, commonly used and machine-readable format” so that those consumers can share that data with rival companies “without hindrance”, and must provide that data directly to other businesses at the request of consumers where it is “technically feasible”.
Those data portability obligations only apply to data controllers that process personal data on the basis of customer consent or in order to perform a contract involving the data subject, and only where the processing takes place by “automated means”.
The data portability obligations will apply from 25 May 2018 when the GDPR takes effect. However, banks and other businesses in the payments market face further new regulation under PSD2 and the UK’s open banking initiative. Open APIs are seen as an enabler of both open banking and the PSD2 reforms.
The Competition and Markets Authority (CMA) has mandated the establishment of new standards that will allow businesses and consumers to share their own transaction data from their current accounts with other banks and third parties and to manage multiple providers through a single app.
Under PSD2, banks and other PSPs will be obliged to enable access to their accounts by third parties acting on the request of customers. The move is aimed at supporting the growth of payment initiation service providers (PISPs) and account information service providers (AISPs) – such as businesses that allow customers to access information from their payment accounts in one place – which have emerged into the payments market in recent years as technology has advanced.
In its consultation response, the ICO referred to the data security obligations that businesses in the payments market will have under PSD2, including the regulatory technical standards on strong customer authentication and secure communication which have been developed by the European Banking Authority (EBA).
National laws implementing PSD2 will come into effect from 13 January 2018. However, certain provisions on security, and the standards on strong customer authentication and secure communication, will not apply until the autumn of 2018. The ICO reminded firms in the payments market, though, that they will still face obligations on data security during the transitional period before the PSD2 security measures and standards on strong customer authentication and secure communication take effect.
“Both the DPA (UK Data Protection Act) and GDPR require organisations to take appropriate technical and organisational measures to protect the security and integrity of any personal data that they process,” the ICO said. “Payment service providers therefore need to ensure that they have adequate systems in place to protect the security and integrity of the personal data they process as soon as they begin processing this data.”
“We would agree that as the draft RTS (regulatory technical standards) is now available, systems and procedures should be designed in line with the RTS wherever possible in order to ensure minimal disruption when the RTS eventually comes into force. We are keen to ensure that the provisions of PSD2 are implemented in a way that is harmonious with, and complements, data protection requirements. To this end, we will continue to engage with HM Treasury, the Financial Conduct Authority, industry bodies and other relevant stakeholders about this matter,” it said.