On September 30, 2018, the U.S., Mexico and Canada announced a new trade agreement (the “USMCA”) aimed at replacing the North American Free Trade Agreement. Notably, the USMCA’s chapter on digital trade recognizes “the economic and social benefits of protecting the personal information of users of digital trade” and will require the U.S., Canada and Mexico (the “Parties”) to each “adopt or maintain a legal framework that provides for the protection of the personal information of the users[.]” The frameworks should include key principles such as: limitations on collection, choice, data quality, purpose specification, use limitation, security safeguards, transparency, individual participation and accountability. Continue Reading APEC Cross-Border Privacy Rules Enshrined in U.S.-Mexico-Canada Trade Agreement
Recently, the French Data Protection Authority (“CNIL”) published its initial assessment of the compatibility of blockchain technology with the EU General Data Protection Regulation (GDPR) and proposed concrete solutions for organizations wishing to use blockchain technology when implementing data processing activities. Continue Reading CNIL Publishes Initial Assessment on Blockchain and GDPR
On September 25, 2018, the French Data Protection Authority (the “CNIL”) published the first results of its factual assessment of the implementation of the EU General Data Protection Regulation (GDPR) in France and in Europe. When making this assessment, the CNIL first recalled the current status of the French legal framework, and provided key figures on the implementation of the GDPR from the perspective of privacy experts, private individuals and EU supervisory authorities. The CNIL then announced that it will adopt new GDPR tools in the near future. Read the full factual assessment (in French). Continue Reading CNIL Publishes Initial Assessment of GDPR Implementation
Recently, the UK Information Commissioner’s Office (“ICO”) fined credit rating agency Equifax £500,000 for failing to protect the personal data of up to 15 million UK individuals. The data was compromised during a cyber attack that occurred between May 13 and July 30, 2017, which affected 146 million customers globally. Although Equifax’s systems in the U.S. were targeted, the ICO found the credit agency’s UK arm, Equifax Ltd, failed to take appropriate steps to ensure that its parent firm, which processed this data on its behalf, had protected the information. The ICO investigation uncovered a number of serious contraventions of the UK Data Protection Act 1998 (the “DPA”), resulting in the ICO imposing on Equifax Ltd the maximum fine available. Continue Reading UK ICO Fines Equifax for 2017 Breach
On September 5, 2018, the European Commission (the “Commission”) announced in a press release the launch of the procedure to formally adopt the Commission’s adequacy decision with respect to Japan. Continue Reading EU Begins Formal Approval for Japan Adequacy Decision
Recently, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to provide additional clarification on a wide range of topics, including transfers of personal information to third parties, the application of the Privacy Shield Principles to data processors, and the relation of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) to the Privacy Shield. Certain key insights from the updated FAQs are outlined below:
- Data processors. When responding to individuals seeking to exercise their rights under the Privacy Shield Principles, the FAQs state that a processor should respond pursuant to the instructions of the EU data controller. For example, in order to comply with the Choice Principle, a Privacy Shield-certified organization acting as a processor could, pursuant to the EU controller’s instructions, put individuals in contact with the controller that provides a choice mechanism or offer a choice mechanism directly.
- Onward transfers. The FAQs also provide additional guidance for organizations preparing to come into compliance with the Accountability for Onward Transfer Principle. For example, the FAQs state that organizations may use contracts that fully reflect the requirements of the relevant standard contractual clauses adopted by the European Commission to fulfill the Accountability for Onward Transfer Principle’s contractual requirements.
- CLOUD Act. The FAQs state that the CLOUD Act, which involves data transfers for law enforcement purposes, does not conflict with the Privacy Shield, which is unaffected by the enactment of the law.
View the full Privacy Shield FAQs.
On July 31, 2018, the Supreme Court of Ireland granted Facebook, Inc.’s (“Facebook”) leave to appeal a lower court’s ruling sending a privacy case to the Court of Justice of the European Union (the “CJEU”). Austrian privacy activist Max Schrems challenged Facebook’s data transfer practices, arguing that Facebook’s use of standard contractual clauses failed to adequately protect EU citizens’ data. Schrems, supported by Irish Data Protection Commissioner Helen Dixon, argued that the case belonged in the CJEU, the EU’s highest judicial body. The High Court agreed. Facebook’s request to appeal followed. Continue Reading Supreme Court of Ireland to Review Facebook Privacy Case
On July 10, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on May 25, 2018, for public consultation. Continue Reading CIPL Submits Comments to EDPB’s Draft Guidelines on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 GDPR
On July 12, 2018, British Prime Minister Theresa May presented her Brexit White Paper, “The Future Relationship Between the United Kingdom and the European Union,” (the “White Paper”) to Parliament. The White Paper outlines the UK’s desired future relationship with the EU post-Brexit, and includes within its scope important data protection-related issues, including digital trade, data flows, cooperation for the development of Artificial Intelligence (“AI”), and the role of the Information Commissioner’s Office (“ICO”), as further discussed below: Continue Reading Brexit White Paper Addresses Data Protection-Related Issues
On July 17, 2018, the European Union and Japan successfully concluded negotiations on a reciprocal finding of an adequate level of data protection, thereby agreeing to recognize each other’s data protection systems as “equivalent.” This will allow personal data to flow safely between the EU and Japan, without being subject to any further safeguards or authorizations. Continue Reading EU and Japan Agree on Reciprocal Adequacy