Articles filed under Data protection

In the wake of growing data protection concerns around the turn of the century, a framework dubbed “Safe Harbor” was agreed between the EU and the US in 2000, which essentially permitted transatlantic free-flow of personal data.

Towards the end of 2015, as a result of one of several legal challenges brought by prolific Austrian privacy campaigner Max Schrems, the European Court of Justice declared the Safe Harbor framework invalid on the grounds that it did not provide adequate safeguards for personal data.

One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in the maximum fines available for data protection breaches, to the higher of €20 million or 4% of global annual turnover. Any breaches which occurred prior to this date were subject to a maximum of £500,000 set by the Data Protection Act 1998 – and this former upper limit was only invoked once, in the case of Facebook and its part in the Cambridge Analytica scandal. Many commentators pointed out that half a million pounds was “chump change” for the likes of tech giants. The same couldn’t be said of the £183 million fine which the Information Commissioner’s Office (ICO) levied on British Airways (BA) less than a year later.

The panic has receded. The frantic drafting has slowed down. The GDPR – widely regarded as the most ambitious data protection legal framework ever created – is in place and life goes on. As the dust left by the dramatic coming into effect of the GDPR settles, we are beginning to see what the GDPR means in practical terms. Many questions remain unanswered and many aspects of the law will take years – if not decades – to be fully interpreted and understood. However, among the numerous issues covered by the GDPR, some areas are emerging as the key strategic questions to address and becoming the focus of attention at an operational level.

One of the questions we’ve most commonly been asked in recent months is “does the GDPR mean we have to get fresh consents from our entire marketing database?” In many (indeed, perhaps most) cases, the answer is “no” – though the explanation for this is not all that straightforward, and so the confusion here is easy to understand.

To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It replaces the Data Protection Directive (implemented in the UK as the Data Protection Act 1998). This document addresses the GDPR with the narrow focus of websites. For a broader discussion of the impact of the GDPR on law firms, you might like to start with this article from the Law Society.

“So, have I missed the boat to get ready for the GDPR?” “Will I get fined for not being fully up to speed?” “What is the worst thing that can happen if I am not complying by May 2018?” These are some of the most frequently asked questions currently accompanying the efforts (or lack of them) to prepare for the GDPR.

The GDPR is an ambitious, complex and strict law that will transform the way personal information is collected, shared and used globally. The organisational changes required to comply with this framework will be substantial and the potential consequences of not doing things properly can be severe. Therefore, it is not surprising that the climate around the GDPR and its compliance requirements is one of panic.

After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. New questions will no doubt emerge.

This article considers two recent developments relating to data protection and trade secrets: two sides of the same coin perhaps.

Towards the end of 2015, the EU institutions reached agreement on a new General Data Protection Regulation (GDPR) which will replace the 1995 Data Protection Directive, seeking to implement a stricter and more harmonised data privacy regime. The new GDPR, which was published in the Official Journal of the European Union on 4 May 2016 and is expected to come into force on 25 May 2018, is considered to be one of the most comprehensive overhauls of EU privacy legislation.

For decades, overcoming the limitations of European data protection law to transfer personal data to countries outside the European Union has been a compliance priority for organisations operating internationally. Global data flows are part of the fabric of modern communications and everyday commercial and social interactions. This is especially true of the transatlantic relations between the European Union and the United States. However, countries such as the US that approach the regulation of personal data privacy from a different perspective than countries in Europe face a tough challenge when trying to demonstrate an adequate level of protection according to the European standard.

On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU–US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful and could have serious implications for transfers of personal data both within multinationals and to global service providers.

Background

Safe Harbor was jointly devised by the European Commission and the US Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. However, since its adoption, Safe Harbor was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the standards of protection of European law, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years. In particular, the revelations triggered by Edward Snowden in 2013 about the US intelligence surveillance operations led the European Parliament to adopt a resolution seeking its immediate suspension. The European Commission had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.