Tag:European Union

1
Provisional Political Agreement on Landmark AI Regulation in Europe
2
UK Government Approves Adequacy of UK-US Data Bridge
3
EU Digital Services Act: Fundamental Changes for Online Intermediaries?
4
New GDPR Guidelines on Data Transfers
5
UK unveils plan to diverge from GDPR
6
Reminder for One-Month Deadline to Implement New SCCs in New Contracts
7
Post-Brexit data protection – where are we now?
8
Insufficiency meets Punishment: Polish DPA issues largest fine for Insufficient Security and Organisational Measures
9
Sorry Sir, Our Data Breach Response Plan is Out of Stock
10
Russian-backed hacking targets Australian businesses

Provisional Political Agreement on Landmark AI Regulation in Europe

By: Giovanni Campi, Petr Bartoš, and Kathleen Keating

In a landmark development, EU lawmakers reached on 8 December 2023 a provisional political agreement on the Artificial Intelligence Act (AI Act). Once adopted, this regulation will be the first of its kind, and could set a global standard for AI laws around the world.

Read More

UK Government Approves Adequacy of UK-US Data Bridge

By Claude-Étienne Armingaud and Nóirín McFadden

The UK Government has laid adequacy regulations before Parliament that, once in force from 12 October 2023, will permit use of the UK – US “Data Bridge” as a safeguard for personal data transfers from the UK to the US under Article 44 UK GDPR.

Read More

EU Digital Services Act: Fundamental Changes for Online Intermediaries?

By Claude-Étienne Armingaud, Dr. Ulrike Elteste and Dr. Thomas Nietsch

The European Union has taken another step to set out its new legal framework for online intermediaries. Following the publication of the Digital Markets Act (Regulation (EU) 2022/1925) in the EU Official Journal on 12 October 2022, the Digital Services Act has now also been published in the EU Official Journal as Regulation (EU) 2022/2065.

While the Digital Markets Act focuses on the behavior of large “gatekeepers” towards other businesses, the Digital Services Act aims to fully harmonize the rules on the safety of online services and the dissemination of illegal content online. In particular, its Articles 4 to 10 replace the current provisions on the liability privilege enjoyed by online intermediaries in the eCommerce Directive 2000/31/EC. The privilege as such broadly remains intact, but is punctured in a number of ways. For example, the Digital Services Act encourages preemptive screening and provides that “trusted flaggers” must receive priority in the future. Providers of online platforms that allow consumers to enter into distance contracts with traders must obtain certain minimum information from the traders they admit to their platform. They may have to notify consumers if they become aware that products sold on their platform do not comply with legal requirements.

Again, “very large” online platforms and search engines receive the legislator’s (and the EU Commission’s) special attention. They must comply with additional transparency requirements and analyze and mitigate systemic risks.

But other intermediaries must also timely amend their terms of service, improve their complaint handling, and increase their transparency to avoid fines that can reach 6% of their global turnover. Specifically, online platforms must in the future provide clear information on “each specific advertisement presented to each individual recipient”, including “meaningful information directly and easily accessible from the advertisement about the main parameters used to determine the recipient to whom the advertisement is presented and, where applicable, about how to change those parameters”.

Most obligations bearing on companies subject to the Digital Services Act will start to apply on 17 February 2024. However, all but small online platforms and search engines will be required to publish information on the usage of their services (Statement) on their website, with an initial Statement to be published by 17 February 2023 at the latest. Intermediaries designated as “very large online platforms” or “very large online search engines” by the EU Commission will need to comply with most of their new obligations from four months after being notified of their “very large” status.

New GDPR Guidelines on Data Transfers

Claude-Étienne Armingaud, Camille Scarparo and Bastien Pujol

On 19 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines on the interplay between Article 3 GDPR (territorial scope) and Chapter V GDPR (transfer of personal data to third countries or international organization) of the General Data Protection Regulation (“GDPR”).

Those draft Guidelines aim at clarifying the mechanism of international transfers and more specifically provide a necessary assistance to controllers and processors in the European Union (“EU”) or otherwise subject to GDPR, including guidance on when a data importer would be subject to GDPR and an interpretation of the concept of international transfer.

In order to characterize a processing as a “transfer”, the EDPB relied on the three following cumulative criteria:

  1. The data exporter (a controller or processor) is subject to the GDPR for the given processing;
    • As a reminder, while GDPR generally applies to all entities processing personal data and established in the EU, it can also have an extra territorial reach for certain processing operations consisting in (i) offering products or services to individuals in the EU (e.g. ecommerce and apps) or (ii) monitoring of EU individuals’ behavior taking place in the EU (e.g. cookies and other tracking technologies).
  2. The data exporter transmits or makes available the personal data to the data importer (another controller, joint-controller or processor); and
    • In that regard, the mere remote access to the data would still qualify as a “data transfer” and it remains to be hopefully clarified in the final Guidelines whether the sharing of personal data among joint-controllers (both subject to GDPR from the inception of the processing operations) would in and of itself be considered as a data transfer.
  3. The data importer is in a third-country or is an international organization.

In addition, a processing that meets these three criteria will be considered a transfer when the importer is established in a third-country and subject to the GDPR following provisions of article 3.2 GDPR. The EDPB considered that when the controller located in a third-country is already subject to GDPR, “less protection/safeguards are needed”. Nevertheless, conflicting national laws, government access in the third-country as well as the difficulty to enforce and obtain redress against an entity outside the EU should be addressed when developing relevant transfer tools.

The EDPB specified that personal data directly collected from the data subjects, at their own initiative, should not to be considered as a transfer.

An online public consultation is opened on the matter until 31 January 2022.

UK unveils plan to diverge from GDPR

By Norin McFadden and Claude-Étienne Armingaud

The UK government has announced that it intends to consult on a new, post-Brexit data protection regime, potentially moving away from the UK General Data Protection Regulation that currently underpins the UK’s data protection legislation. The Digital Secretary, Oliver Dowden, said, “It means reforming our own data laws so that they’re based on common sense, not box-ticking.

A public consultation on the new legislation will follow, but it is clear that the United Kingdom must be careful about any changes it makes to its data regime in order to avoid disrupting the EU-UK adequacy decision with EU GDPR awarded just two months ago. The adequacy decision allows personal data from the European Union to flow freely to the United Kingdom (and vice versa), without businesses needing to put any additional paperwork in place. In granting the adequacy decision, the European Union placed particular emphasis on the fact that the United Kingdom was continuing to base its data protection laws on the same EU GDPR rules that had applied when it was a member of the European Union. A European Commission spokesperson commented that the EU will be closely monitoring any developments in UK data laws and noted that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.

It will be interesting to see how far the United Kingdom diverges, particularly as the current trend is that other countries seem to be keen to state that their data protection laws closely follow the EU GDPR.

The UK government also announced that its preferred candidate to be the next Information Commissioner, head of the UK data protection regulator, will be John Edwards, currently in charge of New Zealand’s data regulator, a country that also maintains an EU adequacy decision.

Reminder for One-Month Deadline to Implement New SCCs in New Contracts

By Jake Bernstein and Jane Petoskey

In early June 2021, the European Commission published a new set of standard contractual clauses (SCCs) effective June 27, 2021 for cross-border data transfers and between controllers and processors.  The new SCCs cover changes in data protection laws, including the invalidation of the EU-US Privacy Shield and the fallout from the Court of Justice of the European Union’s (CJEU) Schrems II opinion (regarding US intelligence laws). The new cross-border data transfer SCCs also use a modular approach to allow for more accurate identification of roles and responsibilities of the contracting parties.  In terms of timing, organizations may use the old SCCs in new contracts until September 27, 2021, and contracts existing before September 27, 2021 must change to the new SCCs by December 27, 2022. For additional information on the SCCs, read our K&L Gates EU Data Protection Alert here.

Please do not hesitate to contact the K&L Gates LLP Cybersecurity and Privacy team of attorneys if you need assistance updating new or existing contracts with the new SCCs by the above deadlines.

Post-Brexit data protection – where are we now?

By Cameron Abbott and Michelle Aggromito

After years of political squabble and delays, Brexit day finally arrived on 31 January 2020. But what does it mean when we talk about the UK’s withdrawal from the EU and how will data protection regulation and compliance change?

There will be little change during the transition (also known as “implementation”) period that is expected to end on 31 December 2020. During this period, EU law will continue to apply in the UK, including the EU General Data Protection Regulation (GDPR), after which the GDPR will be converted into UK law.

Read More

Insufficiency meets Punishment: Polish DPA issues largest fine for Insufficient Security and Organisational Measures

By Cameron Abbott and Max Evans

Further to the Facebook and Tesco scandals, and the apparent statistic increase of enforcement fines issued, the Polish Data Protection Authority has issued a landmark fine of €645,000 against online retail company morele.net for insufficient security and organisational measures violating data confidentiality and integrity principles prescribed in the EU’s General Data Protection Regulation.

Read More

Sorry Sir, Our Data Breach Response Plan is Out of Stock

By Cameron Abbott, Michelle Aggromito and Max Evans

We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they are divulging their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of Sneaker Platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up to date security processes, and in particular, the necessity of having an adequate data breach response plan in place.

Stock-X, a platform for the re-sale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a Report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that it was due to system updates. A spokesperson for Stock-X later disclosed to TechCruch that Stock-X was alerted to “suspicious activity”. TechCrunch reports; however, an unnamed data breach seller had contacted it claiming more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.

Read More

Russian-backed hacking targets Australian businesses

By Cameron Abbott, Allison Wallace and Sarah Goegan

Russian hackers are accused of penetrating up to 400 Australian businesses in 2017 as part of an alleged state-sponsored cyber-espionage campaign, targeting millions of computers across the world.

The Australian government made the announcement in light of an extraordinary joint statement from the US and UK governments pointing a stern finger at Russia for sponsoring cyber-attacks on government, private organisations, critical infrastructure providers and internet services providers.

Read More

Copyright © 2024, K&L Gates LLP. All Rights Reserved.