Free tools and resources for Data Protection Officers!

Tag Archives for " regulation "

Marriott attack adds urgency to calls for tougher privacy laws in US

Democratic senators are demanding tougher data privacy laws and bigger fines in the States for organisations that fall short in their duty to safeguard user data, the Inquirer reports.

The calls follow revelations of a hack suffered by the Marriott hotel chain that may have compromised the personal data of up to 500 million of the organisation’s customers.

Full article: Marriott attack adds urgency to calls for tougher privacy laws in US

EDPB’s common sense approach to the GDPR’s territorial scope

EDPB has produced a detailed 23-page document that is both authoritative and full of common sense.

The guidelines start by treading into well-known territory: the “establishment criterion.” Following a principle that already existed under the 1995 Data Protection Directive, the GDPR will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU. So the EDPB relies on existing case law to consolidate its opinion on this criterion.

Full article: EDPB’s common sense approach to the GDPR’s territorial scope

New Law Could Give U.K. Unconstitutional Access to Americans’ Personal Data

This form of international data-sharing could put Americans’ privacy at risk and expose citizens to potential Fourth Amendment abuses, critics say. The possible agreement stems from the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, for which Justice Department officials have lobbied since 2016 and which President Donald Trump signed into law in March.

Full article: New Law Could Give U.K. Unconstitutional Access to Americans’ Personal Data, Human Rights Groups Warn

Data ethics and the rise of the “PEGs”

European data protection law has always been infused with ethical considerations around data use. Under the old Data Protection Directive, even if data use had a valid legal ground, unless the proposed use was also fair the law was still broken. But what is fairness when it comes to data?

Full article: Data ethics and the rise of the “PEGs”

EU says India’s data localisation unnecessary

The European Union has termed the data localisation requirements proposed by India as unnecessary, harmful and likely to have negative effects on trade and investments.

The proposed data protection policy in India requires every data fiduciary to store at least one copy of personal data collected on a local server or data centre.

Full article: GDPR-loving EU says India’s data localisation unnecessary – The Economic Times

Does the EDPB answer frequently asked questions on territorial scope?

The European Data Protection Board (EDPB , the successor to the Article 29 Working Party) has issued guidelines (for consultation) on one of the key foundation elements of the General Data Protection Regulation ( GDPR ); namely, Article 3 on territorial scope.

Article 3 is supposed to answer the important questions of when GDPR applies (depending on the location of an entity processing personal data, or of the individuals whose data is being processed). Unfortunately, Article 3 was drafted in a way that left many key concerns unanswered.

Source: Does the EDPB answer frequently asked questions on territorial scope?

GDPR vs. CCPA

The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.

As highlighted by the Guide, the two laws bear similarity in relation to their definition of certain terminology; the establishment of additional protections for individuals under 16 years of age; and the inclusion of rights to access personal information.

Full article: FPF and DataGuidance Comparison Guide: GDPR vs. CCPA

GDPR territorial guide has ‘sting in tail’ for US companies

Guidance published by an EU data protection watchdog on the territorial scope of the General Data Protection Regulation (GDPR) is likely to raise concern about the costs to US companies of entering the EU market.

“The sting in this document is in the last line for US corporates,” Ann Henry of Pinsent Masons said. “It is the law-abiding companies that will appoint a representative. Arguably making a representative liable will make it more difficult to find people or bodies willing to take on the role of representative given the extent of potential liability both by means of regulatory enforcement and through private rights of action under the GDPR regime.”

Full article: GDPR territorial guide has ‘sting in tail’ for US companies

DP Impact Assessments: EDPB Differs Slightly from ICO Position

The European Data Protection Board (EDPB) has recently published its Opinion on the (United Kingdom) Information Commissioner’s list of processing activities which would require a Data Protection Impact Assessment under the GDPR.

In its Opinion, the EDPB appears to be moving away from the idea that processing of genetic or loca­tion data, on its own, might be enough to trigger the mandatory DPIA requirements of the GDPR. This news will perhaps come as a relief to organi­sations currently struggling to come to grips with the “new” DPIA process and the resources and time that it demands. But, should we be surprised by the EDPB’s Opinion and will it have a significant impact in practice on the way organisations consider and conduct DPIAs?

Full article: DP Impact Assessments: EDPB Differs Slightly from ICO Position

New EDPB Guidelines on the territorial scope of the GDPR

On 26 November 2018, the WP29’s successor, the European Data Protection Board (EDPB) published, Guidelines on the territorial scope of the GDPR (Art. 3). The proposed Guidelines are open for public consultation until 18 January 2019. The Guidelines provide some clarification around the boundaries of what constitutes an establishment in the EU, the status of tourists and factors that determine whether data subjects in the EU are being targeted.

The EDPB also provides some guidance on the conditions of appointment of an EU representative for non-EU controllers and processors. However, the Guidelines do not address other key interpretive questions arising from Art. 3 and Chapter V (transfer restrictions) and leave many key legal questions open.

Full article: EU: New EDPB Guidelines on the territorial scope of the GDPR

1 2 3 108
>