It seems that my recent post on Data Protection Officer vacancies not being GDPR compliant within Higher Education has garnered a lot of debate. I wanted to write a post to expand on what is clearly a topic of interest to many.
The digital media supply chain is about to get a whole lot smaller thanks to Europe’s General Data Protection Regulation (GDPR). The privacy legislation, which takes effect in May, dictates that data controllers could be held responsible for data privacy missteps made by their third-party partners.
As the Estonian Presidency of the Council of the European Union wraps up this month, it put forward a new draft of the pending ePrivacy Regulation, which was considered at the Council’s WP TELE meeting held Dec. 11. While it is a new consolidated draft, with many deviations from the initial Commission draft throughout, the new pieces for consideration in this draft are limited to articles 6 through 8, which concern the legitimate bases for processing electronic communications and metadata, plus rules around the retention, storage, and deletion of user data. The stated purpose of this most recent meeting was to consider these modifications to articles 6 through 8 and then begin discussion of Article 10, which regards the provision of privacy settings in apps and communications software.
This paper aims to analyse a tool of so-called “soft law”, namely certification in the field of data protection. Art. 42, paragraph 2 of EU Regulation 2016/679 defines certification as voluntary. However, it is, more appropriately, a regulated certification, since it is based on rules issued by official institutions: in particular, certification criteria are approved by the competent authority or by the Board.
Recently, the EU’s Article 29 Working Party (“Working Party”) held a plenary meeting to discuss, among other things, the implementation of the EU General Data Protection Regulation (“GDPR”) and the EU-U.S. Privacy Shield. As well as adopting its first Joint Annual Review Report on the Privacy Shield, the Working Party has been working on a number of documents that offer review and/or guidance on the GDPR.
The EU’s General Data Protection Regulation should not be viewed only as a compliance issue, says Belgium’s minister for privacy.
The European Commission is gearing up to propose a so-called adequacy decision with Japan to allow the free flow of data between Japan and the EU – possibly as early as January or February 2018. To assess how ready Tokyo is to meet the demands of the EU’s data protection regime, the European Parliament’s civil liberties, justice and home affairs (LIBE) committee sent a delegation to Japan from October 30 to November 3.
The UK’s data protection watchdog has raised concerns that proposed new UK laws threaten its ability to operate independently of the government.
Many companies have found themselves in an awkward position with respect to compliance with trade sanctions and data protection legislation. Specifically, I’m talking about US trade sanctions, which companies operating in the EU are not generally obligated to comply with under EU or national law. However, the US has set such a wide scope of application for the sanctions that even if a foreign company has only the slightest link to the US, it may find itself subject to the regulations set in the sanctions. A company is typically subject to US sanctions if its parent company is from the US or it has US employees.