Author

Dyann Heward-Mills


2016 saw further seismic changes to the data protection framework globally and, in particular, the EU. The year heralded the long-negotiated GDPR, the NIS Directive, the Privacy Shield and ended with a flurry of further developments at EU and UK level. We have pulled together a summary of key developments as well as things to watch out for in 2017. Article 29 Working Party (“WP29”) Guidelines on GDPR: The WP29 adopted guidelines on three major GDPR requirements, namely: DPO, Lead…

The UK has voted to leave the European Union in the referendum of 23 June 2016. Brexit, what now? While the consequences of this result on the UK’s data protection regime will stem largely from how the UK Government chooses to maintain its relationship with the EU and how the UK legal regime will be untangled from the EU framework, the take-home message is clear: stay calm and keep compliant. It is likely that Article 50 of the…

With the year drawing to a close, it seems an opportune time to take stock of some of the key globally relevant data protection developments in 2015 and extract a few trends which are set to continue in 2016. 1. Safe Harbor – Cross-border Data Transfers Top The Regulator Priority List: The Schrems decision of the European Court of Justice invalidating the European Commission’s 2000 Safe Harbor adequacy decision must be the 2015 event that shook up…

In the European Union, the Data Retention Directive used to be the instrument laying down the rules for the retention of, and access to, communications data for purposes of investigation, detection and prosecution of serious crime. It required telecommunication service providers to retain traffic, location and subscriber data for up to two years and make it available to law enforcement and security agencies upon request. The Directive had been transposed into national law by various…

The long arm of the GDPR: The GDPR will be significantly wider in scope than the existing Data Protection Directive. As explained in this post, this will result in numerous organisations across the globe having to comply with the provisions of the GDPR. Who Must Comply With The GDPR? Leaving aside public international law, the GDPR (like the Directive) distinguishes between organisations established within the EU and those not established within the EU. For organisations established in the…

Once the General Data Protection Regulation (GDPR) comes into effect, it will replace the EU Data Protection Directive as well as all national data protection legislation existing under the Directive (subject to certain matters not regulated by the GDPR). Consequently, the national data protection laws of all EEA countries (i.e., the 28 EU member states plus Iceland, Norway and Liechtenstein) will become obsolete. In our first post on the GDPR, we walked you through the implementation…

One question multinationals operating across multiple EU jurisdictions frequently grapple with is which of the various national data protection laws they need to comply with. Naturally, they strive to structure their operations so that they only have to comply with the fewest number of laws and regulatory requirements – ideally just one. A strategy frequently used by multinationals operating across numerous EU jurisdictions to reduce the compliance burden is to publicly appoint one EU based…

Binding Corporate Rules (BCRs) are increasingly an option being considered by multinational organisations as a method for legitimising cross-border data flows within a corporate group – even more so since Safe Harbour is no longer an option to legitimise data transfers from the EU to the US. However, the number of companies that actually go through the process of adopting BCRs remains relatively low due to the lengthy and costly approval process and other perceived…