A recent judgment of the European Court makes it clear that in many circumstances more than one party may be a joint data controller. Whilst the judgment pre-dates the GDPR, its consideration of what constitutes ‘control’ and ‘joint control’ remains good law under the GDPR. The judgment means that parties who may have considered themselves ‘data processors’ in the past should review whether they are in fact ‘joint data controllers’ with others. Continue Reading Are joint data control relationships now the norm rather than the exception?
On 13 September 2017, the Commission issued a proposal for a Regulation to strengthen the role of the EU Agency for Network and Information Security (ENISA) by:
- granting it a permanent mandate;
- clarifying its role as the information hub of the EU for cybersecurity; and
- tasking it with the responsibility of proactively contributing to policy in the area of network information and security.
The proposal also introduces EU-wide cybersecurity certification schemes for ICT products and services, which will be prepared by ENISA. This aims to address current market fragmentation and provide a comprehensive set of cybersecurity rules, technical requirements, standards and procedures. Continue Reading EU Commission proposes stronger mandate for ENISA and EU-wide cybersecurity certification
The UK Government has released a “Future Partnership” paper setting out its vision for UK-EU data flows post-Brexit. In particular, the paper anticipates seeking an early UK-EU agreement that each area’s data protection laws provide equivalent protection, which would allow data to continue to flow between the EU, the UK and other third countries post-Brexit. Continue Reading UK Government seeks EU equivalency for UK data protection law post-Brexit
With holiday season upon us, earlier this week Matt Hancock, the UK Government’s Digital Minister, announced proposals for a new UK data protection law. Previously covered on this blog here and here, little new of substance was announced, but in a slow news week, the announcement garnered significant UK media coverage and attention. Continue Reading UK’s Digital Minister announces changes to UK data protection law
Following the Government’s decision to include a revised data protection law in the Queen’s Speech last month, the House of Lords EU Home Affairs Sub-Committee reviewed the potential implications on national security, stability and public safety of the UK exiting the European Union without an agreement to ensure there is unhindered data flow between the two sides. The Committee issued a stark warning that it was “struck by the lack of detail” on how the Government would ensure that the UK data protection regime continues to allow data transfer with the European Union in a post-Brexit world.
A revised data protection law forms part of the new government’s legislative agenda for the UK. Key points in the Queen’s Speech on 21 June 2017 were that a new UK Data Protection Bill (the Bill) will replace the current Data Protection Act 1998; the new Bill will implement the EU General Data Protection Regulation (GDPR) in the UK (a fact that the party manifestos were silent on before the election); and the government intends to put the UK in the best position to maintain data sharing across the EU and internationally. These points remained unchallenged in the subsequent parliamentary debates, and the government’s express intention to implement the GDPR through national law in the UK was welcomed by many businesses. Continue Reading Proposal for a new UK Data Protection law
The European Commission’s January 2017 Communication on Building an European Data Economy (‘Communication‘) proposes a principle of free movement of data within the EU. Whilst the coming into force of the General Data Protection Regulation (‘GDPR‘) on 25 May 2018, significantly changes and tightens the rules relating to the collection and use of personal data in Europe, those changes need to be read alongside the Communication (and the accompanying staff working paper) to fully understand the regulatory environment for data in Europe. The Communication examines actual or potential blockages to the free movement of data and presents options to remove unjustified and or disproportionate data location restrictions in the EU. It also considers the barriers around access to and transfer of non-personal machine-generated data, data liability, as well as issues related to the portability of non-personal data, interoperability and standards. Continue Reading European data economy: the free movement of data principle and other tall tales…
On 10 May 2017, the European Commission published its mid-term review of the implementation of Europe’s Digital Single Market strategy. Launched in 2015, the ambitious strategy covered 16 actions under the three pillars: (1) improving access to digital goods and services for consumers and businesses across Europe; (2) creating the right conditions and a level playing field for digital networks and innovative services to flourish; and (3) maximising the growth potential of the digital economy. Despite a lot of activity, the Commission was only able to highlight one actual delivered improvement in its review – the abolition of retail roaming charges – although it looks forward to the imminent implementation of cross-border content portability in early 2018 and the expected approval of a proposal to address unjustified geo-blocking.
In January 2017, the European Commission published the proposed text of a new draft e-Privacy Regulation (ePR) as part of its ongoing drive to advance one of its key initiatives, the Digital Single Market.
Whilst the impending introduction of the GDPR has been dominating headlines for the past months, the ePR has somewhat gone under the radar. We set out the key points to look out for with regard to the ePR and who it is likely to apply to.
In 2015, the European Commission published a study (written by IDC) which provides an overview of Europe’s IoT digital ecosystem, its current status and anticipates a suggested vision of the same ecosystem in 2020. That study found:
The IoT (Internet of Things) is a pervasive innovative technology building on the universal connectivity of things and people, now moving in Europe from the pioneer phase to widespread adoption. In combination with cloud computing and Big Data the IoT is opening the new age of the hyper-connected society and acting as a powerful driver of business innovation, but also facing equally strong barriers in terms of security risks, concerns about privacy protection, and resistance to organizational change.”