Today, the Information Commissioner’s Office (“ICO”), the UK data protection authority, released for public comment its draft “Regulatory Action Policy,” a document in which the ICO seeks to set forth its objectives in taking regulatory action, present its new investigatory and enforcement powers, and explain how it aims to use them. The comment period will close on June 28, 2018.

With three weeks remaining until the General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) takes effect, this draft document gives organizations much-needed insight into how the ICO plans to proceed under the new data protection compliance regime. In addition to the GDPR, the ICO will be enforcing the upcoming update to the UK’s national data protection law, the UK Data Protection Act 2018 (the “DPA”), which is still working its way through Parliament but should be in place by May 25, 2018, as well as other established data protection legislation.

The “Regulatory Action Policy” explains that the ICO will have the power to issue “urgent” information notices that require a response within 24 hours, take notice recipients who fail to comply to court on contempt charges, inspect and assess compliance without notice, administer fines by way of penalty notices, and prosecute criminal offences in court. The ICO’s power to prosecute failures to provide information, and its ability to ask a court for a warrant to search premises, will come from the DPA, not the GDPR.

The DPA also will permit the ICO to issue “assessment notices” to data controllers and processors, allowing the ICO to investigate whether the controller or processor is compliant with data protection legislation. The notice may require the organization to give the ICO access to premises and to specified documentation and equipment. An “urgent” assessment notice may require access to non-domestic premises on less than 7 days’ notice, which in effect will allow the ICO to carry out a no-notice inspection. An organization that receives an “urgent” information notice, assessment notice, or enforcement notice may petition the court to overturn the urgency of that notice. Under the DPA, destruction or falsification of information the ICO is pursuing in its notice constitutes a criminal offence. However, similar to U.S. evidence spoliation principles, it appears that loss of information through the routine operation of automated processes may be a defense to criminal charges.

Continue Reading UK’s ICO Explains Its Data Protection Enforcement Powers

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

How to Get Your Desktop Guide:

The Data Privacy & Protection in the EU-U.S. Desktop Guide is available on request as a PDF or in hard copy.

GDPR Webinar Series

From August through October 2017, Seyfarth Shaw’s attorneys provided high-level discussions of risk assessment tools and remediation strategies to help companies prepare for, and reduce the cost of, EU GDPR compliance. Each segment is one hour long and can be accessed on demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on the GDPR, we invite you to subscribe to Seyfarth’s Carpe Datum Law Blog and to Seyfarth’s The Global Privacy Watch Blog.

Seyfarth eDiscovery Partner Richard Lutkus, along with William Lederer from Relativity and Patrick Zeller of Gilead Sciences, Inc., will host a panel discussion titled “Brave New Words: Cloud Data Collection, Processing, and Hosting” at this year’s RelativityFest on October 24, 2017.

This session will provide attendees with information about new data collection methods using tools such as Heureka and Harvester, along with considerations for working with RelativityOne, data privacy, and security. Additionally, best practices surrounding the General Data Protection Regulation (GDPR), international data transfer with EU entities, secure management of hosting (wiping cloud data), and SSD wiping technologies will be discussed.

RelativityFest is an annual conference designed to educate and connect the e-discovery community. The three-day festival in Chicago will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices. For more information, or to register to attend, please visit https://relativityfest.com/.

Seyfarth eDiscovery attorneys Jason Priebe and Natalya Northrip will present “A Practical Roadmap for EU Data Protection and Cross-Border Discovery” at this year’s RelativityFest on October 24, 2017.

This presentation will provide attendees with practical tips for leveraging the new Sedona International Principles to help in your compliance with stringent GDPR requirements, and in seeking immediate help under the EU-U.S. Privacy Shield.

RelativityFest is an annual conference designed to educate and connect the eDiscovery community. The three-day festival will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices for eDiscovery, Information Governance, and Data Privacy. For more information, or to register to attend, please visit https://relativityfest.com/.

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars from August through October 2017. The presenters will provide a high-level discussion of risk assessment tools and remediation strategies to help prepare for, and reduce the cost of, EU GDPR compliance.

Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

In January 2017, The Sedona Conference Working Group on International Electronic Information Management, Discovery, and Disclosure (WG6) issued the much-anticipated International Litigation Principles on Discovery, Disclosure & Data Protection in Civil Litigation (Transitional Edition). This publication updates the 2011 International Litigation Principles, which preceded the 2013 Snowden revelations and the Schrems decision invalidating the U.S.-EU Safe Harbor. It also incorporates the adoption and implementation of the EU-U.S. Privacy Shield and the approval of the EU General Data Protection Regulation (GDPR), which is set to replace the 1995 EU Data Protection Directive in May 2018. Many of these developments are consistent with the focus on “proportionality” of discovery in the 2015 amendments to the U.S. Federal Rules of Civil Procedure.

Given the complex and dynamic EU data protection landscape, in which the new Privacy Shield has not yet been tested and the GDPR has not even taken effect, WG6 has aptly designated this a “Transitional” edition. This edition provides interim best practices and practical guidance for courts, counsel, and corporate clients on safely navigating the competing and conflicting issues involved in cross-border transfers of EU personal data in the context of transnational litigation and regulatory proceedings. Following are the publication’s Six Transitional International Litigation Principles:

Continue Reading The Sedona Conference WG6 Issues “Transitional” International Litigation Principles

The EU Article 29 Data Protection Working Party (WP29) is continuing its work in preparation for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018. Last month, the WP29 released three sets of guidelines for controllers and processors of personal data: guidelines on the right to data portability, on data protection officers, and on the lead supervisory authority. Key takeaways from these three guidelines can be found on our blog.

This month, the WP29 announced that it has adopted its “2017 GDPR Action Plan.” The Plan identifies two areas of focus: (1) follow-up on 2016 topics, and (2) new 2017 priorities. The follow-up work will include finalizing guidelines on certification, on processing likely to result in a high risk and Data Protection Impact Assessments, and on administrative fines; setting up the European Data Protection Board (EDPB); and preparing the “one-stop-shop” and EDPB consistency mechanism.

This year, the WP29 plans to prepare and release guidelines on consent, profiling, and transparency. The WP29 will also work on updating its existing opinions on data transfers to third countries and on data breach notifications. This year, companies that rely on transfers of personal data from the EU may have the following three opportunities to engage with the WP29 and the EU Data Protection Authorities (DPAs):

  • On April 5-6, 2017, the WP29 will hold a Fablab meeting, where interested stakeholders will have an opportunity to present their views and comments on the identified 2017 priorities.
  • On May 18-19, 2017, the WP29 will organize an interactive workshop to which non-EU counterparts will be invited to exchange views on the GDPR and its implementation by the WP29.
  • The press release also states that relevant public consultations “may be” launched at a national level by local DPAs.

The WP29 plans to review its 2017 plan periodically and prepare a new plan for 2018 to finish the preparation work. We will be commenting on the forthcoming GDPR guidelines as they are released by the WP29.

The Article 29 Data Protection Working Party (WP29) recently held its December plenary meeting to discuss certain issues related to the implementation of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018, and of the Privacy Shield, which was opened for self-certification by companies in August.

During its December plenary meeting, WP29 adopted three sets of guidelines and FAQs for controllers and processors of personal data (available for download on WP29’s website):

  • Guidelines and FAQs on the Right to Data Portability;
  • Guidelines and FAQs on Data Protection Officers (DPOs); and
  • Guidelines and FAQs on the Lead Supervisory Authority.

Below are the key takeaways from the three guidelines.

The Right to Data Portability

  • Scope.
    • Data portability is a data subject’s right to receive personal data processed by a data controller and to store it for further personal use on a private device, without transmitting it to another data controller. However, data subjects also have the right to transmit data from one controller to another controller “without hindrance.” As such, this right facilitates data subjects’ ability to move, copy or transmit personal data easily from one IT environment to another, thereby facilitating switching from one service provider to another and enhancing competition between services.
    • To fall within the scope of data portability, the processing must be based either (1) on the data subject’s consent or (2) on a contract to which the data subject is a party (e.g., the titles of books purchased by an individual from an online bookstore).
    • Data portability applies only to data processing that is “carried out by automated means.” It does not apply to paper files.
    • Data portability covers the subject’s personal data that he or she provided to a data controller. This includes data actively and knowingly provided by the data subject (e.g., mailing address, user name, age) and observed data that is “provided” by the data subject by virtue of the use of the service or the device (e.g., search history, location data). This, however, does not include “inferred” data, i.e., data generated by the subsequent analysis of the data subject’s behavior.
  • Format. The data should be provided “in a structured, commonly used and machine-readable format” that supports re-use. Data controllers are expected to offer the data subject a direct download option, but should also allow data subjects to transmit the data directly to another data controller. Furthermore, data controllers are expected to provide as much metadata with the data as possible to preserve the precise meaning of the exchanged information.
  • Retention. Data portability does not impose an obligation on the data controller to retain personal data for longer than is necessary or beyond any specified retention period. (In fact, this right should encourage organizations to follow their records disposition policies to ensure that no data is kept once it outlives its usefulness or fulfills its preservation obligation.)
  • Notice. Data controllers are required to inform data subjects of the availability of the new right to portability.
  • Timing. Data controllers must answer a portability request “without undue delay” and in any case “within one month of receipt of the request,” or within a maximum of three months for complex cases, provided that the data subject has been informed of the reasons for the delay within one month of the original request.
  • Fees. Data controllers are prohibited from charging a fee for providing the personal data, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, “in particular because of their repetitive character.”
  • Security. When transferring data, the data controller is responsible for taking “all the security measures” needed to ensure that personal data is securely transmitted (e.g., by use of encryption) to the right destination (e.g., by use of additional authentication information). When allowing data subjects to retrieve their personal data from an online service, the data controller, as a best practice, could recommend appropriate formats and encryption measures to help the data subject securely retrieve his or her data.

Continue Reading Key Takeaways from the Newly Released GDPR Guidelines

The Irish Data Protection Commissioner (DPC) has issued guidance on compliance with the General Data Protection Regulation (GDPR), which will come into force on May 25, 2018 and replace the existing European data protection framework under the EU Data Protection Directive. The new data privacy regime is expected to enhance transparency, accountability, and individuals’ rights, while improving the organizational approach to the governance and management of data protection as a corporate issue.

The guidance, titled “The GDPR and You, General Data Protection Regulation, Preparing for 2018,” urges all organizations not to delay their preparation for the GDPR and to “immediately start preparing for the implementation of GDPR by carrying out a ‘review and enhance’ analysis of all current or envisaged processing in line with GDPR.” Proper preparation for the GDPR may help avoid regulatory fines, which can range up to €20,000,000 or 4% of total annual global turnover, whichever is greater.

The guidance consists of a checklist that aims to provide clear direction on how organizations can prepare for compliance with the GDPR in Ireland. However, organizations will find it useful when preparing for the GDPR anywhere in Europe. The checklist is organized around the following twelve points.

Continue Reading The Irish Data Protection Commissioner Issues the GDPR Preparation Checklist

While companies doing business in Europe are still trying to get their arms around the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), and so far are not making substantial headway, the European Data Protection Authorities (DPAs) are doing their own GDPR preparation by securing increased budgets and additional staff.

Last week, the Irish Data Protection Commissioner (DPC), Helen Dixon, “welcomed” the additional funding of €2.8 million for her office’s 2017 budget, as announced by the Government, bringing the total funding allocation to the DPC to over €7.5 million. The 2017 budget increase is in line with the increases in 2015 and 2016, representing a 59% increase on the 2016 allocation and over four times the €1.9 million provided to the DPC in 2014.

Commenting on the 2017 funding allocation, Helen Dixon stated:

“The additional funding being provided by Government in 2017 will be critical to our preparations for the implementation of the EU General Data Protection Regulation in May 2018. In 2017 we will continue to invest heavily in building our capacity and expertise, including the recruitment of specialist staff, to administer our new enforcement powers and all of our additional responsibilities under the new law.

Continue Reading Irish Data Protection Commissioner Welcomes Increases in Budget in Preparation for the GDPR Enforcement