This post was originally posted on The Global Privacy Watch blog.

In a long awaited decision, the European Commission (“Commission”) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the 

Today, the Information Commissioner’s Office (“ICO”), the UK data protection authority, released for public comment its draft “Regulatory Action Policy,” a document in which the ICO seeks to set forth its objectives in taking regulatory action, present its new investigatory and enforcement powers, and explain how it aims to use them. The comment period will close on June 28, 2018.

With three weeks remaining until the General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) takes effect, this draft document provides organizations with much needed insight into how the ICO plans to proceed in the age of new data protection compliance realities. In addition to the GDPR, the ICO will be enforcing the upcoming update to the UK’s national data protection law, the UK Data Protection Act 2018 (the “DPA”), which is still working its way through Parliament but should be in place by May 25, 2018, as well as other established data protection legislation.

The “Regulatory Action Policy” explains that the ICO will have the power to issue “urgent” information notices that will require a response within 24 hours, take notice recipients who fail to comply to court on contempt charges, inspect and assess compliance without notice, administer fines by way of penalty notices, and prosecute criminal offences in court. The ICO’s powers to prosecute failures to provide information and its ability to go to court to request a warrant to search premises will come from the DPA, not the GDPR.

The DPA also will permit the ICO to issue “assessment notices” to data controllers and processors to allow the ICO to investigate whether the controller or processor is compliant with data protection legislation. The notice may require the organization to give the ICO access to premises and specified documentation and equipment. An “urgent” assessment notice may require access to non-domestic premises on less than 7 days’ notice, which in effect will allow the ICO to carry out a no-notice inspection. An organization that receives an “urgent” information notice, assessment notice, or enforcement notice may petition the court to overturn the urgency of that notice. Under the DPA, destruction or falsification of information the ICO is pursuing in its notice constitutes a criminal offence. However, similarly to the U.S. evidence spoliation principles, it appears that loss of information through routine operation of automated processes may be a defense to criminal charges.

Continue Reading UK’s ICO Explains Its Data Protection Enforcement Powers

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4%

Seyfarth eDiscovery Partner Richard Lutkus, along with William Lederer from Relativity and Patrick Zeller of Gilead Sciences, Inc., will host a panel discussion titled “Brave New Words: Cloud Data Collection, Processing, and Hosting” at this year’s RelativityFest on October 24, 2017.

This session will provide attendees with information about new data collection methods with tools

Seyfarth eDiscovery attorneys Jason Priebe and Natalya Northrip will present “A Practical Roadmap for EU Data Protection and Cross-Border Discovery” at this year’s RelativityFest on October 24, 2017.

This presentation will provide attendees with practical tips for leveraging the new Sedona International Principles to help in your compliance with stringent GDPR requirements, and in seeking

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion of risk assessment tools and remediation strategies to help organizations prepare for, and reduce the cost of, EU GDPR compliance.
Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

In January 2017, The Sedona Conference Working Group on International Electronic Information Management, Discovery, and Disclosure (WG6) issued the much-anticipated International Litigation Principles on Discovery, Disclosure & Data Protection in Civil Litigation (Transitional Edition). This publication updates the 2011 International Litigation Principles, which preceded the 2013 Snowden revelations and the Schrems decision invalidating the U.S.-EU Safe Harbor. It also incorporates adoption and implementation of the EU-U.S. Privacy Shield, and the approval of the EU General Data Protection Regulation (GDPR), which is set to replace the 1995 EU Data Privacy Directive in May 2018. Many of these developments are consistent with the focus on “proportionality” of discovery in the 2015 amendments of the U.S. Federal Rules of Civil Procedure.

Given the complex and dynamic EU data protection landscape (the new Privacy Shield has not been tested, and the GDPR has not even taken effect), WG6 has aptly designated this as a “Transitional” edition. This edition provides interim best practices and practical guidance for courts, counsel and corporate clients on safely navigating the competing and conflicting issues involved in cross-border transfers of EU personal data in the context of transnational litigation and regulatory proceedings. Following are the publication’s Six Transitional International Litigation Principles:

Continue Reading The Sedona Conference WG6 Issues “Transitional” International Litigation Principles

The Article 29 Data Protection Working Party (WP29) recently held its December plenary meeting to discuss certain issues related to the implementation of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018, and of the Privacy Shield, which was opened for self-certification by companies in August.

During its December plenary meeting, WP29 adopted three sets of guidelines and FAQs for controllers and processors of personal data (available for download on WP29’s website):

  • Guidelines and FAQs on the Right to Data Portability;
  • Guidelines and FAQs on Data Protection Officers (DPOs); and
  • Guidelines and FAQs on the Lead Supervisory Authority.

Below are the key takeaways from the three guidelines.

The Right to Data Portability

  • Scope.
    • Data portability is a data subject’s right to receive personal data processed by a data controller and to store it for further personal use on a private device, without transmitting it to another data controller. However, data subjects also have the right to transmit data from one controller to another controller “without hindrance.” As such, this right facilitates data subjects’ ability to move, copy or transmit personal data easily from one IT environment to another, thereby facilitating switching from one service provider to another and enhancing competition between services.
    • To fall within the scope of data portability, processing operations must be based (1) either on the data subject’s consent or (2) on a contract to which the data subject is a party (e.g., the titles of books purchased by an individual from an online bookstore).
    • Data portability applies only to data processing that is “carried out by automated means.” It does not apply to paper files.
    • Data portability covers the subject’s personal data that he or she provided to a data controller. This includes data actively and knowingly provided by the data subject (e.g., mailing address, user name, age) and observed data that is “provided” by the data subject by virtue of the use of the service or the device (e.g., search history, location data). This, however, does not include “inferred” data, i.e., data generated by the subsequent analysis of the data subject’s behavior.
  • Format. The data should be provided “in a structured, commonly used and machine-readable format” that supports re-use. Data controllers are expected to offer a direct download opportunity for the data subject but should also allow data subjects to directly transmit the data to another data controller. Furthermore, data controllers are expected to provide as much metadata with the data as possible to preserve the precise meaning of the exchanged information.
  • Retention. Data portability does not impose an obligation on the data controller to retain personal data for longer than is necessary or beyond any specified retention period. (In fact, this right should encourage organizations to follow their records disposition policies to ensure that no data is kept once it outlives its usefulness or fulfills its preservation obligation.)
  • Notice. Data controllers are required to inform the data subjects regarding the availability of the new right to portability.
  • Timing. Data controllers must answer a portability request “without undue delay” and in any case “within one month of receipt of the request” or within a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.
  • Fees. Data controllers are prohibited from charging a fee for the provision of the personal data, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, “in particular because of their repetitive character.”
  • Security. When transferring data, the data controller is responsible for taking “all the security measures” needed to ensure that personal data is securely transmitted (e.g., by use of encryption) to the right destination (e.g., by use of additional authentication information). When allowing data subjects to retrieve their personal data from an online service, the data controller, as a best practice, could recommend appropriate formats and encryption measures to help the data subject securely retrieve his or her data.

Continue Reading Key Takeaways from the Newly Released GDPR Guidelines

The Irish Data Protection Commissioner (DPC) has issued guidance on compliance with the General Data Protection Regulation (GDPR), which will come into force on May 25, 2018 and replace the existing European data protection framework under the EU Data Protection Directive. The new data privacy regime is expected to result in enhanced transparency, accountability, and individuals’ rights, while optimizing organizations’ approach to governance and management of data protection as a corporate issue.

The guidance, titled “The GDPR and You, General Data Protection Regulation, Preparing for 2018,” urges all organizations to not delay the preparation for the GDPR and to “immediately start preparing for the implementation of GDPR by carrying out a ‘review and enhance’ analysis of all current or envisaged processing in line with GDPR.” Proper preparation for the GDPR may help avoid regulatory fines, which can range up to €20,000,000 or 4% of total annual global turnover, whichever is greater.

The guidance consists of a checklist that aims to provide clear direction on how organizations can prepare for compliance with the GDPR in Ireland. However, organizations will find it useful when preparing for the GDPR anywhere in Europe. The checklist is organized around the following twelve points.

Continue Reading The Irish Data Protection Commissioner Issues the GDPR Preparation Checklist