Amid fresh fears about data protection, on November 14th, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertes (CNIL) published a checklist of recommended actions travellers should take to secure phones, computers and tablets when travelling outside the European Union.
International
U.S. and EU Agree in Principle on New Trans-Atlantic Data Privacy Framework
In a joint press conference on March 25, 2022, U.S. President Joseph Biden and European Commission President Ursula von der Leyen announced an agreement “in principle” on a framework, called the Trans-Atlantic Data Privacy Framework (“Privacy Shield 2.0”), to replace the U.S.-EU Privacy Shield. The EU General Data Protection Regulation…
Growing Risks to Corporate Groups and the Global PE Industry from Robust European Privacy and Cybersecurity Enforcement
Since the EU General Data Protection Regulation (“GDPR”) came into effect in May 2018 there have been numerous high-profile enforcement actions (~US$880m is the largest GDPR fine to-date) and private litigation (including class-action type claims). Notable fines have included the ~US$25m fine levied in October 2020 by the…
Navigating the New Standard Contractual Clauses for International Data Transfers under the GDPR
The final version of the new standard contractual clauses (“SCCs”) were published by the European Commission on June 4, 2021. Many organizations that transfer or receive personal data originating in the European Economic Area (“EEA”) outside the EEA will be required to implement these SCCs with their customers, suppliers and affiliates by December 2022 to comply with the EU General Data Protection Regulation (“GDPR”). This is perhaps the most significant GDPR development since the passage of the GDPR. We had foreshadowed this impending development last week.
French DPA Issues Robust Model Regulation for Biometric Access Controls in the Workplace
In late March, the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”) released a model regulation (the “Model Regulation”) governing the use of biometric access controls in the workplace. Unlike many items of personal information, biometric data (such as a person’s face or fingerprints) is unique and, if stolen or otherwise compromised, cannot be changed to avoid misuse. Under Article 9 of the GDPR, biometric data collected “for the purpose of uniquely identifying a natural person” is considered “sensitive” and warrants additional protections. The GDPR authorizes Member States to implement such additional protections. As such, the French Data Protection Act 78-17 of 6 January 1978, as amended, now provides that employers – whether public or private – wishing to use biometric access controls must comply with binding model regulations adopted by the CNIL, the first of which is the Model Regulation.
The European Parliament Approves EU-Wide Standard for Whistleblower Protection
EU Agrees to Set the Floor for Whistleblower Protection Across All Member States
According to a press release issued by the European Commission today, the European Parliament and the Member States have agreed to adopt new rules that set the standard for protecting individuals who blow the whistle on breaches of EU law from dismissal, demotion, and other forms of retaliation. This reform,…
Is Blockchain Technology Compatible with GDPR? French Data Protection Regulator Provides Guidance
Uncertainty regarding the compatibility of blockchain technology and the European Union’s General Data Protection Regulation (GDPR) has often been highlighted as a potential obstacle to the development and widespread implementation of blockchain systems involving personal data.
To address tensions between blockchain technology and the GDPR, Commission Nationale de l’Informatique et…