The EU General Data Protection Regulation and the incoming Data Protection Bill (UK) will introduce a range of new liabilities into the data protection landscape. Data controllers have been warned of a corresponding increase in data protection claims under the new regulatory regime for some time. These warnings have largely focused on the level of fines and new data breach response requirements. However, the brewing perfect storm surrounding compensation claims should also be firmly on solicitors' radars.
The EU General Data Protection Regulation (GDPR) will come into full effect on May 25 2018 and will impact New Zealand businesses that do business with EU residents or entities or have a presence in the European Union. In addition, the privacy commissioner recently released a report recommending that the Privacy Act be substantially amended (including to comply with the GDPR) and the Ministry of Justice has indicated that privacy reform is a key initiative.
The European Commission's recent communication shows that only two member states have adopted the national legislation required to implement the EU General Data Protection Regulation. Others, Croatia included, are at different stages of the process. To meet the May 25 2018 deadline, Croatia should promptly address its national approach to open issues – in particular, its policies surrounding administrative fines.
The Crown Commercial Service has published a procurement policy note (PPN) in relation to the new data protection legislation that will be implemented shortly. The PPN highlights the fact that the EU General Data Protection Regulation now strikes a more even balance between data processors and data controllers and requires organisations to act immediately to ensure compliance. As the new legislation will apply to the wider public sector, other public bodies may wish to apply the principles of the PPN.
The Federal Trade Commission has announced an agreement with electronic toy manufacturer VTech Electronics Limited and its US subsidiary settling charges that VTech violated the Children's Online Privacy Protection Act by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parents' consent and failing to take reasonable steps to secure the data that it had collected.
To date, data breach plaintiffs have struggled to find a way to access insurance monies in directors and officers (D&O) liability insurance policies. Recently, plaintiffs have pivoted to securities suits as a potential new way to trigger the deeper pockets associated with D&O policies. Insurers are no doubt monitoring this growing trend of litigation, so insureds should pay close attention to cyber-related exclusions in their D&O policies.
The recently announced Data Protection Bill (which will replace the existing Data Protection Act) will transpose the EU General Data Protection Regulation (GDPR) into UK law and will be applicable despite Brexit. The new enhanced regime will affect all businesses that process data relating to an identified or identifiable natural person. Companies need to be actively preparing to ensure that they are GDPR compliant by identifying what steps are needed to comply with the regime.
The extent to which the data subject access request (DSAR) regime will change under the EU General Data Protection Regulation and how this will affect employers is becoming clear. For example, the fee for responding to a DSAR will be abolished and the deadline for compliance will be reduced. While there will be some practical differences, an employer that has appropriate systems and procedures in place to deal with DSARs under the existing regime will not need to radically rethink its approach.
The chair of the US Federal Communications Commission recently outlined plans to bury the internet rules promulgated under the Obama administration that required internet service providers (ISPs) to treat all web traffic equally. Under the proposed changes, ISPs would be allowed to offer web-based services at different speeds and differing service quality. In addition, they could enable more favourable speed or quality, or both, for websites that pay a fee.
Switzerland is in the process of adopting legislation on electronic identification. The Federal Council published a preliminary draft e-ID Act and opened it for consultation by any interested actors. The Federal Council recently shared the consultation findings and commissioned the Federal Department of Justice and Police to prepare a revised draft act by summer 2018.
The US District Court for the District of New Jersey recently granted Travelers' motion to dismiss Posco Daewoo America Corporation's suit for coverage under the computer fraud provision of its crime insurance policy. Daewoo had sought coverage for amounts that had been designated for payment to it by a third-party supplier and stolen after a criminal impersonated a Daewoo employee. The court held that the crime policy did not cover the lost sums because Daewoo had not owned the stolen money.
Data protection law is set for a radical overhaul in 2018 and accountancy firms should be preparing now for the changes and the compliance challenges that this will bring. The EU General Data Protection Regulation (GDPR) is an attempt to harmonise data protection laws across Europe. The United Kingdom's recently announced Data Protection Bill (which will replace the existing Data Protection Act) will transpose the GDPR into UK law and will be applicable despite Brexit.
Recent judicial interpretations of the Illinois Biometric Information Privacy Act present potential litigation risks for retailers that employ biometric-capture technology. Federal judges in various district courts have allowed cases to move forward against companies such as Facebook, Google and Shutterfly, and retailers that use biometric data may also become litigation targets as federal judges decline to narrow the statute's applicability and additional states consider passing copycat statutes.
The EU General Data Protection Regulation left room for member states to introduce their own laws in certain areas, including in relation to employment law. As such, the government has now released the draft Data Protection Bill, which is the first glimpse of what will eventually evolve into the Data Protection Act 2018. The bill does not contain major surprises from an employer's perspective, but there is increasing emphasis on the importance of policy documents and record keeping.
The Federal Council recently issued a draft of the revised Federal Data Protection Act. This draft marks yet another decisive step towards the overhaul of the Swiss data protection landscape. The act's revision is an ongoing process intended to modernise Switzerland's data protection landscape and align it with revised EU legislation.
The government recently issued a statement of intent to publish a new Data Protection Bill. The bill will bring into law the EU General Data Protection Regulation, which takes effect in the United Kingdom in May 2018 and will be the most comprehensive overhaul of data protection law in this generation. The new regime for handling personal data poses challenges for employers in their capacity as data controllers, with increased rights for individuals and enhanced fines for non-compliance.
The Hangzhou Internet Court was recently inaugurated. It has first-instance jurisdiction over a range of disputes, including contract disputes arising from online shopping services and small loans, disputes over internet copyright ownership and infringement, and product liability claims for goods purchased online. This move comes after the Supreme People's Court piloted a programme in May 2017 which granted the Hangzhou Railway Transport Court jurisdiction over five categories of internet-related civil cases.
The telecoms sector is on the move, with numerous revisions being made to upcoming legislation. The first to enter into force is the revision of the Intelligence and Security Act, followed by the revision of the Lawful Interception Act. The other revisions have yet to reach Parliament. The pending revisions request that providers remain alert and continually adapt their processes in order to remain compliant.
The Data Protection Authority recently published two guidelines on the implementation of Law 6698 on the Protection of Personal Data on its website. Although these guidelines are not pieces of legislation or legally binding, they include detailed information on the implementation of data protection concepts and procedures regulated under the law. Therefore, it is important to review these guidelines to understand the Data Protection Authority's perspective on data protection-related obligations.
The widely publicised amendments to the Act on the Protection of Personal Information recently came into force. In addition to changing how companies must handle personal information, the amendments reflect a significant shift in how such obligations are regulated and enforced. They also mark the establishment of the Personal Information Protection Commission, which will be the regulatory body responsible for managing and ensuring compliance with the amended act.