Companies regularly store information about their customers, clients, employees, investors, partners and vendors. Privacy and data security are therefore important aspects of most M&A transactions. Although the risk of non-compliance with privacy laws may result in severe negative consequences, many M&A agreements still lack adequate privacy-related representations and warranties.
Members of Parliament recently filed an application to amend the Data Protection Act 2018 in order to clarify certain aspects which have led to confusion over the past couple of months. In addition to several provisions relating to competence, the proposed act, among other things, contains a rephrased version of the fundamental right to data protection, introduces the mandatory appointment of data protection officers and suggests enabling the matching of images with explicit consent.
Approximately one year before the General Data Protection Regulation will come fully into force, the Austrian legislature has officially started a six-week consultation process for the national Data Protection Amendment Act 2018. If and to what extent the legislature will make use of the competencies provided for by the 'opening clauses' in the General Data Protection Regulation is highly relevant to companies, and the amendment act has answered this question.
A draft law amending the Federal Act against Unfair Competition 1984 and the Price Labelling Act was recently published for public consultation. The draft law intends to introduce a ban on most-favoured nation clauses in contracts between online travel agencies and hotel operators. Commercially, the draft law puts online travel agencies' business model at risk and may even deter innovation and investments beyond this niche industry.
The Austrian registry operator recently initiated the launch process for approximately 5,000 one and two-character domain names under the top-level domain (TLD) '.at'. Owners of trademarks consisting of one or two characters should consider requesting delegation of their short trademarks as domains under the '.at' TLD in order to use them or at least prevent unauthorised third parties from taking advantage of their marks.
The Personal Information Protection Act (PIPA) was introduced to regulate and protect the use of personal information and embodies eight core privacy principles which are internationally recognised and accepted. As with the PIPA, the General Data Protection Regulation (GDPR) was enacted to govern the use of personal information and data. Bermuda companies should seek legal advice to determine whether the GDPR applies to their operations and, if so, how.
The European Union's legal framework for e-signatures recently came into effect via the eIDAS Regulation. The British Virgin Islands was one of the first jurisdictions to recognise the validity of e-signatures and electronic records. Along with other BVI statutory developments, the BVI Electronic Transactions Act 2001 provides flexibility in cross-border transactions involving BVI companies.
The National Information Security Standardisation Technical Committee recently released the Information Security Technology – Guide to the Personal Information Security Impact Assessment (Draft for Comment). The guide provides direction on the personal information specification and stipulates the basic concepts, framework, methods and procedures regarding personal information security impact assessments.
The State Internet Information Office recently released the Digital China Construction and Development Report (2017), laying a foundation for further enhancing China's network security protection capabilities. The report urges China to, among other things, establish a 'correct' view of cybersecurity, strengthen the top-level design of its network security and improve its network security laws and regulations.
The EU General Data Protection Regulation (GDPR) recently came into force, with impact on a global scale. On the same day, the secretariat of the National Information Security Standardisation Technical Committee published the Network Security Practice Guidelines: EU GDPR Key Issues, setting out some key areas of the GDPR which Chinese companies should account for in their practices.
The People's Bank of China (PBC) recently released its Circular on Further Intensifying the Management of Credit Information Security. According to the circular, the PBC will intensify its management of credit information security by, among other things, practically raising awareness around the management of such information and strengthening information subjects' responsibilities in this regard. It will also optimise operational and control procedures for credit-related businesses.
The Ministry of Industry and Information Technology (MIIT) recently released its Notice to Further Clear and Regulate the Internet Access Service Market. According to the notice, the campaign to clear and regulate the internet access service market has been extended to March 31 2019 in order to solidify the accomplishments achieved and investigate the issues found thus far pursuant to the notice of the same name issued by the MIIT in January 2017.
The European Commission's recent communication shows that only two member states have adopted the national legislation required to implement the EU General Data Protection Regulation. Others, Croatia included, are at different stages of the process. To meet the May 25 2018 deadline, Croatia should promptly address its national approach to open issues – in particular, its policies surrounding administrative fines.