Recent Trends in EU Data Protection Jurisprudence
James Mullock, Partner
29 January 2016
EU developments: The last 4 months
You wait 4 years for a new DP law and ……
• EU: GDPR's text agreed
• EU: Network & Info Security Directive text agreed
• Germany: IT Security Act passed
• Netherlands: Data Protection Act amended
• Plus:
  • UK: Talk Talk cyber attack
  • CJEU: Weltimo and Schrems cases
Page 2 © Bird & Bird LLP 2016
The GDPR and N&IS: What next and what's included?
• For full summaries: See www.twobirds.com
• GDPR:
  • Draft to be laid before EU Parliament & Council
  • Will take effect 2 years after they formally adopt it
  • Q1 2018?
• N&IS:
  • Draft to be laid before EU Parliament & Council
  • Member States to implement w/in 21 months (+ 6 months to define operators of essential services)
  • Q4 2017 / Q1 2018?
Headlines for Indian companies (1): The stakes will be raised
1. 4% of worldwide turnover!
  • Contract negotiations will immediately be impacted
2. Data processor responsibility
  • Triple jeopardy: customers, regulators, end users
3. Controllers obliged to demand more from processors
  • Commitments: e.g. breach notification, encryption
4. Processors to tell controller if instructions will breach DP law
  • What's your strategy?
Headlines for Indian companies (2): Data Governance: new customer and regulator expectations
1. Accountability
  • Cost and resource demand increases will result
2. Privacy by design
  • E.g. Policies called out – are yours up to scratch?
3. Privacy Impact Assessments (PIAs)
  • You need to understand when required
  • How to run & when regulators must be notified
4. Data Protection Officers (DPOs)
  • What will your customers expect?
5. Processing record obligations
Headlines for Indian companies (3): Data Breach notification: Are your processes slick enough?
1. Multiple notification laws are coming
  • GDPR & N&IS Directive
  • In addition to existing laws (e.g. US state by state laws)
2. Aggressive deadlines
  • E.g. w/in 72 hours of awareness
3. Differing criteria
  • N.B. N&IS is not personal data legislation
4. To different regulators
Headlines for Indian companies (4): Jurisdiction and the 1 stop shop principle
1. The territorial scope of EU laws is expanding
  • The CJEU: Google (RTBF) & Weltimo cases
  • Does all your processing meet EU DP standards, e.g. EU staff data processing in India
2. It's time to identify & get close to your lead regulator
  • GDPR's 1 stop shop principle
3. Harmonisation?
  • Some regulators are more laissez faire than others
  • If you have multiple EU customers….
What does the future hold? Conclusions
1. The bar is about to be raised significantly
2. Customers will expect more – contractually & in RFPs
3. Much planning and preparation is needed – is it time to undertake a GDPR gap analysis?
4. Binding Corporate Rules for Processors – if your competitors obtain them, can you afford not to?
5. Data / network breach disputes will increase
6. Check your insurance position – the cyber insurance market will develop in the EU
James Mullock
Partner, London
+44 20 3017 6901
[email protected]
“Clear, matter of fact advice and down to earth manner” Chambers UK 2013
“Appreciates the business imperatives and isn’t too legalistic” Chambers UK 2015
Bird & Bird – Top ranked in L500 and Chambers for Data Protection
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated businesses. www.twobirds.com