May 2019 Legislative Updates

May 14, 2019


EU Common Identity Repository

On April 23rd, InfoSecurity reported that the European Parliament approved plans to implement the Common Identity Repository (CIR), which would be a centralized database of EU citizens’ personal data – including names, addresses, photos, and fingerprints. The information would be a consolidation of five separate systems within the EU government.

EU-US Privacy Shield

On April 26th, Federal Trade Commission (FTC) Bureau of Consumer Protection Director Andrew Smith said in an interview that it is a goal of the FTC to bring more actions for substantial violations of the EU-U.S. Privacy Shield. According to Director Smith, the FTC will take Privacy Shield enforcement cases “as the FTC finds them.” The Privacy Shield provides European and American companies a framework to move data freely between Europe and the U.S. in compliance with privacy protection laws and governs approximately $260 billion in transatlantic data transfers annually.

French Data Protection

On April 15th, the French data protection authority, CNIL, published its annual report summarizing its initiatives in 2018 and its focus for 2019. Due to the EU General Data Protection Regulation (GDPR) taking effect in 2018, the CNIL received a record number of complaints and compliance inquiries from organizations. In 2018, CNIL carried out 310 investigations and issued 49 orders. In 2019, CNIL seeks to:

  • Establish an investigation strategy based on the complaints CNIL receives to meet citizens’ expectations;
  • Focus investigations on practices for collecting children’s data and on the sharing of responsibility between processors and subcontractors; and
  • Establish CNIL credibility as an expert source of information on areas of technical expertise.

General Data Protection Regulation

The Czech Republic approved two bills that would codify in Czech law the provisions of the European Union’s General Data Protection Regulation (GDPR). The Czech Data Protection Act, which repeals the existing Act on Personal Data Protection, provides exceptions to administrative fines for the public sector and expands the authority of the Data Protection Office. The Act is awaiting the President’s signature to become law. The International Association of Privacy Professionals published an article about the Act, and the text of the Act is available in Czech.

UK Data Breach Response

On April 25th, the UK National Cyber Security Centre (NCSC) and the UK Information Commissioner’s Office (ICO) signed a memorandum of understanding (MOU), establishing a framework for collaboration in response to data breaches. The MOU establishes separate roles and responsibilities for each organization in aiding victims of data breaches. The NCSC will engage with victims directly and connect victims with appropriate resources to mitigate the damage of a data breach. The ICO will focus on preventing data breaches and other cyber incidents and mitigating the risks to individuals. The ICO will also be responsible for investigating data breaches after they occur. The NCSC and the ICO agreed to share anonymized and aggregated information as necessary.