Monthly Archive: May 2017

GLOBAL: GDPR – One Year to Go!

It is one year to the day until the European General Data Protection Regulation comes in to force. The clock is now ticking to fines of up to 4% of total worldwide annual revenue for failing to comply with the requirements of the EU GDPR. To assist your organisation with preparing for 25 May 2018 we have developed a suite of useful tools.














Explore GDPR Mobile App

  • Our Explore GDPR mobile app is now available for downloading from both Apple’s App Store and Google Play. The app has been developed to make the text of the new EU General Data Protection Regulation (GDPR) easily accessible. It not only provides the full Regulation text but is also fully searchable and links each article to each of the relevant recitals. In addition, articles from the EU GDPR are linked to corresponding articles from its predecessor, the EU Data Protection Directive 95/46/EC.

GDPR Microsite

  • We maintain a dedicated GDPR microsite where you can find useful information to help you learn about the EU GDPR – what it covers, the impact it is likely to have on organisations across different sectors, actions to take now to prepare, as well as regular updates and information on our webinars and events. You will also find our summary Guide to the GDPR which many organisations find to be a helpful quick guide to the key requirements of the GDPR.

Data Protection Officer Training Academy

  • We have developed a Data Protection Officer Training Academy aimed at IT, compliance and legal professionals, or those taking on the role of Data Protection Officer. The course provides practical, interactive guidance on how to establish and manage compliance as a DPO, consistent with the many requirements of the GDPR.

Data Privacy Scorebox

  • Our Data Privacy Scorebox is an online tool to help you assess your data protection maturity level. It requires completing a survey covering areas such as storage of data, use of data, and customers’ rights. Once completed, a report summarising your organisation’s alignment with 12 key areas of global data protection is produced. The report also includes a practical action point check list and peer benchmarking data.

Data Protection Laws of the World Guide

  • Our Data Protection Laws of the World Guide offers a succinct overview of the areas of data protection law that have the most practical significance to businesses. The Handbook covers over 90 jurisdictions.

About DLA Piper’s Data Protection, Privacy and Security Group
The DLA Piper Data Protection, Privacy and Security Group includes over 150 privacy lawyers worldwide. We provide business-oriented legal advice on achieving effective compliance wherever you do business. For more information, please do not hesitate to contact us at

Permanent link to this article:

CHINA: PRC Cybersecurity Law – one week to go, and there are still new developments

The final countdown is on. The PRC Cybersecurity Law comes into force on 1 June 2017. This date marks a significant evolution in both the legal and enforcement environment for data protection in China, and organisations can no longer afford to ignore it.

Indeed, there have been important new developments in the last few weeks and days:

  • If you breach or ignore data protection laws: new criminal sanctions have been introduced. In early May, the Chinese authorities made clear that unauthorised collection, disclosure and receipt of “citizen’s personal information” now constitutes a criminal offence under the PRC Criminal Law, with a range of sanctions taking into account (amongst other things) the degree of harm, amount of illegal gains and repeat offences, including fines of up to five times the amount of any illegal gains. This is according to the Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information. This should act as a further incentive to organisations to get their house in order prior to 1 June 2017.
  • If you use cookies in China: notice and consent requirements apply. Separately, the above mentioned interpretations clarify that information reflecting an individual’s activities, but which does not necessarily identify an individual, constitutes “citizen’s personal information”, which appears to indicate that collection of information via cookies in China does require notice/consent. This has not always been standard practice in China, so organisations are advised to review and update online privacy policies.
  • If your organisation provides “important network products and services” to KIIOs or other networks and information systems that relate to national security in China: the new supervisory assessment regime will also come into force on 1 June 2017. It was confirmed earlier this month that the new security and controllability assessments scheme for network products and services purchased by KIIOs that may impact national security, or other networks and information systems that relate to national security, will come into force on the same date as the PRC Cybersecurity Law. For further information, see our update: New Cybersecurity watchdog suggests greater compliance challenges ahead for overseas companies in China. It has also been suggested that products and services that fail these assessments will be blacklisted from future procurement by KIIOs. Therefore, it is important for suppliers of such products/services to be addressing compliance issues now, and factoring in potential delays in procurement processes in the coming months. If your organisation is a KIIO, you need to plan ahead and consider how to source replacements if any of your existing products/services fail the assessments.
  • If your organisation is regulated by the securities regulator: you may have keep certain data within China. The CSRC has recently published for public consultation the draft Measures for the Information Technology Management of Securities and Funds Operators (Draft Measures) which, if implemented propose introducing data localisation rules for securities and funds operators (Operators) as regards: (i) “Important Information Systems” (i.e. systems that support an Operator’s key business functions which, if breached, would have a significant impact on the securities market and investors, such as trading systems, sales and account opening systems/sites and clearing and audit systems); (ii) “important data” (currently undefined); and (iii) “Customer Information” (which includes customer’s name, ID number, bank account number, contact information, transaction password, transaction history, commission and inquiry records, transaction terminal information and transaction-related customer behaviour information), in each case collected and generated from business activities of securities and funds, subject to certain exemptions (including transactions with foreign counterparties or on foreign trading platforms (where permitted) and currency exchange transactions). These are wider restrictions than the existing data localisation rules imposed on the banking industry in China by the CBRC. The Draft Measures also propose (amongst other measures): specific data protection and data security obligations on Customer Information, including apparent restrictions on data sharing “to other organisations and individuals”; and regular (at least annual, and in some cases quarterly) IT management internal audits.
  • If your organisation uses or provides encrypted products and encryption-related services in China: a proposed new encryption law may impose additional obligations. A new Draft Encryption Law was published for public consultation by the Chinese authorities in April 2017, proposing a more standardised approach to encryption and IT security, with different national standards applying to “core encryption” and “common encryption” (for state secrets) and “commercial encryption”. While use of encryption would now be mandatory for some networks and data, it appears encryption will remain a heavily regulated area in China and the requirement for licences for encryption technologies will remain. A likely source of concern to some international businesses operating in China is the requirement for decryption support: for national security reasons or for criminal investigations, certain Government bodies would be legally entitled to require telecommunication operators and internet service providers to provide “decryption technology support”. In practice, if passed this will increase the compliance obligations on those providing and using encryption technologies in China.

What should I do?

For those organisations who have not yet done anything about updating their China data protection compliance programme, now is the time to do it. Our overview of the key requirements under the PRC Cybersecurity Law is here: see Significant changes to data and cybersecurity practices in China and China Data Protection Update (January 2017)

For those who have started work on complying with the PRC Cybersecurity Law, you are strongly advised to monitor and act on the latest developments mentioned above as well.

Don’t forget that other draft regulations are still under consideration by the Chinese Government, so yet more changes may be on the way. These include: the Draft E-Commerce Law and proposed changes to consumer protection laws, both of which would impose additional data protection obligations; draft regulations regarding the handling of minors’ data; and proposed changes to guidance in China on the definition of “sensitive personal information”

What about overseas data transfers?

Finally, we recently reported on the draft measures proposing conditions, restrictions and, in some cases, absolute prohibitions on transfers of certain data outside of China: see China’s new cyber security law is only 6 weeks away. We see this as being one of the most potentially disruptive and involved aspects of the new China data protection/security environment, particularly on international organisations operating in China. The consultation period has now closed, and early indications are that the authorities propose to bring the measures into force on 1 June as well, but are now considering an 18 month grace period. We understand a revised draft of the measures are now under consideration, with some amendments proposed as a result of feedback during the consultation, including some more practical guidance on what organisations may have to do, particularly regarding the scope and form of security assessments and how to obtain consent, and as regards the thresholds for regulatory assessments. We will provide another update on progress of the draft measures as details further unfold.

Permanent link to this article:

AUSTRIA: Draft GDPR Implementation Act

On 12 May 2017 a Draft GDPR Implementation Act (“Draft“) has been submitted to the Austrian Parliament and is now to be reviewed, assessed and commented by various public bodies, organisations and groups.

With the GDPR Implementation Act the present Data Protection Act 2000 (Datenschutzgesetz 2000) will be repealed and a new Data Protection Act is issued which will become effective on 25 May 2018.

General overview

At first glance the Draft covers only a bare minimum of implementation: the major part of the Draft includes only the provisions necessarily required by the GDPR, but only few of the facultative opening clauses are actually included. A large part of the Draft concerns only the implementation of Directive 2016/680.

The review of the explanatory notes confirms this first impression as they state that the Draft shall mainly include the necessary implementation of the GDPR and only few of the opening clauses. The ministerial working party has deliberately not used the openings within the GDPR as it is their opinion that the GDPR is already providing a general rule which shall now apply without further specification in Austria.

Furthermore, in the explanatory notes it is stated that the majority of the opening clauses do not address general data protection matters and are therefore not to be included in the Draft. The ministerial working party was of the opinion that such “special” opening clauses should rather be implemented within the relevant specific laws, e.g. (presumably) Employment Act or Criminal Act.

On the other hand, the concern that the Austrian legislator will retain certain specific regulations of the current Data Protection Act 2000, which would not comply with the GDPR, has not been fulfilled due to the very minimalistic approach the ministerial working party took. As such, the various provisions of the Data Protection Act 2000 which were specific to Austria, such as the filing procedure or an obligation to obtain approval of the Data Protection Authority for an international data transfer even if the EU Model Clauses have been concluded, are not included in the Draft and will presumably not be part of the Austrian law anymore.

Scope of applicability and general provisions

The major change of the Austrian law which is implemented by the Draft is that, following the scope of applicability of the GDPR, its applicability is limited to natural persons, meaning legal persons are no more included in the material scope as they are now in the currently applicable Data Protection Act 2000. In this point as well the Draft follows the provisions of the GDPR.

In its first section the Draft also stipulates the fundamental right to data protection, which has already been included in the current Data Protection Act 2000. In both versions it is formulated as a constitutional provision and as a human right, but the new wording is more comprehensible than the previous one. Furthermore, as the GDPR does not apply to legal persons, the scope of the fundamental right in the Draft has also been limited to natural persons.

Data protection officers and Data Protection Authority

The first of the main implementation aspects of the Draft are the specifications regarding data protection officers. The Draft states an explicit duty of confidentiality for data protection officers, even though this shall not apply to information requests of the Data Protection Authority. Further, the Draft is providing additional provisions regarding the data protection officer in the public sector.

Another main aspect of the Draft is the specification of the supervisory authority, which will be the Data Protection Authority (“Datenschutzbehörde“) organized as the sole national supervisory authority.

Remedies, Liability And Penalties

The third section of the Draft provides specifying provisions regarding the implementation of remedies, liability and penalties. The implementation of administrative fines provides to a certain extent a possibility to impose fines primarily to legal persons, however in a very limited manner.

Thereunder, the Data Protection Authority shall only be able to impose a fine on a legal person if one of its organs holding a management position is subject to a negligence or breach of supervision. As of the scope of this provision the ministerial working party refers in its explanatory notes to a similar provision within the Austrian Banking Act (“Bankwesengesetz“), whereby the primary liability of the legal person only applies where organs of the legal person are concerned and not when an employee is acting on instructions. Therefore this limitation may not be in accordance with the GDPR as it is not providing an opening clause for the Member State to implement such limitation.

That said, the GDPR also does not specify how the remedies, liability and penalties provisions must be implemented as concerns the responsible persons, beyond the requirement that the remedies are “effective”, so it remains to be seen whether and how this manner of implementation is in line with the GDPR.

Processing for Specific Purposes

The provisions within section 5 of the Draft address data processing for specific purposes, as stated in Article 6 Sec 2 GDPR, and address points such as processing for the purpose of scientific research and statistics or in case of catastrophes.

This is one of the rare occasions in which the ministerial working party has made use of an opening clause. Unfortunately, the ministerial working party did not use the other opening clauses where in our opinion the GDPR is rather incomplete and further national legislation seems necessary. This concerns in particular the opening clauses provided in Articles 6 Sec 4 (processing for compatible purposes set out by member state law), 9 (processing of special categories of personal data) and 10 (processing of personal data relating to criminal convictions and offences) of the GDPR, even though this would have been necessary due to the very general regulation of the GDPR. It remains to be seen whether such provisions will be included in other laws; however, it is our opinion that provisions implementing the above mentioned opening clauses should in any case be included in the Draft itself and not in other laws as the ministerial working party suggests.

Processing of Employees Data

Similarly, as concerns employee data the Draft is providing only a provision stating that the existing provisions of the Employment Act (“Arbeitsverfassungsgesetz“) shall fulfil the requirements of Article 88 GDPR. According to the explanatory notes the ministerial working party wanted to clearly express with this provision that the specifics of processing employee data shall not be included in the Draft but rather in the relevant labour laws. It remains to be seen whether the legislator will stand by this decision and create provisions in the relevant laws or if there will be a modification in the Draft.

Video Surveillance / Processing of Image Data

It is quite surprising that the ministerial working party found it to be necessary to include in section 6 of the Draft provisions regarding the processing of images and video surveillance, especially in light of the very minimalistic approach implementing the GDPR. The explanatory notes explain the implementation to be based on Article 6 Sec 2 and 3 in connection with Article 23 GDPR, even though we have major doubts this approach is in line with the GDPR. It is at least our opinion that a clarification regarding the processing of data related to criminal convictions and offences or employee data would have been of greater importance than the processing of images.

Conclusion and outlook

To summarize, the Draft is taking a very minimalistic approach implementing the GDPR and leaves open many vital issues. As such, the Draft leaves the impression that the main intention was to initiate the legislative procedure and the discussion on the implementation, whereas the majority of important decisions regarding the implementation are postponed. Therefore, it remains to be seen how this draft will develop during the legislative procedure, but we are expecting either major amendments before the law is passed or further implementation actions amending other statutory laws.

Permanent link to this article:

EUROPE: Practical impacts of GDPR on the employment relationship

In this article we focus on some of the practical impacts of GDPR on the employment relationship and what businesses can do to manage these and prepare for implementation by May 2018.

Data subject access requests

Under the GDPR, employees will have the right to much more detailed, transparent and accessible information about the processing of their data. Data subject access requests will be easier for employees. In most cases employers will not be able to charge for complying with a request and normally will have just a month to comply, rather than the current 40 days. The removal of the £10 subject access fee is a significant change from the existing rules under the Data Protection Act (DPA).

Where requests are complex a two month extension is possible, giving a total of three months to comply. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, employers can  either charge a reasonable fee (not capped) taking into account the administrative costs of providing the information, or refuse to respond.

Guidance will hopefully give an indication in due course of what sorts of requests could be viewed as complex, unfounded or excessive. However, the ICO is very unlikely to consider a request from an employee as complex, unfounded or excessive, even if they are asking for all their data, unless they have made a previous request recently. The ICO will expect employers to keep information in a manner which means they can locate and supply information within the initial month.

Where an employer intends to delay the response or refuses to respond to a request, the employer must write promptly to the individual within the month explaining why the request is refused or delayed. The employer must also inform them of their right to complain to the supervisory authority and to a judicial remedy.

The DPA contains various exemptions to the duty to disclose such as in relation to legal privilege but at present, the GDPR contains no such exemptions which an employer can rely on to avoid provision of the employee’s personal data. It may be that, in the UK at least, the doctrine of privilege will ‘trump’ data protection rights, but that remains to be tested.

Employers need to update procedures and plan how to handle requests within the new timescales. The GDPR introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well. In any event the ICO will expect employers to keep employee personal data in a manner which means that requests for access can be responded to promptly.

What this means in practice is that employers will need sophisticated policies and IT systems to manage DSARs within reasonable timeframes. In order to prepare for compliance, employers should take steps now to:

  • Update procedures and plan how to handle SARs and provide any additional information within the new timescales;
  • Develop template response letters to ensure that all elements of a response to a SAR under the GDPR are complied with;
  • Assess the organisation’s ability to isolate data pertaining to a specific individual quickly and to provide data in compliance with the GDPR’s format obligations;
  • Ensure that employees are trained to recognise and respond quickly and appropriately to SARs.
  • Consider putting a ‘data subject access portal’ in place allowing an individual to access their information easily online.

Automated processing and profiling

Employees have a right under the GDPR to not be subject to a decision made solely by automated processing where that decision significantly affects them. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as their performance at work, health, personal preferences, reliability, and behaviour).

The ICO recently published a discussion paper on profiling in which it set out its initial thoughts on where automated processing may significantly affect an employee. In their view this includes processing that:

  • Limits rights or denies an opportunity;
  • Affects individuals’ financial or economic status or circumstances;
  • Leaves individuals open to discrimination or unfair treatment;
  • Involves the analysis of the special categories of personal data or other intrusive data;
  • Causes, individuals to change their behaviour in a significant way; or
  • Has unlikely, unanticipated or unwanted consequences for individuals.

It is not difficult to see how these might be the outcome of automated processing of HR data. Areas where employers might currently use automated decision-making, which they should therefore review, include:

  • Recruitment, including automated rejection or shortlisting;
  • Performance management/triggers for sickness absence;
  • Eligibility for attendance bonuses;
  • Holiday or shift rostering;
  • Employee monitoring; and
  • Profiling, particularly where this may impact on selection for talent programmes or career progression rather than purely for development purposes.

From a practical perspective employers need to ensure that where they use automated decision making they can explain how it works and there is another way to make an equivalent assessment of the individual if he/she objects.

Permanent link to this article:

AUSTRALIA: Privacy Awareness Week Update – Industry Debrief: Mapping the community’s privacy expectations

By Sinead Lynch and Jessica Noakesmith

Today our Australian IPT team attended the ‘Industry Debrief: Mapping the community’s privacy expectations’ presented by the Australian Information and Privacy Commissioner, Timothy Pilgrim, and Principal from The Wallis Group, Jayne Van Souwe.

We heard some of the key issues raised by the 2017 Australian Community Attitudes to Privacy Survey and part of the Office of the Australian Information Commissioner’s (OAIC) plan to address rising privacy concerns in Australia. It was also notable that the survey confirmed many Australians as being comfortable with and welcoming the new mandatory data breach notification rules due to come into effect in early 2018.

Survey findings:

  • 83% of all Australians viewed online interactions are inherently more risky in privacy terms (although many privacy breaches that the OAIC currently handle are offline and low tech).
  • 25% never ask why their personal information is being collected.
  • 9 in 10 Australians are concerned about personal information being transferred overseas and confirm they do not like it.
  • 79% are uncomfortable with sharing their data in a commercial sector.
  • Young Australians under 35 are the most likely to exchange data for benefit.
  • The health sector continues to be regarded as the most trustworthy, with financial institutions and government sector following closely behind.

Some notable key points:

  • there is a considerable gap between privacy concern and actions of all Australians;
  • consumer’s decision making relies on existing goodwill and trust in an organisation over detailed policies – for example, many Australians are not likely to read a long and complex privacy policy; OAIC confirming that simplifying privacy policies will be a core focus; and
  • there is significant personal responsibility in personal information protection. Everyone has a role to play.

The Commissioner, Mr. Pilgrim, highlighted some actions the OAIC has recently undertaken and some currently in progress, including:

  • working with CSIRO to develop tools to assist with de-identification of data and information – the OAIC posing the question “Can you really de-identify personal information?”;
  • preparing the OAIC response to the Productivity Commission report on Data Availability and Use that was released last week;
  • working with the Prime Minister’s public data groups to establish how data can be used for “good purposes” and how to avoid the impact on individuals – in line with a trend towards open and effective use of data;
  • exploring the social / economic use of personal information – a possible social licence for innovative data use, including options of notice and consent;
  • their recently published guide to “personal information” on the OAIC website;
  • the final Australian businesses and the EU General Data Protection Regulation guidance is to be released within the coming weeks. See the draft resource here – according to the Privacy Commissioner, the GDPR is “extraordinarily important” to Australian businesses; and
  • educating Australians about the Right of Access to personal information, indicating a potential focus point on data subject access right here also.

Permanent link to this article:

ITALY: The privacy authority issues its guidelines on the GDPR

The European privacy regulation (GDPR) can now rely on detailed guidelines from Italian data protection authority on how to comply with it.  Read the rest of this entry »

Permanent link to this article: