A recent Court of Justice of the European Union (CJEU) ruling—Schrems II—could lead to significant changes for companies that rely on the EU-US Privacy Shield for transferring personal data from the European Economic Area (EEA) to the United States, including increased due diligence on the part of data exporters.
The UK Financial Conduct Authority (FCA) announced on July 8 that the guidelines issued by the European Insurance and Occupational Pension Authority (EIOPA) on outsourcing to cloud service providers are not applicable to regulated activities (in this instance, insurance and reinsurance undertakings) within the UK jurisdiction.
In its statement, the FCA noted that this is due to the fact that the EIOPA guidelines will enter into force on January 1, 2021, which is after the end of the EU withdrawal transition period.
The European Securities and Markets Authority (ESMA) published its draft guidelines on outsourcing to cloud service providers on June 3. Steven Maijoor, the chair of ESMA, indicated that the purpose of the guidelines is to “help firms understand and mitigate the risks that they are exposed to when outsourcing to cloud service providers.”
Morgan Lewis recently published an article on the 2019 Novel Coronavirus (COVID-19) outbreak and its effect on the General Data Protection Regulation (GDPR) in the European Union. This article discusses the nature of the temporary suspension of some data-protection rights in times of crisis, and how the need to address the ongoing health crisis is being balanced with data-protection rights in Italy, France, and Germany.
The German Federal Office for Information Security (BSI) has determined the suitability of an industry-specific security standard (B3S) with which hospitals can align their IT security measures. The B3S standard was developed by the German Hospital Association (DKG).
The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report are required of the Commission by its July 2016 adequacy decision, in which it found that the Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.
A recent ruling by the Court of Justice of the European Union (CJEU) established that companies seeking to store “cookies” that are used to track online browsing behavior must obtain “active consent.” The ruling is likely to cause angst among companies, which often maintain websites that are not set up to obtain active consent, as well as among internet users, who are increasingly frustrated by having to continually provide consent while visiting websites.
Many contracts in the United Kingdom and elsewhere contain amounts that are indexed to the Retail Price Index (RPI). Morgan Lewis partner Bruce Johnston recently published a LawFlash outlining how recent changes to the UK RPI could impact contracts that leverage the index.
More broadly, many clients take for granted that indexes published by third parties (for example, the Consumer Price Index in the United States) generally reflect the economic reality of their transactions. We recommend that before simply referring to a particular index, lawyers take a few extra steps to add value for their clients.
- Look up the index. Does it still exist? Consider adding a mechanism into the agreement that allows a new index to be selected in the event the chosen one is discontinued.
- Has the index been around for a while? If not, consider using something that has.
- Has the index changed recently? If so, alert your client.
- Are there other indexes that may more accurately address the economics of the transaction? For example, is the Producer Price Index potentially more applicable than the Consumer Price Index?
The EU Council Presidency on September 18 put forward to member states an 88-page compromise proposal on the ePrivacy Regulation with considerable changes and amendments. There are several proposed changes to the provisions on email marketing and cookie use that we think readers may find relevant. Here is the proposal of the Finnish Presidency. The main areas that were modified by the current proposal are:
- Email marketing
- The definition of direct marketing
- Procedures around direct marketing calls
- End user consent for cookies