The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumers’ sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.
No one knows at the moment what the relationship will be between the United Kingdom and the European Union the day after Brexit on 31 October.
The life sciences sector is arguably the most closely harmonized within the European Union. Both medicinal products and medical devices are very much subject to Brussels-driven legislation. In addition to the regulatory issues that would result from Brexit, there could be substantial supply chain interference.
Russia has amended its main laws governing the internet to allow the government to restrict access to the internet and to control internet traffic in emergency situations.
Federal Law No. 90-FZ of 1 May 2019 introduced a set of amendments to the Federal Law on Communications and the Federal Law on Information, Information Technologies and on Protection of Information (the Amendments). The Amendments are colloquially referred to as the “sovereign runet law” or the “law on the secured internet.”
Russia’s Central Bank, the financial markets regulator in Russia, might soon receive the right to block websites. On 24 January, the State Duma, the lower house of the Russian parliament, approved amendments in the first reading to the Federal Law "On Information, Information Technologies and Protection of Information" and the Civil Procedure Code (the Proposed Amendments).
The Proposed Amendments are designed to give the Central Bank the right to block websites violating financial market legislation or used to maintain fraudulent activities.
Forbes has listed its top outsourcing trends in the Asia-Pacific (APAC) region for 2019. The APAC region has long been the dominant region for outsourcing, although it is facing competition from emerging outsourcing markets in other regions. Trends include the growing presence of outsourcing in Malaysia, shifting resource models, and personnel shortages.
As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.
The United Kingdom government’s Cabinet Office (the central procurement department for central government) is requiring major government suppliers to draft “living wills.” These are intended to safeguard the provision of services to the public sector in the event of the collapse of a supplier.
This measure follows the insolvency of outsourcing provider, and major government supplier, Carillion in January 2018. The well-documented Carillion collapse led to significant debate about the role of outsourcing within the UK public sector, with pronouncements about the extent to which outsourcing for the public sector has “fallen out of fashion.”
During their webinar, Hot Topics in Data Privacy Regulation in Russia, Moscow partners Ksenia Andreeva, Anastasia Dergacheva, and Vasilisa Strizh will discuss trends in data privacy regulations in Russia for the upcoming year.
- News from the Russian data protection regulator (Roskomnadzor)
- New laws and legislative initiatives in the data privacy field
- Obtaining data subjects’ consents: views of the regulator
- Formalizing cross-border transfers from Russia and to Russia
- Localization rules: view from Roskomnadzor
The webinar will be held on Tuesday, November 27 from 9:00 to 10:00 am eastern time.
From time to time, data controllers are confronted with the question of whether data subjects can raise claims for specific security measures against the controller under Article 32 of the EU General Data Protection Regulation (GDPR). These measures can be costly and cumbersome for the controller.
The Austrian Data Protection Authority (DPA) has decided that there is no such claim. In the relevant case (AZ: DSB-D123.070 / 0005-DSB / 2018), the DPA ruled on a claim by a data subject to pseudonymize personal data. The complainant had filed two complaints with the DPA alleging a violation of the fundamental right to data protection (Section 1 of the Austrian Data Protection Act) for an alleged failure to delete data or pseudonymize personal data. The respondents were two Austrian public authorities: the Federal Ministry for Europe, Integration and Foreign Affairs and the Federal Chancellery.
A significant fine imposed by the UK’s Financial Conduct Authority (FCA) on an established UK insurer is further evidence of the increased scrutiny being placed on outsourcing arrangements by the financial services regulator, and also of the importance the regulator places on issues that directly impact retail customers.
The FCA is the UK’s “conduct” regulator, with a focus primarily on the regular business conduct of financial services businesses, as compared to the “macro” focus (safety and soundness) of the Prudential Regulatory Authority (PRA) – although there is overlap between the stated remits of the FCA and the PRA, and outsourcing arrangements are subject to scrutiny by both bodies.