August



Verifile
August 4, 2016

New EU Data Protection Regulation: Compliance in an Evolving Privacy Landscape

The General Data Protection Regulation (the Regulation) is now in an agreed form pending formal ratification by the EU. While implementation of the Regulation is still over two years away, the road to compliance is likely to be a long one for many organizations. The Regulation represents a significant strengthening of European data protection legislation, both in terms of obligations imposed on organizations and in terms of the rights granted to individuals. It will replace the Data Protection Act 1998 in the UK, which has been in force for over 15 years. With fines under the Regulation capped at a staggering 20 million Euros for a single breach, it is worth considering whether you are currently satisfied with your organization's level of compliance. If not, urgent action is required if your organization is to be ready for the much more demanding obligations which will be imposed under the Regulation.

Verifile
August 4, 2016

Europe is Shifting, and It's a Big Deal - the New GDPR

On May 4th the European Parliament published the final text of the General Data Protection Regulation (GDPR), and the rules of the game have significantly changed. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. Second, significant changes have been made to the obligations of "controllers" and "processors". These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines being up to 4% of a business's global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups having the right to complain of a company's privacy practices directly to the local Data Protection Authorities, compliance with the GDPR will now be one of those risks that any business that touches EU data will need to seriously consider.

Verifile
August 4, 2016

German Data Protection Authority Fines Companies for Transferring Data to the United States

Following the CJEU's judgment of October 2015 invalidating the European Commission's Safe Harbor Decision, the Data Protection Authority Hamburg (DPA Hamburg) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg, these investigations revealed that the majority of the companies under investigation had used the six-month grace period, as set by the Article 29 Working Party, to change their practices to be based on standard contractual clauses. However, according to DPA Hamburg, some companies under investigation have failed to implement alternative measures in order to legitimize data transfers to the United States. Consequently, DPA Hamburg determined that data transfers by those companies lack a sufficient legal basis and are, therefore, illegal. The investigations of DPA Hamburg demonstrate that German DPAs are keen to investigate and fine companies which have failed to take appropriate measures.
