The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues. It’s not the full story, just a brisk, 3-minute resumé, collated and condensed especially for busy privacy professionals to ensure you’re aware of what’s happening in our fascinating, dynamic and engaging industry. 

Happy 5th Birthday: GDPR (General Data Protection Regulation) 

The General Data Protection Regulation (GDPR) celebrates its fifth birthday this month, and what a half-decade it has been for organisations. During these past five years, organisations have had to adjust their business practices to ensure they comply with the stringent rules set by the GDPR. Organisations must consider GDPR and wider data protection obligations as part of their day-to-day business, and ensure personal data is collected, stored and processed in a compliant manner.  

This blog focusses on several ‘organisational level’ considerations that organisations should address to become, and then remain, compliant with the GDPR, including some examples of how these requirements have evolved over the past five years. Read the full blog here.

Data Protection and Digital Information Bill debated in Parliament 

The new UK Data Protection and Digital Information Bill (DPDI) was debated in Parliament during its second reading, and MPs flagged a number of concerns around the free flow of data. These included whether the UK would maintain adequacy with the EU, the legal costs for businesses, and human intervention in automated decision-making. During the reading, Julia Lopez, Minister for Data and Digital Infrastructure, told the House of Commons that the new legislation would help rid small businesses of complex rules and help organisations save money. However, many have pointed out that the impact assessment for this new rendition of the bill has yet to be published. Opposition MPs raised concerns that the Bill does not go far enough and fails to “rise to challenges” presented by AI and social media companies, nor is it anything radical, merely changing paperwork and the role of the DPO.

Customer data may have been breached in Capita's cyber attack 

Capita, an outsourcing group that runs services for the military and the NHS, has admitted that hackers have accessed potential customer, supplier, and staff data in an attack that took place in March. In a statement to the London Stock Exchange, Capita confirmed that the incident impacted access to internal Microsoft Office 365 applications. Capita has stated that it took immediate action to ensure the issue was isolated and contained. The Information Commissioner’s Office (ICO) put out a statement reminding organisations that are affected to consider their position and report breaches within 72 hours of becoming aware.

EDPB adopts the final version of the Guidelines on Data Subject Rights - the Right of Access

The European Data Protection Board (EDPB) has adopted its final version of the Guidelines, following public consultation. The Guidelines offer a detailed analysis of the right of access, including its scope, format, and implementation in various situations. They also provide guidance on the information controllers must provide to data subjects and how to handle manifestly unfounded or excessive requests. Following public consultation, the guidelines were revised with additional clarifications on key points, and minor editorial adjustments were made for consistency. The EDPB has also released its Guidelines on Data Breach Notifications and Guidelines for Identifying a Controller’s or Processor’s Lead Supervisory Authority.

Bill C-27 passes second reading in the Canadian House of Commons

The Government Bill C-27, also known as the Bill for the Digital Charter Implementation Act 2022, passed its second reading in the Canadian House of Commons on the 24th of April. Passing of the bill meant it could be referred to the Standing Committee on Industry and Technology. This bill is divided into three main parts: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. The first Act would repeal parts of the Personal Information Protection and Electronic Documents Act and replace them with a new legislative regime governing the use, collection, and disclosure of personal information for commercial use. Its aim is to modernise and extend the current rules while imposing new ones on the private sector and enhancing the role of the Privacy Commissioner. You can follow the bill's progress here and read more on each part of the bill.

The Dutch DPA issues a brief on Google products in education 

The Dutch Data Protection Authority (DPA) (Autoriteit Persoonsgegevens) issued a brief on the use of Google products in the education environment. The brief highlighted that clarity is required as to whether Google products can be used in schools and other educational institutions before the 2023-24 school year. The brief details that pupils and students have a right to the protection of their personal data and are entitled to specific protections with regard to the processing of their personal data. The DPA also stressed that education providers must assess how choices in software and cloud providers will affect the constitutional rights of children. You can find the brief here.

MEPs seal the deal on Artificial Intelligence Act

After months of protracted discussions, members of the European Parliament (MEPs) have reconciled their differences and come to a tentative political agreement on the first Artificial Intelligence rulebook in the world. The AI Act is one of the most prominent legislative proposals to control artificial intelligence, based on its potential for harm.  Following a political consensus among EU legislators on Thursday (27 April), the European Parliament is now moving closer to formalising its stance on the matter.

Prior to an important committee vote slated for May 11, the document may still need minor technical changes, but it is anticipated that the text will be put to a vote in the plenary in mid-June. You can read the full article here. 

Vietnam issues its first-ever data protection law

On April 17th, Vietnam issued its first-ever comprehensive data protection law (Decree No. 13/2023/ND on the Protection of Personal Data). The new decree will take effect on July 1, 2023, and will not have a transition period. All businesses (both foreign and national) located in Vietnam, or carrying out the processing of personal data in the country, must comply with the decree. The new Decree sets similar standards to the GDPR, including personal data and sensitive personal data; principles of processing; data subject rights; requirements around consent; mandatory breach reporting; impact assessments; rules around data transfers; and repercussions for violations.

We want you!

To support our ongoing requirement to continuously grow our remarkable and extraordinary #oneteam, we are seeking candidates for the following positions:

  • Data Protection Officers (based in the United Kingdom or The Netherlands)
  • Data Protection Support Officer (DPSO)
  • and Finance Manager to join our #oneteam 

If you are looking for a new and exciting challenge, apply today!

Keep in touch

Do you have any interesting stories? Are you looking for support with your data protection compliance? We would love to hear from you!

Please email us at news@thedpia.com.

Copyright © 2023 The DPO Centre, All rights reserved. 

The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595)
Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom

The DPO Centre, 50 Liverpool Street, London, Greater London EC2M 7PR, United Kingdom