Morgan Lewis recently published an article on the 2019 Novel Coronavirus (COVID-19) outbreak and its effect on General Data Protection Regulation (GDPR) in the European Union. This article discusses the nature of the temporary suspension of some data-protection rights in times of crisis, and how the need to address the ongoing health crisis is being balanced with data-protection rights in Italy, France, and Germany.
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
Trainee associate Valeria Gaikovich contributed to this post.
Following adoption of the law on the preinstallation of Russian software on electronic devices in December 2019, the Russian Federal Antimonopoly Service (FAS) has developed draft guidelines to determine the types of electronic devices that will be subject to the new regulations, as well as the deadlines and procedures for the preinstallation of domestic software. The draft guidelines will not apply to electronic devices manufactured or released into circulation in Russia before July 1, 2020.
According to the draft guidelines, as of the dates set forth below, all touchscreen electronic devices with two or more functions (e.g., smartphones, tablets, smart watches) must have the following apps preinstalled:
The United States and the United Kingdom entered into the world’s first ever Clarifying Lawful Overseas Use of Data Act (CLOUD Act) agreement on October 3, 2019 (the Agreement). The Agreement, which will enter into force later this year after review by lawmakers in both countries, allows each country’s law enforcement agencies to demand, with proper authorization, electronic data regarding serious crime (defined in Article 1 of the Agreement as an offense punishable by a maximum term of imprisonment of at least three years) directly from technology companies based in the other country.
The German Federal Office for Information Security (BSI) has determined the suitability of an industry-specific security standard (B3S) with which hospitals can align their IT security measures. The B3S standard was developed by the German Hospital Association (DKG).
The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report is required of the Commission by the its July 2016 adequacy decision in which it found that the Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.
Morgan Lewis partners Ksenia Andreeva, Anastasia Dergacheva, Vasilisa Strizh, and Brian Zimbler and associate Anastasia Kiseleva contributed the chapter on Russia for the recently released Data Protection & Privacy 2020, the eighth edition of the Lexology Getting the Deal Through publication.
Lexology Getting The Deal Through provides international expert analysis in key areas of law, practice, and regulation for corporate counsel, cross-border legal practitioners, and company directors and officers. The publication addresses many of the most important data protection and data privacy laws in force or in preparation throughout the globe, with a discussion of the same key data protection and privacy questions with analysis from leading practitioners in each of the featured jurisdictions.
A recent LawFlash by Morgan Lewis partners Ksenia Andreeva and Vasilisa Strizh and associate Anna Pirogova discusses a draft law proposed in Russia that would introduce heavy fines for violations of Russia’s data protection law and a variety of internet activity laws.
The primary federal data privacy law in Russia, On Personal Data, dated July 28, 2006 (the Personal Data Law), applies to “personal data operators,” which are entities that organize and carry out the processing of personal data and determine the purpose of individuals’ personal data processing. The proposed draft law, On Amending the Code of Administrative Offences of the Russian Federation, relates to the “localization requirement” of the Personal Data Law, which creates on obligation for personal data operators to collect, store, and otherwise process personal data of Russian citizens using databases and servers located in Russia.
The Q2 2019 issue of Morgan Lewis’s Life Sciences International Review was recently released. The review includes updates relevant to the life sciences industry from across the world, including the United States, Europe, and Asia. The topics range from intellectual property and data privacy to international trade and labor and employment. We found it to be an excellent read for anyone interested in keeping up with current trends in the life sciences sector.
Two of the topics that we found to be of particular interest were about data privacy in the European Union and foreign investments in the United States biotechnology industry. The review looks at the opinion adopted by the European Data Protection Board (EDPB) regarding the interplay between the General Data Protection Regulation and the forthcoming Clinical Trials Regulation. The review also discusses the increased activity by the Committee on Foreign Investment in the United States (CFIUS) in scrutinizing life sciences transactions, which has led to several transactions being blocked or mitigated.
The Life Sciences International Review is a quarterly newsletter published by Morgan Lewis lawyers with important updates and insights for the life sciences sector. Be sure to look for the next publication coming in the fall!
The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumer sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.
No one knows at the moment what the relationship will be between the United Kingdom and the European Union the day after Brexit on 31 October.
The life sciences sector is arguably the most closely harmonized within the European Union. Both medicinal products and medical devices are very much subject to Brussels-driven legislation. In addition to the regulatory issues that would result from Brexit, there could be substantial supply chain interference.