Last Week In Privacy - August 7, 2018

Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

Here’s a quick recap of last week’s top privacy industry headlines:

  1. Adoption of the controversial and heavily lobbied ePrivacy Regulation appears to be getting pushed back even further, as the Austrian Presidency of the Council of the EU has stated the Council is unlikely to reach a common position on the draft text before the end of this year, and plans to release a status report instead. According to the IAPP’s Privacy Advisor, the European Parliament’s lead rapporteur is unhappy with this recent announcement, as the proposed legislation dealing with privacy in electronic communications was originally intended to come into force in May 2018 alongside the GDPR. According to recent reports, it’s likely that the task will be passed to the Romanian Presidency in 2019, and with Parliament elections taking place next May, it could be 2020 or later before a finalized Regulation takes effect.
  2. The Irish Data Protection Commission reported that it has received over 1,100 data breach notifications in the first two months of the GDPR. This is a significant uptick, as the Commission previously averaged only 230 notifications per month in 2017. The increase clearly reflects the GDPR’s more stringent breach notification requirements, which include a 72-hour notification window after a data controller first becomes aware of a breach, as well as potential over-reporting by organizations seeking to take a conservative approach to notification in the early months of the GDPR.
  3. Louisiana’s new data breach notification law has gone into effect. The law broadens the definition of personal information, requires that notice be made within 60 days of discovery of the breach, and requires that companies retain written records of breaches for five years and make them available to the state’s Attorney General upon request.
  4. The Council of the EU has agreed on a proposal for a cybersecurity certification framework. The proposal would create a tool to assist organizations engaged in information and communication technology products, services, and processes with cybersecurity requirements. According to the proposal, the framework would be legally recognized across the EU, and would contain three different levels of assurance that organizations could obtain.
  5. Spain has passed a decree clarifying GDPR procedural matters while it awaits legislation for its draft data protection act. The decree confirms investigative powers of Spanish data protection officials, clarifies responsibility and limitation periods for infringements of the GDPR, further explains how to conduct regulatory investigations, and more.

That’s all for this week. Be sure to join us next week for Last Week in Privacy.

Wanting more from our privacy team? Read Brian Philbrook and Andrew Clearwater’s latest posts in CPO Magazine and in IAPP The Privacy Advisor.