Newly formed companies, and companies that have been on the market for some time, are becoming increasingly aware of their obligations under AML/FT regulations. Firms in various sectors, such as the technological sector, do not always realise that these obligations are only applicable to the types of entities listed in AML laws. Some businesses employ know your customer (KYC) identification procedures equivalent to those provided for in AML laws even though they are not subject to these laws. The problem is that overzealousness of this kind might be a breach of laws in other areas, especially personal data laws, above all the GDPR.
In the latest Rzeczpospolita Report on the legal aspects of blockchain and its applications, I briefly discussed the challenges related to applying data protection regulations in this context. It is a complicated issue as it appears that blockchain can potentially challenge the basic assumptions and regulatory approaches provided by the GDPR.
While the new data protection regulation provides for severe administrative penalties for failure to comply, it is well known that whether a penalty is effective is determined not by its severity but by its inevitability. Even though the personal data protection authority has been given broad powers, it does not have adequate means of exercising them. A solution could be a private enforcement mechanism within the regulation, whereby any person whose data has been breached can independently seek a judicial remedy.
Private enforcement is being used more and more as an addition to the public law mechanism for the enforcement of regulatory provisions. This solution has been introduced recently in compensatory liability cases for breach of competition law. A solution of this kind is also possible under the GDPR.
Dedicated Short Range Communication (DSRC) is a system in which information is shared between vehicles (V2V) and between vehicles and infrastructure (V2I). In general, this technology is intended to aid the flow of anonymised information on driving conditions. It seems however that DSRC might also entail collection and processing of personal data.
At a meeting summarising public consultations on a bill implementing the General Data Protection Regulation (GDPR) in Poland, the Ministry of Digital Affairs confirmed that during legislative work a change was approved providing for major exceptions to the GDPR. This change was proposed in October 2017 by the Ministry of Development. This proposed exception is an interesting example of how hard it can be to draft legislation properly aligned to the needs of a digital economy.
Two new documents were issued in December 2017 by the EU’s Article 29 Data Protection Working Party explaining how to interpret and apply the provisions of the General Data Protection Regulation on the consent that must be obtained from data subjects and the information that must be provided to data subjects for processing their data. The Guidelines on Consent under Regulation 2016/679 and the Guidelines on Transparency under Regulation 2016/679 demonstrate that the era of lengthy, fine-print terms and conditions is over. Data controllers will achieve better compliance with the GDPR by using brief and easily understood FAQ and notices.