On October 20, 2020, a consortium of U.S. federal financial regulators (Regulators) issued a proposed rule (Proposed Rule) that, if enacted, would codify that mere supervisory guidance that is not the product of notice and comment rulemaking (e.g., interagency statements, advisories, bulletins, policy statements, and FAQs) does not have the force of law. The Proposed Rule would further clarify that the Regulators will not take enforcement actions (including less draconian supervisory actions, such as issuing “matters requiring attention”) based on violations of, or non-compliance with, such guidance.
The Board of Governors of the Federal Reserve System (Board) has recently indicated it may move forward with enhanced cybersecurity standards that had previously been floated by the Board, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) back in 2016. Specifically, in October 2016, the three agencies issued a joint advance notice of proposed rulemaking (ANPR) on enhanced cybersecurity standards before deprioritizing it in 2017. While the OCC and the FDIC withdrew their ANPRs earlier this spring, the Board may revive the issue this coming fall.
In what is a challenging sector, especially following recent revelations over “secretive” government-awarded post-Brexit contracts, the UK Government recently issued new guidance on outsourcing aimed at improving government procurement and delivering better public services. Released on February 20, 2019, the “Outsourcing Playbook” targets improvements in how government works with industry and delivers public services, but there are lessons to be learned for the private sector as well.
The long-awaited and, one hopes, much-prepared-for General Data Protection Regulation (GDPR) is just a few short months away from becoming applicable. To help companies look at the practical steps they need to take now in order to be ready, Pillsbury will be presenting “#ReadyforGDPR?” on February 20 from Noon – 1:00pm EST. We will discuss how the new law will significantly impact companies doing business in Europe, even those without a physical EU presence, and the latest feedback from enforcers as to what will trigger fines. We hope you can join!
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (a.k.a. the General Data Protection Regulation or GDPR) will, as most business people are probably aware by now, apply across the EU from 25 May 2018.
This will be the case in the UK (notwithstanding Brexit) and in every other member state, since EU regulations have direct applicability. In other words, they do not need an act of parliament in the member state to make them into law. By contrast, EU directives are not directly applicable: once passed, they must still be transposed by national legislation before they become part of national law. The current regime of the 1995 Data Protection Directive and the UK’s Data Protection Act 1998, both of which are due to be replaced next year, is a good example of this.
To complete the picture, from a UK regulatory perspective, the government has introduced a Data Protection Bill which is currently passing through parliament. The Bill does not replace the GDPR in the UK. Instead it seeks to make the UK’s own data protection laws “fit for purpose” in a digital age, replacing the 1998 Act and, amongst other things, implementing the “GDPR standards across all general data processing”.
Those of us who have been grappling with how best to approach GDPR compliance in outsourcing and other commercial contracts will be all too familiar with Article 28 of the GDPR. Article 28.3 builds on the limited obligations that existed under the current regime but also includes some significant enhancements to the minimum processor obligations, which must be addressed head on in the contract.
Processor’s obligation to notify infringing instructions
One requirement of Article 28.3 in particular has provided clients and counsel alike with a degree of angst since the final text of the GDPR was published in May 2016, and further back still for those of us who followed the negotiations and multiple redrafts of the GDPR prior to its final publication.
The UK’s Financial Conduct Authority (FCA) has now announced the participants in the second cohort of its regulatory sandbox, with the companies involved offering a range of ideas, from payment services to artificial intelligence software. In “The FCA Announces The Second Cohort For Its Regulatory Sandbox”, an article in Payments & FinTech Lawyer, Pillsbury partner Tim Wright provides an overview of the second cohort and its characteristics.
The UK Government has published a statement of intent containing details of its proposed Data Protection Bill. The full text of the Bill is expected in September 2017, when the UK Parliament returns from its summer break.
The Bill will enshrine the EU General Data Protection Regulation (GDPR) in UK domestic law. It will also implement the requirements of EU Directive 2016/680 (the Law Enforcement Directive), which covers the processing of personal data for crime prevention and the free movement of such data.
Why is a UK bill needed?
Pharmaceutical and Life Sciences companies operate in a demanding environment and face diverse challenges such as pricing pressure, increased regulatory requirements and mounting costs. Against this backdrop, they have increasingly looked to outsourcing so as to better focus on core competencies, access specialized expertise and achieve cost savings, starting with non-core functions such as IT, facilities management, finance and human resources, before moving to secondary core functions such as research and development, manufacturing, logistics, warehousing and brokerage.
In this blog post, we take a closer look, from an outsourcing perspective, at some of the key challenges faced by those operating in the Pharmaceutical and Life Sciences sector.
A number of major airlines have suffered high-impact IT events in the past several months. Estimates of losses in these cases have exceeded £100m. This is on top of (no doubt significant) remedial costs, reductions in share price and reputational damage.
Such high-impact events are, in theory, unlikely to occur: each is the result of a chain of individually unlikely events which, taken together, have a catastrophic impact. Unfortunately for corporates, the probability of a high-impact IT event is increasing. This is partly due to the increasingly interconnected and complex nature of IT infrastructures, but also due to heightened cybersecurity risks. Failures tend not to be localised to a particular geography or business unit but to have global reach.
We advise airlines to revisit their current business continuity and disaster recovery (BCDR) arrangements. In our experience, the reality of BCDR arrangements often falls short of the stated requirements or capabilities of such solutions, whether provided by third-party IT providers or in-house.