The overview of interesting Data & IT Law articles and news in April 2016!
Data protection and Mergers & Acquisitions in Canada
We have already covered the topic of mergers and acquisitions and data protection issues at dataitlaw.com. McMillan has published an article about privacy and cybersecurity issues in Canada.
Some of the interesting issues and recommendations:
- “broad and indiscriminate requests for personal information in the due diligence process are not permitted under Personal Information Protection and Electronic Documents Act. Rather, the parties should exchange only the minimum amount of personal information that is required in the circumstances.
- the need for the purchase agreement: specific requirements for the agreement between the parties when personal information will be disclosed in the due diligence process or upon closing of a transaction
- parties can only use and disclose personal information that was disclosed in connection with the transaction without obtaining consent from affected individuals.
- The personal information is necessary for carrying on the business or activity that was the object of the transaction; and
- One of the parties notifies individuals, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed.”
Should local data protection authorities have a right to challenge EU Adequacy Decisions?
The Conference of German Data Protection Authorities published a resolution in which they call for a right to challenge adequacy decisions of the EU Commission. DLA Piper’s Privacy Matters analyzed the resolution in more detail.
The background for this request is the Schrems decision of the Court of Justice of the EU (more information here). “The CJEU held that national DPAs must be able to initiate legal proceedings if a person lodged a claim with the DPA concerning the protection of his rights with regard to the transfer of his personal data to a third country based on an adequacy decision of the EU Commission and the DPA considers that the objections of this person are well founded. The CJEU expressed that it is incumbent upon the national legislature to provide for legal instruments enabling the concerned national DPA to put forward the objections which it considers well founded before the national courts in order for them to request a preliminary ruling for the purpose of examination of the validity of the adequacy decision of the EU Commission.”
Blockchain as an answer to health data security?
HealthITanalytics addresses the issues of health data protection and security. According to the article, “currently, most healthcare data is held in some type of centralized location: an EHR system, a data warehouse, or a repository run by a health information exchange.” The problems with these methods are security and the fact that “each system may have been developed independently and might generate and store the data in its own particular format, leading to the data siloes and interoperability woes that frustrate providers, patients, researchers, and facilitators.”
According to the article, the big potential of blockchain for health data would be: “No single entity is in charge of holding the data, yet all participants are responsible for ensuring data integrity and security. If no one can change the record without all stakeholders signaling approval of the edits, and no unauthorized party can access the health record without the participants giving collaborative permission, the healthcare industry can avoid two of its most dangerous big data risks at the same time.”
On the possibility of inheriting a child’s online profiles in Germany
The Berlin Regional Court held that parents would be able to access their deceased minor child’s online profile. In the article by Bloomberg, an intellectual property lawyer noted that “it’s not only the first ruling for a Facebook account, but for digital inheritance at all (…) There is no law on this in Germany, and there have been no court decisions on it previously, so it’s really a new precedent.”
The mother of the deceased child wanted to know if her daughter’s messages could help to determine if it really was a suicide. The court noted that “The user agreement between the user and Facebook was just like “any other binding agreement” and passed on to the user’s heirs, the regional court reasoned. The court also ruled that Facebook didn’t have any legitimate interests that would prevent parents from accessing their child’s profile.”