Privacy & Cybersecurity Law Blog

On February 11, 2009, the EU Article 29 Data Protection Working Party released its long-awaited Working Document (the “Working Document”) on reconciling U.S. civil discovery requirements with European data protection law. The guidelines the Working Document offers for data controllers highlight the challenges that multinational businesses face to comply with competing legal obligations in civil litigation.

The Criminal Court of Milan has suspended proceedings against four Google executives to allow time to address relevant procedural considerations.  The proceedings mark the culmination of a two-year investigation conducted by Italian authorities.  The investigation focused on video footage made available on Google Video that depicted a disabled boy being taunted by his fellow classmates.  As result of the video footage, Google executives face charges of defamation and privacy infringement.

For purposes of the criminal proceedings, Google is considered an internet content ...

In SACEM v. Cyrille Saminadin (Cour de Cassation, chambre criminelle, 13 janvier 2009), the SACEM (a representative body of authors, composers, and music editors) asked one of its agents to carry out an investigation and to collect evidence of copyright infringements on a peer-to-peer network. After selecting a peer-to-peer network, the agent manually typed in the title of a song belonging to one of the rights holders and searched for all available files corresponding to this title. The agent then randomly selected one of these files and saved all the information relating to it (IP address, country of origin, name of the internet service provider, etc.) onto a CD-ROM as evidence for use in filing a complaint. The question raised in this case was whether such activity constitutes data processing requiring the prior authorization of the French Data Protection Authority (CNIL).

On December 2, 2008, the European Court of Human Rights (ECHR) ruled in K.U. v. Finland that Article 8 of the European Convention on Human Rights requires national laws to protect individuals from serious online privacy infringements, but also that the national legal framework must allow for the identification and prosecution of offenders. This case involved an advertisement of a sexual nature, which was placed on an Internet dating site on behalf of the applicant, who was twelve years old at the time, without his knowledge ...

Wednesday, January 28, 2009, marks the second annual international Data Privacy Day, which brings together a broad coalition of privacy professionals from both the private and public sectors, as well as corporations, academics and policymakers, with the goal of promoting awareness and collaboration on a variety of data privacy issues.

A wide variety of events celebrating Data Privacy Day has been scheduled throughout the week across the United States, Canada and the European Union. The Triangle Center on Terrorism and Homeland Security and Intel Corporation are sponsoring a ...

The Centre for Information Policy Leadership’s Executive Director, Marty Abrams, brings you these thoughts on a recent data protection summit in Barcelona.

Harmonized international data protection rules have been privacy’s Holy Grail since the EU Directive was enacted in 1995. Harmonized, globally recognized rules would simplify life for privacy protection authorities and companies. Numerous efforts have been undertaken to create a harmonized code. The most recent, an international standards project led by the Spanish Data Protection Commissioner, began on January 12 as international privacy experts met in Barcelona. The Spanish Data Protection Commissioner leads the project, and the finished product — a harmonized privacy code that will be the basis for a data protection treaty— will be a center-piece of the 31st International Conference of Data Protection and Privacy Commissioners on November 2009 in Madrid. 

The Barcelona meeting focused on a draft standards document developed by the Spanish Data Protection Authority, Agencia Espanola de Proteccion de Datos.  The document integrates many of the elements from the OECD Privacy Guidelines, Council of Europe Convention, EU Directive and APEC Privacy Framework.  In its 30 sections, the document recognizes almost every concept found in this existing guidance.

On December 5, 2008, the Austrian data protection authority ("DPA") issued its first decision on the implementation of a whistleblowing hotline as required by the Sarbanes-Oxley Act ("SOX"), to be administered by the Austrian subsidiary of a U.S.-based company. The DPA partly approved the data transfers from the Austrian entity to the U.S. entity for the purpose of enabling it to prosecute "serious incidents" caused by the behavior of executive managers. The DPA ordered the Austrian subsidiary to implement a contract guarantying data subjects the ability to exercise their rights ...

On October 1, 2008, the Article 29 Working Party issued a toolkit on Binding Corporate Rules (BCRs) aimed at promoting them as a mechanism for transferring data to countries without an adequate level of data protection. The toolkit includes: (1) a table highlighting the elements and principles to be found in BCRs (WP 153); (2) a document setting up a framework for the structure of BCRs (WP 154); and (3) a revised version of the FAQs on BCRs (WP 155). The toolkit also announced the creation of a mutual recognition procedure between nine national data protection authorities ...