Privacy & Information Security Law Blog

On August 5, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP responded to the Office of the Privacy Commissioner of Canada’s (“OPC”) reframed consultation on transfers for processing. The reframed consultation replaced a previously suspended OPC consultation dealing with the same topic to which CIPL had also responded.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a Q&A document on organizational accountability in data protection (the “Q&A”).

While CIPL has written extensively about the concept of organizational accountability over many years, the Q&A is designed to clarify frequently raised questions about accountability and provide greater context and understanding of the concept, including for law and policy makers considering data privacy legislation around the globe.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a white paper on Organizational Accountability’s Existence in U.S. Regulatory Compliance and its Relevance for a Federal Data Privacy Law (the “White Paper”).

On June 12, 2019, Hunton Andrews Kurth and its Centre for Information Policy Leadership (“CIPL”) hosted a roundtable discussion in the firm’s Brussels office on the update of the EU Standard Contractual Clauses for international data transfers (“SCCs”). More than 30 privacy leaders joined together to discuss the challenges of the current SCCs and provide their insights on the updated versions. Hunton partner David Dumont led the discussion, while CIPL President Bojana Bellamy illuminated CIPL’s work in this area. The session also featured Cristina Monti, Policy Officer in the International Data Flows and Protection Unit of the EU Commission DG Justice and Consumers.

On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted comments to the UK Information Commissioner’s Office (the “ICO”) public consultation on its draft code of practice for age appropriate design for online services (the “Code”).

On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper on GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges (the “White Paper”). In addition, CIPL submitted the White Paper along with a separate response to the European Commission’s questionnaire to prepare for the June 2019 stocktaking exercise on the application of the EU General Data Protection Regulation (“GDPR”).

As reported by Bloomberg Law, on May 24, 2019, the Office of the Privacy Commissioner of Canada (the “OPC”) suspended its public consultation on transborder data flows (the “Consultation”). The suspension follows the announcement of the Digital Charter by the Canadian government, which puts forward principles for digital reform, including improvements to Canadian privacy law.

On May 3, 2019, the International Association of Privacy Professionals (“IAPP”) honored Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy with the 2019 IAPP Privacy Vanguard Award during its Global Privacy Summit in Washington, D.C. The IAPP also honored European Data Protection Supervisor Giovanni Buttarelli with its 2019 Privacy Leadership Award. Since the early 2000s the IAPP has recognized professionals and organizations making a difference in the world of privacy through these yearly awards.

During the week of April 1, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP hosted its annual executive retreat in Washington, D.C. (the “Retreat”). During the Retreat, CIPL held a full-day working session on evolving technologies and a new U.S. privacy framework followed by a closed members only half-day roundtable on global privacy trends with special guest Helen Dixon, Data Protection Commissioner of Ireland.

On April 8, 2019, the European Commission High-Level Expert Group (the “HLEG”) on Artificial Intelligence released the final version of its Ethics Guidelines for Trustworthy AI (the “Guidelines”). The Guidelines’ release follows a public consultation process in which the HLEG received over 500 comments on its initial draft version. The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP contributed its own comments during this process.

On March 29, 2019, the UK Information Commissioner’s Office (the “ICO”) announced that it has opened its sandbox beta phase for applications (the “Beta Phase”).

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP has issued a white paper on Ten Principles for a Revised U.S. Privacy Framework (the “White Paper”). CIPL believes that the use of personal information and privacy can most effectively be regulated at the federal level, and puts forward ten principles that should be included in any new federal privacy framework to ensure appropriate protection for consumers while facilitating the digital economy, innovation and the responsible use of data.

On March 8, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper on Regulatory Sandboxes in Data Protection: Constructive Engagement and Innovative Regulation in Practice (the “White Paper”). The release of the White Paper follows a joint roundtable held by CIPL and senior staff from the UK Information Commissioner’s Office (“ICO”) on February 19, 2019. Over 35 CIPL members attended the full-day roundtable, exchanging views on how the regulatory sandbox should work in practice, discussing the benefits of participation and key questions around appropriate safeguards upon entering and exiting the sandbox, as well as sharing examples of innovative projects where a sandbox may be useful.

During the week of February 25, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP participated in the meetings of the APEC Data Privacy Subgroup (“DPS”) and Electronic Commerce Steering Group (“ECSG”) in Santiago, Chile. CIPL enjoys formal guest status and a seat at the table at these bi-annual APEC privacy meetings.

On January 30, 2019, the UK Information Commissioner’s Office (“ICO”) released a discussion paper on the upcoming beta phase of its regulatory sandbox initiative (the “Discussion Paper”). The ICO had launched a call for views on creating a regulatory sandbox in September 2018, and the feedback received facilitated developing systems and processes necessary to launch the beta phase.

On January 25, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted formal comments to the International Conference of Data Protection and Privacy Commissioners (the “International Conference”) on its Declaration on Ethics and Data Protection in Artificial Intelligence (the “Declaration”). The Declaration was adopted by the International Conference on October 23, 2018, for public consultation.

On January 18, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on the territorial scope of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on November 16, 2018, for public consultation.

On October 22, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP co-hosted a workshop in Brussels on “Can GDPR Work for Health Scientific Research?” (the “Workshop”) with the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) and the Future of Privacy Forum (“FPF”) to address the challenges raised by the EU General Data Protection Regulation (“GDPR”) in conducting scientific health research.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently submitted formal comments to the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) in response to its request for public comments on developing the administration’s approach to consumer privacy.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published the first report in its project on Artificial Intelligence (“AI”) and Data Protection: Delivering Sustainable AI Accountability in Practice.

On November 12, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a legal note on the ePrivacy Regulation and the EU Charter of Fundamental Rights. It was written for CIPL by Dr. Maja Brkan, assistant professor of EU law at Maastricht University, David Dumont, Counsel at Hunton Andrews Kurth, and Dr. Hielke Hijmans, CIPL’s Senior Policy Advisor. 

On October 11, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted comments to the UK Information Commissioner’s Office (“ICO”) in response to its call for views on creating a regulatory sandbox.

On October 23, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP will host an official side event on The Concept of “Fairness” in Data Protection at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels, Belgium.

On October 5, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP hosted a workshop on how to implement, demonstrate and incentivize accountability under the EU General Data Protection Regulation (“GDPR”), in collaboration with AXA in Paris, France. In addition to the workshop, on October 4, 2018, CIPL hosted a Roundtable on the Role of the Data Protection Office (“DPO”) under the GDPR at Mastercard and a pre-workshop dinner at the Chanel School of Fashion, sponsored by Nymity.

On September 26, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Indian Ministry of Electronics and Information Technology on the draft Indian Data Protection Bill 2018 (“Draft Bill”).

On July 10, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on May 25, 2018, for public consultation.

On July 23, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued two new discussion papers on the Central Role of Organizational Accountability in Data Protection. The goal of these discussion papers is to show that organizational accountability is pivotal to effective data protection and essential for the digital transformation of the economy and society, and to emphasize how its many benefits should be actively encouraged and incentivized by data protection authorities (“DPAs”), and law and policy makers around the globe.

During the week of June 25, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP hosted its annual executive retreat in San Francisco, California. The annual event consisted of a closed pre-retreat session for CIPL members, a CIPL Panel at the APPA Forum Open session followed by a CIPL reception and dinner and a special all day workshop with data protection commissioner members of the Asia Pacific Privacy Authorities (“APPA”) on Accountable AI.

On May 14, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a study on how the ePrivacy Regulation will affect the design and user experiences of digital services (the “Study”). The Study was prepared by Normally, a data product and service design studio, whom CIPL had asked for an independent expert opinion on user experience design.

On March 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its draft guidelines on the accreditation of certification bodies under the GDPR (the “Guidelines”). The Guidelines were adopted by the Working Party on February 6, 2018, for public consultation.

On March 20, 2018, the Centre for Information Policy Leadership ("CIPL") at Hunton Andrews Kurth LLP issued a factsheet outlining relevant GDPR provisions for negotiations surrounding the proposed ePrivacy Regulation (the "Factsheet").

On March 26, 2018, the Centre for Information Policy Leadership at Hunton & Williams LLP and AvePoint released its second Global GDPR Readiness Report (the “Report”), detailing the results of a joint global survey launched in July 2017 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The Report tracks the GDPR implementation efforts of over 235 multinational organizations, and builds on the findings of the first Global GDPR Readiness Report by providing insights on key changes in readiness levels from 2016 to 2017.

Hunton & Williams LLP is pleased to announce that Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership (“CIPL”), has been selected as Chair for the Bailiwick of Guernsey’s new data protection authority. Adding the appointment to his position at CIPL, Thomas will be formally appointed in May and will work with the Data Protection Commissioner and the States of Guernsey to support the island’s regulatory framework in conjunction with the introduction of its new data protection law. Thomas will work on a shadow basis until his formal appointment, and the role is expected to command between 10 and 15 days per year.

The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP is pleased to announce that Nathalie Laneret will be joining CIPL as Director of Privacy Policy in May. She brings more than 20 years of experience in data protection policy both in-house and in private practice. She is admitted to the New York and Paris bars and has experience in both France and in the U.S. on data protection, IT and security matters, contracts, competition law, compliance issues and litigation.

On March 6, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on GDPR Implementation in Respect of Children’s Data and Consent (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the application of GDPR requirements to the processing of children’s personal data. The White Paper also highlights and addresses several issues raised by the Article 29 Working Party (the “Working Party”) with regard to children in its guidelines on consent and issues raised by the UK Information Commissioner’s Office in its Consultation on Children and the GDPR.

On January 18, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its updated Working Documents, which include a table with the elements and principles found in Binding Corporate Rules (“BCRs”) and Processor Binding Corporate Rules (the “Working Documents”). The Working Documents were adopted by the Working Party on October 3, 2017, for public consultation.

On January 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Consent (the “Guidelines”). The Guidelines were adopted by the Working Party on November 28, 2017, for public consultation.

On January 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Transparency (the “Guidelines”). The Guidelines were adopted by the Working Party on November 28, 2017, for public consultation.

On January 23, 2018, multinational consulting firm Capgemini interviewed Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams, for their “Jane Meets” video series with the Chief Information Security Officer (“CISO”). Bellamy spoke with the CISO of Capgemini about companies’ readiness to comply with the EU General Data Protection Regulation (“GDPR”). In response to a question about the key responsibilities of a CISO in GDPR compliance, Bellamy said, “…where I see great involvement for CISO also is in ensuring that the company is ready to deal with security breaches. So it’s not just about preventing the breach, which is obvious, but it’s also about readiness to deal with the breach and readiness to then manage the breach and notify individuals and regulators, because that is what [the] GDPR requires.”

Hunton & Williams LLP is pleased to announce that Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership, has been appointed by the UK Prime Minister to serve as a member of its Advisory Committee on Business Appointments (“ACOBA”), effective February 1, 2018.

On December 1, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Automated Individual Decision-Making and Profiling (the “Guidelines”). The Guidelines were adopted by the Working Party on October 3, 2017, for public consultation.

On December 1, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Personal Data Breach Notification (the “Guidelines”). The Guidelines were adopted by the Working Party on October 3, 2017, for public consultation.

The Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”) recently submitted responses to the Irish Data Protection Commissioner (IDPC Response) and the CNIL (CNIL Response) on their public consultations, seeking views on transparency and international data transfers under the EU General Data Protection Regulation (“GDPR”).

The responses address a variety of questions posed by both data protection authorities (“DPAs”) and aim to provide insight on and highlight issues surrounding transparency and international transfers.

On October 19, 2017, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) narrowly voted to approve an amended version of the e-Privacy Regulation (“Regulation”). The committee vote is an important step in the process within the European Parliament. This vote will be followed by a vote of the European Parliament in its plenary session on October 23-26. If the plenary also votes in favor, the European Parliament will have a mandate to begin negotiations with the Member States in the Council. If these negotiations (commonly known as “trilogue”) succeed, the Regulation will be adopted.

Last week, the Centre for Information Policy Leadership (“CIPL”) and several privacy team members at Hunton & Williams LLP attended the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong (the “Conference”). The weeklong event hosted by Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong was attended by over 3000 privacy professionals from data protection authorities (“DPAs”), industry and research sectors. CIPL hosted two events at the conference, as well as a joint roundtable with Hunton & Williams and Citibank, throughout the week.

On September 25, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a discussion paper on Regulating for Results: Strategies and Priorities for Leadership and Engagement (the “Discussion Paper”). The Discussion Paper aims to stimulate dialogue about strategies and priorities for data protection authorities (“DPAs”) by putting forward a number of key questions. For example:

On September 8, 2017, the Council of the European Union published its proposed revisions to the draft E-Privacy Regulation (“EPR”), which was first published by the European Commission in January 2016. The revisions have been made based on written comments and discussions involving the Working Party for Telecommunications and Information Society (“WP TELE”) and serve as a discussion for further meetings of the group in late September 2017.

On September 11, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on the Proposal for an ePrivacy Regulation (the “White Paper”). The White Paper comments on the European Commission’s proposal to replace and modernize the privacy framework for electronic communications contained in the current ePrivacy Directive and to align it with the EU General Data Protection Regulation (“GDPR”).

With less than one year to go before the EU General Data Protection Regulation (“GDPR”) comes into force, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams and AvePoint have launched the second annual GDPR Organizational Readiness Survey. Last year, over 220 predominantly multinational organizations participated in the study which focused on key areas of impact and change under the GDPR such as consent, legitimate interest, data portability, profiling, DPIAs, DPOs, data transfers and privacy management programs. This year’s study revisits these important areas of impact and further considers additional topics. 

Recently, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations on the key concepts of transparency, consent and legitimate interest under the EU General Data Protection Regulation (“GDPR”).

On June 2, 2017, in preparation for the first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) framework, the European Commission has sent questionnaires to trade associations and other groups, including the Centre for Information Policy Leadership at Hunton & Williams LLP, to seek information from their Privacy Shield-certified members on the experiences of such organizations during the first year of the Privacy Shield. The EU Commission intends to use the questionnaire responses to inform the annual review of the function, implementation, supervision and enforcement of the Privacy Shield.

The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP recently submitted formal comments (“Comments”) to the Article 29 Working Party’s (“Working Party’s”) Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (“DPIA Guidelines”) that were adopted on April 4, 2017. CIPL’s Comments follow its December 2016 white paper on Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR, which CIPL had submitted to the Working Party as formal initial input to its development of DPIAs and “high-risk” guidance.

On April 12, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a discussion paper on Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms (the “Discussion Paper”). The Discussion Paper sets forth recommendations concerning the implementation of the EU General Data Protection Regulation’s (“GDPR’s”) provisions on the development and use of certification mechanisms. The GDPR will become effective on May 25, 2018. The EU Commission, the Article 29 Working Party, individual EU data protection authorities (“DPAs”) and other stakeholders have begun to consider the role of GDPR certifications and how to develop and implement them. CIPL’s Discussion Paper is meant as formal input to that process.

On February 15, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted two sets of formal comments to the Article 29 Working Party (the “Working Party”). CIPL commented on the Guidelines for identifying a controller or processor’s lead supervisory authority (“Lead Authority Guidelines”), and on the Guidelines on the right to data portability (“Data Portability Guidelines”). Both were adopted by the Working Party on December 13, 2016, for public consultation. 

On March 6 and 7, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and over 100 public and private sector participants in CIPL’s GDPR Implementation Project will convene in Madrid, Spain, for CIPL’s third major GDPR implementation workshop.

On January 25, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party’s (“Working Party’s”) Guidelines on Data Protection Officers (DPOs) (“DPO Guidelines”) that were adopted on December 13, 2016. CIPL’s comments follow its November 2016 white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation, which CIPL submitted as formal initial input to the Working Party’s development of DPO implementation guidance under the EU General Data Protection Regulation (“GDPR”).

On December 21, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the EU General Data Protection Regulation’s (“GDPR's”) provisions relating to risk and risk assessment, which will become applicable on May 25, 2018. While risk assessments already are required under the EU Data Protection Directive, the GDPR broadens the relevance of risk and risk assessment by explicitly and comprehensively incorporating a risk-based approach to data protection.

On November 30, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on The One-Stop-Shop and the Lead DPA as Co-operation Mechanisms in the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the One-Stop-Shop (“OSS”) and lead DPA, which will become effective on May 25, 2018.

On November 17, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the role of the Data Protection Officer (“DPO”).

On November 20, 2016, the heads of state of the 21 member economies of the Asia-Pacific Economic Cooperation (“APEC”) forum reaffirmed the APEC Cross-Border Privacy Rules (“CBPR”) system in their Leaders’ Declaration at the APEC Leaders’ Meeting in Lima, Peru as follows: “We recall the APEC Leaders 2011 Honolulu Declaration and recognize the importance of implementing the APEC Cross-Border Privacy Rules System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR system.” The fact that the CBPR system is mentioned in the Leaders’ Declaration reflects its priority status on the APEC agenda.

On November 9, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and AvePoint released the results of a joint global survey launched in May 2016 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The GDPR replaces Directive 95/46/EC and will become applicable in May 2018.

On October 20, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP hosted a side workshop at the International Conference of Data Protection & Privacy Commissioners focused on transparency and risk assessment, entitled “The Role of Risk Assessment and Transparency in Enabling Organizational Accountability in the Digital Economy.” The workshop was led by Bojana Bellamy, CIPL’s President, and featured contributions from many leaders in the field, including the UK ICO, Belgium and Hong Kong’s Privacy Commissioners, and counsel and privacy officers from several multinational companies.

On October 21, 2016, the Vietnam e-Commerce and Information Technology Agency and APEC co-hosted an APEC Cross-Border Privacy Rules (“CBPR”) system capacity-building workshop in Da Nang, Vietnam, on the heels of last week’s bilateral affirmation of commitment between the U.S. and Japan to implement and expand the CBPR system. The workshop further signals the continuing growth of the CBPR system.

Recently, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP, a privacy and information policy think tank based in Brussels, London and Washington, D.C., and Telefónica, one of the largest telecommunications company in the world, issued a joint white paper on Reframing Data Transparency (the “white paper”). The white paper was the outcome of a June 2016 roundtable held by the two organizations in London, in which senior business leaders, Data Privacy Officers, lawyers and academics discussed the importance of user-centric transparency to the data driven economy.

In September, the Centre for Information Policy Leadership (“CIPL”) held its second GDPR Workshop in Paris as part of its two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster a culture of trust and collaboration between regulators and industry.  

With the EU General Data Protection Regulation (“GDPR”) enacted and due to come into force in May 2018, the Centre for Information Policy Leadership at Hunton & Williams and AvePoint have launched a global survey to enable organizations to benchmark their readiness for the GDPR. The survey focuses on the key areas of impact and change for organizations under the GDPR, such as consent, legitimate interest, data portability, profiling, privacy impact assessments, DPOs, data transfers and privacy management program.

On March 16, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP co-hosted a one-day workshop in Amsterdam, Netherlands, together with the Dutch Ministry of Security and Justice, to kick off CIPL’s new long-term project on the implementation of the EU General Data Protection Regulation (“GDPR”).

With the recent adoption of the EU General Data Protection Regulation (“GDPR”) and the significant changes it will require from organizations, AvePoint has joined forces with the Centre for Information Policy Leadership (“CIPL”), a global privacy policy think tank at Hunton & Williams LLP, to launch the first global survey to benchmark organizations’ readiness for the GDPR.

On March 17, 2016, Bojana Bellamy, President of the Centre for Information Policy Leadership (“CIPL”), participated on a panel of experts at a hearing in front of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) about the new EU-U.S. Privacy Shield for commercial transfers of EU personal data to the U.S.

On March 16, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP will co-host a one-day workshop in Amsterdam, Netherlands, together with the Dutch Ministry of Security and Justice, to kick off a new long-term CIPL project on the implementation of the EU General Data Protection Regulation (“GDPR”).

During last week’s APEC privacy and e-commerce meetings in Lima, Peru, the APEC E-Commerce Business Alliance (“ECBA”) established its 2nd APEC E-Commerce Business Alliance Expert Council (“Expert Council”). The ECBA Expert Council is comprised of 32 e-commerce experts from government, academia and the private sector in the APEC region. The U.S. members are Markus Heyder, Vice President and Senior Policy Counselor at the Centre for Information Policy Leadership, Manuel “Bing” Maisog, partner at Hunton & Williams, and Joshua Harris, Director of Policy at TRUSTe.

On January 28, 2016, the Centre for Information Policy Leadership (“CIPL”) held a special roundtable at Hunton & Williams’ Brussels office to examine the “essential equivalence” requirement for protection of data transfers to non-EU countries set by the Court of Justice of the European Union’s (“CJEU's”) Schrems decision. The roundtable brought together leading lawyers, corporate privacy officers, legal experts, regulators and policymakers to discuss the critical issues and impact of the new “essential equivalence” requirement for global data transfers set by the CJEU, and its relevance to the current EU-U.S. negotiations of a new Safe Harbor agreement.

On February 22, 2016, the Centre for Information Policy Leadership (“CIPL”), together with TRUSTe, the Information Accountability Foundation and Information Integrity Solutions, will co-host a workshop on Building a Dependable Framework for Privacy, Innovation and Cross-Border Data Flows in the Asia-Pacific Region in Lima, Peru. The workshop will be held in the margins of the upcoming meetings of the APEC Electronic Commerce Steering Group and its Data Privacy Subgroup in Lima from February 23-27, 2016.

On November 20, 2015, Markus Heyder, Vice President of the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP, discussed how “transparency is increasingly understood as a core component of addressing the challenges of the modern information economy” and a key catalyst for a productive and innovative information economy in an article entitled Transparency and the Future of Driverless Privacy published by the International Association of Privacy Professionals.

In late October, the Brazilian Ministry of Justice (the “Ministry”) issued its revised Draft Bill for the Protection of Personal Data (“Draft Bill”). The Ministry released its preliminary draft in January 2015, and the Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”) filed public comments to the draft on May 5, 2015.

On Monday, November 2, 2015, Hunton & Williams LLP’s Centre for Information Policy Leadership (“CIPL”) Senior Policy Advisor, Fred H. Cate, moderated an academic panel on The Data Dilemma: A Transatlantic Discussion on Privacy, Security, Innovation, Trade, and the Protection of Personal Data in the 21st Century. The event was sponsored by Indiana University and took place at the CIEE Global Institute in Berlin, Germany.

On October 27, 2015, Hunton & Williams LLP’s Centre for Information Policy Leadership (“CIPL”) will conduct a joint workshop with Nymity on Bridging Disparate Privacy Regimes through Organizational Accountability. As a side event to the 37th International Privacy Conference in Amsterdam during the week of October 26, the workshop is specifically designed to support and further explore the theme of global “Privacy Bridges” that will be discussed at the International Privacy Conference. Organizational accountability is one of the proposed bridges in the Privacy Bridges Report which the international expert group released earlier this week.

On October 21, 2015, the EU-U.S. Privacy Bridge Initiative, a group of transatlantic privacy experts that was convened in April of 2014, released its report on Privacy Bridges – EU and US Privacy Experts in Search of Transatlantic Privacy Solutions.

On October 6 and 7, 2015, the Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”), a global privacy policy think-tank based in Washington D.C. and London, and the Instituto Brasiliense de Direito Publico, a legal institute based in Brazil, will co-host a two-day Global Data Privacy Dialogue in Brazil, at the IDP’s conference facilities.

On September 29, 2015, the Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”), a global privacy policy think-tank based in Washington D.C. and London, hosted a webinar on The Ins and Outs of the APEC Cross-Border Privacy Rules (“CBPR”) and their Role in Enabling Legal Compliance and International Data Transfers.

The APEC Cross-Border Privacy Rules (“CBPR”) system for information controllers received a significant boost during the recent APEC privacy meetings in the Philippines when APEC finalized a corollary certification scheme for information processors, the APEC Privacy Recognition for Processors (“PRP”). As we previously reported, the PRP allows information processors to demonstrate their ability to effectively implement an information controller’s privacy obligations related to the processing of personal information. In addition, the PRP enables information controllers to identify qualified and accountable processors, as well as assist small or medium-sized processors that are not widely known to gain visibility and credibility. Combined, the CBPR for controllers and PRP for processors now covers the entire information ecosystem, promising to motivate additional APEC economies to join both the CBPR and PRP systems, as well as incentivizing larger numbers of controllers and processors to seek certification.

On August 20, 2015, the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) filed comments to the Indonesian Draft Regulation proposed by the Minister of Communication and Information (RPM) of the Protection of Personal Data in Electronic Systems. The comments were limited to the issue of cross-border data transfers and were submitted in the form of a new CIPL white paper entitled Cross-Border Data Transfer Mechanisms.

On August 29, 2015, the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) will host a half-day workshop in Cebu, Philippines, on the APEC Cross-Border Privacy Rules (“CBPR”) and their role in enabling legal compliance and international data transfers. The CBPR are a privacy code of conduct developed by the 21 APEC member economies for cross-border data flows in the Asia-Pacific region.

How do we focus on individuals and ensure meaningful control and the empowerment of individuals in the modern information age? What data privacy tools would drive empowerment in the digital world of today and tomorrow, perhaps more effectively and more nimbly than traditional individual consent? At a time when many countries are legislating or revising their data privacy laws and organizations are searching for best practices to embed in their business models, these questions are more relevant today than ever. In an article published on July 2, 2015, in the International Association of Privacy Professionals’ Privacy Perspective, entitled Empowering Individuals Beyond Consent, Bojana Bellamy and Markus Heyder of the Centre for Information Policy Leadership at Hunton & Williams argue that consent is no longer the best or only way to provide control and protect individuals. There are alternative and additional tools in our toolkit that can deliver effective data privacy and greater individual empowerment.

Richard Thomas, former UK Information Commissioner and Global Strategy Advisor to the Centre for Information Policy Leadership, was invited to a unique event in Scotland last week.

Peter Hustinx, who retired as the European Data Protection Supervisor at the end of 2014, was awarded the Honorary Degree of Doctor of Science in Social Science by the University of Edinburgh.

On June 11 and 12, 2015, Asia Pacific Privacy Authority (“APPA”) members, invited observers and guest speakers from the government, private sector, academia and civil society, met in Hong Kong to discuss privacy law and policy issues at the 43rd APPA Forum. At the end of the open session on day two, APPA issued its customary communiqué, setting forth the highlights of the discussions of the open and closed sessions. The Hong Kong Privacy Commissioner, who hosted the APPA meeting, also hosted a conference on big data and privacy on June 10.

On June 24, 2015, DataGuidance will host a complimentary webinar on Brazil: Towards Privacy Compliance. The panel of speakers includes Bojana Bellamy, President of the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams; Esther Nunes, Partner of Pinheiro Neto Advogados; and Renato Leite Monteiro of Opice Blum, Bruno, Abrusio & Vainzof Advogados Associados. The speakers will discuss the Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) that was issued in January 2015. Concepts and provisions in the ...

On May 5, 2015, the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) filed comments in English and Portuguese on Brazil’s draft law “on the processing of personal data to protect the personality and dignity of natural persons” (the “Draft Law”).

On April 14, 2015, the American Chamber of Commerce in China (“AmCham”) published a report, entitled Protecting Data Flows in the US-China Bilateral Investment Treaty (the “Report”). The Report is part of AmCham’s Policy Spotlight Series. While in principle addressed to the U.S. and Chinese teams that are currently negotiating the Bilateral Investment Treaty, the Report has been made public. It thereby provides insight into the emerging issue of data localization for the benefit of a much wider audience.

As part of its ongoing Brazil outreach initiative, a delegation of the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) is in Brasilia and Rio de Janeiro the week of March 23, 2015. The delegation will meet with Brazilian government representatives, organizations and experts to discuss global privacy law and best practice developments and other issues of mutual interest, as well as a joint global privacy dialogue workshop in Brazil planned for later this year.

On January 28, 2015, the Brazilian government issued the Preliminary Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) on a website specifically created for public debate on the draft bill. The text of the bill (in Portuguese) is available on the website. (http://participacao.mj.gov.br/)

On February 12, 2015, the International Association of Privacy Professionals (“IAPP”) will host a web conference on The Role of Risk Management in Data Protection – From Theory to Practice. Panelists will include Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”), Fred Cate, Senior Policy Advisor of CIPL, and Hilary Wandall, Associate Vice President, Compliance and Chief Privacy Officer of Merck & Co., Inc. Together, they will lead an online discussion on some of the key considerations in risk assessment and management.

From January 30 to February 3, 2015, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Subic Bay, Philippines, for another round of negotiations and meetings. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was implementing the APEC Cross-Border Privacy Rules (“CBPR”) system, developing a corollary APEC recognition mechanism for information processors, related work relevant to cross-border interoperability, and updating the APEC Privacy Framework. The following is a summary of highlights and outcomes from the meetings.

On February 11, 2015, the International Association of Privacy Professionals Australian New Zealand (“iappANZ”) will host a discussion on the risk-based approach to privacy in Sydney, Australia. Richard Thomas, Global Strategy Advisor for the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”), will present the Centre’s contributions to this topic including the outcomes from the workshops held in Paris and Brussels. Other guest speakers include Timothy Pilgrim, Australian Privacy Commissioner; Dr. Elizabeth Coombs, New South Wales Privacy Commissioner; and Olga Ganopolsky, General Counsel of Privacy and Data at Macquarie Group Limited. Together, they will discuss the benefits and challenges of a risk-based approach and the implications for businesses and regulators.

On December 14, 2014, the University of Amsterdam and the Massachusetts Institute of Technology issued a press release about two recent meetings of the EU-U.S. Privacy Bridges Project in Washington, D.C. (held September 22-23, 2014) and Brussels (held December 9-10, 2014). The Privacy Bridges Project is a group of approximately 20 privacy experts from the EU and U.S. convened by Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority and former Chairman of the Article 29 Working Party, to develop practical solutions for bridging the gap between EU and U.S. privacy regimes and legal systems. Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”), and Fred Cate, the Centre’s Senior Policy Advisor are members of this group.

Former UK Information Commissioner and Centre for Information Policy Leadership (the “Centre”) Global Strategy Advisor Richard Thomas was invited to make a presentation at a roundtable on Privacy Risk Management and Next Steps at the Organization for Economic Cooperation and Development’s (“OECD’s”) 37th meeting of the Working Party on Security and Privacy in the Digital Economy (“Working Party”). The meeting was attended by governmental and regulatory officials from most OECD member countries, with various other participants and observers.

In an article entitled The Rise of Accountability from Policy to Practice and Into the Cloud published by the International Association of Privacy Professinals, Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”), outlines the rapid global uptake of “accountability” as a cornerstone of effective data protection and points to the recent ISO 27018 data privacy cloud standard as one of the latest examples.

The Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) has published a second white paper in its multi-year Privacy Risk Framework Project entitled The Role of Risk in Data Protection. This paper follows the earlier white paper from June 2014 entitled A Risk-based Approach to Privacy: Improving Effectiveness in Practice.

On December 2-4, 2014, Asia Pacific Privacy Authority (“APPA”) members and invited observers and guest speakers from government, the private sector, academia and civil society met in Vancouver, Canada, to discuss privacy laws and policy issues. At the end of the open session (or “broader session”) on day two, APPA issued its customary communiqué (“Communiqué”) containing the highlights of the discussions during both the closed session on day one and the open session on day two. A side event on Big Data will be held on the morning of day three (December 4).

At the International Association of Privacy Professionals’ (“IAPP’s”) recent Europe Data Protection Congress in Brussels, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) led two panels on the risk-based approach to privacy as a tool for implementing existing privacy principles more effectively and on codes of conduct as a means for creating interoperability between different privacy regimes.