Privacy & Information Security Law Blog

On October 9, 2014, the 88th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for all German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information to share their views on current data protection issues, discuss relevant cases and adopt resolutions aimed at harmonizing how data protection law is applied across Germany. During the conference, several resolutions concerning privacy were adopted.

On October 16, 2014, the 36th International Conference of Data Protection and Privacy Commissioners in Mauritius hosted a panel including representatives from the European Data Protection Supervisor ("EDPS") and Hunton & Williams to discuss the need for a coordinated approach to net neutrality and data protection in the EU. While there are divergent views on what net neutrality should (or should not) entail, net neutrality in the EU typically refers to the principle that all Internet traffic is treated equally and without discrimination, restriction or interference.

During the October 14, 2014 closed session of the 36th International Conference of Data Protection and Privacy Commissioners (the “Conference”) held in Balaclava, Mauritius, the host, the Data Protection Office of Mauritius, and member authorities of the Conference issued the “Mauritius Declaration on the Internet of Things,” and four new resolutions – a “Resolution on Accreditation” of new members, a “Resolution on Big Data,” a “Resolution on enforcement cooperation,” and a “Resolution on Privacy in the digital age.” Brief summaries of each of these documents are below.

On September 15-16, 2014, the National Institute of Standards and Technology (“NIST”) will sponsor a workshop to further its Privacy Engineering initiative. The workshop will focus on developing draft privacy engineering definitions and concepts that will be explored in a forthcoming NIST report.

On August 6-10, 2014, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Beijing, China, for another round of negotiations, meetings and workshops. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was again on the further implementation of the APEC Cross-Border Privacy Rules (“CBPR”) system and related work relevant to cross-border interoperability. The following is a summary of highlights and outcomes from the meetings:

Join us in New York City on May 19-20, 2014, for the Privacy, Policy & Technology Summit – A High Level Briefing for Today’s Top Privacy Executives. Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP will be a featured speaker at the session on “Cybersecurity: Insider Tips for Proactively Protecting Your Company and Its Data While Reducing Downstream Regulatory and Litigation Exposure.”

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 5-7, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

On December 3, 2013, Lawrence Strickling, Department of Commerce Assistant Secretary for Communications and Information, spoke at the American European Community Association Conference in Brussels on Data Protection: The Challenges and Opportunities for Individuals and Businesses. Strickling discussed the Obama Administration’s commitment to “preserving the dynamism and openness of the Internet, enhancing the free flow of information, and strengthening our Internet economy.” He addressed the issues surrounding U.S. surveillance operations and the European Commission’s recent report on Safe Harbor. Strickling also provided a progress report on improvements to consumer privacy protection since the White House released its Consumer Privacy Bill of Rights in February 2012, including an update on the National Telecommunications and Information Administration’s (“NTIA’s”) multistakeholder process to develop industry codes of conduct.

On November 19, 2013, the Federal Trade Commission held a workshop in Washington, D.C. to discuss The Internet of Things: Privacy & Security in a Connected World. FTC Chair Edith Ramirez and FTC Senior Attorney Karen Jagielski provided the opening remarks. Chairwoman Ramirez raised three key issues for workshop participants to consider:

On October 2, 2013, the 86th Conference of the German Data Protection Commissioners concluded in Bremen. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On October 4, 2013, The Centre for Information Policy Leadership’s Senior Policy Advisor Fred Cate reported on the 35th International Conference of Data Protection and Privacy Commissioners which concluded on September 24 in Warsaw, Poland. The report indicates that four main issues dominated the Conference: (1) challenges presented by technologies such as mobile apps and online profiling, (2) multinational interoperability and enforcement, (3) pending EU data protection regulation and alternatives, and (4) repercussions of NSA surveillance activities.

Read the ...

On September 30, 2013, Hunton & Williams LLP hosted representatives from the U.S. Department of Commerce for a timely discussion of the Safe Harbor Framework, the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules System (“CBPRs”), and the Transatlantic Trade and Investment Partnership (“TTIP”) negotiations. The panel also addressed the development of privacy codes of conduct and privacy legislation being developed by the Department of Commerce.

On September 23 and 24, 2013, a declaration and eight resolutions were adopted by the closed session of the 35th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. This blog post provides an overview of the declaration and the most significant resolutions.

On August 28, 2013, the Obama Administration issued several documents relating to the Cybersecurity Framework that the President called for in Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The documents include:

• Preliminary Cybersecurity Framework (Discussion Draft);
• Preliminary Cybersecurity Framework: Illustrative Examples (Discussion Draft);
• Message to Senior Executives on the Cybersecurity Framework (Discussion Draft);  and
• Cybersecurity Framework Performance Goals (Draft).

As always, the privacy team at Hunton & Williams continues to closely monitor the latest global developments in data protection, privacy and cybersecurity, including progress on the proposed EU General Data Protection Regulation. To keep you informed, we will be hosting regular, 30-minute webcasts to provide brief updates on the most pressing issues. These Hunton Global Privacy Update sessions will take place every two months. Please join us on September 19, 2013, at 11:00 a.m. EDT, for the first Hunton Global Privacy Update webcast.

Register for the complimentary September 19th ...

On September 30, 2013, Hunton & Williams LLP will host a panel discussion with the U.S. Department of Commerce on The Latest International Data Privacy Developments. The panel will take place in Hunton & Williams’ New York office from 5:30 – 7:00 p.m. EDT, with a cocktail reception following the presentation. The Department of Commerce’s International Trade Administration (“ITA”) will brief participants on important international data privacy issues, including:

On August 12, 2013, Privacy Piracy host Mari Frank interviewed Paul M. Tiao on KUCI 88.9 FM radio in Irvine, California. Paul is a partner in the Washington, D.C. office of Hunton & Williams, and the former Senior Counselor for Cybersecurity and Technology to the Director of the Federal Bureau of Investigation. The interview included discussion of hot-button electronic surveillance issues such as the PRISM surveillance program and private sector management of government data requests.

Access the radio interview.

On July 18-19, 2013, the European Union Justice and Home Affairs Council held an informal meeting in Vilnius, Lithuania, where Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, openly criticized the U.S.-EU Safe Harbor Framework.

On July 30-31, 2013, the Cyber and Intelligence Committees of the Armed Forces Communications and Electronics Association (AFCEA) will host the 2013 AFCEA Global Intelligence Forum at the National Press Club in Washington, D.C. This year’s conference theme, “Defining the Role of Intelligence for Cyber Mission,” explores how leaders in the intelligence community can work together to help “ensure free and secure cyberspace operations – from setting requirements, to collecting and analyzing data, to delivering insights and recommendations.” The conference also ...

The U.S. Department of Commerce’s International Trade Administration (“ITA”) will host a data privacy seminar in Providence, Rhode Island, on Thursday, July 18 from 8:30 – 11:00 a.m. EDT. Seminar participants will hear from Commerce privacy experts who will discuss the Obama Administration’s privacy blueprint and provide updates on significant international developments, including the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks and the Asia-Pacific Economic Cooperation (“APEC”) group’s work to implement the Cross-Border Privacy Rules System. These privacy developments could have a significant impact on how companies comply with laws and privacy regulations in the United States, Asia and Europe. A representative from the Safe Harbor-certified company Textron Inc. (“Textron”) also will discuss the company’s experience developing and implementing a privacy compliance program.

On June 18, 2013, the New York office of Hunton & Williams LLP office hosted Cornell University’s Privacy and Data Security Symposium, Privacy, Security & Your Data - Concerns in a Changing World. The program focused on global privacy and cybersecurity issues, including protecting the personal information of Internet users, balancing user privacy with law enforcement concerns, and implementing responsible data stewardship and governance. Moderated by Cornell University’s Tracy Mitrano, Director of IT Policy and Institute for Computer Policy and Law, the panel included:

On July 1, 2013, Practising Law Institute (“PLI”) hosts its first symposium on Cybersecurity 2013: Managing the Risk in New York. Hunton & Williams partner Lisa J. Sotto is the Chair of the event. The program features timely cybersecurity topics, including the threat landscape, the legal environment (such as the Obama Administration’s Executive Order on Cybersecurity), and how companies can manage cybersecurity incidents when they occur and seek to prevent cyber attacks before they occur. Hunton & Williams partner Paul M. Tiao and Centre for Information Policy Leadership ...

On June 5, 2013, Hunton & Williams hosted a seminar in the firm’s London office: Tracking the Draft EU Regulation ̶ General Update and the Concept of the “One-Stop Shop.” Bridget Treacy, Rosemary Jay and Tim Hickman of Hunton & Williams gave a presentation on the operation and effects of the “consistency mechanism” to be introduced in the proposed General Data Protection Regulation. The June 5 update was the most recent in Hunton & Williams’ ongoing series of Executive Briefings on the Proposed Regulation. The consistency mechanism is intended to ensure that, once the ...

On June 6, 2013, a group of 300 gathered in Santa Marta, Colombia, the second oldest city in South America, for the First Latin America Congress on Data Protection. The Congress was organized by Colombia’s data protection authority, the Superintendency of Industry and Commerce, and the Centre for Information Policy Leadership at Hunton & Williams LLP. “Latin America is very important to Centre member companies, and education is a key element of the Centre’s Latin America Project. So, we were very pleased to help the Superintendent organize the program,” said Centre President Marty Abrams.

On May 29, 2013, Hunton & Williams hosted a webinar, A Discussion on the Proposed EU Regulation: Developing a More Creative Approach. Hunton & Williams partner Bridget Treacy moderated the session with former UK Information Commissioner Richard Thomas, Global Strategy Advisor of the Centre for Information Policy Leadership at Hunton & Williams. Richard Thomas discussed the need for a more creative and flexible approach to the proposed EU General Data Protection Regulation, with better-defined outcomes and targeting businesses that present the greatest risks. He also ...

On June 3, 2013, Privacy Piracy host Mari Frank interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, on KUCI 88.9 FM radio in Irvine, California. Listen to the latest developments in cybersecurity, including legal issues businesses should consider when dealing with cybersecurity threats and the types of information being targeted.

Access the radio interview.

On May 6, 2013, the Global Privacy Enforcement Network (“GPEN”) announced its first “Internet Privacy Sweep,” in which 19 data protection authorities are participating. This joint effort, which runs May 6-12, 2013, involves a review of the information notices posted online by major websites.

The Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) has activated the website for the 35th International Conference of Data Protection and Privacy Commissioners to be held in Warsaw, Poland, September 23-26, 2013. The conference theme is “A Compass in a Turbulent World.” Unlike past years, the conference will begin with the closed session for commissioners and concurrent side events. The open conference will take place on September 25 and 26. GIODO currently is working on the conference agenda with an advisory committee that ...

On April 5, 2013, during the Centre for Information Policy Leadership’s First Friday call, Centre President interviewed José Alejandro Bermúdez Durana, Deputy Superintendent for Data Protection for Colombia’s Superintendency of Industry and Commerce, and asked about the progress of Colombia’s new data protection law. Enacted in October 2012, the law provided a six month grace period for companies to prepare to comply with new requirements, which are expected to be implemented on April 18, 2013. The final regulation will be published thereafter. The Deputy Superintendent discussed industry cooperation and said that the regulation’s language on consent will be flexible.

Hunton & Williams LLP is pleased to announce that Lisa J. Sotto, partner and head of the firm’s Global Privacy and Data Security practice, has been named to The National Law Journal’s “The 100 Most Influential Lawyers in America” list. Last published in 2006, this is only the eighth time this list of legal luminaries has been compiled since it was first established in 1985 as “Profiles in Power.”

On March 14, 2013, the 85th Conference of the German Data Protection Commissioners concluded in Bremerhaven. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

The U.S. Department of Commerce’s International Trade Administration (“ITA”) will host a data privacy seminar in Waltham, Massachusetts, on Monday, March 25 from 8:30 – 11:30 a.m. EST. Seminar participants will hear from a number of Commerce privacy experts who will discuss the Obama Administration’s privacy blueprint and provide updates on significant international developments involving the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks and the Asia-Pacific Economic Cooperation group’s work to implement the Cross-Border Privacy Rules System. These privacy developments could have a significant impact on your company and its compliance with laws and privacy regulations in the United States, Asia and Europe.

On February 8, 2013, during the Centre for Information Policy Leadership’s First Friday call, Hunton & Williams partner Frederick Eames offered insights on how key U.S. government players are likely to approach privacy and data security initiatives this session. Eames discussed upcoming privacy legislation and outlined his predictions regarding how several Congressional committees, including the House of Representatives Energy & Commerce Committee and the Senate Committee on Commerce, Science, & Transportation, will address privacy-related issues.

Listen to the full ...

On February 12, 2013, the Obama Administration released its highly-anticipated Executive Order on cybersecurity. Evolving cyber threats and increased government attention to these issues will affect companies in every industry, and businesses must consider a proactive approach to protecting against risks to critical business systems, company personal data, intellectual property and other proprietary information.

On January 28, 2013, the London office of Hunton & Williams marked European Data Privacy Day with the launch of the fourth edition of Data Protection Law & Practice, written by Senior Attorney Rosemary Jay. A panel comprised of the current UK Information Commissioner, Christopher Graham; his three predecessors, Eric Howe CBE, Elizabeth France CBE and Richard Thomas CBE; and the UK Minister of State for Justice, Lord McNally, spoke at the event and provided a retrospective on data protection in the United Kingdom since the Information Commissioner’s Office’s (“ICO’s”) inception in 1984.

On January 28, 2013, European Data Privacy Day, the London office of Hunton & Williams hosted the launch of senior attorney Rosemary Jay’s fourth edition book, Data Protection Law & Practice, by publisher Sweet & Maxwell.

In an interview with Marianne Kolbasuk McGee of HealthcareInfoSecurity, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, discusses the measures health care organizations should take to prepare for the issuance of the upcoming HIPAA Omnibus Rule. In March 2012, the Department of Health and Human Services (“HHS”) sent its final Omnibus Rule modifying the HIPAA Privacy, Security and Enforcement Rules to the White House Office of Management and Budget. In the interview, Sotto outlines her predictions of the content of the Omnibus Rule, including “modifications to the HIPAA privacy, security and enforcement rules” and “a final version of the HIPAA breach notification rule.”

On December 10, 2012, Tom Field of HealthcareInfoSecurity interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing the top legal issues in 2012, Lisa said that data breaches remain at the top of the list, with an increase in malicious cyberattacks. She also addressed the need to combat cybercrime.

Listen to Lisa’s interview.

On December 3, 2012, the Centre for Information Policy Leadership (the “Centre”) at Hunton & Williams will co-host a special International Association of Privacy Professionals (“IAPP”) KnowledgeNet meeting in Brussels, Belgium. The meeting will explore global developments in accountability in the context of the proposed EU Data Protection Regulation and the impact of accountability on data protection management.

On December 5, 2012, at 1:00 p.m. EST, the U.S. Department of Commerce’s International Trade Administration (“ITA”) will be hosting a webinar to discuss data privacy issues. Webinar participants will hear from Commerce privacy experts on the Obama Administration’s privacy blueprint. There also will be an update on significant international data privacy developments such as the Asia-Pacific Economic Cooperation (“APEC”) forum’s work to implement the Cross-Border Privacy Rules (“CBPRs”) system and the U.S.-European Union and U.S.-Swiss Safe Harbor ...

Following the launch of Hunton & Williams’ Data Protection Executive Briefing Paper on the proposed EU Data Protection Regulation, we are pleased to announce that on November 29, 2012, we will host a further workshop to explore the challenges facing processors under the draft Regulation. In this workshop, attendees will:

• Explore how obligations on processers are likely to expand significantly;
• Learn how these new obligations will affect both processors and controllers; and
• Create a checklist for preparing for the changes ahead.

On November 13-15, 2012, delegates at the IAPP Europe Data Protection Congress in Brussels were given insight into how discussions with key policymakers are progressing. As European Parliament rapporteur and Member of the European Parliament Jan Philipp Albrecht aims to finalize the reform of the EU Data Protection Directive by the end of the current European Parliament’s mandate in 2014, this ambitious goal faces numerous hurdles.

In partnership with SC Magazine, we are pleased to announce that on November 22-23, 2012, SC Magazine will host its 2012 Virtual Summit “Tackling the Big 3: Clouds, Consumerisation, Cybercrime,” featuring Hunton & Williams partner Bridget Treacy. Following a year of sharp increases in data breaches and regulatory fines, the SC Summit will explore and focus on cybercrime, mobile devices and cloud security – three key priorities for 2013. Bridget Treacy and Paul Swarbrick, Chief Information Security Officer and Head of Cybersecurity for National Air Traffic Services, will open the Summit with their keynote presentation, “Where’s the Danger? From Cybercrime to Consumerisation to the Cloud, Today’s Most Potent Threats Unmasked.” Paul will discuss the data security issues that keep him awake at night and Bridget will offer vital, current perspective on the ever-changing legal landscape.

On November 8, 2012, the 84th Conference of the German Data Protection Commissioners concluded in Frankfurt (Oder). This bi-annual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information Peter Schaar to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

The Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) announced that it will host the 35th International Conference of Data Protection and Privacy Commissioners on September 23-27, 2013, in Warsaw, Poland. The first two days will be dedicated to the closed session, with the open sessions and side events taking place September 25-27.

In February 2013, the GIODO will facilitate the Global Accountability Project for which the Centre for Information Policy Leadership acts as Secretariat.

On October 24, 2012, Peter Hustinx, the European Data Protection Supervisor, speaking at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay, called the proposed EU Data Protection Regulation an “ambitious” undertaking, designed to achieve three goals.

First, Hustinx said the regulation is intended to provide the structure for European data protection for at least the next 20 years.

Second, the draft regulation will eliminate the wide variety of requirements that has resulted from the current EU Data Protection Directive’s being transposed into national law in 27 member states.

This year, the International Conference of Data Protection and Privacy Commissioners takes place in Punta del Este, Uruguay. On October 22, 2012, Article 29 Working Party President Jacob Kohnstamm kicked off the conference with the Public Voice session, sending a clear message that the Article 29 Working Party will resist EU data protection reform proposals involving the use of consent and legitimate business interests as legal bases for data processing.

Governance for next generation data applications increasingly will depend less on individual consent, and more on ...

In the opening session of the 34th International Conference of Data Protection and Privacy Commissioners, Conference Executive Committee Chair and Article 29 Working Party President Jacob Kohnstamm introduced this year’s conference. He noted that the topic of this year’s closed session will be profiling. Kohnstamm also indicated that future DPA conferences would focus on the closed session, which typically is comprised of current and former data protection authorities. Among the speakers in the 2012 closed session is Professor Fred H. Cate, Senior Policy Advisor for the Centre for Information Policy Leadership at Hunton & Williams LLP.

Lisa Sotto, partner and head of the Global Privacy and Data Security Practice at Hunton & Williams, was interviewed on July 18, 2012 about her participation in the USAID-funded Judicial Reform and Government Accountability Project’s initiative to educate and provide data protection awareness to the Serbian government. As we reported last week, Sotto was invited to Belgrade to assist Rodoljub Sabic, Serbia’s Commissioner for Information of Public Importance and Personal Data Protection, and the JRGA Project. Sotto, who also is Chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, spent last week advising the Commission on steps to enhance Serbia’s data protection framework.

On July 12, 2012, the National Telecommunications and Information Administration (“NTIA”) of the U.S. Department of Commerce convened the first meeting of its multistakeholder process to develop industry codes of conduct. As we reported in June, the stated purpose for this meeting, entitled “Seeking Common Ground Regarding Mobile Application Transparency,” was to establish “a working dialogue that will eventually lead to a code of conduct that is broadly adopted.” Lawrence Strickling, Department of Commerce Assistant Secretary for Communications and Information, opened the session, which he characterized as an effort to highlight the key issues and explore topics to be addressed. Strickling emphasized that the structure and approach to the work would likely differ from that with which participants were familiar, and that it would be important to arrive at a constructive process that encourages collaboration and open engagement.

On May 24, 2012, Hunton & Williams LLP and Jordan Lawrence Group hosted a webcast on “Preparing for a New U.S. Privacy Landscape: An Overview of the FTC and White House Frameworks.” The webcast featured Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams, Aaron P. Simpson, partner at Hunton & Williams, and Rebecca Perry, Executive Vice President of Professional Services of Jordan Lawrence Group.

On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.

On May 24, 2012, Hunton & Williams LLP and Jordan Lawrence Group are pleased to present a 45-minute webcast on “Preparing for a New U.S. Privacy Landscape: An Overview of the FTC and White House Frameworks.” Presenters Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams, Aaron P. Simpson, partner at Hunton & Williams, and Rebecca Perry, Executive Vice President of Professional Services of Jordan Lawrence Group, will highlight the key privacy and information security issues contained in these new frameworks and the impact they will ...

On May 4, 2012, Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP (“the Centre”), interviewed British Columbia’s Information and Privacy Commissioner Elizabeth Denham during the Centre’s First Friday call. Commissioner Denham discussed the April 2012 release of “Getting Accountability Right with a Privacy Management Program,” new guidance issued by the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia. The guidance addresses the Commissioners’ expectations for accountable privacy programs as required by Canadian law. Commissioner Denham described the guidance as “a tool to help organizations comply with the law,” providing “a roadmap to sound data governance,” with clear, practical terms for organizations to achieve accountability.

The Uruguayan Personal Data Control and Regulatory Unit has released the preliminary agenda for the 34th International Conference of Data Protection and Privacy Commissioners to take place October 23-24, 2012 in Punta del Este, Uruguay, at the Conrad Hotel. The conference theme is “Privacy and Technology in Balance.” The preliminary agenda with session descriptions and other information is available on the conference website at www.privacyconference2012.org.

As we previously reported, on May 3-4, 2012, the European data protection authorities’ (“DPAs’”) Spring Conference was held in Luxembourg, and the Data Protection Commissioners closed the conference by issuing a resolution on European data protection reform. In their resolution, the Data Protection Commissioners expressed general satisfaction with the ongoing modernization of the data protection frameworks of the European Union, the Council of Europe and the Organization for Economic Cooperation and Development.

On May 2, 2012, Australia’s Attorney General Nicola Roxon announced that the Australian government will introduce a bill to the Australian Parliament that will enact a number of the recommendations from the 2008 Law Reform Commission Report (ALRC Report 108) and reform privacy law in Australia. Discussion drafts of segments of the bill were considered by a Senate Committee in 2011. On May 4, Australian Privacy Commissioner Timothy Pilgrim presented an overview of the draft legislation at an event held during the iappANZ Privacy Awareness Week. Commissioner Pilgrim noted that the legislative package includes:

Join Hunton & Williams at the 2012 Europe Data Protection Intensive, now hosted by the International Association of Privacy Professionals (“IAPP”) in London, April 25-26, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

On March 19, 2012, the European Commission hosted this year’s Safe Harbor Conference in Washington, D.C., to address the transfer of data from Europe to the United States. Although it appears the Safe Harbor framework will remain unchanged for the time being, it seems unlikely the United States will be considered adequate, or even interoperable, with the EU for purposes of cross-border data transfers.

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 7-9, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

• Mending Fences after a Breach Thursday, March 8, 12:15 p.m. Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection.

The U.S. Department of Commerce has confirmed that the European Commission will host this year’s Safe Harbor Conference in Washington, D.C., on March 19, 2012. The venue marks a change from the tradition of previous sessions which have taken place in the host authority’s capital city (Washington, D.C. or Brussels). The Conference will follow the release of the European Commission’s draft revisions to the EU Data Protection Directive 95/46, which are expected on or around January 25, 2012. The widely leaked draft of the proposal does not contain language pertaining to the ...

On November 30, 2011, Tracy Kitten, Managing Editor of BankInfoSecurity, interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing how data breaches can be game changers for organizations that suffer major incidents, Sotto emphasized that companies need to consider both the legal compliance issues involved with data breaches and potential reputational risks. Sotto also addressed how attorneys can play a key role in helping companies through the process.

Read the interview transcript or listen to the ...

On November 29, 2011, at the International Association of Privacy Professionals (“IAPP”) Europe Data Protection Congress in Paris, France, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, provided insight into details of the proposals for the revised EU data protection framework. She focused explicitly on solutions for international data transfers, promoting Binding Corporate Rules ("BCRs") as a solution that can offer a simplified, yet comprehensive, structure for safeguarding international flows of data. Commissioner Reding referred to BCRs as offering the possibility of consistent enforcement and legal certainty, without stifling innovation.

On November 17, 2011, the German Association for Data Protection and Data Security (“GDD”) held its 35th Privacy Conference (“DAFTA”) in Cologne, Germany. At the opening plenary session, Paul Nemitz, Director for Fundamental Rights and Citizenship of the European Commission, announced that the European Commission plans to implement a Regulation that is directly applicable to all EU Member States, to harmonize data protection laws in Europe.

On November 13, 2011, Asia-Pacific Economic Cooperation (“APEC”) leaders endorsed the APEC Cross-Border Privacy Rules (“CBPRs”) system at an APEC meeting in Honolulu, Hawaii. The Leaders’ Statement also endorsed interoperability between national and regional privacy and data protection regimes to facilitate moving data around the globe while protecting privacy.

On November 2, 2011, following welcome comments by Federal Institute for Access to Information and Data Protection (“IFAI”) Commissioner Jacqueline Peschard, the 33rd International Conference of Data Protection and Privacy Commissioners opened in Mexico City with an examination of the phenomenon of “Big Data” as a definer of a new economic era. In a wide-ranging presentation, Kenneth Neil Cukier of the Economist drew into clear relief the possibilities and problems associated with combining vast stores of data and powerful analytics. He highlighted the growing ability to correlate seemingly unrelated data sets to predict behavior, reveal trends, enhance product performance and safety and derive meaning. In his remarks Cukier noted that, in an era of Big Data, much of the decision-making about data collection and use goes beyond traditional notions of privacy, touching on ethics and free will. Noting that the printing press led to the development of free speech laws, he left open the question of how Big Data may change the legal landscape.

On November 1, 2011, the Centre for Information Policy Leadership released a discussion document entitled “Implementing Accountability in the Marketplace,” at the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. The document reflects the collaborative effort of experts from Canada, Europe and the United States, and provides a comprehensive summary of the third year of the Centre’s work with the Accountability Project. It examines the requirements and benefits of accountability when it is applied across the marketplace, and ...

On November 2-3, 2011, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, is the chairman of the Conference’s advisory panel and principal advisor to Conference organizers on program content. Hunton & Williams is a proud sponsor of the event which will feature Hunton representatives as speakers or moderators on multiple panels and plenary sessions, including the following:

On October 13, 2011, Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, presented “Accountability in a Page” as part of the “What it Means to Be Accountable” plenary session at the PIPA Conference 2011 taking place in Vancouver, British Columbia. Mr. Abrams, who leads the Centre’s Accountability Project, outlined the essential elements of accountability and described how top multinational companies are building accountability-based programs. According to Mr. Abrams, “accountability as mandated by the Canadian ...

On Tuesday, September 27, 2011, the European Privacy Officers Forum (“EPOF”) celebrated its 10th anniversary with a gala reception at the BELvue Museum in Brussels. EPOF is composed of EU-based data protection compliance officers and internal legal counsel from over 30 multinational companies and public-sector institutions who meet three times a year in Brussels to exchange ideas and to hear presentations by data protection authorities and other government representatives. The gala, which was attended by approximately 100 people, featured opening remarks from Peter Hustinx, European Data Protection Supervisor, the Honorable William E. Kennard, U.S. Ambassador to the EU, and Paul Nemitz, Director of Fundamental Rights and Citizenship of the European Commission.

On September 19, 2011, Privacy Piracy host Mari Frank interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, on KUCI 88.9 FM radio in Irvine, California.  In the interview, Ms. Sotto discussed critical current privacy and data security issues, including lessons learned from the recent data breaches, the regulatory framework in the U.S. and EU, and expected legislative changes in the privacy arena globally.

Listen to the Privacy Piracy interview.

On September 15, 2011, the U.S. House of Representatives Subcommittee on Commerce, Manufacturing and Technology held a hearing on “the impact and burden” of European privacy regulation.  Paula Bruening, former Vice President of the Centre for Information Policy Leadership at Hunton & Williams LLP, was one of five witnesses who testified at the hearing.

Mexico’s Federal Institute for Access to Information and Data Protection ( “IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City on November 2-3, 2011.  This year’s conference, entitled “Privacy: The Global Age,” will focus on the challenges associated with managing and protecting personal data in an era characterized by the constant, instantaneous transfer of information across the globe.  IFAI President Jacqueline Peschard discussed the conference in further detail in an interview with Marty Abrams ...

On June 9, 2011, Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Privacy and Data Security practice, spoke during the regulatory session on state and federal laws at NetDiligence’s Cyber Risk & Privacy Liability Forum in Philadelphia.  Sotto discussed recent changes to the legal landscape, emphasizing regulatory authorities’ growing interest in policy and enforcement issues and increased legislative activity on the state and federal levels.

View an excerpt from Sotto’s remarks as part of the panel discussion.

On July 14, 2011, the U.S. House of Representatives Energy and Commerce Committee convened a joint hearing of the Subcommittee on Commerce, Manufacturing and Trade (chaired by Rep. Mary Bono Mack (R-CA)), and the Subcommittee on Communications and Technology (chaired by Rep. Greg Walden (R-OR)), to launch a comprehensive review of Internet privacy.  The series of hearings began with testimony from officials representing three agencies with jurisdiction over consumer privacy issues: FTC Commissioner Edith Ramirez, FCC Chairman Julius Genachowski, and Department of Commerce Assistant Secretary for Communications and Information Lawrence Strickling.

On June 28-30, 2011, the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg, France, to discuss, among other things, amending the Council of Europe’s Convention 108.  Convention 108, which underlies the European Union’s legal framework for data protection, is the only legally-binding international convention that addresses data protection.  Amendment of the Convention is thus closely linked to the current review of the EU data protection framework, and many of the same actors are involved in both exercises.

On June 28, 2011, the Federal Communications Commission and the Federal Trade Commission convened a public education forum entitled “Helping Consumers Harness the Potential of Location-Based Services.”  Representatives of telecommunications carriers, technology companies and consumer advocacy organizations discussed technological developments and how best to realize the benefits of location-based services without compromising privacy.

On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.”  In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.  First, Senator Rockefeller noted S. 917, the Do-Not-Track Online Act of 2011, a bill he introduced that would allow consumers to tell online companies that they do not want their personal information collected and require companies to honor those requests.  Second, the Senator referenced S. 799, the Commercial Privacy Bill of Rights Act of 2011, legislation introduced by Senators John Kerry (D-MA) and John McCain (R-AZ) that would comprehensively address privacy protection.  Finally, Senator Rockefeller spoke about S. 1207, the Data Security and Breach Notification Act of 2011, which he and Senator Mark Pryor (D-AR) reintroduced.  That bill would impose an obligation on companies to adopt basic security measures to protect sensitive consumer data and require companies to notify affected consumers in the event of a breach.  Senator Rockefeller emphasized several times his committee’s jurisdiction over privacy and data security issues.

As reported yesterday, on June 16 and 17, 2011, the Hungarian Presidency of the Council of the European Union hosted a high-level international data protection conference in Budapest.  The following are some highlights from the second day’s events:

• During the “New principles in the field” panel, Professor Paul De Hert of the Vrije Universiteit Brussel gave an explanation of the case I v. Finland, which was decided by the European Court of Human Rights on July 17, 2008, and which both he and European Data Protection Supervisor Peter Hustinx agreed was a key document for the concept of accountability in European data protection law.  Endre Szabó of the Hungarian Ministry of Public Administration and Justice noted that the principle of accountability had not yet been fully accepted by all members of the European Council.

On June 16, 2011, the Hungarian Presidency of the Council of the European Union hosted the first day of a high-level international data protection conference in Budapest.  The conference was attended by approximately 150 people, most of whom are representatives of EU governments, data protection authorities (“DPAs”), the European Commission, and other governmental groups such as the Council of Europe.

On June 13, 2011, the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) hosted a conference in Warsaw on the use of binding corporate rules (“BCRs”) for international data transfers.  The conference was notable as the first on this topic in Poland, and was designed to introduce BCRs to a Polish audience and to promote their use.  The audience of approximately 70 people heard presentations by the Polish Inspector General for Data Protection, Wojciech Rafał Wiewiórowski, as well as representatives of the Belgian, French, Polish ...

On May 26, 2011, the United Kingdom’s Lord Chancellor and Secretary of State for Justice Kenneth Clarke spoke before the EU Committee of the British Chamber of Commerce in Belgium.  His remarks focused on data protection, a subject he characterized as one “heavily on the agenda” in Brussels and in many EU Member States.  Clarke emphasized his own role as a proponent of data protection and a defender of civil liberties and individual freedom, and discussed the introduction into Parliament of a major bill to enhance individual freedom in the UK.  Key measures in the bill, many of which respond to issues raised over the past few years by the UK Information Commissioner, include:

• Greater independence for the Information Commissioner
• Safeguards against misuse of counter-terrorism stop and search powers
• Further regulation of the use of closed-circuit television monitoring
• Reform of the regulations governing vetting and barring of ex-offenders and persons working with children and vulnerable adults

On January 11, 2011, Michelle O’Neill, U.S. Department of Commerce Deputy Under Secretary for International Trade, held a briefing on her November 2010 meetings in Brussels with European data protection authorities.  She discussed a data protection and privacy forum that was convened in November at which she met with several high-level European regulators, including Jacob Kohnstamm, Viviane Reding and Peter Hustinx.  O’Neill mentioned “the right to be forgotten” as a current hot-button issue in Europe.  Commissioner Reding, who is firmly in charge of the reconsideration of the EU Data Protection Directive, focused on ensuring easier compliance with EU data protection rules and greater harmonization among Member States.  O’Neill stated that Peter Hustinx was encouraged by the work ongoing in the United States, including the “Green Paper” issued by the Department of Commerce.  He considers the various U.S. efforts a basis for further dialogue with U.S. authorities.  O’Neill noted that comments to the EU consultation are due January 15, 2011.  The Department of Commerce intends to file a response.

On December 2, 2010, discussions about privacy continued at a hearing on “Do Not Track Legislation: Is Now the Right Time?” held by the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Commerce, Trade and Consumer Protection.  The hearing focused on a variety of consumer privacy issues, including the implications and challenges of a Do Not Track mechanism, the consumer’s desire for more control over the collection and use of their data and tracking practices, and the need to preserve an advertising supported Internet that promotes economic growth through online business.

On November 10, 2010, the American Bar Association’s Section of Antitrust Law’s International Committee and Corporate Counseling Committee hosted a webinar on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference?”.  A panel of senior officials and private sector experts provided insights on emerging cross-border data privacy and security issues.  Hunton & Williams partner Lisa Sotto was tapped to moderate an outstanding panel which included Billy Hawkes, Commissioner, Office of the Data Protection Commissioner ...

On November 4, 2010, the New York Privacy Officers' Forum hosted a live program to discuss emerging issues in behavioral advertising.  Peter Weingard from online advertising technology and services company Collective began the program with a presentation highlighting the evolution of the advertising industry and the benefits of online behavioral advertising to advertisers, publishers and consumers.  Hunton & Williams partner Aaron Simpson followed Mr. Weingard with a presentation focusing on the emerging legal issues associated with the technology, including a discussion ...

The international group of data protection commissioners today admitted the U.S. Federal Trade Commission into membership.

Meeting at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, the commissioners determined that the FTC had the requisite authority and independence to qualify for membership.

The decision has been a long time coming.  The U.S. has long sought to be recognized as a member of the data protection group.  Last year, the U.S. application was rejected at the international conference in Madrid.

The International Conference of Data Protection and Privacy Commissioners is convening in Jerusalem.  Appropriately, given the ancient history of the host city, the conference theme is “Privacy: Generations.”  The debate on Day One has drawn on the founding principles of data protection, but also has heavily focused on the future challenges in safeguarding the fundamental rights of privacy and data protection in a world of ubiquitous computing and social networking.

The tone was set in the opening plenary when Dr. Yuval Steinitz, the Israeli Minister of Finance, reminded us of the key tensions in privacy policy.  While privacy may be a fundamental tenet of every democracy, individual cultures must make choices between the competing values of privacy and security, and privacy and transparency.  The balance between these values, and the priority given to one over the other, will shift over time and from one culture to another.  The conference provides a timely opportunity to reassess where that balance currently lies, and what balance may be appropriate in the near future.

David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade Commission, today provided a high-level outline of the Commission’s forthcoming report on the future of privacy.

Speaking at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Vladeck said the report reflected two broad conclusions.  First, current privacy law places too much burden on consumers to read and understand privacy notices and make privacy choices.  The second conclusion is that there is a pressing need to reexamine the conception of “harm” in U.S. law to move beyond only economic and physical harms.

This year, the 32nd International Conference of Data Protection and Privacy Commissioners takes place in Jerusalem.  In addition, the Israeli Law, Information and Technology Authority (“ILITA”) is hosting a week of privacy activities to mark the 30th anniversary of the OECD Privacy Guidelines.

On September 29, 2010, the Centre for Information Policy Leadership (the “Centre”) hosted a pre-conference workshop at the International Association of Privacy Professionals (”IAPP”) Privacy Academy in Baltimore, Maryland.  The tutorial “Accountability on the Ground,” led by Centre Executive Director Marty Abrams, offered practical guidance on the subject of accountability.  The workshop, which featured presentations by Centre member companies, discussed in-depth examples of how organizations can implement an accountability program.

David Vladeck, the head of the Bureau of Consumer Protection at the Federal Trade Commission, shared his vision for consumer privacy protection with an audience at the IAPP’s Privacy Academy on September 30, 2010.  Mr. Vladeck began by reminding the audience that the FTC is aggressively enforcing on privacy and data security matters, having brought 29 cases to date.  Where possible, the FTC joins forces with other federal regulators, such as the Department of Health and Human Services, to seek broad relief that the FTC could not otherwise get on its own.  Mr. Vladeck indicated that the FTC also works closely with the states, citing a recent case in which the FTC filed concurrent settlements with 36 state attorneys general.  Mr. Vladeck stated that the FTC plans to continue to bring cases to ensure that companies “reasonably” safeguard information.

Mr. Vladeck noted three key areas for future enforcement.  The FTC will (1) bring more cases involving “pure” privacy, i.e., cases involving practices that attempt to circumvent consumers’ understanding of a company’s information practices and consumer choices; (2) focus enforcement efforts on new technologies (Mr. Vladeck noted that, to assist staff attorneys in bringing these sorts of cases, the FTC has hired technologists to assist and also have created mobile labs to respond to the proliferation of smart phones and mobile apps); and (3) increase international cooperation on privacy issues (Mr. Vladeck cited the FTC’s recently-announced participation in the Global Privacy Enforcement Network).

Please join us at these great events coming up this fall.  Several members of Hunton & Williams’ Privacy and Information Management team are presenting at these events to discuss the current and evolving privacy and data security issues occurring around the world.

Internet Rights and Technology: A Practical Legal Guide to Doing Business on the Internet – New York City Bar
On September 28, 2010, 6:00 p.m. – 8:45 p.m., the New York City Bar hosts a live program to discuss how the Internet affects various areas of law, including intellectual property, new media, litigation, regulatory and licensing.  The faculty includes Hunton & Williams partner, Aaron P. Simpson, who will lead the Privacy & Data Security session.

Richard Thomas (RT): Lisa, congratulations on the publication of the new treatise.  I’m sure the Privacy team has been waiting for its release.  Could you give us some background on what prompted you and the team to write the Privacy and Data Security Law Deskbook?

Lisa Sotto (LS): Thanks, Richard.  Privacy and information security are topics that have received significant attention during the last few years.  Organizations that manage personal information are under the microscope and are struggling to keep up with the many new and evolving legal requirements around the world.  In addition, there is a real uptick in enforcement actions for privacy and data security incidents.  As the former Information Commissioner of the UK, I’m sure you would agree that privacy is an issue on which nearly every global company must focus.  In 2009 alone, companies spent an average of $6.6 million to rebuild their brand image and retain customers after being involved in some type of data breach the previous year.

On July 20, 2010, Hunton & Williams announced the release of the first edition treatise Privacy and Data Security Law Deskbook (Aspen Publishers) by lead author Lisa J. Sotto, managing partner of the firm’s New York office and head of the firm’s global Privacy and Information Management practice.  The deskbook provides a detailed overview (with thousands of specific citations for the legal practitioner) of those areas of information privacy and data security law that have the greatest impact on and are most relevant to U.S. businesses operating in the global arena.  In addition ...

“The Department of Commerce is back.”  With those words Cameron Kerry, General Counsel of the U.S. Department of Commerce, made it clear the Department intends to take a leading role in shaping domestic privacy policy and representing U.S. privacy interests in international discussions.  The announcement was made at the May 7, 2010, Department of Commerce symposium, “A Dialogue on Privacy and Innovation,” where the mostly business audience welcomed Mr. Kerry’s declaration with great enthusiasm.

The Department of Commerce (“DOC”) will be holding a public meeting on May 7, 2010, in Washington, D.C., to listen to stakeholders’ views on privacy policies in the United States.  This session is part of a broader inquiry by the DOC’s newly created Internet Policy Task Force “whose mission is to identify leading public policy and operational challenges in the Internet environment.”  The DOC’s National Telecommunications and Information Administration and the International Trade Administration will issue a notice of inquiry to look at the nexus between innovation ...

Join us next week at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., April 19 – 21, 2010.  This year’s summit features three days of intensive programs and networking with more 1,500 privacy professionals.  We also hope you will visit our privacy professionals who are speaking on the following panels:

• The Essential Elements of Accountability and Baking Them into a Privacy Business Process
  Tuesday April 20, 1:15 – 2:15 p.m.
  Speakers include: Marty Abrams, Executive Director of the Centre for Information Policy Leadership and Scott Taylor, CIPP, Chief Privacy Officer of Hewlett-Packard Company.
• Revisiting the Safe Harbor a Decade Later
  Wednesday April 21, 12:15 – 1:15 p.m.
  Speakers include: Lisa J. Sotto, Partner and Head of the Privacy and Information Management Practice at Hunton & Williams LLP; Damon Greer, CIPP, Director, U.S. - EU and Swiss Safe Harbor Framework, U.S. Department of Commerce; and JoAnn Stonier, Global Privacy & Data Usage Officer of MasterCard Worldwide.
• Data Can Be Good: Exploring Alternatives to Data Minimization for Protecting Privacy
  Wednesday April 21, 12:15 – 1:15 p.m.
  Speakers include: Marty Abrams, Executive Director of the Centre for Information Policy Leadership; Fred Cate, Distinguished Professor of Indiana University and Senior Policy Advisor of the Centre for Information Policy Leadership; and Stan Crosley, CIPP, Co-Director of Indiana University Center for Strategic Health Information Provisioning and Principal of Crosley Law Offices, LLC. The program is moderated by Jane Horvath, CIPP, CIPP/G, Senior Privacy Counsel of Google, Inc.

Julie Brill and Edith Ramirez took their oaths of office on April 5 and 6, 2010, completing the Federal Trade Commission’s roster of five commissioners and facilitating the Commission’s new tougher stance on privacy.  As we previously reported, Ms. Brill and Ms. Ramirez were confirmed by the U.S. Senate on March 3, 2010.  There are now three Democrats and two Republicans on the Commission.

Last year, when the Commission was comprised of one Democrat, two Republicans, an independent and a vacant seat, FTC Chairman Jon Leibowitz announced an aggressive agenda for the Commission, including a “privacy re-think.”  The new Democratic majority will make it easier to advance that agenda through recommendations to Congress, responses to market requests for greater self regulation and the approach taken with respect to enforcement cases.

Justice Michael Kirby was invited by the Organization for Economic Cooperation and Development (the “OECD”) to open the celebration of the 30th anniversary of the adoption of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.  Justice Kirby led the group of experts who worked from 1978-1980 to develop the Guidelines, which have formed the basis of modern privacy and data protection law.