Privacy & Information Security Law Blog

On April 15, 2015, the Federal Communications Commission (“FCC”) announced that it has joined the Asia Pacific Privacy Authorities (“APPA”), the principal forum for privacy authorities in the Asia-Pacific Region. APPA members meet twice a year to discuss recent developments, issues of common interest and cooperation. The FCC now joins the Federal Trade Commission as the U.S. representatives to APPA.

On April 16, 2015, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2014 (the “Report”) highlighting its main accomplishments in 2014 and outlining some of the topics it will consider further in 2015.

On April 14, 2015, the American Chamber of Commerce in China (“AmCham”) published a report, entitled Protecting Data Flows in the US-China Bilateral Investment Treaty (the “Report”). The Report is part of AmCham’s Policy Spotlight Series. While in principle addressed to the U.S. and Chinese teams that are currently negotiating the Bilateral Investment Treaty, the Report has been made public. It thereby provides insight into the emerging issue of data localization for the benefit of a much wider audience.

On April 15, 2015, the Asia-Pacific Economic Cooperation (“APEC”) Electronic Commerce Steering Group issued a press release announcing Canada’s participation in the APEC Cross-Border Privacy Rules (“CBPR”) System. The U.S. Department of Commerce’s International Trade Administration also released an official press statement.

On March 26, 2015 the United Nations Human Rights Council (the “Council”) announced that it will appoint a new position as special rapporteur on the right to privacy for a term of three years. The position, which is part of the Council’s resolution, is intended to reaffirm the right to privacy and the right to the protection of the law against any interference on a person’s privacy, family, home or correspondences, as set out in Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights.

On April 7, 2015, the FTC announced proposed settlements with TES Franchising, LLC, an organization specializing in business coaching, and American International Mailing, Inc., an alternative mail transporting company, related to charges that the companies falsely claimed they were compliant with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks.

On April 1, 2015, the Global Privacy Enforcement Network (“GPEN”) released its 2014 annual report (the “Report”). This Report marks the first time that GPEN has issued an annual report highlighting the network’s accomplishments throughout the year. GPEN is a network of approximately 50 privacy enforcement authorities from around the world, including the Federal Trade Commission and the Federal Communications Commission.

The International Conference of Data Protection and Privacy Commissioners (the “Conference”) has launched a new permanent website. The new website fulfills the agreement made between Commissioners “to create a permanent website in particular as a common base for information and resources management” in the Montreux Declaration adopted in 2005. The Executive Committee Secretariat called the website a “one-stop-shop for permanent Conference documentation,” and will be a resource for members and the public to explore upcoming Conference events and newsfeeds ...

On March 27, 2015, the England and Wales Court of Appeal issued its judgment in Google Inc. v Vidal-Hall and Others. Google Inc. (“Google”) appealed an earlier decision by Tugendhat J. in the High Court in January 2014. The claimants were users of Apple’s Safari browser who argued that during certain months in 2011 and 2012, Google collected information about their browsing habits via cookies placed on their devices without their consent and in breach of Google’s privacy policy.

As part of its ongoing Brazil outreach initiative, a delegation of the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) is in Brasilia and Rio de Janeiro the week of March 23, 2015. The delegation will meet with Brazilian government representatives, organizations and experts to discuss global privacy law and best practice developments and other issues of mutual interest, as well as a joint global privacy dialogue workshop in Brazil planned for later this year.

On March 24, 2015, the CNIL announced the implementation of a new procedure that will simplify the registration formalities for French affiliates of groups that have implemented Binding Corporate Rules (“BCRs”).

On March 9, 2015, the Federal Trade Commission announced that it has entered into a Memorandum of Understanding (the “Memorandum”) with the Dutch Data Protection Authority (the “Dutch DPA”).

On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.

On February 5, 2015, the Article 29 Working Party (the “Working Party”) published a letter that responds to a request of the European Commission to clarify the scope of the definition of health data in connection with lifestyle and wellbeing apps. In the annex to this letter, the Working Party identifies criteria to determine when personal data qualifies as “health data,” a special category of data receiving enhanced protection under the EU Data Protection Directive 95/46/EC (the “Directive”). The Working Party further discusses the current legal regime for the processing of such health data and provides its view on the requirements for further processing of health data for historical, statistical and scientific research under the Directive. The letter also includes the Working Party’s recommendations for the regime that should be provided in the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

On January 28, 2015, the Brazilian government issued the Preliminary Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) on a website specifically created for public debate on the draft bill. The text of the bill (in Portuguese) is available on the website. (http://participacao.mj.gov.br/)

On February 4, 2015, the German government adopted a draft law to improve the enforcement of data protection provisions that are focused on consumer protection. As reported earlier, the new law would bring about a fundamental change in how German data protection law is enforced.

From January 30 to February 3, 2015, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Subic Bay, Philippines, for another round of negotiations and meetings. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was implementing the APEC Cross-Border Privacy Rules (“CBPR”) system, developing a corollary APEC recognition mechanism for information processors, related work relevant to cross-border interoperability, and updating the APEC Privacy Framework. The following is a summary of highlights and outcomes from the meetings.

On January 20, 2015, a group of public officials and industry representatives met in a public discussion panel in Brussels to debate the progress of the proposed EU General Data Protection Regulation (the “ Proposed Regulation”) and the major themes that are yet to be resolved. The panelist included Paul Nemitz, Director for the Fundamental Rights and Union Citizenship of the European Commission, Jan Philipp Albrecht, MEP and Vice Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and Pat Walshe, Director of Privacy and Public Policy of Groupe Speciale Mobile Association.

On January 28, 2015, in connection with Data Protection Day, newly appointed European Data Protection Supervisor (“EDPS”) Giovanni Buttarelli spoke about future challenges for data protection. Buttareli encouraged the EU “to lead by example as a beacon of respect for digital rights,” and “to be at the forefront in shaping a global, digital standard for privacy and data protection which centers on the rights of the individual.” Buttarelli stressed that in the context of global technological changes, “the EU has to make existing data protection rights more effective in practice, and to allow citizens to more easily exercise their rights.”

On January 1, 2015, Finland’s Information Security Code (2014/ 917, the “Code”) became effective. The Code introduces substantial revisions to Finland’s existing electronic communications legislation and consolidates several earlier laws into a single, unified text. Although many of these earlier laws remain unchanged, the Code includes extensive amendments in a number of areas.

On January 28, 2015, the German conference of data protection commissioners hosted a European Data Protection Day event called Europe: Safer Harbor for Data Protection? – The Future Use of the Different Level of Data Protection between the EU and the US.

On January 12, 2015, the European Union Agency for Network and Information Security (“ENISA”) published a report on Privacy and Data Protection by Design - from policy to engineering (the “Report”). The “privacy by design” principle emphasizes the development of privacy protections at the early stages of the product or service development process, rather than at later stages. Although the principle has found its way into some proposed legislation (e.g., the proposed EU General Data Protection Regulation), its concrete implementation remains presently unclear. Hence, the Report aims to promote a discussion on how the principle can be implemented concretely and effectively with the help of engineering methods.

On January 14, 2015, the data protection authority of the German federal state of Schleswig-Holstein (“Schleswig DPA”) issued an appeal challenging a September 4, 2014 decision by the Administrative Court of Appeals, which held that companies using Facebook’s fan pages cannot be held responsible for data protection law violations committed by Facebook because the companies do not have any control over the use of the data.

On January 5, 2015, the State Administration for Industry and Commerce of the People’s Republic of China published its Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers (the “Measures”). The Measures contain a number of provisions defining circumstances or actions under which enterprise operators may be deemed to have infringed the rights or interests of consumers. These provisions are consistent with the basic rules in the currently effective P.R.C. Law on the Protection of Consumer Rights and Interests (“Consumer Protection Law”). The Measures will take effect on March 15, 2015.

On January 13, 2015, the French Data Protection Authority (the “CNIL”) published a Referential (the “Referential”) that specifies the requirements for organizations with a data protection officer (“DPO”) in France to obtain a seal for their data privacy governance procedures.

In December 2014, we reported that various technology companies, academics and trade associations filed amicus briefs in support of Microsoft’s attempts to resist a U.S. government search warrant seeking to compel it to disclose the contents of customer emails that are stored on servers in Ireland. On December 23, 2014, the Irish government also filed an amicus brief in the 2nd Circuit Court of Appeals.

In a decision published on January 6, 2015, the French data protection authority (the “CNIL”) adopted a new Simplified Norm NS 47 (the “Simplified Norm”) that addresses the processing of personal data in connection with monitoring and recording employee telephone calls in the workplace. Data processing operations in compliance with all of the requirements set forth in the Simplified Norm may be registered with the CNIL through a simplified registration procedure. If the processing does not comply with the Simplified Norm, however, a standard registration form must be filed with the CNIL. The Simplified Norm includes the following requirements:

On December 31, 2014, Russian President Vladimir Putin signed legislation to move the deadline for compliance to September 1, 2015, for Federal Law No. 242-FZ (the “Localization Law”), which requires companies to store the personal data of Russian citizens in databases located in Russia. The bill that became the Localization Law was adopted by the lower chamber of Russian Parliament in July 2014 with a compliance deadline of September 1, 2016. The compliance deadline was then moved to January 1, 2015, before being changed to September 1, 2015 in the legislation signed by President Putin.

On December 29, 2014, the Hong Kong Office of the Privacy Commissioner for Personal Data published guidance (the “Guidance Note”) on the protection of personal data in cross-border data transfers. The Guidance Note was released in light of the Privacy Commissioner’s intention to elaborate on the legal restrictions governing cross-border data transfers in Hong Kong, though these have not yet gone into effect.

On December 29, 2014, the Commissioner for Data Protection and Freedom of Information of the German state Rhineland-Palatinate issued a press release stating that it imposed a fine of €1,300,000 on the insurance group Debeka. According to the Commissioner, Debeka was fined due to its lack of internal controls and its violations of data protection law. Debeka sales representatives allegedly bribed public sector employees during the eighties and nineties to obtain address data of employees who were on path to become civil servants. Debeka purportedly wanted this address data to market insurance contracts to these employees. The Commissioner asserted that the action against Debeka is intended to emphasize that companies must handle personal data in a compliant manner. The fine was accepted by Debeka to avoid lengthy court proceedings.

On December 15, 2014, Microsoft reported the filing of 10 amicus briefs in the 2nd Circuit Court of Appeals signed by 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations, in support of Microsoft’s litigation to resist a U.S. Government’s search warrant purporting to compel the production of Microsoft customer emails that are stored in Ireland. In opposing the Government’s assertion of extraterritorial jurisdiction in this case, Microsoft and its supporters have argued that their stance seeks to promote privacy and trust in cross-border commerce and advance a “broad policy issue” that is “fundamental to the future of global technology.”

On December 14, 2014, the University of Amsterdam and the Massachusetts Institute of Technology issued a press release about two recent meetings of the EU-U.S. Privacy Bridges Project in Washington, D.C. (held September 22-23, 2014) and Brussels (held December 9-10, 2014). The Privacy Bridges Project is a group of approximately 20 privacy experts from the EU and U.S. convened by Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority and former Chairman of the Article 29 Working Party, to develop practical solutions for bridging the gap between EU and U.S. privacy regimes and legal systems. Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”), and Fred Cate, the Centre’s Senior Policy Advisor are members of this group.

Former UK Information Commissioner and Centre for Information Policy Leadership (the “Centre”) Global Strategy Advisor Richard Thomas was invited to make a presentation at a roundtable on Privacy Risk Management and Next Steps at the Organization for Economic Cooperation and Development’s (“OECD’s”) 37th meeting of the Working Party on Security and Privacy in the Digital Economy (“Working Party”). The meeting was attended by governmental and regulatory officials from most OECD member countries, with various other participants and observers.

On December 11, 2014, in response to a request for a preliminary ruling from the Supreme Administrative Court of the Czech Republic, the Court of Justice of the European Union (“CJEU”) ruled that the use of CCTV in the EU should be strictly limited, and that the exemption for “personal or household activity” does not permit the use of a home CCTV camera that also films any public space.

On December 9, 2014, a coalition of 23 global privacy authorities sent a letter to the operators of mobile application (“app”) marketplaces urging them to require privacy policies for all apps that collect personal information. Although the letter was addressed to seven specific app marketplaces, the letter notes that it is intended to apply to all companies that operate app marketplaces.

On December 8, 2014, the Article 29 Working Party (the “ Working Party”) and the French Data Protection Authority (the “CNIL”) organized the European Data Governance Forum, an international conference centered around the theme of privacy, innovation and surveillance in Europe. The conference concluded with the presentation of a Joint Statement adopted by the Working Party during its plenary meeting on November 25, 2014.

On December 5, 2014, the Article 29 Working Party (the “Working Party”) published a Working Document on surveillance, electronic communications and national security. The Working Party (which is comprised of the national data protection authorities (“DPAs”) of each of the 28 EU Member States) regularly publishes guidance on the application and interpretation of EU data protection law. Although its views are not legally binding, they are strongly indicative of the way in which EU data protection law is likely to be enforced.

On November 26, 2014, the Article 29 Working Party (the “Working Party”) released a Working Document providing a cooperation procedure for issuing common opinions on whether “contractual clauses” comply with the European Commission’s Model Clauses (the “Working Document”).

On December 2-4, 2014, Asia Pacific Privacy Authority (“APPA”) members and invited observers and guest speakers from government, the private sector, academia and civil society met in Vancouver, Canada, to discuss privacy laws and policy issues. At the end of the open session (or “broader session”) on day two, APPA issued its customary communiqué (“Communiqué”) containing the highlights of the discussions during both the closed session on day one and the open session on day two. A side event on Big Data will be held on the morning of day three (December 4).

On November 26, 2014, the Article 29 Working Party (the “Working Party”) published an Opinion (the “Opinion”) on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (the “Judgment” or “Costeja”). The Opinion constitutes guidance from the Working Party on the implementation of Costeja for search engine operators.

At the International Association of Privacy Professionals’ (“IAPP’s”) recent Europe Data Protection Congress in Brussels, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) led two panels on the risk-based approach to privacy as a tool for implementing existing privacy principles more effectively and on codes of conduct as a means for creating interoperability between different privacy regimes.

On November 25, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 9/2014 (the “Opinion”) on device fingerprinting. The Opinion addresses the applicability of the consent requirement in Article 5.3 of the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) to device fingerprinting. As more and more website providers suggest using device fingerprinting instead of cookies for the purpose of providing analytics or for tracking purposes, the Working Party clarifies how the rules regarding user consent to cookies apply to device fingerprinting. Thus, the Opinion expands on Opinion 04/2012 on the Cookie Consent Exemption.

On November 24, 2014, the Polish President Bronisław Komorowski signed into law a bill that was passed by Polish Parliament on November 7, 2014, which amends, among other laws, certain provisions of the Personal Data Protection Act 1997. As a result of the amendments, data controllers will be able to transfer personal data to jurisdictions that do not provide an “adequate level” of data protection without obtaining the prior approval of the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”), provided that they meet certain requirements specified under the bill. In addition, the bill amends Polish law so that it is no longer mandatory to appoint an administrator of information security (administrator bezpieczeństwa informacji or “ABI”). An ABI is similar to a data protection officer but an ABI has narrower responsibilities that predominantly concern data security.

On November 27, 2014, the European Parliament announced that it will appoint Giovanni Buttarelli as the new European Data Protection Supervisor (“EDPS”), and Wojciech Wiewiórowski as the Assistant Supervisor. The announcement has been expected since the Parliament’s Committee on Civil Liberties, Justice and Home Affairs voted on October 20, 2014 for Buttarelli and Wiewiórowski to be the Parliament’s leading candidates for the two positions. The final step of the process is for the Parliament and the Council of the European Union to jointly sign a nomination decision, after which Buttarelli and Wiewiórowski will formally take up their new roles.

On November 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including a report on the International Conference of Data Protection and Privacy Commissioners, highlights on the Council of the European Union’s proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation, and U.S. highlights on California’s breach report and Federal Communications Commission enforcement actions.

On November 18, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) held the second workshop in its ongoing work on the risk-based approach to privacy and a Privacy Risk Framework. Approximately 70 Centre members, privacy regulators and other privacy experts met in Brussels to discuss the benefits and challenges of the risk-based approach, operationalizing risk assessments within organizations, and employing risk analysis in enforcement. In discussing these issues, the speakers emphasized that the risk-based approach does not change the obligation to comply with privacy laws but helps with the effective calibration of privacy compliance programs.

Join us at the International Association of Privacy Professionals (“IAPP”) Data Protection Congress in Brussels, November 18-20, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

On October 15, 2014, the UK Information Commissioner’s Office (“ICO”) published a code of practice regarding the use of surveillance cameras (“Code of Practice”). The Code of Practice explains how the legal requirements of the Data Protection Act 1998 apply to operators of surveillance cameras. Practical and technological advancements have led to a wide variety of surveillance camera technologies that differ from traditional CCTV (e.g., Automatic Number Plate Recognition cameras and body-worn cameras). The Code of Practice addresses (1) changes in technology and (2) inconsistent standards that have arisen in various sectors since the ICO last updated its guidance on CCTV systems, which occurred in 2008. In particular, due to technological advancements, surveillance cameras are no longer merely passive recording devices, but rather can be used to identify specific items or individuals, keep detailed records of events, and are increasingly portable and discrete.

On October 28, 2014, the German Federal Court of Justice referred the question of whether an IP address constitutes personal data under the EU Data Protection Directive 95/46/EC (“EU Data Protection Directive”) to the European Court of Justice (“ECJ”). The German court referred the question to the ECJ for a preliminary ruling in connection with a case that arose in 2008 when a German citizen challenged the German federal government’s storage of the dynamic IP addresses of users on government websites. The citizen’s claim initially was rejected by the court of first instance. The claim was granted, however, by the court of second instance to the extent it referred to the storage of IP addresses after the users left the relevant government websites. Subsequently, both parties appealed the decision to the German Federal Court of Justice.

This week, the Article 29 Working Party (“Working Party”) prepares to debate various proposals on the “one-stop-shop” mechanism under the proposed EU General Data Protection Regulation (“Regulation”). Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership submitted a strategy paper on the one-stop-shop to the Working Party. The paper proposes a methodology for selecting and defining the role of a lead regulatory authority with the objective of making the one-stop-shop more operational, flexible and viable. The work draws on a more detailed article published on November 3, 2014, by Hunton & Williams senior attorney Rosemary Jay in the magazine for the Society for Computers and Law, entitled The “One Stop Shop” – Working in Practice.

The UK government has announced proposals designed to make it easier for the Information Commissioner’s Office (“ICO”) to fine companies responsible for nuisance calls and text messages. Under the proposals, the current maximum fine of £500,000 would remain unchanged, but the threshold for imposing fines would be lowered.

The Council of the European Union has published proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation (“Regulation”). This proposal was led by the current Italian Presidency and the revisions reflect input from representatives of the national governments of the EU Member States.

Eduardo Cunha, a congressman from the Brazilian Democratic Movement Party in Rio de Janeiro, recently introduced a new bill in Brazil that provides Brazilians with a right to be forgotten (PL 7881/2014). Rep. Cunha is one of the most influential congressmen in Brazil and has been reported likely to be the next Speaker of the Brazilian House of Representatives (also translated as the “Chamber of Deputies”).

On October 9, 2014, the 88th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for all German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information to share their views on current data protection issues, discuss relevant cases and adopt resolutions aimed at harmonizing how data protection law is applied across Germany. During the conference, several resolutions concerning privacy were adopted.

On October 16, 2014, the 36th International Conference of Data Protection and Privacy Commissioners in Mauritius hosted a panel including representatives from the European Data Protection Supervisor ("EDPS") and Hunton & Williams to discuss the need for a coordinated approach to net neutrality and data protection in the EU. While there are divergent views on what net neutrality should (or should not) entail, net neutrality in the EU typically refers to the principle that all Internet traffic is treated equally and without discrimination, restriction or interference.

During the October 14, 2014 closed session of the 36th International Conference of Data Protection and Privacy Commissioners (the “Conference”) held in Balaclava, Mauritius, the host, the Data Protection Office of Mauritius, and member authorities of the Conference issued the “Mauritius Declaration on the Internet of Things,” and four new resolutions – a “Resolution on Accreditation” of new members, a “Resolution on Big Data,” a “Resolution on enforcement cooperation,” and a “Resolution on Privacy in the digital age.” Brief summaries of each of these documents are below.

In October 2014, the People’s Republic of China Supreme People’s Court issued interpretations regarding the infringement of privacy and personal information on the Internet. The interpretations are entitled Provisions of the Supreme People’s Court on Several Issues concerning the Application of the Rules regarding Cases of the Infringement of Personal Rights over Information Networks (the “Provisions”) and became effective on October 10, 2014.

On October 6, 2014, the Irish Office of the Data Protection Commissioner (“ODPC”) announced its success in bringing prosecution proceedings against M.C.K Rentals Limited (“MCK”), a firm of private investigators, and its two directors, for breaches of the Irish Data Protection Acts 1998 and 2003. Specifically MCK and its directors were found to have (1) obtained personal data without the prior authority of the data controller who was responsible for the data and (2) disclosed the personal data obtained to various third parties.

On September 4, 2014, the UK Information Commissioner’s Office (“ICO”) published guidance on data protection for the media entitled Data protection and journalism: a guide for the media (the “Guidance”).

On September 16, 2014, the Article 29 Working Party (the “Working Party”) adopted a Statement on the impact of the development of big data on the protection of individuals with regard to the processing of their personal data in the EU (“Statement”). This two-page Statement sets forth a number of “key messages” by the Working Party on how big data impacts compliance requirements with EU privacy law, with the principal message being that big data does not impact or change basic EU data protection requirements.

On September 22, 2014, the Article 29 Working Party (the “Working Party”) released an Opinion on the Internet of Things (the “Opinion”) that was adopted during the last plenary session of the Working Party in September 2014. With this Opinion, the Working Party intends to draw attention to the privacy and data protection challenges raised by the Internet of Things and to propose recommendations for the stakeholders to comply with the current EU data protection legal framework.

On September 18, 2014, the Article 29 Working Party (the “Working Party”) announced its decision to establish a common approach to the right to be forgotten (the “tool-box”). This tool-box will be used by all EU data protection authorities (“DPAs”) to help address complaints from search engine users whose requests to delete their search result links containing their personal data were refused by the search engines. The development of the tool-box follows the Working Party’s June 2014 meeting discussing the consequences of the European Court of Justice’s judgment in Costeja of May 13, 2014.

On September 18, 2014, the French Data Protection Authority (the “CNIL”) announced plans to review 100 French websites on September 18-19, 2014. This review is being carried out in the context of the European “cookies sweep day” initiative, an EU online compliance audit. The Article 29 Working Party organized this joint action, which runs from September 15-19, 2014, to verify whether major EU websites are complying with EU cookie law requirements.

On September 16, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including updates in the EU and Germany, highlights on the UK Information Commissioner’s Office annual report and an APEC update.

On September 2, 2014, the UK Information Commissioner’s Office (“ICO”) published a consultation on the framework criteria for selecting scheme providers for its privacy seal scheme. The consultation gives organizations the opportunity to provide recommendations for the framework criteria that will be used to assess the relevant schemes. The consultation is open until October 3, 2014.

On September 10, 2014, the Global Privacy Enforcement Network (“GPEN”) published the results of an enforcement sweep carried out in May of this year to assess mobile app compliance with data protection laws. Twenty-six data protection authorities worldwide evaluated 1,211 mobile apps and found that a large majority of the apps are accessing personal data without providing adequate information to users.

On September 10, 2014, Helen Dixon was announced as the new Data Protection Commissioner for Ireland. Dixon currently is registrar of the Companies Registration Office and has experience in both the private and public sectors, including senior management roles in the Department of Jobs. Dixon will take up her appointment over the coming weeks, succeeding Billy Hawkes in the role. Hawkes has served as Commissioner for two terms since 2005.

The Article 29 Working Party (the “Working Party”) recently released its August 1, 2014 statement providing recommendations on the actions that EU Member States should take in light of the European Court of Justice’s April 8, 2014 ruling invalidating the EU Data Retention Directive (the “Ruling”).

On August 19, 2014, the German Federal Ministry of the Interior published a revised draft cybersecurity law (the “Draft Law”). An earlier version of the law was published in March 2013. The Draft Law is intended to serve as a cornerstone of Germany’s recently-announced digital agenda.

On August 14, 2014, the Center for Digital Democracy (“CDD”) filed a complaint with the Federal Trade Commission and requested that the Commission investigate 30 companies certified to the U.S.-EU Safe Harbor Framework. In the complaint, CDD maintains that it analyzed 30 data marketing and profiling companies that currently are Safe Harbor-certified and identified the following five overarching themes that CDD claims “underscore the fundamental weakness of the Safe Harbor in its current incarnation,” including that the companies: 

On July 28, 2014, the UK Information Commissioner’s Office (“ICO”) released a comprehensive report on Big Data and Data Protection (the “Report”). This is the first big data guidance prepared by a European data protection authority. The Report describes what is meant by “big data,” the privacy issues big data raises, and how to comply with the UK’s Data Protection Act in the context of big data.

On August 6-10, 2014, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Beijing, China, for another round of negotiations, meetings and workshops. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was again on the further implementation of the APEC Cross-Border Privacy Rules (“CBPR”) system and related work relevant to cross-border interoperability. The following is a summary of highlights and outcomes from the meetings:

On August 8, 2014, a court in Shanghai found a foreign couple guilty of illegal collection of personal information. British national Peter Humphrey was sentenced to two and a half years of imprisonment and a fine of RMB 200,000, and his wife was sentenced to two years of imprisonment and a fine of RMB 150,000. In addition, Humphrey will be deported after serving his term.

On July 30, 2014, the European Commission announced two new EU standards to help users of Radio Frequency Identification (“RFID”) smart chips and systems comply with both EU data protection requirements and the European Commission’s 2009 Recommendation on RFID. Among other suggestions, the Recommendation discussed the development of a common European symbol or logo to indicate whether a product uses a smart chip. One of the new standards will provide companies with a framework for the design and display of such a logo. The logo will inform consumers of the presence of RFID chips (for example, when using electronic travel passes or purchasing items with RFID tags). The Commission reiterated that such smart chips should be deactivated by default immediately, and free of charge, at the point of sale.

The EU Sub-Committee on Home Affairs, Health and Education of the UK House of Lords has published its Second Report for 2013-14, entitled EU Data Protection Law: A 'Right to Be Forgotten'? (the “Report”). The Report summarizes the findings of the Sub-Committee’s investigation into the right to be forgotten, and was triggered in large part by the European Court of Justice’s (“ECJ’s”) decision in Google v. Costeja (Case C-131/12, “Costeja”). In Costeja, the ECJ held that individuals have a right to request that their personal data no longer be displayed by online search engines in the results for searches made on the basis of the individual’s name, particularly if the information is inadequate, irrelevant or excessive (commonly referred to as the “right to be forgotten”).

On July 22, 2014, the Data Security Council of India (“DSCI”) announced that it has deemed Vodafone India Limited (“Vodafone”) a “DSCI Privacy Certified” organization. The certification, which is designed to help companies “demonstrate the privacy practices to relevant stakeholders and enhance trust,” is the first for a telecommunications company in India.

On July 15, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including the recent judgment in the Costeja case, the Centre for Information Policy Leadership’s work on a risk-based approach to privacy, the new Canadian anti-spam legislation that went into effect on July 1, and other developments in the U.S. and EU.

On July 17, 2014, the Belgian government announced that it has finalized its Royal Decree on the establishment of a Cybersecurity Center (Centrum Cyber Security België or Centre Cyber Security Belgique). The Cybersecurity Center’s tasks would be to monitor the country’s cybersecurity and manage cyber incidents. It also would oversee various cybersecurity projects, formulate legislative proposals relating to cybersecurity, and issue standards and guidelines for securing public sector IT systems. The Cybersecurity Center is expected to be operational by the end of ...

On July 15, 2014, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2013/14 (the “Report”). Entitled Effective, Efficient - and Busier than Ever, the Report illustrates the rapid growth of data protection and freedom of information issues in the UK in the past year. It highlights the fact that the ICO has received increasing numbers of questions and complaints from members of the public, processed record numbers of cases, and issued its highest ever level of fines, totaling almost £1.97 million. The Report also emphasizes the fact that the ICO’s resources are stretched and, in a direct appeal to both the UK Parliament and the Ministry of Justice, calls for “stronger powers, a more sustainable funding system, and a clearer guarantee of independence.”

On July 10, 2014, the UK government announced plans to introduce emergency data retention rules, publishing the Data Retention and Investigatory Powers Bill (the “Bill”) along with explanatory notes and draft regulations. The publication of the Bill follows the European Court of Justice’s April 2014 declaration that the EU Data Retention Directive (the “Directive”) is invalid. Under the Directive, EU Member States were able to require communications service provides (e.g., ISPs) to retain communications data relating to their subscribers for up to 12 months.

On July 11, 2014, the French Data Protection Authority (the “CNIL”) announced that, starting in October 2014, it will conduct on-site and remote inspections to verify whether companies are complying with its new guidance on the use of cookies and other technologies. These inspections will take place in connection with the European “cookies sweep day” initiative, which will be launched from September 15 – 19, 2014. During that initiative, each EU data protection authority will review how users are informed of, and consent to the use of, cookies.

Hunton & Williams, in collaboration with the U.S. Chamber of Commerce, recently issued Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, a report which highlights the benefits of cross-border data transfers to businesses in the international marketplace. The report underscores the importance of developing data transfer mechanisms that protect privacy and facilitate the free-flow of data, and also explores opportunities for new data transfer regimes.

Last week, the Russian Parliament adopted a bill amending portions of Russia’s existing legislation on privacy, information technology and data protection. Among other provisions, the law would create a “data localization” obligation for companies engaged in the transmission or recording of electronic communications over the Internet. Such companies would be required to store copies of the data for a minimum of six months in databases that must be located within the Russian Federation. The new bill also would empower the Russian data protection authority to block public Internet access to any service that does not comply with this requirement.

On July 2, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) held a public meeting to finalize the release of a report concluding that the National Security Agency’s (“NSA’s”) collection of electronic communications from targets reasonably believed to be non-U.S. persons located outside the United States has operated lawfully within its statutory limitations.

On June 26, 2014, the European Commission issued guidelines on the standardization of service level agreements for cloud services providers (the “Guidelines”). In the context of the European Cloud Computing Strategy, launched by the European Commission in September 2012, the Guidelines focus on security and data protection in the cloud. They are based on the understanding that standardization will improve the clarity of service level agreements (“SLAs”) for cloud services in the European Union.

On July 1, 2014, the Federal Court of Justice of Germany ruled that website operators cannot be compelled to disclose a user’s personal data to third parties in the context of civil defamation proceedings. The case is notable as it clarifies the limits Germany’s Telemedia Act places on how and when personal data can be disclosed in an online context.

On June 18, 2014, the German state data protection authorities responsible for the private sector (the Düsseldorfer Kreis) issued guidelines concerning the data protection requirements for app developers and app publishers (the “Guidelines”). The Guidelines were prepared by the Bavarian state data protection authority and cover requirements in Germany’s Telemedia Act as well as the Federal Data Protection Act. Topics addressed in the 33-page document include:

On June 23, 2014, the Article 29 Working Party (the “Working Party”) published its Opinion 7/2014 on the protection of personal data in Québec (the “Opinion”). In this Opinion, the Working Party provides its recommendations to the European Commission on whether the relevant provisions of the Civil Code of Québec and the Québec Act on the Protection of Personal Information in the Private Sector (the “Québec Privacy Act”) ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection.

On June 19, 2014, the President’s Export Council (“PEC”) held a meeting to discuss nine key issues, including the effects of foreign laws that restrict cross-border data flows. At the meeting, the private sector members of the PEC submitted a recommendation letter to President Obama expressing their concern about the threat to American business from protectionist, cross-border data transfer restrictions imposed by foreign countries. The letter describes how certain governments are implementing “digital protectionism” in the form of laws and policies restricting the cross-border flow of data (for example, by requiring domestic processing and storage of data citing concerns for personal privacy and national security). These foreign laws may limit the ability of American businesses, particularly small- and medium-sized businesses, to expand their business operations to include countries that enact such measures.

On June 2, 2014, the U.S. Department of Justice announced a U.S.-led multinational effort to disrupt the “Gameover Zeus” botnet and the malware known as “Cryptolocker.” The DOJ also unsealed charges filed in Pittsburgh, Pennsylvania and Omaha, Nebraska against an administrator of Gameover Zeus.

In response to increasing interest in a “risk-based” approach among privacy experts, including policymakers working on the proposed EU General Data Protection Regulation, the Article 29 Working Party (the “Working Party”) published a statement on the role of a risk-based approach in data protection legal frameworks (the “Statement”).

On June 6, 2014, Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, outlined the progress that has been made with respect to the proposed EU General Data Protection Regulation (the “Proposed Regulation”) in a meeting of the Council of the European Union, acting through the Justice Council (the “Council”). In particular, the Council has agreed on two important aspects of the Proposed Regulation.

On June 3 and 4, 2014, the Article 29 Working Party held a meeting to discuss the consequences of the European Court of Justice’s May 13, 2014 judgment in Costeja, which is widely described as providing a “right to be forgotten.” Google gave effect to the Costeja decision by posting a web form that enables individuals to request the removal of URLs from the results of Google searches that include that individual’s name. The Working Party announced that it welcomed Google’s initiative, but pointed out that it is “too early to comment on whether the form is entirely satisfactory.” The Working Party also announced that it will prepare guidelines to ensure a common approach to the implementation of Costeja by the national data protection authorities. Finally, the Working Party called on search engine operators to implement user-friendly processes that enable users to exercise their right to deletion of search result links containing their personal data.

On May 30, 2014, Google posted a web form that enables individuals to request the removal of URLs from the results of searches that include that individual’s name. The web form acknowledges that this is Google’s “initial effort” to give effect to the recent and controversial decision of the Court of Justice of the European Union in Costeja, widely described as providing a “right to be forgotten.” That Google has moved quickly to offer individuals a formal removal request process will be viewed favorably, but the practicalities of creating a removals process that satisfies all interested parties will remain challenging, and not just for Google.

On May 28, 2014, Canadian Prime Minister Stephen Harper nominated Daniel Therrien as the next Privacy Commissioner of Canada. If approved, Therrien would take over from the interim Privacy Commissioner Chantal Bernier, who has been serving in this role after the previous Commissioner Jennifer Stoddart’s term ended in December 2013.

On May 14, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program provided a global overview of some of the most debated topics in data protection and privacy, including cross-border data flows, global data breach issues and the EU Cybersecurity Directive. In addition, we highlighted the latest information regarding the GPEN enforcement sweep.