Privacy & Information Security Law Blog

On December 5, 2008, the Austrian data protection authority ("DPA") issued its first decision on the implementation of a whistleblowing hotline as required by the Sarbanes-Oxley Act ("SOX"), to be administered by the Austrian subsidiary of a U.S.-based company. The DPA partly approved the data transfers from the Austrian entity to the U.S. entity for the purpose of enabling it to prosecute "serious incidents" caused by the behavior of executive managers. The DPA ordered the Austrian subsidiary to implement a contract guarantying data subjects the ability to exercise their rights ...

A law that could increase the level of protection of personal information is circulating among legislative bodies in China. The proposed PRC Tort Liability Law would include clauses providing protections for personal information, by giving a person whose rights are infringed by the use of Internet services a right to demand deletion of the infringing materials. Another clause imposes liability on an Internet service provider that fails to take timely measures after receiving such a demand. Read more...

On December 1, 2008, a strict anti-spam law came into effect in Israel.  The legislation, enacted as an amendment to the country’s Communications Law, prohibits the delivery of advertisements using mobile text messaging, email, fax or automatic dialing systems without first obtaining the recipient’s explicit written consent.  The law contains several exceptions to the prior consent requirement.  For example, advertisers may reach out to businesses to inquire whether they wish to receive marketing communications.  Advertisers also may send unsolicited marketing ...

Scarcely a month after the world media was flooded with news of the catastrophic terrorist attacks in Mumbai, headlines are once again rife with articles on the global impact of events in India. This time, the news has focused on Satyam Computer Services (“Satyam”), previously one of India’s largest and most prestigious outsourcing providers, and a series of missteps that began in October 2008, when alarming allegations of possible involvement in a customer security breach surfaced in the media. After that news, there were allegations of misdeeds with customers, a failed ...

On October 1, 2008, the Article 29 Working Party issued a toolkit on Binding Corporate Rules (BCRs) aimed at promoting them as a mechanism for transferring data to countries without an adequate level of data protection. The toolkit includes: (1) a table highlighting the elements and principles to be found in BCRs (WP 153); (2) a document setting up a framework for the structure of BCRs (WP 154); and (3) a revised version of the FAQs on BCRs (WP 155). The toolkit also announced the creation of a mutual recognition procedure between nine national data protection authorities ...