Privacy & Information Security Law Blog

As we previously reported, this October, the EU Commission released its report and accompanying working document on the first annual review of the EU-U.S. Privacy Shield framework. On November 28, 2017, the Article 29 Data Protection Working Party (the “Working Party”) adopted an opinion on the review (the “Opinion”). While the Opinion notes that the Working Party “welcomes the various efforts made by US authorities to set up a comprehensive procedural framework to support the operation of the Privacy Shield,” the Opinion also identifies some remaining concerns and ...

On November 29, 2017, the EU’s Article 29 Working Party (”Working Party”) announced the establishment of a task force to coordinate the plethora of national investigations throughout the EU into Uber’s 2016 data breach that affected approximately 57 million users worldwide. The task force is being led by the data protection authority (”DPA”) in the Netherlands, where Uber has its EU headquarters, and includes representatives from the DPAs in France, Italy, Germany, Belgium, Spain and the United Kingdom.

On November 23, 2017, the Australian Attorney-General’s Department announced that it will move forward with an application to participate in the APEC Cross Border Privacy Rules (“CBPR”) system. The announcement follows comments received from a July 2017 consultation by the Australian Government regarding the implications of Australia’s possible participation in the system. Over the next months, the Attorney-General’s Department will work with the Office of the Australian Information Commissioner and businesses to implement the CBPR system requirements.

On November 20, 2017, the UK Information Commissioner’s Office (“ICO”) published an article on its blog containing advice on applications for Binding Corporate Rules (“BCRs”) to comply with requirements under the EU General Data Protection Regulation (“GDPR”). BCRs, which are one of the legal mechanisms available to support transfers of personal data outside the EEA, are codified under the GDPR, prompting a number of companies to explore the possibility of applying for BCR authorization. In its article, the ICO stressed that it will continue to accept applications for BCRs in the lead up to GDPR implementation on May 25, 2018, and beyond, and that the UK’s exit from the European Union, currently scheduled for the end of March 2019, will not result in the cancellation of any of the approximately 40 BCR applications currently being considered by the ICO.

On November 7, 2017, the Standing Committee of the National People’s Congress of China published the second draft of the E-commerce Law (the “Second Draft”) and is allowing the general public an opportunity to comment through November 26, 2017.

On October 17, 2017, the French Data Protection Authority (“CNIL”), after a consultation with multiple industry participants that was launched on March 23, 2016, published its compliance pack on connected vehicles (the “Pack”) in line with its report of October 3, 2016. The Pack applies to connected vehicles for private use only (not to Intelligent Transport Systems), and describes the main principles data controllers must adhere to under both the current French legislation and the EU General Data Protection Regulation (“GDPR”).   

On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice.

The Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”) recently submitted responses to the Irish Data Protection Commissioner (IDPC Response) and the CNIL (CNIL Response) on their public consultations, seeking views on transparency and international data transfers under the EU General Data Protection Regulation (“GDPR”).

The responses address a variety of questions posed by both data protection authorities (“DPAs”) and aim to provide insight on and highlight issues surrounding transparency and international transfers.

On October 17, 2017, the Article 29 Working Party (“Working Party”) issued Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (the “Guidelines”). The Guidelines aim to clarify the EU General Data Protection Regulation’s (“GDPR’s”) provisions that address the risks arising from profiling and automated decision-making.

On October 19, 2017, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) narrowly voted to approve an amended version of the e-Privacy Regulation (“Regulation”). The committee vote is an important step in the process within the European Parliament. This vote will be followed by a vote of the European Parliament in its plenary session on October 23-26. If the plenary also votes in favor, the European Parliament will have a mandate to begin negotiations with the Member States in the Council. If these negotiations (commonly known as “trilogue”) succeed, the Regulation will be adopted.

On October 18, 2017, the EU Commission (“Commission”) released its report and accompanying working document on the first annual review of the EU-U.S. Privacy Shield framework (collectively, the “Report”). The Report states that the Privacy Shield framework continues to ensure an adequate level of protection for personal data that is transferred from the EU to the U.S. It also indicates that U.S. authorities have put in place the necessary structures and procedures to ensure the proper functioning of the Privacy Shield, including by providing new redress possibilities for EU individuals and instituting appropriate safeguards regarding government access to personal data. The Report also states that Privacy Shield-related complaint-handling and enforcement procedures have been properly established.

On October 4, 2017, the Article 29 Working Party (the “Working Party”) revised and adopted the final version of the Guidelines on data protection impact assessments (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the “Guidelines”). The Guidelines were first published for comment on April 4, 2017, and the final publication of these revised Guidelines follows the public consultation that ended in May 2017.

Last week, at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong, data protection authorities from around the world issued non-binding guidance on the processing of personal data collected by connected cars (the “Guidance”). Noting the ubiquity of connected cars and the rapidity of the industry’s evolution, the officials voiced their collective concern about potential risks to consumers’ data privacy and security. The Guidance identifies as its main concern the lack of available information, user choice, data control and valid consent mechanisms for consumers to control the access to and use of their vehicle and driving-related data. Building on existing international guidelines and resolutions, the Guidance urges the automobile industry to follow privacy by design principles “at every stage of the creation and development of new devices or services.”

On September 29, 2017 the French Data Protection Authority (CNIL) published a guide for data processors to implement the new obligations set by the EU General Data Protection Regulation (“GDPR”). The guidance addresses the extended scope of the GDPR and the new and direct obligations data processors will have when the GDPR comes into force on May 25, 2018. The guidance elaborates a three-step checklist for data processors:

On October 3, 2017, the Irish High Court referred a legal challenge to the validity of the EU Standard Contractual Clauses (“SCCs”) to the Court of Justice of the European Union (“CJEU”) for resolution. Max Schrems, who had previously successfully challenged the validity of the now defunct U.S.-EU Safe Harbor Program in the Schrems case, had brought a similar claim in relation to the SCCs, and had requested that the Irish Data Protection Commissioner (“DPC”) declare that the SCCs do not provide sufficient protection when personal data is transferred outside the EU to the US and thus are invalid. The Irish DPC declined to make such a ruling, but instead referred the case to the Irish High Court, and requested that the case be referred to the CJEU for a final decision on the validity of the SCCs.

Last week, the Centre for Information Policy Leadership (“CIPL”) and several privacy team members at Hunton & Williams LLP attended the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong (the “Conference”). The weeklong event hosted by Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong was attended by over 3000 privacy professionals from data protection authorities (“DPAs”), industry and research sectors. CIPL hosted two events at the conference, as well as a joint roundtable with Hunton & Williams and Citibank, throughout the week.

On September 25, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a discussion paper on Regulating for Results: Strategies and Priorities for Leadership and Engagement (the “Discussion Paper”). The Discussion Paper aims to stimulate dialogue about strategies and priorities for data protection authorities (“DPAs”) by putting forward a number of key questions. For example:

On September 20, 2017, the French Data Protection Authority (CNIL) announced that it has updated two standards on privacy seals in order to take into account the requirements of the EU General Data Protection Regulation (“GDPR”).

On September 19, 2017, the French Data Protection Authority (“CNIL”) launched an online public consultation on two topics identified by the Article 29 Working Party (“Working Party”) in its 2017 action plan for the implementation of the EU General Data Protection Regulation (“GDPR”). These two topics are transparency and international data transfers.

Hunton & Williams LLP is pleased to announce that Lisa Sotto, chair of the firm’s top-ranked Global Privacy and Cybersecurity practice and managing partner of the firm’s New York office, has been selected as an arbitrator in connection with the EU-U.S. Privacy Shield Framework Binding Arbitration Program.

Stephen Mathias of the law firm Kochhar & Co. reports from India that in a landmark judgment delivered in August 2017, the Supreme Court of India (“Court”) unanimously held that the right to privacy is a fundamental right under the Constitution of India. The Court also delivered six separate concurring judgments, with the main judgment being delivered by four of the nine judges.

On September 18, 2017, the European Commission (“Commission”) and U.S. Department of Commerce (“Department”) kicked off their first annual joint review of the EU-U.S. Privacy Shield (“Privacy Shield”).  To aid in the review, the Department invited a few industry leaders, including Hunton & Williams’ partner Lisa J. Sotto, who chairs the firm’s Global Privacy and Cybersecurity practice and the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, to speak about their experiences during the first year of the Privacy Shield.

On September 8, 2017, the Council of the European Union published its proposed revisions to the draft E-Privacy Regulation (“EPR”), which was first published by the European Commission in January 2016. The revisions have been made based on written comments and discussions involving the Working Party for Telecommunications and Information Society (“WP TELE”) and serve as a discussion for further meetings of the group in late September 2017.

On September 14, 2017, the UK Government introduced a new Data Protection Bill (the “Bill”) to Parliament. The Bill is intended to replace the UK’s existing Data Protection Act 1998 and enshrine the EU General Data Protection Regulation (the “GDPR”) into UK law once the UK has left the European Union. The GDPR allows EU Member States to enact, via national law, exemptions from the various provisions of the GDPR, which the Bill also seeks to implement.

On September 13, 2017, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy published a Joint Communication to the European Parliament and the Council of the European Union on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” (“Joint Communication”). This Joint Communication is part of a package of EU documents adopted on the same date aimed at delivering a stronger EU response to cyber attacks. In particular, the Joint Communication puts forward targeted measures to (1) build greater EU resilience to cyber attacks, (2) better detect cyber attacks, and (3) strengthen international cooperation on cybersecurity.

On September 11, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on the Proposal for an ePrivacy Regulation (the “White Paper”). The White Paper comments on the European Commission’s proposal to replace and modernize the privacy framework for electronic communications contained in the current ePrivacy Directive and to align it with the EU General Data Protection Regulation (“GDPR”).

On August 31, 2017, the National Information Security Standardization Technical Committee of China published four draft voluntary guidelines (“Draft Guidelines”) in relation to the Cybersecurity Law of China. The Draft Guidelines are open for comment from the general public until October 13, 2017.

Recently, the National Information Security Standardization Technical Committee of China published a draft document entitled Information Security Technology – Guidelines for De-Identifying Personal Information (the “Draft Guidelines”). The Draft Guidelines are open for comment from the general public until October 9, 2017.

As reported in BNA Privacy Law Watch, on August 22, 2017, the Russian privacy regulator, Roskomnadzor, announced that it had issued an order (the “Order”), effective immediately, revising notice protocols for companies that process personal data in Russia. Roskomnadzor stated that an earlier version of certain requirements for companies to notify the regulator of personal data processing was invalidated by the Russian Telecom Ministry in July.

On August 24, 2017, APEC issued a statement on the renewed talks between APEC and the EU on creating interoperability between the APEC Cross-Border Privacy Rules (“CBPR”) and the EU data transfer mechanisms.

Recently, the fourth edition of the book, The International Comparative Legal Guide to: Data Protection 2017, was published by the Global Legal Group. Hunton & Williams’ Global Privacy and Cybersecurity lawyers prepared several chapters in the guide, including the opening chapter on “All Change for Data Protection: The European Data Protection Regulation,” co-authored by London partner Bridget Treacy and associate Anita Bapat. Several other global privacy and cybersecurity team members also prepared chapters in the guide, including David Dumont (Belgium), Claire François (France), Judy Li (China), Manuel E. Maisog (China), Wim Nauwelaerts (Belgium), Anna Pateraki (Germany), Aaron P. Simpson (United States), Adam Smith (United Kingdom) and Jenna Rode (United States).

As reported in BNA Privacy & Security Law Report, on August 9, 2017, the Russian privacy regulator, Roskomnadzor, expanded its list of nations that provide sufficient privacy protections to allow transfers of personal data from Russia. Russian law allows data transfers to countries that are signatories to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the “Convention”), and to certain other non-signatory countries deemed by Roskomnadzor to have adequate privacy protections based on relevant data protection laws, privacy regulators and penalties for privacy law violations.

On August 14, 2017, the Colombian Superintendence of Industry and Commerce (“SIC”) announced that it was adding the United States to its list of nations that provide an adequate level of protection for the transfer of personal information, according to a report from Bloomberg BNA. The SIC, along with the Superintendence of Finance, is Colombia’s data protection authority, and is responsible for enforcing Colombia’s data protection law. Under Colombian law, transfers of personal information to countries that are deemed to have laws providing an adequate level of ...

In the wake of China’s Cybersecurity Law going into effect on June 1, 2017, local authorities in Shantou and Chongqing have brought enforcement actions against information technology companies for violations of the Cybersecurity Law. These are, reportedly, the first enforcement actions brought pursuant to the Cybersecurity Law.

On August 7, 2017, the UK Government’s Department for Culture, Media and Sport published a Statement of Intent setting out the planned reforms to be included in the forthcoming Data Protection Bill, which we previously reported is expected to be laid before the UK Parliament in early September.

Media sources have reported that the UK Department for Culture, Media & Sport has confirmed its plans to present its Data Protection Bill to Parliament when MPs return to Parliament in early September. The Bill follows commitments made in the Queen’s Speech in June, and will effectively copy the EU General Data Protection Regulation (“GDPR”) into the UK statute book. The Bill’s primary aim is to ensure that the UK retains the same data protection laws as the rest of the EU once it leaves the EU, which is likely to be in March 2019.

With less than one year to go before the EU General Data Protection Regulation (“GDPR”) comes into force, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams and AvePoint have launched the second annual GDPR Organizational Readiness Survey. Last year, over 220 predominantly multinational organizations participated in the study which focused on key areas of impact and change under the GDPR such as consent, legitimate interest, data portability, profiling, DPIAs, DPOs, data transfers and privacy management programs. This year’s study revisits these important areas of impact and further considers additional topics. 

On July 18, 2017, the European Union Committee of the UK’s House of Lords published its paper, Brexit: the EU data protection package (the “Paper”). The Paper urges the UK government to make good on its stated aim of maintaining unhindered and uninterrupted data flows between the UK and EU after Brexit, and examines the options available to ensure that this occurs. It warns that data flows have become so valuable to cross-border business that failure to establish an adequate framework could hamper EU-UK trade.

On July 25, 2017, the French Data Protection Authority (“CNIL”) published their decision on the adoption of several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”). The amendments reflect changes introduced by French law on December 9, 2016, regarding transparency, the fight against corruption and the modernization of the economy, also known as the “Sapin II Law.”

On July 27, 2017, the French Data Protection Authority (“CNIL”) imposed a fine of €40,000 on a French affiliate of the rental car company, The Hertz Corporation, for failure to ensure the security of website users’ personal data.

On July 27, 2017, Singapore submitted its notice of intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system and the APEC Privacy Recognition for Processors System (“PRP”). Singapore would be the sixth member of the CBPR system, joining Canada, Japan, Mexico, the United States and the newest member, South Korea. The announcement was made by Dr. Yaacob Ibrahim, Minister for Communication and Information, at the Personal Data Protection Seminar 2017.

On July 26, 2017, the Court of Justice of the European Union (“CJEU”) declared that the envisaged EU-Canada agreement on the transfer of Passenger Name Records (“PNR Agreement”) interferes with the fundamental right to respect for private life and the right to the protection of personal data and is therefore incompatible with EU law in its current form. This marks the first instance where the CJEU has been asked to rule on the compatibility of a draft international agreement with the European Charter of Fundamental Human Rights.

This post has been updated. 

On July 10, 2017, the Cyberspace Administration of China published a new draft of its Regulations on Protecting the Security of Key Information Infrastructure (the “Draft Regulations”), and invited comment from the general public. The Cybersecurity Law of China establishes a new category of information infrastructure, called “key [or critical] information infrastructure,” and imposes certain cybersecurity obligations on enterprises that operate such infrastructure. The Draft Regulations will remain open for comment through August 10, 2017.

This post has been updated. 

The Belgian Privacy Commission (the “Belgian DPA”) recently released a Recommendation regarding the requirement to maintain internal records of data processing activities (the “Recommendation”) pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”).

The Recommendation aims to provide guidance to data controllers and data processors in establishing and maintaining internal records by May 25, 2018. As of that date, the internal records requirement must be complied with, and the Belgian DPA must be able to request that such records are made available to it.

As reported in BNA Privacy Law Watch, on July 1, 2017, a new law took effect in Russia allowing for administrative enforcement actions and higher fines for violations of Russia's data protection law. The law, which was enacted in February 2017, imposes higher fines on businesses and corporate executives accused of data protection violations, such as unlawful processing of personal data, processing personal data without consent, and failure of data controllers to meet data protection requirements. Whereas previously fines were limited to 300 to 10,000 rubles ($5 to $169 USD), under the new law, available fines for data protection violations range from 15,000 to 75,000 rubles ($254 to $1,269 USD) for businesses and 3,000 to 20,000 rubles ($51 to $338 USD) for corporate executives.

The Article 29 Working Party (“Working Party”) recently issued its Opinion on data processing at work (the “Opinion”). The Opinion, which complements the Working Party’s previous Opinion 08/2001 on the processing of personal data in the employment context and Working document on the surveillance of electronic communications in the workplace, seeks to provide guidance on balancing employee privacy expectations in the workplace with employers’ legitimate interests in processing employee data. The Opinion is applicable to all types of employees and not just those under an employment contract (e.g., freelancers).

As companies in the EU and the U.S. prepare for the application of the EU General Data Protection Regulation (“GDPR”) in May 2018, Hunton & Williams’ Global Privacy and Cybersecurity partner Aaron Simpson discusses with Forcepoint the key, significant changes from the EU Directive that companies must comply with before next year. Accountability, expanded data subject rights, breach notification, sanctions and data transfer mechanisms are a few requirements that Simpson explores in detail. He reminds companies that, in the coming year, it will be very important to ...

On June 20, 2017, the UK Information Commissioner’s Office (“ICO”) published an updated version of its Code of Practice on Subject Access Requests (the “Code”). The updates are primarily in response to three Court of Appeal decisions from earlier this year regarding data controllers’ obligations to respond to subject access requests (“SARs”). The revisions more closely align the ICO’s position with the court’s judgments.

On June 20, 2017, the German Federal Ministry of Transport and Digital Infrastructure issued a report on the ethics of Automated and Connected Cars (the “Report”). The Report was developed by a multidisciplinary Ethics Commission established in September 2016 for the purpose of developing essential ethical guidelines for the use of automated and connected cars.

On June 21, 2017, in the Queen’s Speech to Parliament, the UK government confirmed its intention to press ahead with the implementation of the EU General Data Protection Regulation (“GDPR”) into national law. Among the announcements on both national and international politics, the Queen stated that, “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.” The statement confirms the priority ...

Recently, the Belgian Privacy Commission (the “Belgian DPA”) released a Recommendation (in French and Dutch) regarding the requirement to appoint a data protection officer (“DPO”) under the EU General Data Protection Regulation (“GDPR”).

On Monday, June 12, 2017, South Korea’s Ministry of the Interior and the Korea Communications Commission announced that South Korea has secured approval to participate in the APEC Cross-Border Privacy Rules (“CBPR”) system. South Korea had submitted its intent to join the CBPR system back in January 2017. South Korea will become the fifth APEC economy to join the CBPR system. The other four participants are Canada, Japan, Mexico and the United States.

On May 27, 2017, the National Information Security Standardization Technical Committee of China published draft guidelines on cross-border transfers pursuant to the new Cybersecurity Law, entitled Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (the “Draft Guidelines"). The earlier draft, Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (the “Draft Measures”), requires network operators to conduct “security assessments” when they propose to transfer personal information and “important information” to places outside of China. These “security assessments” are essentially audits of the cybersecurity circumstances surrounding the proposed transfer that are intended to produce an assessment of the risk involved. If the assessment indicates that the risk is too high, the transfer must be terminated.

Recently, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations on the key concepts of transparency, consent and legitimate interest under the EU General Data Protection Regulation (“GDPR”).

The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP recently submitted formal comments (“Comments”) to the Article 29 Working Party’s (“Working Party’s”) Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (“DPIA Guidelines”) that were adopted on April 4, 2017. CIPL’s Comments follow its December 2016 white paper on Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR, which CIPL had submitted to the Working Party as formal initial input to its development of DPIAs and “high-risk” guidance.

On June 1, 2017, the new Cybersecurity Law went into effect in China. This post takes stock of (1) which measures have been passed so far, (2) which ones go into effect on June 1 and (3) which ones are in progress but have yet to be promulgated.

With just under one year to go before the EU General Data Protection Regulation (“GDPR”) becomes law across the European Union, the UK Information Commissioner’s Office (“ICO”) has continued its efforts to help businesses prepare for the new law. The ICO also has taken steps to address its own role post-Brexit.

On May 26, 2017, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2016 (the “Annual Report”) highlighting its main accomplishments from the past year.

On May 29, 2017, a high-level EU Commission official and Politico reported that the primary objective of the first annual joint review of the EU-U.S. Privacy Shield (“Privacy Shield”) is not to obtain more concessions from the U.S. regarding Europeans’ privacy safeguards, but rather to monitor the current U.S. administration’s work and steer U.S. privacy debates to prevent privacy safeguards from deteriorating. On March 31, 2017, the EU Commissioner for Justice, Věra Jourová, announced that the joint review will take place in September 2017.

On May 24, 2017, the Bavarian Data Protection Authority (“DPA”) published a questionnaire to help companies assess their level of implementation of the EU General Data Protection Regulation (“GDPR”).  

On May 19, 2017, the Cyberspace Administration of China (“CAC”) issued a revised draft (the “Revised Draft”) of its Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. The original draft was issued in April 2017, and similar to the original draft, the Revised Draft does not have the impact of law; it does, however, provide an indication of how the CAC’s views on the Cybersecurity Law have evolved since the publication of the original draft. The Revised Draft was issued after the CAC received comments on the original draft from numerous parties.

On May 5, 2017, the U.S. District Court for the Southern District of New York entered a default judgment in favor of the SEC against three Chinese defendants accused of hacking into the nonpublic networks of two New York-headquartered law firms and stealing confidential information regarding several publicly traded companies engaged in mergers and acquisitions. The defendants allegedly profited illegally by trading the stolen nonpublic information. After the defendants failed to answer the SEC’s complaint, the court entered a default judgment against them, imposing a fine ...

On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including businesses, hospitals, utilities and government entities around the world.

On May 2, 2017, the Cyberspace Administration of China published the final version of the Measures for the Security Review of Network Products and Services (for trial implementation) (the “Measures”), after having published a draft for public comment in February. Pursuant to the Cybersecurity Law of China (the “Cybersecurity Law”), if an operator of key information infrastructure purchases a network product or service that may affect national security, a security review of that product or service is required. The Measures provide detailed information about how these security reviews will actually be implemented. The Measures will come into effect on June 1, 2017, together with the Cybersecurity Law. The Measures should not be confused with the final version of the draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, which was published on April 11, 2017, and remain open for public comment.

This post has been updated. 

On April 27, 2017, the German Federal Parliament adopted the new German Federal Data Protection Act (Bundesdatenschutzgesetz) (“new BDSG”) to replace the existing Federal Data Protection Act of 2003. The new BDSG is intended to adapt the current German data protection law to the EU General Data Protection Regulation (“GDPR”), which will become effective on May 25, 2018.

On April 13, 2017, the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information published an English translation of the draft Standard Data Protection Model (“SDM”). The SDM was adopted in November 2016 at the Conference of the Federal and State Data Protection Commissioners. 

On April 4, 2017, the Article 29 Working Party (“Working Party”) adopted its draft Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the “Guidelines”). The Guidelines aim to clarify when a data protection impact assessment (“DPIA”) is required under the EU General Data Protection Regulation (“GDPR”). The Guidelines also provide criteria to Supervisory Authorities (“SAs”) to use to establish their lists of processing operations that will be subject to the DPIA requirement.

On April 4, 2017, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the Proposed Regulation of the European Commission for the ePrivacy Regulation (the “Proposed ePrivacy Regulation”). The Proposed ePrivacy Regulation is intended to replace the ePrivacy Directive and to increase harmonization of ePrivacy rules in the EU. A regulation is directly applicable in all EU Member States, while a directive requires transposition into national law. 

On April 5, 2017, the Article 29 Working Party (“Working Party”) adopted the final versions of its guidelines (the “Guidelines”) on the right to data portability, Data Protection Officers (“DPOs”) and Lead Supervisory Authority (“SA”), which were first published for comment in December 2016. The final publication of these revised guidelines follows the public consultation which ended in February 2017.

The Cybersecurity Law of China, which was passed in November of 2016, introduced a data localization requirement requiring “operators of key information infrastructure” to retain, within China, critical data and personal information which they collect or generate in the course of operating their business in China. If an entity has a genuine need resulting from a business necessity to transmit critical data or personal information to a destination outside of China, it can do so provided it undergoes a “security assessment.”

Haim Ravia and Dotan Hammer of Pearl Cohen Zedek Latzer Baratz recently published an article outlining Israel’s new Protection of Privacy Regulations (“Regulations”), passed by the Knesset on March 21, 2017. The Regulations will impose mandatory comprehensive data security and breach notification requirements on anyone who owns, manages or maintains a database containing personal data in Israel.

The Regulations will become effective in late March 2018.

Read Pearl Cohen’s full article.

On March 28, 2017, the French Data Protection Authority (“CNIL”) published its Annual Activity Report for 2016 (the “Report”) and released its annual inspection program for 2017.

On March 15, 2017, the French data protection authority (the “CNIL”) published a six step methodology and tools for businesses to prepare for the EU General Data Protection Regulation (“GDPR”) that will become applicable on May 25, 2018.

On March 2, 2017, the UK Information Commissioner’s Office (“ICO”) published draft guidance regarding the consent requirements of the EU General Data Protection Regulation (“GDPR”). The guidance sets forth how the ICO interprets the GDPR’s consent requirements, and its recommended approach to compliance and good practice. The ICO guidance precedes the Article 29 Working Party’s guidance on consent, which is expected in 2017.

On March 21, 2017, Hunton & Williams is pleased to host an in-person seminar in its London office featuring seasoned cybersecurity practitioners. Drawing from deep experience in their respective fields, the panel members will discuss the implications of the EU General Data Protection Regulation’s breach notification obligations in the context of a state-of-the-art cyber attack simulation. In doing so, the panelists will share best practices to help protect organizations in the event of a cyber attack.

Hunton & Williams LLP, in coordination with the U.S. Chamber of Commerce, recently issued a series of recommendations to enhance the effectiveness of data privacy regulators. The report, Seeking Solutions: Attributes of Effective Data Protection Authorities, identifies seven key attributes of data protection authorities (“DPAs”) that contribute to effective data protection governance. The report also explores how the level of effectiveness varies based on differences in the structure, roles and resources of a DPA.

On March 1, 2017, Hunton & Williams senior consultant attorney Rosemary Jay presented evidence on the data protection reform package and the impact of Brexit to the UK Parliament’s House of Lords EU Home Affairs Sub-Committee meeting. 

On February 21, 2017, Sweet & Maxwell published a Guide to the General Data Protection Regulation, written by Hunton & Williams senior consultant attorney Rosemary Jay. The book was released as a companion to Data Protection Law and Practice.

On February 23, 2017, the French Data Protection Authority (“CNIL”) launched an online public consultation on three topics identified by the Article 29 Working Party (“Working Party”) in its 2017 action plan for the implementation of the EU General Data Protection Regulation (“GDPR”). The three topics are consent, profiling and data breach notification.

On February 20, 2017, the Article 29 Working Party (“Working Party”) issued a template complaint form and Rules of Procedure that clarify the role of the EU Data Protection Authorities (“DPAs”) in resolving EU-U.S. Privacy Shield-related (“Privacy Shield”) complaints.

On February 13, 2017, the Parliament of Australia passed legislation that amends the Privacy Act of 1988 (the “Privacy Act”) and requires companies with revenue over $3 million AUD ($2.3 million USD) to notify affected Australian residents and the Australian Information Commissioner (the “Commissioner”) in the event of an “eligible data breach.”

On February 15, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted two sets of formal comments to the Article 29 Working Party (the “Working Party”). CIPL commented on the Guidelines for identifying a controller or processor’s lead supervisory authority (“Lead Authority Guidelines”), and on the Guidelines on the right to data portability (“Data Portability Guidelines”). Both were adopted by the Working Party on December 13, 2016, for public consultation. 

On February 15, 2017, the European Data Protection Supervisor (“EDPS”) published its Priorities for 2017 (the “EDPS Priorities”). The EDPS Priorities consist of a note listing the strategic priorities and a color-coded table listing the European Commission’s proposals that require the EDPS’ attention, sorted by level of priority.

On February 4, 2017, the Cyberspace Administration of China published a draft of its proposed Measures for the Security Review of Network Products and Services (the “Draft”). Under the Cybersecurity Law of China, if an operator of key information infrastructure purchases network products and services that may affect national security, a security review is required. The Draft provides further hints of how these security reviews may actually be carried out, and is open for comment until March 4, 2017.

On March 6 and 7, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and over 100 public and private sector participants in CIPL’s GDPR Implementation Project will convene in Madrid, Spain, for CIPL’s third major GDPR implementation workshop.

As previously published on the Data Privacy Laws blog, Pablo A. Palazzi, partner at Buenos Aires law firm Allende & Brea, provides the following report.

Earlier this month, the Argentine Data Protection Agency (“DPA”) posted the first draft of a new data protection bill (the “Draft Bill”) on its website. Argentina’s current data protection bill was enacted in December 2000. Argentina was the first Latin American country to be recognized as an adequate country by the European Union.

On February 1, 2017, Matt Hancock, the UK Government Minister responsible for data protection, was questioned by the House of Lords committee on the UK’s implementation plan of the EU General Data Protection Regulation (“GDPR”) in the context of the UK’s looming exit from the EU. In responding to the questioning, Hancock revealed further details into the UK Government’s position on implementing the GDPR into UK law.

On February 2, 2017, the UK government published a white paper entitled The United Kingdom’s exit from and new partnership with the European Union (the “white paper”). The white paper strikes a conciliatory tone, making it clear that the UK intends to maintain close ties with the European Union and its 27 remaining Member States after Brexit. A large portion of the white paper is devoted to discussing the issues at the heart of the 2016 Brexit referendum, such as immigration controls, continuing trade with the EU and the protection of individuals’ rights conferred under EU law. Among the rights addressed is the free flow of personal data between the UK and the EU.

On January 31, 2017, the Times of London reported that UK Prime Minister Theresa May plans to invoke Article 50 of the Treaty on European Union on March 9, 2017, meaning that formal Brexit negotiations with the EU could begin thereafter. This coincides with a two-day European Council summit in Malta which the leaders of all 28 EU Member States will be attending. The report in the Times of London states that the government informed the House of Lords yesterday that it intends to secure the approval of the European Union (Notification of Withdrawal) Bill (the “Bill”)—which would give the Prime Minister the legislative power to trigger Article 50—on March 7, 2017, just two days before the summit.

On January 25, 2017, President Trump issued an Executive Order entitled “Enhancing Public Safety in the Interior of the United States.” While the Order is primarily focused on the enforcement of immigration laws in the U.S., Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This provision has sparked a firestorm of controversy in the international privacy community, raising questions regarding the Order’s impact on the Privacy Shield framework, which facilitates lawful transfers of personal data from the EU to the U.S. While political ramifications are certainly plausible from an EU-U.S. perspective, absent further action from the Trump Administration, Section 14 of the Order should not impact the legal viability of the Privacy Shield framework.

On January 25, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party’s (“Working Party’s”) Guidelines on Data Protection Officers (DPOs) (“DPO Guidelines”) that were adopted on December 13, 2016. CIPL’s comments follow its November 2016 white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation, which CIPL submitted as formal initial input to the Working Party’s development of DPO implementation guidance under the EU General Data Protection Regulation (“GDPR”).

On January 17, 2017, the International Trade Administration (“ITA”) announced that South Korea formally submitted its intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system. South Korea would be the fifth APEC economy to join the system, joining the United States, Mexico, Canada and Japan.

On January 24, 2017, the UK Supreme Court handed down its judgment in the case of R (on the application of Miller and another) (Respondents) v. Secretary of State for Exiting the European Union (Appellant) [2017] UKSC 5. The case concerned the process to be followed to effect the UK’s withdrawal from the European Union and, in particular, whether the UK government may commence the UK’s withdrawal using executive powers, or whether Parliamentary approval is required. The Supreme Court held, by majority, that the UK government cannot commence the UK’s withdrawal from the EU without the approval of Parliament.

On January 16, 2017, the Article 29 Working Party (“Working Party”) published further information about its Action Plan for 2017, which sets forth the Working Party’s priorities and objectives in the context of implementation of the EU General Data Protection Regulation (“GDPR”) for the year ahead. The Action Plan closely follows earlier GDPR guidance relating to Data Portability, the appointment of Data Protection Officers and the concept of the Lead Supervisory Authority, which were published together by the Working Party on December 13, 2016.

Last month, the Standing Committee of the National People’s Congress of China published a full draft of the E-commerce Law (the “Draft”) and is giving the general public an opportunity to comment on the draft through January 26, 2017.

On January 10, 2017, the European Commission published a communication addressed to the European Parliament and European Council on Exchanging and Protecting Personal Data in a Globalized World (the “Communication”). The Communication aims to facilitate commercial data flows and foster law enforcement cooperation. In the Communication, the European Commission states that it will:

On January 11, 2017, the Swiss Federal Data Protection and Information Commissioner announced that it has reached an agreement with the U.S. Department of Commerce on a new Swiss-U.S. Privacy Shield framework (the “Swiss Privacy Shield”), which will allow companies to legally transfer Swiss personal data to the U.S. The Swiss Privacy Shield will replace the U.S.-Swiss Safe Harbor framework, and according to the Swiss government’s announcement, will “apply the same conditions as the European Union, which set up a comparable system with the U.S. last summer,” referring ...

On January 10, 2017, the European Commission announced the final elements of its long-awaited “digital single market” strategy for Europe. The announcement includes two new proposed EU regulations as well as a European Commission Communication, as described below.

On December 21, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the EU General Data Protection Regulation’s (“GDPR's”) provisions relating to risk and risk assessment, which will become applicable on May 25, 2018. While risk assessments already are required under the EU Data Protection Directive, the GDPR broadens the relevance of risk and risk assessment by explicitly and comprehensively incorporating a risk-based approach to data protection.

Recently, the Ministry of Industry and Information Technology of the People’s Republic of China published a draft of the new Notice on Regulating Business Behaviors in the Cloud Service Market (Draft for Public Comments) (the “Draft”) for public comment. The Draft is open for comment until December 24, 2016.