Privacy & Information Security Law Blog

On December 21, 2016, a judgment by the Court of Justice for the European Union (the “CJEU”) that clarifies EU surveillance laws has called into question the legality of the UK’s Investigatory Powers Act 2016. The decision in Case C-698/15 could have significant implications on the UK’s chances of securing “adequacy” status for its data protection regime post-Brexit.

On December 15, 2016, the Article 29 Working Party (“Working Party”) issued a press release announcing its December 13, 2016, adoption and release of three sets of guidelines and FAQs on key implementation issues under the EU General Data Protection Regulation (“GDPR”):

The Privacy team at Hunton & Williams has authored several chapters of the recently published 2017 guide to data protection and privacy for Getting the Deal Through. The publication covers data privacy and data protection laws in 26 jurisdictions across the globe. Wim Nauwelaerts, Privacy team partner in the firm’s Brussels office, served as the contributing editor of the guide and co-authored the Belgium chapter and the EU overview.

On December 12, 2016, Politico reported that the European Commission intends to replace the e-Privacy Directive with a Regulation. The planned shift from a Directive to a Regulation has important legal consequences under EU law, as it means that instead of creating a floor upon which EU Member States may base the creation of their own versions of the law, a Regulation will create a harmonized set of requirements at the EU level that are directly applicable in the Member States.

On November 30, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on The One-Stop-Shop and the Lead DPA as Co-operation Mechanisms in the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the One-Stop-Shop (“OSS”) and lead DPA, which will become effective on May 25, 2018.

On November 19, 2016, the French government enacted a bill creating a legal basis for class actions against data controllers and processors resulting from data protection violations. The bill, which aims to facilitate access to justice for French citizens, establishes a general class action regime and includes specific provisions regarding data protection violations. These provisions go beyond the class action provisions already in place for consumers by adding, within the context of the French Data Protection Act of 1978 (“Loi Informatique et Libertés”), a right to class actions for data protection violations regardless of industry sector.

On November 21, 2016, against the backdrop of the EU General Data Protection Regulation (“GDPR”) and Brexit, UK Information Commissioner Elizabeth Denham delivered a keynote speech at the Annual Conference of the National Association of Data Protection and Freedom of Information Officers. During the address, Denham discussed the UK ICO’s ongoing preparations for the GDPR, reiterating the government’s position that the GDPR will be implemented in the UK. 

On November 23, 2016, Bloomberg BNA reported that the Hague Administrative Court in the Netherlands upheld a decision by the Dutch Data Protection Authority that WhatsApp was in breach of the Dutch Data Protection Act (the “Act”) on account of its alleged failure to identify a representative within the country responsible for compliance with the Act, despite the processing of personal data of Dutch WhatsApp users on Dutch smartphones. WhatsApp reportedly faces a fine of €10,000 per day up to a maximum of €1 million ...

Recently, German Chancellor Angela Merkel spoke at Germany’s 10th National IT Summit, and called for EU Member States to take a pragmatic approach to the application of EU data protection laws. Chancellor Merkel warned that a restrictive interpretation of data protection laws risks undermining the development of big data projects in the EU. Ahead of the introduction of the General Data Protection Regulation throughout the EU in May 2018, Merkel argued that, more than simply preventing the excesses of personal data use, data protection law should serve to enable emerging data ...

On November 17, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the role of the Data Protection Officer (“DPO”).

On November 20, 2016, the heads of state of the 21 member economies of the Asia-Pacific Economic Cooperation (“APEC”) forum reaffirmed the APEC Cross-Border Privacy Rules (“CBPR”) system in their Leaders’ Declaration at the APEC Leaders’ Meeting in Lima, Peru as follows: “We recall the APEC Leaders 2011 Honolulu Declaration and recognize the importance of implementing the APEC Cross-Border Privacy Rules System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR system.” The fact that the CBPR system is mentioned in the Leaders’ Declaration reflects its priority status on the APEC agenda.

On November 18, 2016, the Argentina Data Protection Agency (“DPA”) announced that it had issued DNPDP Disposition 60 –  a new regulation on international transfers of personal data (the “Regulation”). 

On November 16, 2016, the UK Investigatory Powers Bill (the “Bill”) was approved by the UK House of Lords. Following ratification of the Bill by Royal Assent, which is expected before the end of 2016, the Bill will officially become law in the UK. The draft of the Bill has sparked controversy, as it will hand significant and wide-ranging powers to state surveillance agencies, and has been strongly criticized by some privacy and human rights advocacy groups. 

This post has been updated. 

On November 10, 2016, the Court of Appeal for Moscow’s Taginsky District upheld an August 2016 decision by the district’s lower court that LinkedIn had violated Russian data protection laws. Access to the professional networking site is now set to be blocked across Russia.

On November 9, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and AvePoint released the results of a joint global survey launched in May 2016 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The GDPR replaces Directive 95/46/EC and will become applicable in May 2018.

Join us at the International Association of Privacy Professionals (“IAPP”) Data Protection Congress in Brussels, November 9-10, 2016.

On November 7, 2016, the Standing Committee of the National People’s Congress of China enacted the final Cybersecurity Law after it held its third reading of the draft Cybersecurity Law on October 31, 2016. The first draft of the Cybersecurity Law was published for comment more than a year ago, followed by the second draft in July this year. The final Cybersecurity Law will apply from June 1, 2017.

On October 24, 2016, the UK Secretary of State for Culture, Media and Sport confirmed that the UK will implement the EU General Data Protection Regulation (“GDPR”) by May 2018. The UK Information Commissioner, Elizabeth Denham, has officially welcomed this confirmation and said that the UK must stay on top of the continuing digital economy evolution. The Information Commissioner’s Office (“ICO”) will publish a revised timeline setting out what areas of guidance the ICO will be prioritizing over the next six months.

On November 3, 2016, the High Court of England and Wales handed down its judgment in the case of R (on the application of Santos) v. Secretary of State for Exiting the European Union [2016] EWHC 2768 (Admin). This high-profile and closely followed case concerns the process that must be followed to trigger Britain’s exit from the European Union. In particular, the question before the court was whether the Prime Minister can wield her executive powers to trigger the exit or if she needs Parliamentary approval before doing so. In reaching its decision, the Court ruled in favor of the claimants, meaning that the Prime Minister does not have the power to trigger Britain’s exit from the European Union, but instead must first obtain Parliamentary approval.

On October 31, 2016, the Standing Committee of the National People’s Congress of China held a third reading of the draft Cybersecurity Law (the “third draft”). As we previously reported, the second draft of the Cybersecurity Law was published for comment in June. The National People’s Congress has not yet published the full text of the third draft of the Cybersecurity Law.

On October 20, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP hosted a side workshop at the International Conference of Data Protection & Privacy Commissioners focused on transparency and risk assessment, entitled “The Role of Risk Assessment and Transparency in Enabling Organizational Accountability in the Digital Economy.” The workshop was led by Bojana Bellamy, CIPL’s President, and featured contributions from many leaders in the field, including the UK ICO, Belgium and Hong Kong’s Privacy Commissioners, and counsel and privacy officers from several multinational companies.

On October 7, 2016, the French Digital Republic Bill (the “Bill”) was enacted after a final vote from the Senate. The Bill aligns the French legal data protection framework with the EU General Data Protection Regulation (“GDPR”) requirements before the GDPR becomes applicable in May 2018.

Recently, the Cyberspace Administration of China published for public comment a draft of the Regulations on the Online Protection of Minors (“Draft Regulations”). The Draft Regulations are open for comment until October 31, 2016.

A recent update on the Court of Justice of the European Union’s (the “CJEU’s”) website has revealed that Digital Rights Ireland, an Irish privacy advocacy group, has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield (the “Privacy Shield”).

On October 21, 2016, the Vietnam e-Commerce and Information Technology Agency and APEC co-hosted an APEC Cross-Border Privacy Rules (“CBPR”) system capacity-building workshop in Da Nang, Vietnam, on the heels of last week’s bilateral affirmation of commitment between the U.S. and Japan to implement and expand the CBPR system. The workshop further signals the continuing growth of the CBPR system.

Earlier this month, Hunton & Williams announced that Global Privacy and Cybersecurity partner Aaron P. Simpson has switched to London from the firm’s New York office. He will continue his work on behalf of clients as a leader of the firm’s Global Privacy and Cybersecurity practice.

Earlier this month, at a meeting of the Article 31 Committee, the European Commission (“Commission”) unveiled two draft Commission Implementing Decisions that propose amendments to the existing adequacy decisions and decisions on EU Model Clauses.

On October 19, 2016, the International Trade Administration issued a press release reaffirming the commitment of both the U.S. Department of Commerce and Japan’s Personal Information Protection Commission (the “PPC”) to continue implementation of the APEC Cross-Border Privacy Rules (“CBPR”) system in order to foster the protection of personal information transferred across borders. According to the press release, the PPC’s “recent decision to recognize the system as a mechanism for international data transfers in the implementing guidelines for Japan’s amended privacy law marks an important milestone for the development of the APEC CBPR system in Japan.” Going forward, both agencies also have committed to cooperate in raising awareness and encouraging other APEC member economies to implement the CBPR system.

On October 7, 2016, the Article 29 Working Party (the “Working Party”) published a summary of the discussions that took place at its “Fablab” workshop entitled GDPR/from concepts to operational toolbox, DIY, which took place on July 26, 2016, in Brussels.

On October 19, 2016, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Patrick Breyer v. Bundesrepublik Deutschland, following the Opinion of Advocate General Manuel Campos Sánchez-Bordona on May 12, 2016. The CJEU followed the Opinion of the Advocate General and declared that a dynamic IP address registered by a website operator must be treated as personal data by that operator to the extent that the user's Internet service provider ("ISP") has - and may provide - additional data that in combination with the IP address that would allow for the identification of the user.

On October 13, 2016, Elizabeth Denham, the UK Information Commissioner, suggested that directors of companies who violate data protection laws should be personally liable to pay fines at a House of Commons Public Bill Committee meeting when discussing the latest draft of the Digital Economy Bill (the “Bill”). The Bill is designed to enable businesses and individuals to access fast, digital communications services, promote investment in digital communications infrastructure and support the “digital transformation of government.” Measures to improve the digital landscape contained in the Bill include the introduction of a new Electronic Communications Code and more effective controls to protect citizens from nuisance calls. More controversially, however, the Bill also contains provisions both enabling and controlling the sharing of data between public authorities and private companies.

In September, the Centre for Information Policy Leadership (“CIPL”) held its second GDPR Workshop in Paris as part of its two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster a culture of trust and collaboration between regulators and industry.  

On October 3, 2016, at the Paris Motor Show, the French Data Protection Authority ("CNIL") reported on the progress of a new compliance pack on connected vehicles. The work was launched on March 23, 2016, and should be finalized in Spring 2017.

On September 27, 2016, Cloud Infrastructure Services Providers in Europe (“CISPE”) published its Data Protection Code of Conduct (the “Code”). CISPE, a relatively new coalition of more than 20 cloud infrastructure providers with operations in Europe, has focused the Code on transparency and compliance with EU data protection laws.

On September 23, 2016, the European Data Protection Supervisor (the “EDPS”) released Opinion 8/2016 (the “Opinion”) on the coherent enforcement of fundamental rights in the age of big data. The Opinion updates the EDPS’ Preliminary Opinion on Privacy and Competitiveness in the Age of Big Data, first published in 2014, and provides practical recommendations on how the EU’s objectives and standards can be applied holistically across the EU institutions. According to the EDPS, the Digital Single Market Strategy presents an opportunity for a coherent approach with respect to the application of EU rules on data protection, consumer protection, antitrust enforcement and merger control. In addition, the EDPS calls for greater dialogue and cooperation between data protection, consumer and competition authorities in order to protect the rights and interests of individuals, including the rights to privacy, freedom of expression and non-discrimination.

On September 27, 2016, the French Data Protection Authority (“CNIL”) announced the adoption of two new decisions, Single Authorizations AU-052 and AU-053, that will now cover all biometric access control systems in the workplace. These two new decisions repeal and replace the previous biometric decisions adopted by the CNIL and lay down the CNIL’s new position on biometric systems used to control access to the premises, software applications and/or devices in the workplace.  

On September 23, 2016, the French Data Protection Authority ("CNIL") published the results of the Internet sweep on connected devices. The sweep was conducted in May 2016 to assess the quality of the information provided to users of connected devices, the level of security of the data flows and the degree of user empowerment (e.g., user’s consent and ability to exercise data protection rights).

On September 22, 2016, Korean law firm Bae, Kim & Lee LLC released a Legal Update outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”).

On September 16, 2016, the Belgian Data Protection Authority (the “Privacy Commission”) published a 13-step guidance document (in French and Dutch) to help organizations prepare for the EU General Data Protection Regulation (“GDPR”).

The 13 steps recommended by the Privacy Commission are summarized below.

Recently, the National Privacy Commission (the “Commission”) of the Philippines published the final text of its Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “IRR”). The IRR has a promulgation date of August 24, 2016, and went into effect 15 days after the publication in the official Gazette.

On August 30, 2016, the First-tier Tribunal (Information Rights) (the “Tribunal”) dismissed an appeal from UK telecoms company TalkTalk Telecom Group PLC (“TalkTalk”) regarding a monetary penalty notice issued to it on February 17, 2016, by the UK Information Commissioner’s Office (“ICO”). The ICO had issued the monetary penalty notice to TalkTalk, for the amount of £1,000, for an alleged failure to report an October 2015 data breach to the ICO within the legally required time period.

On September 8, 2016, Advocate General Paolo Mengozzi of the Court of Justice of the European Union (“CJEU”) issued his Opinion on the compatibility of the draft agreement between Canada and the European Union on the transfer of passenger name record data (“PNR Agreement”) with the Charter of Fundamental Rights of the European Union (“EU Charter”). This is the first time that the CJEU has been called upon to issue a ruling on the compatibility of a draft international agreement with the EU Charter.

Last month, the People’s Republic of China’s Ministry of Transportation, Ministry of Industry and Information Technology and six other administrative departments jointly published the Interim Measures for the Administration of Operation and Services of E-hailing Taxis (the “Measures”). E-hailing is an increasingly popular business in China and has already become a compelling alternative to the traditional taxi. The Measures seek to regulate this emerging industry, and will come into effect on November 1, 2016. Below is a summary of the key requirements.

Recently, the People’s Republic of China’s Ministry of Public Security, the National Development and Reform Commission and six other administrative departments jointly published the Announcement on Regulating the Administration of the Use of Resident Identity Cards (the “Announcement”). The Announcement came into effect on July 15, 2016, the date of its issuance.

The Announcement reiterates existing prohibitions against leasing, lending or assigning a resident identity card to another person, and reiterates an existing requirement that resident identity cards must not be seized or held as a security by government agencies, related entities or their staff.

The State Administration for Industry and Commerce of the People’s Republic of China published a draft of its Implementing Regulations for the P.R.C. Law on the Protection of the Rights and Interests of Consumers (the “Draft”) for public comment. The draft is open for comment until September 5, 2016.

On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive"). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).

On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.

Background

Following the launch of Microsoft’s new operation system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their relevant EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.

On July 26, 2016, Isabelle Falque-Pierrotin, the Chairwoman of the Article 29 Working Party of data protection regulators, announced that EU data protection regulators will not challenge the adequacy of the EU-U.S. Privacy Shield (“Privacy Shield”) for at least one year (i.e., until after summer 2017). The European Commission is scheduled to conduct a mandatory review of the adequacy of the Privacy Shield by May 2017.

On July 12, 2016, after months of negotiations and criticism, the EU-U.S. Privacy Shield (“Privacy Shield”) was officially adopted by the European Commission and the Department of Commerce. Similar to the Safe Harbor, companies must certify their compliance with the seven principles comprising the Privacy Shield to use the Shield as a valid data transfer mechanism. Hunton & Williams partner Lisa J. Sotto and associate Chris D. Hydak recently published an article in Law360 entitled “The EU-U.S. Privacy Shield: A How-To Guide.” In the article, Lisa and Chris detail the ...

On July 26, 2016, the U.S. Department of Commerce announced that it has launched a new website that provides individuals and companies with additional information regarding the EU-U.S. Privacy Shield Framework (“Privacy Shield”). Among other things, the website provides information about complying with, and self-certifying to, the Privacy Shield’s principles. The Department of Commerce’s website will begin accepting certifications on August 1, 2016.

On July 19, 2016, Advocate General Saugmandsgaard Oe (“Advocate General”), published his Opinion on two joined cases relating to data retention requirements in the EU, C-203/15 and C-698/15. These cases were brought following the Court of Justice for the European Union’s (“CJEU's”) decision in the Digital Rights Ireland case, which invalidated Directive 2006/24/EC on data retention. The two cases, referred from courts in Sweden and the UK respectively, sought to establish whether a general obligation to retain data is compatible with the fundamental rights to privacy and data protection under EU law.

On July 14, 2016, the Federal Trade Commission issued warning letters to 28 companies relating to apparent false claims of participation in the APEC Cross-Border Privacy Rules (“CBPR”).

The warning letters state that the companies’ websites represent APEC CBPR certification even though the companies do not appear to have undertaken the necessary steps to claim certification, such as a review and approval process by an APEC-recognized Accountability Agent.

On July 12, 2016, the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, and U.S. Secretary of Commerce Penny Pritzker announced the formal adoption of the EU-U.S. Privacy Shield (the “Privacy Shield”) framework, composed of an Adequacy Decision and accompanying Annexes.

On July 6, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on video surveillance under the EU General Data Protection Regulation (“GDPR”).

This paper is part of a series of papers that the Bavarian DPA will issue periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasized that these papers are non-binding.

On July 6, 2016, the UK government decided to close its controversial care.data scheme after concerns were raised about the safeguards in place to protect individuals’ health care data and issues with patient transparency.

On July 8, 2016, EU representatives on the Article 31 Committee approved the final version of the EU-U.S. Privacy Shield (“Privacy Shield”) to permit transatlantic transfers of personal data from the EU to the U.S.

On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the “NIS Directive”), which will come into force in August 2016. EU Member States will have 21 months to transpose the NIS Directive into their national laws. The NIS Directive is part of the European Commission’s cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

On July 5, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China (the “Standing Committee”) published the full second draft of the Cybersecurity Law (the “second draft”). The publication of the second draft comes after the Standing Committee’s second reading of the draft on June 27, 2016. The public may comment on the second draft of the Cybersecurity Law until August 4, 2016.

On July 5, 2016, the European Commission announced the launch of a new public-private partnership (the “Partnership”) on cybersecurity, as part of its Digital Single Market and EU Cybersecurity strategies. In this context, the European Commission released several documents, including a Commission Decision establishing a contractual arrangement of the new Partnership for cybersecurity industrial research, and a Staff Working Document on the preparation activities for the Partnership.

On June 28, 2016, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2015 -2016 (the “Report”).

According to the Report, the ICO has dealt with an increase in the number of data protection concerns, handling 16,388 complaints in total. Particularly noteworthy is the £130,000 fine imposed on Pharmacy 2U for breach of the fair processing requirements under the UK Data Protection Act 1998. Pharmacy 2U sold details of over 20,000 customers to a list marketing company without customers' knowledge or consent.

On June 28, 2016, the State Internet Information Office of the People’s Republic of China published the Administrative Provisions on Information Services for Mobile Internet Applications (the “App Administrative Provisions”). This is the first regulation that expressly regulates mobile apps in the People’s Republic of China. Before the App Administrative Provisions were published, the P.R.C. Ministry of Industry and Information Technology had published a draft of the Interim Provisions on the Preinstallation and Management of the Distribution of Mobile Intelligent Terminal Applications (“Interim Provisions”). The comment period for the Interim Provisions draft expired six months ago and i’s still uncertain when it will become effective. According to unofficial statistics, domestic app stores have more than 4 million apps in inventory presently, and the number is growing. Those apps will now become highly regulated products under the App Administrative Provisions.

On June 30, 2016, a joint committee composed of representatives from both chambers of the French Parliament (“Joint Committee”) reached a common position on the French ‘Digital Republic’ Bill that rejects the data localization amendment previously approved by the French Senate, but significantly amends other aspects of the French Data Protection Act.

On June 27, 2016, the Standing Committee of the National People’s Congress of the People's Republic of China held a second reading of the draft Cybersecurity Law (the “second draft”). The law is aimed at strengthening the protection and security of key information infrastructure and important data in China. As we previously reported, the first draft of the Cybersecurity Law was published for comment almost a year ago, but the National People’s Congress has not published the full second draft of the Cybersecurity Law to date.

On June 25, 2016, the Cyberspace Administration of China published its new Administrative Provisions on Internet Information Search Services (the “Provisions”). The Provisions will come into effect on August 1, 2016.

On June 29, 2016, Politico reported that it has obtained updated EU-U.S. Privacy Shield documents following the latest negotiations between U.S. and EU government authorities. Certain aspects of the prior Privacy Shield framework were criticized by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor.

This post has been updated. 

On June 17, 2016, the National Privacy Commission (the “Commission”) of the Philippines released draft guidelines entitled, Implementing Rules and Regulations of the Data Privacy Act of 2012 (“IRR”), for public consultation.

Under the IRR, the processing of personal data has to adhere to the principles of transparency, legitimate purpose and proportionality. The IRR defines personal data as personal information, sensitive information and privileged information. Sensitive information refers to personal information about an individual’s race, ethnicity, health, education, genetic or sexual life of a person, proceedings related to an offense committed by a person, health records and tax returns. According to the IRR, the personal information controller should take organizational, physical and technical security measures for data protection. Such security measures include the designation of a privacy officer, limitations on physical access and the adoption of technical and logical security measures.

With the EU General Data Protection Regulation (“GDPR”) enacted and due to come into force in May 2018, the Centre for Information Policy Leadership at Hunton & Williams and AvePoint have launched a global survey to enable organizations to benchmark their readiness for the GDPR. The survey focuses on the key areas of impact and change for organizations under the GDPR, such as consent, legitimate interest, data portability, profiling, privacy impact assessments, DPOs, data transfers and privacy management program.

On June 23, 2016, the UK held a referendum to decide upon its continued membership in the European Union. The outcome has resulted in the decision for the UK to withdraw its membership from the European Union. Despite the result, data protection standards are unlikely to be affected.

On June 22, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on certifications under Article 42 of the General Data Protection Regulation (“GDPR”). The GDPR will become effective on May 25, 2018.

This paper is part of a series of papers that the Bavarian DPA will be issuing periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasizes that these papers are non-binding.

Hunton & Williams announces its participation with the Global Legal Group in the publication of the third edition of the book The International Comparative Legal Guide to: Data Protection 2016. The guide provides corporate counsel and international practitioners with a comprehensive worldwide legal analysis of the laws and regulations relating to data protection. Bridget Treacy, partner and head of the UK privacy and cybersecurity practice, served as the contributing editor of the guide and co-authored the UK chapter.

On June 16, 2016, the French Data Protection Authority (“CNIL”) launched a public consultation on the four priority topics identified by the Article 29 Working Party (“Working Party”) in its February 2016 action plan for the implementation of the EU General Data Protection Regulation (“GDPR”).

On June 9, 2016, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2015 (the “Annual Report”) highlighting its main accomplishments.

According to Bloomberg BNA, the EU-U.S. Privacy Shield framework could be approved by the European Commission in early July. The Privacy Shield is a successor framework to the Safe Harbor, which was invalidated by the European Court of Justice in October 2015. Certain provisions of the Privacy Shield documents, previously released by the European Commission on February 29, 2016, have been subjected to criticism by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor. According to Bloomberg BNA, the previously released draft adequacy decision, one of the Privacy Shield documents released on February 29, 2016, is expected to be modified.

On June 13, 2016, the U.S. government expressed its wish to join the legal proceedings brought by Max Schrems concerning the validity of international data transfers under EU Standard Contractual Clauses.

Along with the U.S. government, the Irish Business and Employers Confederation and the Business Software Alliance, an industry trade group, also informed Ireland’s High Court of their desire to be added to the case as amici curiae, or "friends of the court."

On June 2, 2016, the European Union and the U.S. signed an Umbrella Agreement, which will implement a comprehensive data protection framework for criminal law enforcement cooperation. The agreement is not yet in effect and additional procedural steps are needed to finalize the agreement. The European Council will adopt a decision on the Umbrella Agreement after obtaining consent from the European Parliament.

On June 1, 2016, a new do-not-call list (the “BLOCTEL list”) was implemented in France. French residents who do not wish to receive marketing phone calls may register their landline or mobile phone number online at www.bloctel.gouv.fr.

In a recently published decision, the Belgian Court of Cassation confirmed the broad interpretation given to the “right to be forgotten” by a Belgian Court of Appeal (i.e., Cour d’Appel de Liège, 2013/RG/393, September 25, 2014).

The judgment was rendered in a case initiated by an individual against a Belgian newspaper for not complying with a request to remove from its online archives an article from 1994 regarding a car accident causing the death of two persons in which the individual was involved.

On May 30, 2016, the European Data Protection Supervisor (“EDPS”) released its Opinion (the “Opinion”) on the EU-U.S. Privacy Shield (the “Privacy Shield”) draft adequacy decision. The Privacy Shield was created to replace the previous Safe Harbor framework invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems decision.

On May 26, 2016, the European Parliament approved a resolution calling for the European Commission to reopen negotiations with U.S. authorities on the EU-U.S. Privacy Shield (“Privacy Shield”), and to implement the recommendations of the Article 29 Working Party (“Working Party”) on the draft Privacy Shield adequacy decision.

The Working Party had previously published its recommendations in an Opinion regarding the draft decision issued by the European Commission on adequacy of the protection provided by the Privacy Shield. In the Opinion, the Working Party highlighted a number of key issues concerning access to European personal data by law enforcement and government agencies, and also recommended a number of changes to ensure that European citizens’ data are adequately protected.

On May 25, 2016, Max Schrems stated that the Irish Data Protection Commissioner (the “DPC”) is expected to bring legal proceedings before the Irish courts concerning international data transfers under EU Standard Contractual Clauses.

In an unofficial statement to the Irish press, a representative of the DPC confirmed the DPC’s intention to seek declaratory relief in the Irish High Court and to recommend that the case be referred to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling.

Read our previous entry on the Schrems ruling of the CJEU.

Hunton ...

On May 24, 2016, the UK Information Commissioner’s Office (“ICO”) published priorities for preparing for the EU General Data Protection Regulation (“GDPR”).

The ICO’s priorities for issuing guidance to assist organizations with GDPR preparation are split into three phases.

On May 23, 2016, half of the EU Member States sent a letter to the European Commission and the Netherlands (which holds the rotating presidency), seeking the removal of barriers to the free flow of data both within and outside the EU to benefit the EU from new data-driven technologies, according to Reuters and EurActive.com.

On May 17, 2016, the European Council adopted its position at first reading of the Network and Information Security Directive (the “NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013, as part of its cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

The NIS Directive will impose security obligations on “operators of essential services” in critical sectors and “digital service providers.” These operators will be required to take measures to manage cyber risks and report major security incidents.

On May 12, 2016, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued an opinion stating that Internet Protocol (“IP”) addresses are personal data and data protection law should apply to IP addresses. Specifically, the AG urged the CJEU to rule that a dynamic IP address is personal data to the extent that an Internet access provider has additional data that in combination with the IP address would allow for the re-identification of the user.

On March 16, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP co-hosted a one-day workshop in Amsterdam, Netherlands, together with the Dutch Ministry of Security and Justice, to kick off CIPL’s new long-term project on the implementation of the EU General Data Protection Regulation (“GDPR”).

On May 4, 2016, the Federal Trade Commission issued a press release announcing its recent settlement with the hand-held vaporizers manufacturer, Very Incognito Technologies, Inc. (“Vipvape”). The FTC had charged Vipvape with falsely claiming that it was a certified company under the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) framework. The settlement prohibits Vipvape from misleading consumers about its participation in any privacy and security certification program, including the APEC CBPR framework. This is the first CBPR-related case taken up by the FTC.

On May 4, 2016, the EU General Data Protection Regulation (“GDPR”) was published in the Official Journal of the European Union.

Following the European Parliament’s vote to adopt the GDPR on April 14, 2016, and the signing of the final draft on April 27, 2016, the GDPR will enter into force 20 days following its publication in the Official Journal of the European Union. Its provisions will be directly applicable in all EU Member States two years after this date, on May 25, 2018.

After four years of drafting and negotiations, the GDPR finally replaces and harmonizes the existing EU ...

On April 26, 2016, Korean law firm Bae, Kim & Lee LLC released a Privacy News Alert outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”). According to Tae Uk Kang, partner at Bae, Kim & Lee and author of the alert, these amendments to PIPA and the IT Network Act “reflect the general trend concerning the Korean data privacy policy, which is intended to achieve more stringent regulation (and sanctions) of processing personal information.”

On April 27, 2016, the UK House of Commons Culture, Media and Sport Select Committee (the “Committee”) confirmed Elizabeth Denham’s appointment as Information Commissioner. Denham, currently the Privacy and Information Commissioner for British Columbia, Canada, was announced as the UK Government’s preferred choice on March 22, 2016.

On April 12, 2016, the French Data Protection Authority (“CNIL”) announced that it will participate in a coordinated online audit to analyze the impact of everyday connected devices on privacy. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

On April 14, 2016, after four years of drafting and negotiations, the long awaited EU General Data Protection Regulation (“GDPR”) has been adopted at the EU level. Following the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs’ vote earlier this week and the EU Parliament in plenary session, the GDPR is now officially EU law and will directly apply in all EU countries, replacing EU and national data protection legislation.

On April 13, 2016, the Article 29 Working Party (the “Working Party”) published its Opinion on the EU-U.S. Privacy Shield (the “Privacy Shield”) draft adequacy decision. The Privacy Shield was created to replace the previous Safe Harbor framework invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems decision. The Working Party also published a Working Document on the justification for interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees).

On April 12, 2016, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs voted to approve the EU General Data Protection Regulation (“GDPR”) by a 54-3 vote, with one abstention. The GDPR replaces Directive 95/46/EC, enacted in 1995, and will significantly change EU data protection laws.

This development clears the way for the European Parliament to rubber stamp the GDPR at a plenary session on April 14, 2016, completing the legislative process for adoption of the GDPR. The GDPR is expected to be published in the Official Journal of the European Union ...

On April 11, 2016, the European Commission launched a public consultation to evaluate and review Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector, also known as the e-Privacy Directive.

Technological advances and the advent of the EU General Data Protection Regulation (“GDPR”) have prompted the European Commission to review the e-Privacy Directive, which was last updated in 2009.

After much debate, the final version of the EU General Data Protection Regulation (“GDPR”) is expected to be adopted by the European Parliament this week and to take effect in early 2018. The GDPR will significantly change EU data protection law in several areas, affecting all businesses in the energy, financial, health care, real estate, manufacturing, retail, technology and transportation industries, among others. To assist in-house lawyers and privacy professionals with understanding the new GDPR and planning ahead for implementation, Hunton & Williams’ Privacy and Cybersecurity practice lawyers have released The EU General Data Protection Regulation, a Guide for In-House Lawyers covering these strategic areas:

On March 30 through April 1, 2016, the 2016 Nuclear Industry Summit meetings took place in Washington D.C. In the nuclear industry, the issue of cybersecurity has grown steadily in importance over the past decade. This has been most apparent in the increasing attention and effort paid to cyber-based threats under the biennial Nuclear Industry Summit and its international meetings.

On April 6, 2016, the Federal Trade Commission formally welcomed the updated Recommendation on Consumer Protection in E-commerce (the “Recommendation”) issued by the Organization for Economic Cooperation and Development (“OECD”) on March 24, 2016, endorsing the Recommendation’s broadened scope and increased consumer protections that “are designed to strengthen consumers’ trust in the expanding electronic marketplace.”

On March 24, 2016, the Grand National Assembly of Turkey approved the Law on Personal Data Protection, which is Turkey’s first comprehensive data protection legislation. The law will become effective once it is ratified by Turkey’s President and published in the Official Gazette of the Republic of Turkey.

On April 8, 2016, the Council of the European Union (the “Council”) will adopt its position on the EU General Data Protection Regulation (“GDPR”). The General Secretariat of the Council of the EU sent a Note (the “Note”) asking the Permanent Representatives Committee to use the “written procedure” to adopt the Council's position. The adoption of the Council's position was initially planned for a vote on April 21, 2016, during the next Justice and Home Affairs Council, but the Council has decided to expedite the process for adoption by using the “written procedure,” which is an exceptional procedure that does not include public deliberation.

Chambers & Partners ranked Hunton & Williams LLP’s Global Privacy and Cybersecurity practice in Band 1 in the recently released 2016 Global guide. The firm has been recognized by Chambers Global as a Band 1 firm, global-wide, for data protection for the past nine years. As noted by Chambers Global, the team is a “[t]op-ranked firm with notable strength negotiating with regulators and advising on compliance programmes.”