Privacy & Information Security Law Blog

On January 22, 2024, a draft of the final text of the EU Artificial Intelligence Act (“AI Act”) was leaked to the public. The leaked text substantially diverges from the original proposal by the European Commission, which dates back to 2021. The AI Act includes elements from both the European Parliament’s and the Council’s proposals.

The French Data Protection Authority (the “CNIL”) recently published its Annual Activity Report for 2018 (the “Report”) and released its annual inspection program for 2019.

On April 25, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) published its Annual Activity Report for 2018 (the “Annual Report”), highlighting the main developments and accomplishments of the past year.

On May 2, 2018, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2017 (the “Annual Report”), highlighting its main accomplishments for the past year.

On May 26, 2017, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2016 (the “Annual Report”) highlighting its main accomplishments from the past year.

On June 9, 2016, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2015 (the “Annual Report”) highlighting its main accomplishments.

On May 25, 2015, the French Data Protection Authority (“CNIL”) released its long-awaited annual inspection program for 2015. Under French data protection law, the CNIL may conduct four types of inspections: (1) on-site inspections (i.e., the CNIL may visit a company’s facilities and access anything that stores personal data); (2) document reviews (i.e., the CNIL may require an entity to send documents or files upon written request); (3) hearings (i.e., the CNIL may summon representatives of organizations to appear for questioning and provide other necessary information); and (4) since March 2014, online inspections.

On December 11, 2014, in response to a request for a preliminary ruling from the Supreme Administrative Court of the Czech Republic, the Court of Justice of the European Union (“CJEU”) ruled that the use of CCTV in the EU should be strictly limited, and that the exemption for “personal or household activity” does not permit the use of a home CCTV camera that also films any public space.

On October 15, 2014, the UK Information Commissioner’s Office (“ICO”) published a code of practice regarding the use of surveillance cameras (“Code of Practice”). The Code of Practice explains how the legal requirements of the Data Protection Act 1998 apply to operators of surveillance cameras. Practical and technological advancements have led to a wide variety of surveillance camera technologies that differ from traditional CCTV (e.g., Automatic Number Plate Recognition cameras and body-worn cameras). The Code of Practice addresses (1) changes in technology and (2) inconsistent standards that have arisen in various sectors since the ICO last updated its guidance on CCTV systems, which occurred in 2008. In particular, due to technological advancements, surveillance cameras are no longer merely passive recording devices, but rather can be used to identify specific items or individuals, keep detailed records of events, and are increasingly portable and discrete.

On May 19, 2014, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2013 (the “Report”) highlighting its main accomplishments in 2013 and outlining some of its priorities for the upcoming year.

On March 10, 2014, the German Federal Commissioner for Data Protection and Freedom of Information and all 16 German state data protection authorities responsible for the private sector issued guidelines on the use of closed-circuit television (“CCTV”) by private companies. The guidelines provide information regarding the conditions under which CCTV may be used and outline the requirements for legal compliance. The guidelines feature:

On July 3, 2013, the French Data Protection Authority (“CNIL”) released its decision in a case against PS Consulting, imposing a fine of €10,000 on the information systems consulting company for violations related to the operation of its CCTV system.

On April 2, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) that elaborates on the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). The Opinion analyzes the scope of this principle under the Data Protection Directive, clarifies its limits and makes recommendations to strengthen it in the proposed General Data Protection Regulation (the “Proposed Regulation”). It also focuses on how to apply this principle in the context of Big Data and open data.

On March 19, 2013, the French Data Protection Authority (“CNIL”) announced (in French) its annual inspection program, providing an overview of its inspections of data controllers in 2012 and a list of inspections that it plans to conduct in 2013. Under French data protection law, the CNIL is authorized to collect any useful information in connection with its investigations and has access to data controllers’ electronic data and data processing programs.

On November 16, 2011, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2010 (the “Report”) highlighting its main 2010 accomplishments and outlining some of its priorities for the upcoming year. This year’s Report covers events that occurred since last year’s publication of the Annual Activity Report for 2009.

On May 26, 2011, the United Kingdom’s Lord Chancellor and Secretary of State for Justice Kenneth Clarke spoke before the EU Committee of the British Chamber of Commerce in Belgium.  His remarks focused on data protection, a subject he characterized as one “heavily on the agenda” in Brussels and in many EU Member States.  Clarke emphasized his own role as a proponent of data protection and a defender of civil liberties and individual freedom, and discussed the introduction into Parliament of a major bill to enhance individual freedom in the UK.  Key measures in the bill, many of which respond to issues raised over the past few years by the UK Information Commissioner, include:

• Greater independence for the Information Commissioner
• Safeguards against misuse of counter-terrorism stop and search powers
• Further regulation of the use of closed-circuit television monitoring
• Reform of the regulations governing vetting and barring of ex-offenders and persons working with children and vulnerable adults

As we previously reported, Korea's long-awaited Personal Information Protection Act (“PIPA”) was enacted on March 29, 2011.  The law generally requires an individual’s informed consent for the collection, use or disclosure of any personal information by any person, company or government agency.  Kwang Hyun Ryoo from Bae, Kim & Lee LLC in Korea has provided a detailed analysis of the law.

On August 25, 2010, the German government approved a draft law concerning special rules for employee data protection, originally proposed by the Federal Ministry of the Interior.  A background paper on the draft law was published on August 25, 2010.  The draft law would amend the German Federal Data Protection Act (the Bundesdatenschutzgesetz or “BDSG”) by adding provisions that specifically address data protection in the employment context.  Currently, employee data protection is regulated by (1) general provisions in the BDSG, (2) the new Section 32 of the BDSG introduced by the most recent reform in September 2009, (3) the Works Constitution Act, (4) guidance from state data protection authorities, and (5) comprehensive case law from federal and local labor courts.

On June 21, 2010, the French Data Protection Authority (the “CNIL”) published its Opinion on a new security bill, the Loi d'orientation et de programmation de la performance de la sécurité intérieure (referred to as “LOPPSI”), which was adopted by the French National Assembly on February 16, 2010, and recently amended by the Senate's Commission of Laws on June 2, 2010.

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

• ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
• verifying that data controllers comply with the technical recommendations defined in their registration forms; and
• assessing the effectiveness of data protection officers within organizations.