Privacy & Information Security Law Blog

On April 14, 2015, the American Chamber of Commerce in China (“AmCham”) published a report, entitled Protecting Data Flows in the US-China Bilateral Investment Treaty (the “Report”). The Report is part of AmCham’s Policy Spotlight Series. While in principle addressed to the U.S. and Chinese teams that are currently negotiating the Bilateral Investment Treaty, the Report has been made public. It thereby provides insight into the emerging issue of data localization for the benefit of a much wider audience.

On March 26, 2015 the United Nations Human Rights Council (the “Council”) announced that it will appoint a new position as special rapporteur on the right to privacy for a term of three years. The position, which is part of the Council’s resolution, is intended to reaffirm the right to privacy and the right to the protection of the law against any interference on a person’s privacy, family, home or correspondences, as set out in Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights.

On March 9, 2015, the Federal Trade Commission announced that it has entered into a Memorandum of Understanding (the “Memorandum”) with the Dutch Data Protection Authority (the “Dutch DPA”).

On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.

On February 12, 2015, the Office of the Privacy Commissioner of Canada released a research report entitled Privacy and Cyber Security - Emphasizing privacy protection in cyber security activities (the “Report”). The Report explores the interconnected relationship among cybersecurity, privacy and data protection, including common interests and challenges.

On February 4, 2015, the German government adopted a draft law to improve the enforcement of data protection provisions that are focused on consumer protection. As reported earlier, the new law would bring about a fundamental change in how German data protection law is enforced.

On January 28, 2015, the German conference of data protection commissioners hosted a European Data Protection Day event called Europe: Safer Harbor for Data Protection? – The Future Use of the Different Level of Data Protection between the EU and the US.

On January 12, 2015, the European Union Agency for Network and Information Security (“ENISA”) published a report on Privacy and Data Protection by Design - from policy to engineering (the “Report”). The “privacy by design” principle emphasizes the development of privacy protections at the early stages of the product or service development process, rather than at later stages. Although the principle has found its way into some proposed legislation (e.g., the proposed EU General Data Protection Regulation), its concrete implementation remains presently unclear. Hence, the Report aims to promote a discussion on how the principle can be implemented concretely and effectively with the help of engineering methods.

On January 14, 2015, the data protection authority of the German federal state of Schleswig-Holstein (“Schleswig DPA”) issued an appeal challenging a September 4, 2014 decision by the Administrative Court of Appeals, which held that companies using Facebook’s fan pages cannot be held responsible for data protection law violations committed by Facebook because the companies do not have any control over the use of the data.

On January 13, 2015, the French Data Protection Authority (the “CNIL”) published a Referential (the “Referential”) that specifies the requirements for organizations with a data protection officer (“DPO”) in France to obtain a seal for their data privacy governance procedures.

In a decision published on January 6, 2015, the French data protection authority (the “CNIL”) adopted a new Simplified Norm NS 47 (the “Simplified Norm”) that addresses the processing of personal data in connection with monitoring and recording employee telephone calls in the workplace. Data processing operations in compliance with all of the requirements set forth in the Simplified Norm may be registered with the CNIL through a simplified registration procedure. If the processing does not comply with the Simplified Norm, however, a standard registration form must be filed with the CNIL. The Simplified Norm includes the following requirements:

On December 29, 2014, the Commissioner for Data Protection and Freedom of Information of the German state Rhineland-Palatinate issued a press release stating that it imposed a fine of €1,300,000 on the insurance group Debeka. According to the Commissioner, Debeka was fined due to its lack of internal controls and its violations of data protection law. Debeka sales representatives allegedly bribed public sector employees during the eighties and nineties to obtain address data of employees who were on path to become civil servants. Debeka purportedly wanted this address data to market insurance contracts to these employees. The Commissioner asserted that the action against Debeka is intended to emphasize that companies must handle personal data in a compliant manner. The fine was accepted by Debeka to avoid lengthy court proceedings.

On December 11, 2014, in response to a request for a preliminary ruling from the Supreme Administrative Court of the Czech Republic, the Court of Justice of the European Union (“CJEU”) ruled that the use of CCTV in the EU should be strictly limited, and that the exemption for “personal or household activity” does not permit the use of a home CCTV camera that also films any public space.

On December 5, 2014, the Article 29 Working Party (the “Working Party”) published a Working Document on surveillance, electronic communications and national security. The Working Party (which is comprised of the national data protection authorities (“DPAs”) of each of the 28 EU Member States) regularly publishes guidance on the application and interpretation of EU data protection law. Although its views are not legally binding, they are strongly indicative of the way in which EU data protection law is likely to be enforced.

On November 26, 2014, the Article 29 Working Party (the “Working Party”) released a Working Document providing a cooperation procedure for issuing common opinions on whether “contractual clauses” comply with the European Commission’s Model Clauses (the “Working Document”).

On December 2-4, 2014, Asia Pacific Privacy Authority (“APPA”) members and invited observers and guest speakers from government, the private sector, academia and civil society met in Vancouver, Canada, to discuss privacy laws and policy issues. At the end of the open session (or “broader session”) on day two, APPA issued its customary communiqué (“Communiqué”) containing the highlights of the discussions during both the closed session on day one and the open session on day two. A side event on Big Data will be held on the morning of day three (December 4).

On November 26, 2014, the Article 29 Working Party (the “Working Party”) published an Opinion (the “Opinion”) on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (the “Judgment” or “Costeja”). The Opinion constitutes guidance from the Working Party on the implementation of Costeja for search engine operators.

On November 24, 2014, the Polish President Bronisław Komorowski signed into law a bill that was passed by Polish Parliament on November 7, 2014, which amends, among other laws, certain provisions of the Personal Data Protection Act 1997. As a result of the amendments, data controllers will be able to transfer personal data to jurisdictions that do not provide an “adequate level” of data protection without obtaining the prior approval of the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”), provided that they meet certain requirements specified under the bill. In addition, the bill amends Polish law so that it is no longer mandatory to appoint an administrator of information security (administrator bezpieczeństwa informacji or “ABI”). An ABI is similar to a data protection officer but an ABI has narrower responsibilities that predominantly concern data security.

On November 27, 2014, the European Parliament announced that it will appoint Giovanni Buttarelli as the new European Data Protection Supervisor (“EDPS”), and Wojciech Wiewiórowski as the Assistant Supervisor. The announcement has been expected since the Parliament’s Committee on Civil Liberties, Justice and Home Affairs voted on October 20, 2014 for Buttarelli and Wiewiórowski to be the Parliament’s leading candidates for the two positions. The final step of the process is for the Parliament and the Council of the European Union to jointly sign a nomination decision, after which Buttarelli and Wiewiórowski will formally take up their new roles.

On November 18, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) held the second workshop in its ongoing work on the risk-based approach to privacy and a Privacy Risk Framework. Approximately 70 Centre members, privacy regulators and other privacy experts met in Brussels to discuss the benefits and challenges of the risk-based approach, operationalizing risk assessments within organizations, and employing risk analysis in enforcement. In discussing these issues, the speakers emphasized that the risk-based approach does not change the obligation to comply with privacy laws but helps with the effective calibration of privacy compliance programs.

On October 9, 2014, the 88th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for all German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information to share their views on current data protection issues, discuss relevant cases and adopt resolutions aimed at harmonizing how data protection law is applied across Germany. During the conference, several resolutions concerning privacy were adopted.

During the October 14, 2014 closed session of the 36th International Conference of Data Protection and Privacy Commissioners (the “Conference”) held in Balaclava, Mauritius, the host, the Data Protection Office of Mauritius, and member authorities of the Conference issued the “Mauritius Declaration on the Internet of Things,” and four new resolutions – a “Resolution on Accreditation” of new members, a “Resolution on Big Data,” a “Resolution on enforcement cooperation,” and a “Resolution on Privacy in the digital age.” Brief summaries of each of these documents are below.

On October 6, 2014, the Irish Office of the Data Protection Commissioner (“ODPC”) announced its success in bringing prosecution proceedings against M.C.K Rentals Limited (“MCK”), a firm of private investigators, and its two directors, for breaches of the Irish Data Protection Acts 1998 and 2003. Specifically MCK and its directors were found to have (1) obtained personal data without the prior authority of the data controller who was responsible for the data and (2) disclosed the personal data obtained to various third parties.

On September 18, 2014, the Article 29 Working Party (the “Working Party”) announced its decision to establish a common approach to the right to be forgotten (the “tool-box”). This tool-box will be used by all EU data protection authorities (“DPAs”) to help address complaints from search engine users whose requests to delete their search result links containing their personal data were refused by the search engines. The development of the tool-box follows the Working Party’s June 2014 meeting discussing the consequences of the European Court of Justice’s judgment in Costeja of May 13, 2014.

On September 18, 2014, the French Data Protection Authority (the “CNIL”) announced plans to review 100 French websites on September 18-19, 2014. This review is being carried out in the context of the European “cookies sweep day” initiative, an EU online compliance audit. The Article 29 Working Party organized this joint action, which runs from September 15-19, 2014, to verify whether major EU websites are complying with EU cookie law requirements.

On September 10, 2014, the Global Privacy Enforcement Network (“GPEN”) published the results of an enforcement sweep carried out in May of this year to assess mobile app compliance with data protection laws. Twenty-six data protection authorities worldwide evaluated 1,211 mobile apps and found that a large majority of the apps are accessing personal data without providing adequate information to users.

On September 10, 2014, Helen Dixon was announced as the new Data Protection Commissioner for Ireland. Dixon currently is registrar of the Companies Registration Office and has experience in both the private and public sectors, including senior management roles in the Department of Jobs. Dixon will take up her appointment over the coming weeks, succeeding Billy Hawkes in the role. Hawkes has served as Commissioner for two terms since 2005.

On July 28, 2014, the UK Information Commissioner’s Office (“ICO”) released a comprehensive report on Big Data and Data Protection (the “Report”). This is the first big data guidance prepared by a European data protection authority. The Report describes what is meant by “big data,” the privacy issues big data raises, and how to comply with the UK’s Data Protection Act in the context of big data.

On July 22, 2014, the Data Security Council of India (“DSCI”) announced that it has deemed Vodafone India Limited (“Vodafone”) a “DSCI Privacy Certified” organization. The certification, which is designed to help companies “demonstrate the privacy practices to relevant stakeholders and enhance trust,” is the first for a telecommunications company in India.

On July 11, 2014, the French Data Protection Authority (the “CNIL”) announced that, starting in October 2014, it will conduct on-site and remote inspections to verify whether companies are complying with its new guidance on the use of cookies and other technologies. These inspections will take place in connection with the European “cookies sweep day” initiative, which will be launched from September 15 – 19, 2014. During that initiative, each EU data protection authority will review how users are informed of, and consent to the use of, cookies.

On June 18, 2014, the German state data protection authorities responsible for the private sector (the Düsseldorfer Kreis) issued guidelines concerning the data protection requirements for app developers and app publishers (the “Guidelines”). The Guidelines were prepared by the Bavarian state data protection authority and cover requirements in Germany’s Telemedia Act as well as the Federal Data Protection Act. Topics addressed in the 33-page document include:

On June 6, 2014, Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, outlined the progress that has been made with respect to the proposed EU General Data Protection Regulation (the “Proposed Regulation”) in a meeting of the Council of the European Union, acting through the Justice Council (the “Council”). In particular, the Council has agreed on two important aspects of the Proposed Regulation.

On June 3 and 4, 2014, the Article 29 Working Party held a meeting to discuss the consequences of the European Court of Justice’s May 13, 2014 judgment in Costeja, which is widely described as providing a “right to be forgotten.” Google gave effect to the Costeja decision by posting a web form that enables individuals to request the removal of URLs from the results of Google searches that include that individual’s name. The Working Party announced that it welcomed Google’s initiative, but pointed out that it is “too early to comment on whether the form is entirely satisfactory.” The Working Party also announced that it will prepare guidelines to ensure a common approach to the implementation of Costeja by the national data protection authorities. Finally, the Working Party called on search engine operators to implement user-friendly processes that enable users to exercise their right to deletion of search result links containing their personal data.

On May 30, 2014, Google posted a web form that enables individuals to request the removal of URLs from the results of searches that include that individual’s name. The web form acknowledges that this is Google’s “initial effort” to give effect to the recent and controversial decision of the Court of Justice of the European Union in Costeja, widely described as providing a “right to be forgotten.” That Google has moved quickly to offer individuals a formal removal request process will be viewed favorably, but the practicalities of creating a removals process that satisfies all interested parties will remain challenging, and not just for Google.

On May 13, 2014, the European Court of Justice (the “CJEU”) rendered its judgment in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v. AEPD” or the “case”). The case concerns a request made by a Spanish individual, Mr. Costeja, to the Spanish Data Protection Authority (Agencia Española de Protección de Datos or “AEPD”) to order the removal of certain links from Google’s search results. The links relate to an announcement in an online newspaper of a real estate auction for the recovery of Mr. Costeja’s social security debts. The information was lawfully published in 1998, but Mr. Costeja argued that the information had become irrelevant as the proceedings concerning him had been fully resolved for a number of years. The AEPD upheld the complaint and ordered Google Spain S.L. and Google Inc. (“Google”) to remove the links from their search results. Google appealed this decision before the Spanish High Court, which referred a series of questions to the ECJ for a preliminary ruling. The ECJ ruled as follows:

On May 19, 2014, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2013 (the “Report”) highlighting its main accomplishments in 2013 and outlining some of its priorities for the upcoming year.

On May 13, 2014, the French data protection authority (“CNIL”) decided to examine 100 mobile apps most commonly used in France.

On May 9, 2014, the Federal Trade Commission announced a settlement with clothing manufacturer American Apparel related to charges that the company falsely claimed to comply with the U.S.-EU Safe Harbor Framework. According to the FTC’s complaint, the company violated Section 5 of the FTC Act by deceptively representing, through statements in its privacy policy, that it held a current Safe Harbor certification even though it had allowed the certification to expire.

On February 18, 2014, the Frankfurt am Main Regional Court issued a ruling addressing the use of opt-out notices for web analytics tools. The case concerned Piwik web analytics software and its “AnonymizeIP” function. The court held that website users must be informed clearly about their right to object to the creation of pseudonymized usage profiles. This information must be provided when a user first visits the website (e.g., via a pop-up or highlighted/linked wording on the first page) and must be accessible at all times (e.g., via a privacy notice).

On April 9, 2014, the Article 29 Working Party (the “Working Party”) issued an Opinion on using the “legitimate interests” ground listed in Article 7 of the EU Data Protection Directive 95/46/EC as the basis for lawful processing of personal data. Citing “legitimate interests” as a ground for data processing requires a balancing test, and it may be relied on only if (1) the data processing is necessary for the legitimate interests of the controller (or third parties), and (2) such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. With the Opinion, the Working Party aims to ensure a common understanding of this concept.

On April 10, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 04/2014. The Opinion analyzes the implications of electronic surveillance programs on the right to privacy and provides several recommendations for protecting EU personal data in the surveillance context.

On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.

On March 10, 2014, the German Federal Commissioner for Data Protection and Freedom of Information and all 16 German state data protection authorities responsible for the private sector issued guidelines on the use of closed-circuit television (“CCTV”) by private companies. The guidelines provide information regarding the conditions under which CCTV may be used and outline the requirements for legal compliance. The guidelines feature:

On March 6, 2014 the Article 29 Working Party (the “Working Party”) published a comprehensive Opinion: Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross-Border Privacy Rules submitted to APEC CBPR Accountability Agents. This blog post provides an overview of the Opinion.

On March 6, 2014, the U.S. Federal Trade Commission (“FTC”) and UK Information Commissioner’s Office (“ICO”) signed a memorandum of understanding (“MOU”) to promote increased cooperation and information sharing between the two enforcement agencies.

On January 31, 2014, the Greek Presidency of the Council of the European Union issued four notes regarding the proposed EU Data Protection Regulation. These notes, discussed below, address the following topics: (1) one-stop-shop mechanism; (2) data portability; (3) data protection impact assessments and prior checks; and (4) rules applicable to data processors.

On February 11, 2014, the Federal Trade Commission announced a proposed settlement with Fantage.com stemming from allegations that the company made statements in its privacy policy that deceptively claimed that Fantage.com was complying with the U.S.-EU Safe Harbor Framework.

On January 21, 2014, the Federal Trade Commission announced settlements with twelve companies that allegedly falsely claimed that they complied with the U.S.-EU Safe Harbor Framework. The settlements stem from allegations that the companies violated Section 5 of the FTC Act by falsely representing that they held current Safe Harbor certifications despite having allowed their certifications to expire. The companies involved represent a variety of industries, ranging from technology and accounting to consumer products and National Football League teams.

As reported by Bloomberg BNA, on January 13, 2014, Ukrainian Parliament Commissioner for Human Rights Valeriya Lutkovska (the “Ombudsman”) announced the adoption of new data protection regulations. The Ombudsman became the new data protection authority in Ukraine as of January 1, 2014, when amendments to abolish the previous data protection authority became effective. As we previously reported, Ukraine first passed personal data protection legislation in June 2010.

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines were published in November 2012.

On November 27, 2013, the European Commission published an analysis of the EU-U.S. Safe Harbor Framework, as well as other EU-U.S. data transfer agreements. The analysis includes the following documents:

The Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

On November 14, 2013, the Minister of the Malaysian Communications and Multimedia Commission (the “Minister”) announced that Malaysia’s Personal Data Protection Act 2010 (the “Act”) would be going into effect as of November 15, marking the end of years of postponements. The following features of the law are of particular significance:

On November 4, 2013, the data protection authority (“DPA”) of the German state of Rhineland-Palatinate announced two sets of recommendations for mobile payment systems, including contactless payments. The recommendations were prepared in conjunction with the state consumer protection agency, the Ministry of Justice for Rhineland-Palatinate, the mobile payment industry and research organizations.

On October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). The approval follows months of negotiations between the various parliamentary committees. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) has been in charge of working toward an agreement on the Compromise Text in the European Parliament.

On October 2, 2013, the 86th Conference of the German Data Protection Commissioners concluded in Bremen. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On October 4, 2013, The Centre for Information Policy Leadership’s Senior Policy Advisor Fred Cate reported on the 35th International Conference of Data Protection and Privacy Commissioners which concluded on September 24 in Warsaw, Poland. The report indicates that four main issues dominated the Conference: (1) challenges presented by technologies such as mobile apps and online profiling, (2) multinational interoperability and enforcement, (3) pending EU data protection regulation and alternatives, and (4) repercussions of NSA surveillance activities.

On September 24, 2013, the Singapore Personal Data Protection Commission (the “Commission”) published guidelines to facilitate implementation of the Singapore Personal Data Protection Act (the “PDPA”). The Advisory Guidelines on Key Concepts in the Personal Data Protection Act and the Advisory Guidelines on the Personal Data Protection Act for Selected Topics provide explanations of concepts underlying the data protection principles in the PDPA, and offer guidance on how the Commission may interpret and apply the PDPA with respect to certain issues (e.g., anonymization, employment, national identification numbers). The guidelines are advisory only; they are not legally binding.

On September 23 and 24, 2013, a declaration and eight resolutions were adopted by the closed session of the 35th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. This blog post provides an overview of the declaration and the most significant resolutions.

On September 5, 2013, the 16 German state data protection authorities and the Federal Commissioner for Data Protection and Freedom of Information (the “DPAs”) passed a resolution concerning recent revelations about the PRISM, Tempora and XKeyscore surveillance programs.

As reported by Bloomberg BNA, the South African Parliament passed the Protection of Personal Information Bill on August 22, 2013. The bill, which was sent to President Jacob Zuma to be signed into law, represents South Africa’s first comprehensive data protection legislation.

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

On July 24, 2013, the Conference of the German Data Protection Commissioners at both the Federal and State levels issued a press release stating that surveillance activities by foreign intelligence and security agencies threaten international data traffic between Germany and countries outside the EEA.

On June 25, 2013, the Belgian Data Protection Authority (the “Privacy Commission”) and the Belgian Ministry of Justice agreed on a Protocol establishing new rules for the approval of international data transfer agreements.

Senior Attorney Rosemary Jay reports from London:

On June 25, 2013, Advocate-General Jääskinen of the European Court of Justice (“ECJ”) delivered his Opinion in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v AEPD” or the “case”).

The case concerns Google Search results, and whether individuals have a right to erasure of search result links about them. The Opinion concludes that under current law, individuals have no such right. The European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) would introduce a right to be forgotten. However, this Opinion appears to demonstrate unease with the basic concept of such a right.

In a recording prepared for the Centre for Information Policy Leadership at Hunton & Williams LLP’s (“Centre’s”) annual retreat, former UK Information Commissioner and Centre Global Strategy Advisor Richard Thomas discussed some of the challenges facing Big Data with respect to the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC. In April 2013, the Article 29 Working Party adopted an Opinion on this topic, focusing on how to apply the purpose limitation principle in the Big Data context. Richard Thomas ...

On July 1, 2013, the Republic of Croatia joined the European Union, increasing the number of EU Member States to 28. As of the day of its accession, Croatia must implement the acquis communautaire (the complete body of the EU legislation), which includes the EU Data Protection Directive 95/46/EC (“Data Protection Directive”).

The Centre for Information Policy Leadership at Hunton & Williams LLP is pleased to announce that Bojana Bellamy, global director of data privacy for Accenture, will be joining the firm as president of the Centre, effective September 2, 2013. Current Centre President, Marty Abrams, who is retiring on September 1, will stay on as an advisor to the Centre.

The Bavarian data protection authority recently updated its compliance initiative regarding online tracking tools to include Adobe’s online tracking product (Adobe Analytics (Omniture)). As with previous initiatives of this nature, the underlying analyses were carried out in an automated manner, using a program specifically developed by the Bavarian data protection authority to verify compliance.

On June 14, 2013, the European Data Protection Supervisor (the “EDPS”) issued an Opinion regarding a joint communication by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, Cyber Security Strategy of the European Union: an Open, Safe and Secure Cyberspace (the “Strategy”), as well as the European Commission’s proposed draft directive to ensure uniformly high security measures for network and information security across the EU (the “NIS Directive”). The EDPS welcomes recognizing privacy and data protection as core values of a robust cybersecurity policy, as opposed to separating out security and privacy, but draws attention to several deficiencies, stating that “the ambitions of the strategy are not reflected in how it will be implemented.”

On June 3, 2013, the French Data Protection Authority (“CNIL”) published an article outlining the importance of binding corporate rules (“BCRs”) for data processors, and describing how to use them.

On June 5, 2013, Hunton & Williams hosted a seminar in the firm’s London office: Tracking the Draft EU Regulation ̶ General Update and the Concept of the “One-Stop Shop.” Bridget Treacy, Rosemary Jay and Tim Hickman of Hunton & Williams gave a presentation on the operation and effects of the “consistency mechanism” to be introduced in the proposed General Data Protection Regulation. The June 5 update was the most recent in Hunton & Williams’ ongoing series of Executive Briefings on the Proposed Regulation. The consistency mechanism is intended to ensure that, once the ...

On May 13, 2013, the Article 29 Working Party (the “Working Party”) adopted an Advice Paper on profiling (the “Advice Paper”). The Advice Paper serves as the national data protection authorities’ contribution to the ongoing legislative debate before the European Parliament and the Council of the European Union on the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

On May 7, 2013, the Federal Trade Commission announced that it issued letters to ten data broker companies warning that their practices could violate prohibitions against selling consumer information under the Fair Credit Reporting Act (“FCRA”). The FTC identified the ten data broker companies after a test-shopping operation that indicated these companies were willing to sell consumer information without adhering to FCRA requirements.

On May 6, 2013, the Global Privacy Enforcement Network (“GPEN”) announced its first “Internet Privacy Sweep,” in which 19 data protection authorities are participating. This joint effort, which runs May 6-12, 2013, involves a review of the information notices posted online by major websites.

The Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) has activated the website for the 35th International Conference of Data Protection and Privacy Commissioners to be held in Warsaw, Poland, September 23-26, 2013. The conference theme is “A Compass in a Turbulent World.” Unlike past years, the conference will begin with the closed session for commissioners and concurrent side events. The open conference will take place on September 25 and 26. GIODO currently is working on the conference agenda with an advisory committee that ...

On April 29, 2013, the Belgian Privacy Commission announced that it referred a data breach case involving The National Belgian Railway Company to the Brussels Public Prosecutor. The data breach, which occurred in December 2012, resulted in the 1.46 million sets of customer data being made publicly available online. The Privacy Commission investigated the case and concluded that there had been a violation of the Belgian Data Protection Act, but since the Privacy Commission does not have the authority to impose sanctions for the violation, it referred the case to the prosecutor’s office to initiate criminal proceedings. The Privacy Commission commented that this is the first time that it has referred a data breach case to the Public Prosecutor.

On April 22, 2013, the higher administrative court of Schleswig issued two decisions rejecting an appeal by the data protection authority of Schleswig-Holstein (“Schleswig DPA”) that sought to challenge a lower court’s earlier rulings in Facebook’s favor.

On March 21-22, 2013, the data protection authorities (“DPAs”) of the Baltic states of Estonia, Latvia and Lithuania met in Riga, Latvia, for their second annual meeting to discuss several practical cooperation matters regarding data protection.

On March 26, 2013, the Article 29 Working Party issued a press release on the recent developments concerning cooperation between the EU and the Asia-Pacific Economic Cooperation group (“APEC”) on cross-border data transfer rules. A joint EU-APEC committee, which includes the French and German data protection authorities as well as the European Data Protection Supervisor and the European Commission, has been studying similarities and differences between the EU’s binding corporate rules (“BCRs”) framework and APEC Cross-Border Privacy Rules. The committee’s goal is to facilitate data protection compliance in this area for international businesses operating in the EU and the APEC region, including by creating a common frame of reference for both sets of cross-border data transfer rules.

On March 19, 2013, the French Data Protection Authority (“CNIL”) announced (in French) its annual inspection program, providing an overview of its inspections of data controllers in 2012 and a list of inspections that it plans to conduct in 2013. Under French data protection law, the CNIL is authorized to collect any useful information in connection with its investigations and has access to data controllers’ electronic data and data processing programs.

On March 20, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (”Proposed Regulation”). The LIBE Committee Chair, Juan Fernando López Aguilar, noted that 2,783 amendments to the Proposed Regulation and 504 amendments to the proposed Police and Criminal Justice Directive (“Proposed Directive”) have been tabled.

On March 14, 2013, the 85th Conference of the German Data Protection Commissioners concluded in Bremerhaven. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On March 5, 2013, Costa Rica published the Reglamento a la Ley de Protección de la Persona Frente al Tratamiento de sus Datos Personales (Regulations of the Law of Protection of the Person in the Processing of His Personal Data) (the “Regulations”). The wide-ranging Regulations, which took effect immediately, expand and clarify many aspects of the underlying law and include the requirements described below.

The French Data Protection Authority (the “CNIL”) reports that in late January 2013, representatives of the Article 29 Working Party and the Asia-Pacific Economic Cooperation group (“APEC”) met in Jakarta, Indonesia, to discuss interoperability between EU Binding Corporate Rules and APEC Cross-Border Privacy Rules governing international data transfers. The U.S. Department of Commerce also is participating in the process to develop a roadmap for future progress toward establishing tools companies can use to facilitate true interoperability ...

On March 6, 2013, the French Data Protection Authority (the “CNIL”) announced that it launched a consultation of relevant private and public actors for the purpose of determining whether the CNIL should adopt an initiative on “Open Data.”

On February 27, 2013, the Article 29 Working Party (the “Working Party”) issued a statement on the European Commission’s proposed revised data protection framework (“Statement”), including the proposed General Data Protection Regulation (“Proposed Regulation”). The Working Party offered amendments to the Proposed Regulation in the form of two Annexes to the Statement on the topics of competence and lead data protection authority (“DPA”) and the exemption for household or personal activities.

Following up on its February 5, 2013 consultation paper, Singapore’s Personal Data Protection Commission has issued two additional public consultation papers concerning the guidelines the Commission is empowered to issue under the new data protection law. The first proposed set of advisory guidelines examines key concepts in the Personal Data Protection Act (“PDPA”), with thorough discussions of definitions as well as data protection obligations set forth in the PDPA. The second paper addresses selected topics: analytics and research, anonymization, employment, use of national ID numbers and online activities. In addition, the Commission has produced a cover note on how to submit comments on these public consultations.

On January 17, 2013, Mexico’s Ministry of Economy published its Lineamientos del Aviso de Privacidad (in Spanish) (“Privacy Notice Guidelines” or “Guidelines”), which it prepared in collaboration with the Mexican data protection authority. The Guidelines introduce heightened notice and opt-out requirements for the use of cookies, web beacons and similar technology, and they impose extensive requirements on the content and delivery of privacy notices generally (with respect to all personal data, not just data collected via cookies and other automated means). The Guidelines will take effect in mid-April.

On February 5, 2013, Singapore’s new data protection agency, the Personal Data Protection Commission, published its first consultation paper (the “Paper”) articulating proposals for a data protection regulation. The Paper outlines the Commission’s positions on three key issues: (1) requests for access and correction; (2) transfer of personal data outside of Singapore; and (3) individuals who may act for others under the Personal Data Protection Act (“PDPA”). The PDPA was passed by the Singapore Parliament in October 2012 and became law in January 2013.

On January 28, 2013, the London office of Hunton & Williams marked European Data Privacy Day with the launch of the fourth edition of Data Protection Law & Practice, written by Senior Attorney Rosemary Jay. A panel comprised of the current UK Information Commissioner, Christopher Graham; his three predecessors, Eric Howe CBE, Elizabeth France CBE and Richard Thomas CBE; and the UK Minister of State for Justice, Lord McNally, spoke at the event and provided a retrospective on data protection in the United Kingdom since the Information Commissioner’s Office’s (“ICO’s”) inception in 1984.

Following up on the UK Information Commissioner’s Office’s (“ICO’s”) positive reaction to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”), the ICO has now published additional thoughts on the European Commission’s proposed revised data protection framework, reacting to the recent draft report prepared by the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs, Jan Philipp Albrecht. In February 2012, the ICO released an initial analysis of the Commission’s package of proposals, which included the proposed Police and Criminal Justice Data Protection Directive (“Proposed Directive”).

On January 10, 2013, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), Jan Philipp Albrecht, presented his draft report (the “Report”) on the proposed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) to the LIBE Committee.

On December 19, 2012, the Irish Data Protection Commissioner (“DPC”) wrote to 80 website operators requesting details regarding how they are complying with recent changes to Irish law governing the use of cookies and other similar technologies (SI 336/ 2011, the “Regulations”). The letter expects website operators, which include government departments as well as companies, to comply fully with the Regulations, which took effect 18 months ago and require user consent before deploying or accessing cookies or other information stored on users’ computer equipment. If the relevant organizations have not yet achieved compliance, they are expected to provide an explanation to the DPC explaining “why it has not been possible to comply by now, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.”

On December 21, 2012, the Article 29 Working Party issued a press release announcing the launch of Binding Corporate Rules (“BCRs”) for processors effective January 1, 2013. This announcement follows the Article 29 Working Party’s adoption of a Working Document (WP 195) on June 6, 2012, which set forth requirements for BCRs for processors, and an application form for submitting BCRs for processors issued on September 17, 2012.

On November 23, 2012, a German data protection working group on advertising and address trading published guidelines (in German) on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA.

On November 23, 2012, the German Federal Council (Bundesrat or the “Council”) published its comments on the European Commission’s strategy on cloud computing and also submitted them to the Commission.

On November 20, 2012, the European Network and Information Security Agency (“ENISA”) published a new report entitled “The Right to Be Forgotten – Between Expectations and Practice.” The report complements two earlier papers which focused on data collection and storage and online behavioral advertising, and focuses on the technical implications of the proposed General Data Protection Regulation’s new right to be forgotten.

On December 3, 2012, the Centre for Information Policy Leadership (the “Centre”) at Hunton & Williams will co-host a special International Association of Privacy Professionals (“IAPP”) KnowledgeNet meeting in Brussels, Belgium. The meeting will explore global developments in accountability in the context of the proposed EU Data Protection Regulation and the impact of accountability on data protection management.

On November 20, 2012, the UK Information Commissioner’s Office (“ICO”) published “Anonymisation: Managing Data Protection Risk Code of Practice” (the “Code”). The purpose of the Code is to provide organizations with a framework for assessing the risks of anonymization. It also sets forth good practice recommendations that may be adopted by organizations to provide a “reasonable degree of confidence” that the publication and sharing of anonymized data will not lead to an “inappropriate disclosure of personal data.” The published Code follows a consultation on the same topic earlier this year. The ICO also announced the creation of the UK Anonymisation Network, which will promote the sharing of good practices related to anonymization across the public and private sectors.