Privacy & Information Security Law Blog

On January 10, 2019, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the case of Google v. CNIL, which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views concerning the territorial scope of the right to be forgotten under the relevant EU Data Protection Directive in the case at hand.

On December 20, 2018, the French data protection authority (the “CNIL”) announced that it levied a €400,000 fine on Uber France SAS, the French establishment of Uber B.V. and Uber Technologies Inc., for failure to implement some basic security measures that made possible the 2016 Uber data breach.

The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as European Union Agency for Network and Information and Security, or “ENISA”) and introduce an EU-wide cybersecurity certification for services and devices.

On November 23, 2018, the European Data Protection Board (“EDPB”) published its long-awaited draft guidelines on the extraterritorial application of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). To date, there has been a degree of uncertainty for organizations regarding the scope of the GDPR’s application outside of the EU. While the Guidelines provide some clarity on this issue, questions will remain for non-EU controllers and processors. Importantly, these Guidelines are only in draft form and are open for consultation until January 18, 2019, which will give organizations an opportunity to provide comments and raise additional questions in an effort to obtain further clarification from the EDPB on these important scoping questions.

On September 5, 2018, the European Commission (the “Commission”) announced in a press release the launch of the procedure to formally adopt the Commission’s adequacy decision with respect to Japan.

On July 12, 2018, British Prime Minister Theresa May presented her Brexit White Paper, “The Future Relationship Between the United Kingdom and the European Union,” (the "White Paper”) to Parliament. The White Paper outlines the UK’s desired future relationship with the EU post-Brexit, and includes within its scope important data protection-related issues, including digital trade, data flows, cooperation for the development of Artificial Intelligence (“AI”), and the role of the Information Commissioner’s Office (“ICO”), as further discussed below:

On July 17, 2018, the European Union and Japan successfully concluded negotiations on a reciprocal finding of an adequate level of data protection, thereby agreeing to recognize each other’s data protection systems as “equivalent.” This will allow personal data to flow safely between the EU and Japan, without being subject to any further safeguards or authorizations. 

On January 10, 2017, the European Commission adopted a proposal for a Regulation on Privacy and Electronic Communications (“ePR”). On June 8, 2018, the Council of the European Union’s Bulgarian Presidency presented a progress report (the “Report”) on the draft ePR to the Transport, Telecommunications and Energy Council. The Report reflects on the amendments presented in the May 2018 Examination of the Presidency text. The Report is split into two sections: Annex I, a progress report, and Annex II, questions for the policy debate.

On May 14, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a study on how the ePrivacy Regulation will affect the design and user experiences of digital services (the “Study”). The Study was prepared by Normally, a data product and service design studio, whom CIPL had asked for an independent expert opinion on user experience design.

On April 11, 2018, the Article 29 Working Party (the “Working Party”) adopted two Recommendations on the Standard Application for Approval of Data Controller or Processor Binding Corporate Rules for the Transfer of Personal Data (the “Recommendations”). Binding Corporate Rules (“BCRs”) are one of the mechanisms offered to companies to transfer data outside the European Economic Area to a country which does not provide an adequate level of protection for the data according to Article 45 of the GDPR. These Recommendations, in the form of questionnaires, are intended to help BCR applicants demonstrate how they fulfill the requirements of Article 47 of the GDPR.

On February 7, 2018, representatives of European Data Protection Authorities (“DPAs”) met in Brussels to appoint the new leader of the current Article 29 Data Protection Working Party (the “Working Party”). Andrea Jelinek, head of the Austrian DPA, was elected to the post and will replace Isabelle Falque-Pierrotin, leader of the French DPA, who has represented the Working Party over the past four years.

On January 24, 2018, the European Commission issued a communication to the European Parliament and the Council (the “Communication”) on the direct application of the EU General Data Protection Regulation (“GDPR”). The Communication (1) recounts novel elements of the GDPR that create stronger protections for individuals and new opportunities for organizations; (2) reviews preparatory work undertaken to date for GDPR implementation; (3) outlines remaining steps for successful preparation; and (4) outlines measures the European Commission intends to take up until May 25, 2018.

Recently, the EU’s Article 29 Working Party (”Working Party”) held a plenary meeting to discuss, among other things, the implementation of the EU General Data Protection Regulation (“GDPR”) and the EU-U.S. Privacy Shield. As well as adopting its first Joint Annual Review Report on the Privacy Shield, the Working Party has been working on a number of documents that offer review and/or guidance on the GDPR, including:

• guidelines on (1) consent and transparency, (2) data protection certifications, and (3) derogations for personal data transfers under the GDPR;
• updated “referentials” on adequacy and binding corporate rules for data controllers and processors; and
• tools for cooperation between data protection authorities on data breach notifications.

On November 29, 2017, the EU’s Article 29 Working Party (”Working Party”) announced the establishment of a task force to coordinate the plethora of national investigations throughout the EU into Uber’s 2016 data breach that affected approximately 57 million users worldwide. The task force is being led by the data protection authority (”DPA”) in the Netherlands, where Uber has its EU headquarters, and includes representatives from the DPAs in France, Italy, Germany, Belgium, Spain and the United Kingdom.

On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice.

On October 19, 2017, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) narrowly voted to approve an amended version of the e-Privacy Regulation (“Regulation”). The committee vote is an important step in the process within the European Parliament. This vote will be followed by a vote of the European Parliament in its plenary session on October 23-26. If the plenary also votes in favor, the European Parliament will have a mandate to begin negotiations with the Member States in the Council. If these negotiations (commonly known as “trilogue”) succeed, the Regulation will be adopted.

On September 13, 2017, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy published a Joint Communication to the European Parliament and the Council of the European Union on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” (“Joint Communication”). This Joint Communication is part of a package of EU documents adopted on the same date aimed at delivering a stronger EU response to cyber attacks. In particular, the Joint Communication puts forward targeted measures to (1) build greater EU resilience to cyber attacks, (2) better detect cyber attacks, and (3) strengthen international cooperation on cybersecurity.

On August 7, 2017, the UK Government’s Department for Culture, Media and Sport published a Statement of Intent setting out the planned reforms to be included in the forthcoming Data Protection Bill, which we previously reported is expected to be laid before the UK Parliament in early September.

On July 18, 2017, the European Union Committee of the UK’s House of Lords published its paper, Brexit: the EU data protection package (the “Paper”). The Paper urges the UK government to make good on its stated aim of maintaining unhindered and uninterrupted data flows between the UK and EU after Brexit, and examines the options available to ensure that this occurs. It warns that data flows have become so valuable to cross-border business that failure to establish an adequate framework could hamper EU-UK trade.

On June 7, 2017, the European Commission published a paper signalling the EU’s intention to increase its role in directing cybersecurity policy and responses across its member states. The increasing threat posed by cyber attacks is highlighted in the EU Commission’s Reflection Paper on the Future of European Defence, which builds its case for closer union in respect of defense efforts.

Recently, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations on the key concepts of transparency, consent and legitimate interest under the EU General Data Protection Regulation (“GDPR”).

With just under one year to go before the EU General Data Protection Regulation (“GDPR”) becomes law across the European Union, the UK Information Commissioner’s Office (“ICO”) has continued its efforts to help businesses prepare for the new law. The ICO also has taken steps to address its own role post-Brexit.

On April 4, 2017, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the Proposed Regulation of the European Commission for the ePrivacy Regulation (the “Proposed ePrivacy Regulation”). The Proposed ePrivacy Regulation is intended to replace the ePrivacy Directive and to increase harmonization of ePrivacy rules in the EU. A regulation is directly applicable in all EU Member States, while a directive requires transposition into national law. 

On April 5, 2017, the Article 29 Working Party (“Working Party”) adopted the final versions of its guidelines (the “Guidelines”) on the right to data portability, Data Protection Officers (“DPOs”) and Lead Supervisory Authority (“SA”), which were first published for comment in December 2016. The final publication of these revised guidelines follows the public consultation which ended in February 2017.

On February 2, 2017, the UK government published a white paper entitled The United Kingdom’s exit from and new partnership with the European Union (the “white paper”). The white paper strikes a conciliatory tone, making it clear that the UK intends to maintain close ties with the European Union and its 27 remaining Member States after Brexit. A large portion of the white paper is devoted to discussing the issues at the heart of the 2016 Brexit referendum, such as immigration controls, continuing trade with the EU and the protection of individuals’ rights conferred under EU law. Among the rights addressed is the free flow of personal data between the UK and the EU.

On January 31, 2017, the Times of London reported that UK Prime Minister Theresa May plans to invoke Article 50 of the Treaty on European Union on March 9, 2017, meaning that formal Brexit negotiations with the EU could begin thereafter. This coincides with a two-day European Council summit in Malta which the leaders of all 28 EU Member States will be attending. The report in the Times of London states that the government informed the House of Lords yesterday that it intends to secure the approval of the European Union (Notification of Withdrawal) Bill (the “Bill”)—which would give the Prime Minister the legislative power to trigger Article 50—on March 7, 2017, just two days before the summit.

On January 25, 2017, President Trump issued an Executive Order entitled “Enhancing Public Safety in the Interior of the United States.” While the Order is primarily focused on the enforcement of immigration laws in the U.S., Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This provision has sparked a firestorm of controversy in the international privacy community, raising questions regarding the Order’s impact on the Privacy Shield framework, which facilitates lawful transfers of personal data from the EU to the U.S. While political ramifications are certainly plausible from an EU-U.S. perspective, absent further action from the Trump Administration, Section 14 of the Order should not impact the legal viability of the Privacy Shield framework.

On January 10, 2017, the European Commission published a communication addressed to the European Parliament and European Council on Exchanging and Protecting Personal Data in a Globalized World (the “Communication”). The Communication aims to facilitate commercial data flows and foster law enforcement cooperation. In the Communication, the European Commission states that it will:

On January 10, 2017, the European Commission announced the final elements of its long-awaited “digital single market” strategy for Europe. The announcement includes two new proposed EU regulations as well as a European Commission Communication, as described below.

On December 12, 2016, Politico reported that the European Commission intends to replace the e-Privacy Directive with a Regulation. The planned shift from a Directive to a Regulation has important legal consequences under EU law, as it means that instead of creating a floor upon which EU Member States may base the creation of their own versions of the law, a Regulation will create a harmonized set of requirements at the EU level that are directly applicable in the Member States.

On November 30, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on The One-Stop-Shop and the Lead DPA as Co-operation Mechanisms in the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the One-Stop-Shop (“OSS”) and lead DPA, which will become effective on May 25, 2018.

Recently, German Chancellor Angela Merkel spoke at Germany’s 10th National IT Summit, and called for EU Member States to take a pragmatic approach to the application of EU data protection laws. Chancellor Merkel warned that a restrictive interpretation of data protection laws risks undermining the development of big data projects in the EU. Ahead of the introduction of the General Data Protection Regulation throughout the EU in May 2018, Merkel argued that, more than simply preventing the excesses of personal data use, data protection law should serve to enable emerging data ...

Earlier this month, at a meeting of the Article 31 Committee, the European Commission (“Commission”) unveiled two draft Commission Implementing Decisions that propose amendments to the existing adequacy decisions and decisions on EU Model Clauses.

In September, the Centre for Information Policy Leadership (“CIPL”) held its second GDPR Workshop in Paris as part of its two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster a culture of trust and collaboration between regulators and industry.  

On September 27, 2016, Cloud Infrastructure Services Providers in Europe (“CISPE”) published its Data Protection Code of Conduct (the “Code”). CISPE, a relatively new coalition of more than 20 cloud infrastructure providers with operations in Europe, has focused the Code on transparency and compliance with EU data protection laws.

On September 27, 2016, the French Data Protection Authority (“CNIL”) announced the adoption of two new decisions, Single Authorizations AU-052 and AU-053, that will now cover all biometric access control systems in the workplace. These two new decisions repeal and replace the previous biometric decisions adopted by the CNIL and lay down the CNIL’s new position on biometric systems used to control access to the premises, software applications and/or devices in the workplace.  

On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.

Background

Following the launch of Microsoft’s new operation system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their relevant EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.

On July 19, 2016, Advocate General Saugmandsgaard Oe (“Advocate General”), published his Opinion on two joined cases relating to data retention requirements in the EU, C-203/15 and C-698/15. These cases were brought following the Court of Justice for the European Union’s (“CJEU's”) decision in the Digital Rights Ireland case, which invalidated Directive 2006/24/EC on data retention. The two cases, referred from courts in Sweden and the UK respectively, sought to establish whether a general obligation to retain data is compatible with the fundamental rights to privacy and data protection under EU law.

On July 12, 2016, the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, and U.S. Secretary of Commerce Penny Pritzker announced the formal adoption of the EU-U.S. Privacy Shield (the “Privacy Shield”) framework, composed of an Adequacy Decision and accompanying Annexes.

On July 6, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on video surveillance under the EU General Data Protection Regulation (“GDPR”).

This paper is part of a series of papers that the Bavarian DPA will issue periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasized that these papers are non-binding.

On July 8, 2016, EU representatives on the Article 31 Committee approved the final version of the EU-U.S. Privacy Shield (“Privacy Shield”) to permit transatlantic transfers of personal data from the EU to the U.S.

On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the “NIS Directive”), which will come into force in August 2016. EU Member States will have 21 months to transpose the NIS Directive into their national laws. The NIS Directive is part of the European Commission’s cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

On July 5, 2016, the European Commission announced the launch of a new public-private partnership (the “Partnership”) on cybersecurity, as part of its Digital Single Market and EU Cybersecurity strategies. In this context, the European Commission released several documents, including a Commission Decision establishing a contractual arrangement of the new Partnership for cybersecurity industrial research, and a Staff Working Document on the preparation activities for the Partnership.

On June 29, 2016, Politico reported that it has obtained updated EU-U.S. Privacy Shield documents following the latest negotiations between U.S. and EU government authorities. Certain aspects of the prior Privacy Shield framework were criticized by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor.

On June 23, 2016, the UK held a referendum to decide upon its continued membership in the European Union. The outcome has resulted in the decision for the UK to withdraw its membership from the European Union. Despite the result, data protection standards are unlikely to be affected.

On June 9, 2016, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2015 (the “Annual Report”) highlighting its main accomplishments.

On June 2, 2016, the European Union and the U.S. signed an Umbrella Agreement, which will implement a comprehensive data protection framework for criminal law enforcement cooperation. The agreement is not yet in effect and additional procedural steps are needed to finalize the agreement. The European Council will adopt a decision on the Umbrella Agreement after obtaining consent from the European Parliament.

On May 23, 2016, half of the EU Member States sent a letter to the European Commission and the Netherlands (which holds the rotating presidency), seeking the removal of barriers to the free flow of data both within and outside the EU to benefit the EU from new data-driven technologies, according to Reuters and EurActive.com.

On May 17, 2016, the European Council adopted its position at first reading of the Network and Information Security Directive (the “NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013, as part of its cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

The NIS Directive will impose security obligations on “operators of essential services” in critical sectors and “digital service providers.” These operators will be required to take measures to manage cyber risks and report major security incidents.

On May 4, 2016, the EU General Data Protection Regulation (“GDPR”) was published in the Official Journal of the European Union.

Following the European Parliament’s vote to adopt the GDPR on April 14, 2016, and the signing of the final draft on April 27, 2016, the GDPR will enter into force 20 days following its publication in the Official Journal of the European Union. Its provisions will be directly applicable in all EU Member States two years after this date, on May 25, 2018.

After four years of drafting and negotiations, the GDPR finally replaces and harmonizes the existing EU ...

On April 27, 2016, the UK House of Commons Culture, Media and Sport Select Committee (the “Committee”) confirmed Elizabeth Denham’s appointment as Information Commissioner. Denham, currently the Privacy and Information Commissioner for British Columbia, Canada, was announced as the UK Government’s preferred choice on March 22, 2016.

On April 13, 2016, the Article 29 Working Party (the “Working Party”) published its Opinion on the EU-U.S. Privacy Shield (the “Privacy Shield”) draft adequacy decision. The Privacy Shield was created to replace the previous Safe Harbor framework invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems decision. The Working Party also published a Working Document on the justification for interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees).

On March 22, 2016, the UK government confirmed Elizabeth Denham as its preferred candidate to replace Christopher Graham as Information Commissioner. Subject to a pre-scrutiny hearing by the Culture, Media and Sports Select Committee and final approval from Her Majesty the Queen, Denham would begin her five-year term in mid-2016.

On March 9, 2016, Hunton & Williams’ Global Privacy and Cybersecurity practice lawyers released a management guide on the EU General Data Protection Regulation (“GDPR”), entitled “Overview of the EU General Data Protection Regulation,” addressing the key impacts the new law will have on businesses. This high-level management guide is intended to provide companies with a roadmap to the Regulation, focusing on topics such as expanded territorial scope, data breach notification rules, the One-Stop Shop concept and the right to be forgotten.

On February 29, 2016, the European Commission issued the legal texts that will implement the EU-U.S. Privacy Shield. These texts include a draft adequacy decision from the European Commission, Frequently Asked Questions and a Communication summarizing the steps that have been taken in the last few years to restore trust in transatlantic data flows.

The agreement in support of the new EU-U.S. transatlantic data transfer framework, known as the EU-U.S. Privacy Shield, was reached on February 2, 2016, between the U.S. Department of Commerce and the European Commission. Once adopted, the adequacy decision will establish that the safeguards provided when transferring personal data pursuant to the new EU-U.S. Privacy Shield are equivalent to the EU data protection standards. In addition, the European Commission has stated that the new framework reflects the requirements that were set forth by the Court of Justice of the European Union (the “CJEU”) in the recent Schrems decision.

On February 24, 2016, President Obama signed the Judicial Redress Act (the “Act”) into law. The Act grants non-U.S. citizens certain rights, including a private right of action for alleged privacy violations that occur in the U.S. The Act was signed after Congress approved an amendment that limits the right to sue to only those citizens of countries which (1) permit the “transfer of personal data for commercial purposes” to the U.S., and (2) do not impose personal data transfer policies that “materially impede” U.S. national security interests.

On February 10, 2016, the U.S. House of Representatives passed the Judicial Redress Act, which had been approved by the Senate the night before and included a recent Senate amendment. The House of Representatives previously passed the original bill in October 2015, but the bill was sent back to the House due to the recent Senate amendment. The Judicial Redress Act grants non-U.S. citizens certain rights, including a private right of action for alleged privacy violations that occur in the U.S. The amendment limits the right to sue to only those citizens of countries that (1) permit the “transfer of personal data for commercial purposes” to the U.S., and (2) do not impose personal data transfer policies that “materially impede” U.S. national security interests. The bill now heads to President Obama to sign.

On February 2, 2016, a new EU-U.S. transatlantic data transfer agreement was reached. Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, presented the new agreement to the European Commission (the “Commission”) today. According to the Commission’s press release, the new agreement will be called the EU-U.S. Privacy Shield.

On February 1, 2016, Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, told the European Parliament that an agreement on a new U.S.-EU Safe Harbor agreement has not yet been reached. Jourová indicated that an agreement is close, but additional work is needed to finalize it.

On January 28, 2016, the Centre for Information Policy Leadership (“CIPL”) held a special roundtable at Hunton & Williams’ Brussels office to examine the “essential equivalence” requirement for protection of data transfers to non-EU countries set by the Court of Justice of the European Union’s (“CJEU's”) Schrems decision. The roundtable brought together leading lawyers, corporate privacy officers, legal experts, regulators and policymakers to discuss the critical issues and impact of the new “essential equivalence” requirement for global data transfers set by the CJEU, and its relevance to the current EU-U.S. negotiations of a new Safe Harbor agreement.

According to Bloomberg BNA, Paul F. Nemitz, Director for Fundamental Rights and Union Citizenship at the Directorate-General Justice of the European Commission, said at a privacy conference that he hoped a new U.S.-EU Safe Harbor agreement would be reached by the evening of Monday, February 1, 2016.

On January 28, 2016, the Senate Judiciary Committee passed the Judicial Redress Act (the “Act”), which would give EU citizens the right to sue over certain data privacy issues in the U.S. The Act passed after an amendment was approved which would condition EU citizens’ right to sue on EU Member States (1) allowing companies to transfer personal data to the U.S. for commercial purposes and (2) having personal data transfer policies which do not materially impede the national security interests of the U.S. The vote was initially set to take place on January 21, 2016, but was delayed.

On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.

On December 17, 2015, after three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the final draft of the EU General Data Protection Regulation (the “Regulation”), which is backed by the Committee on Civil Liberties, Justice and Home Affairs.

On December 7, 2015, European negotiators reached an agreement on the draft text of the Network and Information Security Directive (the “NIS Directive”), the first pan-EU rules on cybersecurity. The NIS Directive was first proposed by the European Commission on February 7, 2013, as part of its cybersecurity strategy for the European Union and aims to ensure a uniform level of cybersecurity across the EU.

On November 19, 2015, the French Data Protection Authority (“CNIL”) published guidance, including a set of frequently asked questions, to assist companies that are transferring personal data to the U.S. pursuant to the Safe Harbor framework.

On November 6, 2015, the European Commission published a communication and a Q&A document addressed to the European Parliament and European Council on the transfer of personal data from the EU to the U.S. under EU Data Protection Directive 95/46/EC (the “Directive”), following the decision by the Court of Justice of the European Union invalidating the European Commission’s Safe Harbor Decision.

On October 16, 2015, the Article 29 Working Party (the “Working Party”) issued a statement on the consequences of the recent ruling of the Court of Justice of the European Union (the “CJEU”) invalidating the European Commission’s Safe Harbor Decision.

On October 1, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Weltimmo v Nemzeti (Case C-230/14). Weltimmo, a company registered and headquartered in Slovakia, runs a website that allows property owners in Hungary to advertise their properties. The CJEU stated that, in some cases, Weltimmo had failed to delete the personal data of the advertisers upon request, and also had sent debt collectors to some advertisers despite their earlier attempts to cancel their accounts. The advertisers complained to the Hungarian Data Protection Authority (“DPA”), which investigated the matter and issued a fine of HUF 10 million (approximately 36,500 USD) against Weltimmo.

On September 8, 2015, representatives from the U.S. Government and the European Commission initialed a draft agreement known as the Protection of Personal Information Relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses (the “Umbrella Agreement”). The European Commission’s stated aim for the Umbrella Agreement is to put in place “a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.” The Umbrella Agreement has been agreed upon amid the ongoing uncertainty over the future of the U.S.-EU Safe Harbor, and was drafted shortly before the release of the September 23 Advocate General’s Opinion in the Schrems v. Facebook litigation. The content of the Umbrella Agreement is in its final form, but its implementation is dependent upon revisions to U.S. law that are currently before Congress.

On July 27, 2015, Giovanni Buttarelli, the European Data Protection Supervisor (“EDPS”), published Opinion 3/2015 on the reform of Europe’s data protection laws, intended to “assist the participants in the trilogue in reaching the right consensus on time.” The Opinion sets out the EDPS’ vision for the regulation of data protection, re-stating the case for a framework that strengthens the rights of individuals and noting that “the time is now to safeguard individuals’ fundamental rights and freedoms in the data-driven society of the future.”

On June 18, 2015, the Article 29 Working Party (the “Working Party”) published letters regarding the proposed EU General Data Protection Regulation (the “Regulation”) addressed to representatives of the Council of the European Union, the European Parliament and the European Commission. Attached to each of the letters is an Appendix detailing the Working Party’s opinion on the core themes of the Regulation.

The Council of the European Union has agreed on a general approach to the proposed EU General Data Protection Regulation (the “Regulation”). This marks a significant step forward in the legislative process, and the Council’s text will form the basis of its “trilogue” negotiations with the European Parliament and the European Commission. The aim of the trilogue process is to achieve agreement on a final text of the Regulation by the end of 2015. The first trilogue meeting is expected to take place on June 24, 2015.

On May 22, 2015, the Article 29 Working Party published an update to its explanatory document regarding the use of Binding Corporate Rules (“BCRs”) by data processors (“WP204”). The original explanatory document was published on April 19, 2013 and identified two scenarios in which a non-EU processor, processing personal data received under BCRs, should notify the controller and the relevant data protection authorities (“DPAs”) in the event of a legally binding request for the personal data.

On June 1, 2015, the Group of the European People’s Party in the European Parliament released an updated timetable for agreeing on the proposed EU General Data Protection Regulation (the “Regulation”). The European Commission, European Parliament and the Council of the European Union will soon enter multilateral negotiations, known as the “trilogue,” to agree on the final text of the proposed Regulation.

On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.

On December 5, 2014, the Article 29 Working Party (the “Working Party”) published a Working Document on surveillance, electronic communications and national security. The Working Party (which is comprised of the national data protection authorities (“DPAs”) of each of the 28 EU Member States) regularly publishes guidance on the application and interpretation of EU data protection law. Although its views are not legally binding, they are strongly indicative of the way in which EU data protection law is likely to be enforced.

On November 26, 2014, the Article 29 Working Party (the “Working Party”) released a Working Document providing a cooperation procedure for issuing common opinions on whether “contractual clauses” comply with the European Commission’s Model Clauses (the “Working Document”).

On November 26, 2014, the Article 29 Working Party (the “Working Party”) published an Opinion (the “Opinion”) on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (the “Judgment” or “Costeja”). The Opinion constitutes guidance from the Working Party on the implementation of Costeja for search engine operators.

On November 25, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 9/2014 (the “Opinion”) on device fingerprinting. The Opinion addresses the applicability of the consent requirement in Article 5.3 of the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) to device fingerprinting. As more and more website providers suggest using device fingerprinting instead of cookies for the purpose of providing analytics or for tracking purposes, the Working Party clarifies how the rules regarding user consent to cookies apply to device fingerprinting. Thus, the Opinion expands on Opinion 04/2012 on the Cookie Consent Exemption.

On November 24, 2014, the Polish President Bronisław Komorowski signed into law a bill that was passed by Polish Parliament on November 7, 2014, which amends, among other laws, certain provisions of the Personal Data Protection Act 1997. As a result of the amendments, data controllers will be able to transfer personal data to jurisdictions that do not provide an “adequate level” of data protection without obtaining the prior approval of the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”), provided that they meet certain requirements specified under the bill. In addition, the bill amends Polish law so that it is no longer mandatory to appoint an administrator of information security (administrator bezpieczeństwa informacji or “ABI”). An ABI is similar to a data protection officer but an ABI has narrower responsibilities that predominantly concern data security.

On November 27, 2014, the European Parliament announced that it will appoint Giovanni Buttarelli as the new European Data Protection Supervisor (“EDPS”), and Wojciech Wiewiórowski as the Assistant Supervisor. The announcement has been expected since the Parliament’s Committee on Civil Liberties, Justice and Home Affairs voted on October 20, 2014 for Buttarelli and Wiewiórowski to be the Parliament’s leading candidates for the two positions. The final step of the process is for the Parliament and the Council of the European Union to jointly sign a nomination decision, after which Buttarelli and Wiewiórowski will formally take up their new roles.

This week, the Article 29 Working Party (“Working Party”) prepares to debate various proposals on the “one-stop-shop” mechanism under the proposed EU General Data Protection Regulation (“Regulation”). Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership submitted a strategy paper on the one-stop-shop to the Working Party. The paper proposes a methodology for selecting and defining the role of a lead regulatory authority with the objective of making the one-stop-shop more operational, flexible and viable. The work draws on a more detailed article published on November 3, 2014, by Hunton & Williams senior attorney Rosemary Jay in the magazine for the Society for Computers and Law, entitled The “One Stop Shop” – Working in Practice.

The Council of the European Union has published proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation (“Regulation”). This proposal was led by the current Italian Presidency and the revisions reflect input from representatives of the national governments of the EU Member States.

The Article 29 Working Party (the “Working Party”) recently released its August 1, 2014 statement providing recommendations on the actions that EU Member States should take in light of the European Court of Justice’s April 8, 2014 ruling invalidating the EU Data Retention Directive (the “Ruling”).

On August 19, 2014, the German Federal Ministry of the Interior published a revised draft cybersecurity law (the “Draft Law”). An earlier version of the law was published in March 2013. The Draft Law is intended to serve as a cornerstone of Germany’s recently-announced digital agenda.

On July 10, 2014, the UK government announced plans to introduce emergency data retention rules, publishing the Data Retention and Investigatory Powers Bill (the “Bill”) along with explanatory notes and draft regulations. The publication of the Bill follows the European Court of Justice’s April 2014 declaration that the EU Data Retention Directive (the “Directive”) is invalid. Under the Directive, EU Member States were able to require communications service provides (e.g., ISPs) to retain communications data relating to their subscribers for up to 12 months.

On May 13, 2014, the European Court of Justice (the “CJEU”) rendered its judgment in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v. AEPD” or the “case”). The case concerns a request made by a Spanish individual, Mr. Costeja, to the Spanish Data Protection Authority (Agencia Española de Protección de Datos or “AEPD”) to order the removal of certain links from Google’s search results. The links relate to an announcement in an online newspaper of a real estate auction for the recovery of Mr. Costeja’s social security debts. The information was lawfully published in 1998, but Mr. Costeja argued that the information had become irrelevant as the proceedings concerning him had been fully resolved for a number of years. The AEPD upheld the complaint and ordered Google Spain S.L. and Google Inc. (“Google”) to remove the links from their search results. Google appealed this decision before the Spanish High Court, which referred a series of questions to the ECJ for a preliminary ruling. The ECJ ruled as follows:

On May 19, 2014, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2013 (the “Report”) highlighting its main accomplishments in 2013 and outlining some of its priorities for the upcoming year.

On April 16, 2014, the Article 29 Working Party (the “Working Party”) sent a letter (the “Letter”) to Lilian Mitrou, Chair of the Working Group on Information Exchange and Data Protection (the “DAPIX”) of the Council of the European Union, to support a compromise position on the one-stop-shop mechanism within the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

On April 10, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 04/2014. The Opinion analyzes the implications of electronic surveillance programs on the right to privacy and provides several recommendations for protecting EU personal data in the surveillance context.

On April 8, 2014, the European Court of Justice ruled that the EU Data Retention Directive is invalid because it disproportionally interferes with the European citizens’ rights to private life and protection of personal data. The Court’s ruling applies retroactively to the day the Directive entered into force.

On March 28, 2014, the 87th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for the 17 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On March 12, 2014, the European Parliament formally adopted the compromise text of the proposed EU General Data Protection Regulation (the “Regulation”). The text now adopted by the Parliament is unchanged and had already been approved by the Parliament’s Committee on Civil Liberties, Justice and Home Affairs in October of last year. The Parliament voted with 621 votes in favor, 10 against and 22 abstentions for the Regulation.

On January 31, 2014, the Greek Presidency of the Council of the European Union issued four notes regarding the proposed EU Data Protection Regulation. These notes, discussed below, address the following topics: (1) one-stop-shop mechanism; (2) data portability; (3) data protection impact assessments and prior checks; and (4) rules applicable to data processors.

On February 5, 2014, the Member States of the EU and European Free Trade Association (“EFTA”) as well as the European Network and Information Security Agency (“ENISA”) issued Standard Operational Procedures (“SOPs”) to provide guidance on how to manage cyber incidents that could escalate to a cyber crisis.

On December 12, 2013, Advocate-General Cruz Villalón of the European Court of Justice (“ECJ”) issued his Opinion on the compatibility of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) with the Charter of Fundamental Rights of the European Union (the “EU Charter”).

As we previously reported, on October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Hunton & Williams has now published an analysis of these proposals.

On October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). The approval follows months of negotiations between the various parliamentary committees. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) has been in charge of working toward an agreement on the Compromise Text in the European Parliament.

On October 2, 2013, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU legal requirements (“Working Document”).