On July 27, 2021, the Spanish Data Protection Authority (the “AEPD”) imposed a €2,520,000 fine on Spanish supermarket chain Mercadona, S.A. for unlawful use of a facial recognition system.
The Spanish Data Protection Authority (the “AEPD”) recently published a report on data processing activities carried out by data controllers in the private and public sectors as a result of the spread of the COVID-19 virus (the “Report”).
On March 6 and 7, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and over 100 public and private sector participants in CIPL’s GDPR Implementation Project will convene in Madrid, Spain, for CIPL’s third major GDPR implementation workshop.
On October 6, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in the Schrems v. Facebook case, following the Opinion of the Advocate General published on September 23, 2015. In its judgment, the CJEU concluded that:
- The national data protection authorities (“DPAs”) have the power to investigate and suspend international data transfers even where the European Commission (the “Commission”) has adopted a decision finding that a third country affords an adequate level of data protection, such as Decision 2000/520 on the adequacy of the protection provided by the Safe Harbor Privacy Principles (the “Safe Harbor Decision”).
- The Safe Harbor Decision is invalid.
On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.
On November 26, 2014, the Article 29 Working Party (the “Working Party”) published an Opinion (the “Opinion”) on the Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (the “Judgment” or “Costeja”). The Opinion constitutes guidance from the Working Party on the implementation of Costeja for search engine operators.
On May 13, 2014, the European Court of Justice (the “CJEU”) rendered its judgment in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v. AEPD” or the “case”). The case concerns a request made by a Spanish individual, Mr. Costeja, to the Spanish Data Protection Authority (Agencia Española de Protección de Datos or “AEPD”) to order the removal of certain links from Google’s search results. The links relate to an announcement in an online newspaper of a real estate auction for the recovery of Mr. Costeja’s social security debts. The information was lawfully published in 1998, but Mr. Costeja argued that the information had become irrelevant as the proceedings concerning him had been fully resolved for a number of years. The AEPD upheld the complaint and ordered Google Spain S.L. and Google Inc. (“Google”) to remove the links from their search results. Google appealed this decision before the Spanish High Court, which referred a series of questions to the ECJ for a preliminary ruling. The ECJ ruled as follows:
Senior Attorney Rosemary Jay reports from London:
On June 25, 2013, Advocate-General Jääskinen of the European Court of Justice (“ECJ”) delivered his Opinion in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v AEPD” or the “case”).
The case concerns Google Search results, and whether individuals have a right to erasure of search result links about them. The Opinion concludes that under current law, individuals have no such right. The European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) would introduce a right to be forgotten. However, this Opinion appears to demonstrate unease with the basic concept of such a right.
On December 12, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released an accountability self-assessment tool designed to help organizations evaluate their internal privacy programs and practices. The tool is the product of the Global Accountability Project for which the Centre serves as Secretariat.
On November 2-3, 2011, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, is the chairman of the Conference’s advisory panel and principal advisor to Conference organizers on program content. Hunton & Williams is a proud sponsor of the event which will feature Hunton representatives as speakers or moderators on multiple panels and plenary sessions, including the following:
On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).
Currently, there is wide debate throughout the EU regarding data breach notification requirements. The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011. The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.
The 32nd International Conference of Data Protection and Privacy Commissioners held in Jerusalem this October continued the trend from past conferences by enacting a resolution, this time with respect to the adoption of global privacy standards. The Jerusalem Declaration calls for an intergovernmental conference in 2011 or 2012 to negotiate a binding international agreement guaranteeing respect for data protection and privacy, and facilitating cross-border coordination of enforcement efforts. The basis for the binding international agreement would be the Madrid ...
On October 26, 2010, the Centre for Information Policy Leadership (the “Centre”) released its long-awaited paper, “Demonstrating and Measuring Accountability, Accountability Phase II – The Paris Project” at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Israel. This document is the result of the deliberations of an international working group that includes 60 representatives of business, civil society, government, data protection and privacy enforcement agencies, and the European Data Protection Supervisor. ...
Following its recent enactment of an omnibus data protection law, Mexico has been unanimously elected to lead the Ibero-American Data Protection Network, a consortium of the governments of Spain, Portugal, Andorra and 19 Latin American countries. The group’s mission is to foster, maintain and strengthen an exchange of information, experience and knowledge among Ibero-American countries through dialogue and collaboration on issues related to personal data protection. The IFAI announced on September 29, 2010, that Jacqueline Peschard, head of Mexico’s Federal ...
On October 5, 2010, the Commission for Economic Affairs of the French National Assembly introduced a Resolution (the “Resolution”) to support the International Standards on the Protection of Personal Data and Privacy adopted in Madrid on November 5, 2009, at the 31st International Conference of Data Protection and Privacy Commissioners (also known as the “Madrid Resolution”).
The Resolution states: “the right to privacy is a fundamental value in our society; the development of information and communication systems must be contained in order to prevent uses of personal data which threaten this right.
On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt. The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”
In a closed session on November 5, 2009, the 31st International Conference of Data Protection and Privacy Commissioners adopted the International Standards on the Protection of Personal Data and Privacy (the “Standards”). Although the document is advisory in nature and is not legally binding, it offers guidance to States that have not yet adopted comprehensive data protection laws. The Spanish Data Protection Agency, which acted as the secretariat for drafting the Standards, held two meetings that included more than fifty privacy enforcement agencies, privacy advocates and businesses before hosting a final drafting session that was reserved for recognized data protection authorities.
In 1980, the Organization for Economic Cooperation and Development (“OECD”) first published privacy guidelines that included an accountability principle. Since that time, little work has been done to define accountability or to describe what it means for organizations to be accountable for the responsible use and protection of data. In an effort to fill that gap, The Centre for Information Policy Leadership has authored “Data Protection Accountability: The Essential Elements” which articulates the conditions organizations would have to meet to be accountable.
Janet Napolitano, Secretary of the Department of Homeland Security, and Alfredo Perez Rubalcaba, the Spanish Minister of the Interior, spoke in contrasting tones today of the difficulties of finding the right balance between security and privacy. The theme "Striving for a Balance Between Security and Privacy" was debated during the first plenary session of the 31st International Conference of Data Protection and Privacy Commissioners in Madrid.
On November 4, join our privacy professionals at the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, Spain. Participate in various presentations on ways to manage the most challenging data protection issues in today’s global environment. In addition, the International Association of Privacy Professionals (“IAPP”) will host a Data Protection and Privacy Workshop in conjunction with the conference.
On April 27, 2009, the Article 29 Working Party issued a new working document (WP 155 rev.04) on frequently asked questions relating to binding corporate rules ("BCRs"). Two new FAQs were adopted: (1) FAQ 10 deals with the relationship between EEA data protection laws and BCRs; and (2) FAQ 11 relates to the reversal of the burden of proof in the context of BCRs. The Working Party reiterated that, although BCRs may offer an adequate level of protection to personal data being transferred within the same company, they do not exempt multinationals from complying with national data ...
In November, the 31st International Conference of Data Protection and Privacy Commissioners will approve a resolution that will include an international standard for privacy protection called the “Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data.” The standard will be submitted to the United Nations as the basis for a treaty. This is not the conference’s first attempt to reach consensus on an international standard, but it is the first to include robust processes that will begin to narrow the issues that divide nations on data protection law.
The Centre for Information Policy Leadership’s Executive Director, Marty Abrams, brings you these thoughts on a recent data protection summit in Barcelona.
Harmonized international data protection rules have been privacy’s Holy Grail since the EU Directive was enacted in 1995. Harmonized, globally recognized rules would simplify life for privacy protection authorities and companies. Numerous efforts have been undertaken to create a harmonized code. The most recent, an international standards project led by the Spanish Data Protection Commissioner, began on January 12 as international privacy experts met in Barcelona. The Spanish Data Protection Commissioner leads the project, and the finished product — a harmonized privacy code that will be the basis for a data protection treaty— will be a center-piece of the 31st International Conference of Data Protection and Privacy Commissioners on November 2009 in Madrid.
The Barcelona meeting focused on a draft standards document developed by the Spanish Data Protection Authority, Agencia Espanola de Proteccion de Datos. The document integrates many of the elements from the OECD Privacy Guidelines, Council of Europe Convention, EU Directive and APEC Privacy Framework. In its 30 sections, the document recognizes almost every concept found in this existing guidance.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code