Posts in International.

On September 22, 2011, new provisions under the French Data Protection Authority’s (“CNIL’s”) internal regulation (Délibération n°2011-249 du 8 septembre 2011) came into force. The CNIL recently amended its regulations to incorporate a new chapter (Chapter IV bis) that sets forth a specific procedure for issuing privacy seals in accordance with the French Data Protection Act. The Act authorizes the CNIL to “issue a quality label to products or procedures intended to protect individuals with respect to processing of personal data, once [the CNIL] has recognized them as in compliance with the provisions of the Act.”

On Tuesday, September 27, 2011, the European Privacy Officers Forum (“EPOF”) celebrated its 10th anniversary with a gala reception at the BELvue Museum in Brussels. EPOF is composed of EU-based data protection compliance officers and internal legal counsel from over 30 multinational companies and public-sector institutions who meet three times a year in Brussels to exchange ideas and to hear presentations by data protection authorities and other government representatives. The gala, which was attended by approximately 100 people, featured opening remarks from Peter Hustinx, European Data Protection Supervisor, the Honorable William E. Kennard, U.S. Ambassador to the EU, and Paul Nemitz, Director of Fundamental Rights and Citizenship of the European Commission.

Hunton & Williams announces that Rosemary Jay, formerly head of the privacy practice at Pinsent Masons and the former head of the legal team at the UK Information Commissioner’s Office, will join the firm’s Privacy and Data Security practice in October.  Ms. Jay will be based in the firm’s London office.  As a senior lawyer, Ms. Jay will bring more than 20 years of data protection experience to Hunton & Williams, enhancing both the firm’s renowned privacy practice and its Centre for Information Policy Leadership.  

On September 19, 2011, Privacy Piracy host Mari Frank interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, on KUCI 88.9 FM radio in Irvine, California.  In the interview, Ms. Sotto discussed critical current privacy and data security issues, including lessons learned from the recent data breaches, the regulatory framework in the U.S. and EU, and expected legislative changes in the privacy arena globally.

Listen to the Privacy Piracy interview.

On September 21, 2011, the board of the French Data Protection Authority (the “CNIL”) elected Isabelle Falque-Pierrotin as its new Chair, following Alex Türk’s resignation, which he officially tendered at the board meeting.

On June 17, 2011, the National Assembly of the Republic of Angola passed Law 22/11 on Personal Data Protection.  The omnibus privacy legislation applies to the automated and non-automated processing of personal data by controllers based or operating in Angola, or subject to, or using equipment governed by, Angola’s laws.  Some highlights of the law are listed below.

On September 14, 2011, the Article 29 Working Party (the “Working Party”) met with representatives of the European Advertising Standards Alliance (“EASA”) and IAB Europe to discuss the industry’s new self-regulatory code of conduct for online behavioral advertising (the “Code”), which was released on April 14, 2011.

On September 14, 2011, UK Information Commissioner Christopher Graham said that the private sector “isn’t as good as it thinks it is” when it comes to data protection compliance, and that many of the compliance problems that arise originate in the private sector.  While giving evidence to the House of Commons Justice Select Committee, the Commissioner criticized the private sector and, in particular, banks and other financial services companies.

On September 15, 2011, the data protection authority of the German federal state of Hamburg (the “DPA”) published a press release confirming that Google has significantly improved compliance with respect to the implementation of Google Analytics in Germany.  This finding is the result of two years of fruitful dialog between Google and the DPA, which was acting on behalf of the conference of German data protection authorities responsible for the private sector (the “Düsseldorfer Kreis”).

On September 14, 2011, Alex Türk announced that he will be resigning his position as Chairman of the French Data Protection Authority (the “CNIL”), in accordance with a recent amendment to the French Data Protection Act (Loi n° 2011-334 du 29 mars 2011 relative au Défenseur des droits).  The amendment prohibits the CNIL’s Chairman from holding any other elected office or public position.  Although this restriction does not enter into force until September 1, 2012, Mr. Türk, who also serves as a senator in the French Parliament, chose to resign prior to the upcoming French ...

On September 8, 2011, Richard Allan, Facebook’s Director of European Public Policy, met with the German Federal Ministry of the Interior (the “Ministry”) and endorsed the Ministry’s initiative for a future self-regulatory code for social networks with a focus on data security, consumer protection and the protection of minors.

On September 12, 2011, the Commissioner for Data Protection and Freedom of Information of the German federal state of North Rhine-Westphalia (“DPA”) imposed a fine of €60,000 on Easycash GmbH (“Easycash”), a leading German service provider for electronic payments.

Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City on November 2-3, 2011.  This year’s conference, entitled “Privacy: The Global Age,” will focus on the challenges associated with managing and protecting personal data in an era characterized by the constant, instantaneous transfer of information across the globe.  IFAI President Jacqueline Peschard discussed the conference in further detail in an interview with Marty Abrams ...

On August 5, 2011, the Beijing Second Intermediate People’s Court announced its decision in what is reported to be the largest criminal case to date involving the misuse of personal information in Beijing, China.  The Court based its ruling on Article 7 of the Seventh Amendment to the Criminal Law, which applies to three types of criminal activities: (1) illegal sale of citizens’ personal information, (2) illegal provision of citizens’ personal information, and (3) illegal access to citizens’ personal information.

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  In particular, the Ordinance introduces new provisions under the French Data Protection Act, which impose an obligation on electronic communication service providers to provide notice in the event of a data security breach. 

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  Specifically, the Ordinance amends the existing legal framework concerning cookies and introduces an opt-in regime for the use of cookies.

On August 19, 2011, the Data Protection Commissioner’s Office of the German federal state of Schleswig-Holstein (“ULD”) ordered all businesses in that state “to shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’-button from their websites.”  Although this warning is specific to Facebook users, the regulator’s explanation of its motives reveals a fundamental concern about common data analytics practices:

“By using the Facebook service traffic and content data are transferred into the USA and a qualified feedback is sent back to the website owner concerning the web page usage, the so called web analytics (Ger.: Reichweitenanalyse).  Whoever visits facebook.com or uses a plug-in must expect that he or she will be tracked by the company for two years.  Facebook builds a broad individual and for members even a personalised profile.  Such a profiling infringes German and European data protection law.  There is no sufficient information of users and there is no choice; the wording in the conditions of use and privacy statements of Facebook does not nearly meet the legal requirements relevant for compliance of legal notice, privacy consent and general terms of use.”

On July 13, 2011, the Belgian Privacy Commission (the “Belgian DPA”) signed a Protocol with the Ministry of Justice which significantly simplifies the authorization procedure for binding corporate rules (“BCRs”) under Belgian law.  The Protocol was just made public on the Belgian DPA's website. 

On August 24, 2011, the Government of India’s Ministry of Communications & Information Technology issued a clarification regarding India’s new privacy regulations, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”), under Section 43A of the Information Technology Act 2000.

The Department of Commerce released an English translation of Peru’s Law for Personal Data Protection (Ley de Protección de Datos Personales, Ley No. 29733).  The law passed Peru’s Congress on June 7, 2011, and was signed by the president July 2, 2011.  Peru’s adoption of this new law is in keeping with a recent trend in Latin America, where Uruguay, Mexico and Colombia also have passed privacy legislation.

On July 27, 2011, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) published a draft rule including provisions regulating the processing of personal information by “Internet Information Service Providers.”  The draft rule, entitled “Provisions on the Administration of Internet Information Services” (the “Draft Provisions”), is not the first rule regulating Internet information services in China.  In 2000, the MIIT enacted the “Measures for the Administration of Internet Information Services” (the “Measures”), which took effect on September 25, 2000.  However, the Measures do not include any explicit provisions addressing the protection of personal information.

As we previously reported, the Mexican government has developed draft regulations for the implementation of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares). The U.S. Department of Commerce recently circulated an English translation of the draft regulations. Public comments on the draft are due on August 3, 2011, and Mexican officials have indicated they will not grant extensions for late submissions. A final version of the regulations is ...

As reported in BNA’s Privacy Law Watch, on July 25, 2011, Russian President Dmitry Medvedev signed a new federal law amending Russia’s personal data privacy law, “On Personal Data.” The amended law, which was made public on July 27 and is effective retroactively from July 1, 2011, imposes new rules on international data transfers. As we previously reported, and as noted by the BNA, Russia had been considering improving its data protection regime and has enacted two other laws regarding the protection of personal data in the past several weeks.

The Hong Kong Privacy Commissioner has issued a document soliciting comments regarding a proposal to require a wide range of data users to submit information about their activities to the Office of the Privacy Commissioner for Personal Data.  The proposal would be carried out pursuant to the Hong Kong Privacy Ordinance, which authorizes the Privacy Commissioner to require certain data users to submit data user returns.  Under the Ordinance, a “data user return” is a form certain data users must submit to the Privacy Commissioner for purposes of maintaining a data user registration database.  A “data user” is defined as “a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of [personal] data” (emphasis added).

On July 13, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the concept of consent as a legal basis for processing personal data, which includes recommendations for improving the concept in the context of the ongoing review of the EU data protection framework.  The Opinion also analyzes the conditions for valid consent under EU data protection law (that consent must be “freely given,” “specific,” “unambiguous,” “explicit,” “informed,” etc.), and clarifies the obligations of data controllers seeking consent.  In addition, the Opinion provides examples of valid and invalid consent with respect to company social media, medical research, body scanners, PNR data and online gaming.

Adam Kardash from Heenan Blaikie LLP in Canada reports that Industry Canada and the Canadian Radio-television and Telecommunications Commission (“CRTC”) have released draft regulations for Canada’s Anti-Spam Legislation (“CASL”).  CASL imposes a consent-based anti-spam regime that restricts organizations’ ability to send commercial electronic messages.  Industry Canada and the CRTC are charged with the task of implementing regulations under CASL.

On June 16, 2011, the German Federal Ministry of the Interior officially opened a National Cyber Defense Center as part of the comprehensive cybersecurity strategy that was adopted by the German federal government on February 23, 2011.  The Cyber Defense Center is intended to serve as a common platform for rapid information exchange and better coordination of protective and defensive measures against information technology security incidents.

On July 6, 2011, Mexico’s Secretary of Economy, in conjunction with the Federal Institute for Access to Information and Data Protection (“IFAI”), released wide-ranging privacy regulations for public comment.  The regulations establish rules and guidelines for the implementation of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), which became effective one year ago.  Among the topics covered are jurisdictional issues, details regarding ...

On July 6, 2011, the UK Information Commissioner’s Office (the “ICO”) released its Annual Report and Financial Statements for 2010/11.  Characterizing information as “the currency of democracy,” the report highlights the wide range of the ICO’s activities during the last twelve months, which focused on education and the provision of good practice guidance in addition to enforcement activities.

On July 1, 2011, the French Data Protection Authority (the “CNIL”) released a comprehensive handbook for health professionals (the “Guidance”).  The Guidance reiterates that health professionals (e.g., doctors, nurses, hospitals, research laboratories) have an obligation to comply with the French Data Protection Act when collecting and processing health data on patients.

As reported in BNA’s Privacy Law Watch, on July 2, 2011, Peruvian President Alan García signed the Personal Data Protection Law (Ley de Protección de Datos Personales, Ley No. 29733), making Peru the latest Latin American country to adopt EU-style omnibus privacy legislation.  Implementing rules for the new law are to be drafted in the next few months.

On June 28-30, 2011, the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg, France, to discuss, among other things, amending the Council of Europe’s Convention 108.  Convention 108, which underlies the European Union’s legal framework for data protection, is the only legally-binding international convention that addresses data protection.  Amendment of the Convention is thus closely linked to the current review of the EU data protection framework, and many of the same actors are involved in both exercises.

On June 24, 2011, the U.S. Department of Commerce’s International Trade Administration released a PowerPoint presentation on Mexico’s new private sector data protection law that was shared at a meeting of the OECD Working Party on Information Security and Privacy by Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (“IFAI”).  The presentation provides guidance on the creation of privacy notices and establishment of self-regulatory schemes, and also outlines the responsibilities of the Ministry of Economy and the IFAI ...

Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada.  As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology.  According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.

Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses.  In return, Reding expects businesses to ensure “safe and transparent digital products and services.”

On June 20, 2011, Malaysia’s Bernama News Agency reported that the Malaysian Ministry of Information, Communication and Culture will establish a government department to facilitate the implementation of Malaysia’s new Personal Data Protection Act.  Malaysia passed the Personal Data Protection Act in 2010, but the law has yet to go into effect.  According to the report, enforcement of the Act is scheduled for early next year.

On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010.  The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.

In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive.  He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure.  Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.

As reported yesterday, on June 16 and 17, 2011, the Hungarian Presidency of the Council of the European Union hosted a high-level international data protection conference in Budapest.  The following are some highlights from the second day’s events:

  • During the “New principles in the field” panel, Professor Paul De Hert of the Vrije Universiteit Brussel gave an explanation of the case I v. Finland, which was decided by the European Court of Human Rights on July 17, 2008, and which both he and European Data Protection Supervisor Peter Hustinx agreed was a key document for the concept of accountability in European data protection law.  Endre Szabó of the Hungarian Ministry of Public Administration and Justice noted that the principle of accountability had not yet been fully accepted by all members of the European Council.

On June 16, 2011, the Hungarian Presidency of the Council of the European Union hosted the first day of a high-level international data protection conference in Budapest.  The conference was attended by approximately 150 people, most of whom are representatives of EU governments, data protection authorities (“DPAs”), the European Commission, and other governmental groups such as the Council of Europe.

On June 7, 2011, the Congress of the Republic of Peru passed the Personal Data Protection Law (Ley de Protección de Datos Personales, Proyecto de Ley 4079/2009-PE).  If signed into law, the bill would make Peru the newest member of the group of Latin American countries with EU-style omnibus privacy legislation.  The broad-ranging legislation would do the following, among other things:

On June 13, 2011, the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osobowych or “GIODO”) hosted a conference in Warsaw on the use of binding corporate rules (“BCRs”) for international data transfers.  The conference was notable as the first on this topic in Poland, and was designed to introduce BCRs to a Polish audience and to promote their use.  The audience of approximately 70 people heard presentations by the Polish Inspector General for Data Protection, Wojciech Rafał Wiewiórowski, as well as representatives of the Belgian, French, Polish ...

On May 26, 2011, the United Kingdom’s Lord Chancellor and Secretary of State for Justice Kenneth Clarke spoke before the EU Committee of the British Chamber of Commerce in Belgium.  His remarks focused on data protection, a subject he characterized as one “heavily on the agenda” in Brussels and in many EU Member States.  Clarke emphasized his own role as a proponent of data protection and a defender of civil liberties and individual freedom, and discussed the introduction into Parliament of a major bill to enhance individual freedom in the UK.  Key measures in the bill, many of which respond to issues raised over the past few years by the UK Information Commissioner, include:

  • Greater independence for the Information Commissioner
  • Safeguards against misuse of counter-terrorism stop and search powers
  • Further regulation of the use of closed-circuit television monitoring
  • Reform of the regulations governing vetting and barring of ex-offenders and persons working with children and vulnerable adults

Costa Rica’s quest for an omnibus privacy law took a major step forward on April 27, 2011, when the Supreme Court of Justice of Costa Rica gave its stamp of approval to a far-ranging piece of privacy legislation, finding that it had no constitutional defects.  In March 2011, the bill, known as the law of “Protection of the Person in the Processing of His Personal Data” (Protección de la Persona Frente al Tratamiento de sus Datos Personales), survived an initial vote in the unicameral Legislative Assembly.  The bill has now been returned to the Legislative Assembly.

As reported by Kwang Hyun Ryoo and Ji Yeon Park of Bae, Kim & Lee LLC in Korea, on May 24, 2011, the government of South Korea published draft regulations to the Personal Information Protection Act (“PIPA”), the Republic’s new omnibus data protection law.

As we previously reported, PIPA was enacted on March 29, 2011, after past privacy legislation had languished in the Korean Parliament.  The recently published regulations (an Enforcement Decree and Enforcement Regulations) apply to any “handler of personal information” or “data handler,” which is any entity that uses personal information for business purposes.

The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009.  The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.

On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands.  EU law on the use of cookies is changing.  Opt-in consent will be required, but specific requirements may differ across the EU.  What are organizations doing to ensure compliance with the new cookie law?  Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take.  Learn about cookie compliance in France, Germany and the ...

On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins.  Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook.  Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

On May 16, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on geolocation services on smart mobile devices (the “Opinion”).  The Opinion clarifies the legal framework and obligations applicable to geolocation services such as maps and navigation tools, geo-personalized services, geotagging of content on the Internet, child control and location-based advertising.

On April 11, 2011, India adopted new privacy regulations, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”).  The Rules are final versions of the draft regulations issued in February 2011 and impose wide-ranging obligations on any “body corporate” (company) that “collects, receives, possesses, stores, deals or handles” personal information.  These obligations require companies to provide privacy policies, restrict the processing of sensitive personal data, restrict international data transfers and require additional security measures.  The Rules introduce an omnibus privacy law that is similar in many respects to existing EU data protection law, but which raises some fundamental challenges for India’s numerous outsourcing vendors, and their customers.

As we previously reported, Korea's long-awaited Personal Information Protection Act (“PIPA”) was enacted on March 29, 2011.  The law generally requires an individual’s informed consent for the collection, use or disclosure of any personal information by any person, company or government agency.  Kwang Hyun Ryoo from Bae, Kim & Lee LLC in Korea has provided a detailed analysis of the law.

On May 10, 2011, the German Federal Office for Information Security (the Bundesamt für Sicherheit in der Informationstechnik or “BSI”) released the final framework paper on information security issues related to cloud computing.  The paper describes the minimum requirements for information security for cloud computing services.  As we previously reported, in September 2010, the BSI had presented the draft framework paper, which received positive reviews and constructive comments from cloud computing providers, users, associations and other stakeholders.  The ...

From May 26, 2011, UK law regulating the use of cookies on websites will change from an opt-out regime to one requiring prior opt-in consent.  This change poses significant practical challenges for website operators.  In guidance on the new regulations, the UK Information Commissioner has acknowledged the challenge but warned that website operators must take steps now to ensure that they are ready to comply.

On May 11, 2011, the UK Information Commissioner’s Office (the “ICO”) published a new statutory code of practice on the sharing of personal data.  As stated in the ICO’s press release, the code of practice covers best practices for both routine and one-off data sharing activities, and offers organizations tips for reducing the risk of inappropriate or insecure data sharing.  By helping organizations understand how to share data appropriately, the code of practice should facilitate compliance with the Data Protection Act and minimize the risk of enforcement actions by the ICO or other regulators.

Austrian DPA Gives Green Light Subject to Conditions

On April 21, 2011, the Austrian Data Protection Commission (“Austrian DPA”) published its decision allowing Google to register its Google Street View application on the Austrian DPA’s data processing register.  As part of the registration procedure, Google agreed to blur images of faces and license plates prior to publishing them on the Internet, and to provide information to the public about the right to object to publication of certain images.  Further, the Austrian DPA required Google to:

On April 26, 2011, the French Data Protection Authority (the “CNIL”) issued a press release unveiling its inspection goals for the coming year.  In a report adopted on March 24, 2011, the CNIL indicated that it intends to conduct at least 400 inspections in France (100 more than the 2010 goal), with a special focus on the following issues:

As part of an effort to increase penalties for violations of the country’s Personal Information Protection Act, officials in Japan plan to extend liability under that law to individual employees, according to recent reports in The Yomiuri Shimbun and The Japan Times.  Currently, a company that violates the law may be fined or ordered to take remedial steps, and the company head may be imprisoned.  The law revision would come as part of changes to the legal framework accompanying a proposed national identification number system ...

On April 14, 2011, the European Advertising Standards Alliance (“EASA”) and IAB Europe released complementary new self-regulatory standards for online behavioral advertising.  This cross-industry initiative is aimed at enhancing European consumers’ control over their data and ensuring transparency, particularly with respect to advertisements that are delivered using third party online behavioral advertising.

Time 3 Minute Read

On April 18, 2011, the European Commission (the “Commission”) adopted an Evaluation Report on the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”).

The Data Retention Directive requires that, for law enforcement purposes, telecommunications service and network providers (“Operators”) must retain certain categories of telecommunications data (excluding the content of the communication) for not less than six months and not more than two years.  To date, most of the EU Member States have implemented the Data Retention Directive, but the Czech Republic, Germany and Romania no longer have implementing laws in place because their constitutional courts have annulled the implementing laws as unconstitutional.

Time 2 Minute Read

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion to clarify the legal framework applicable to smart metering technology in the energy sector (the “Opinion”).

Smart meters are digital meters that record energy consumption and enable two-way remote communication with the wider network for purposes such as monitoring and billing, and to forecast energy demand.  Smart meters are intended to allow the industry to better regulate energy supply, and to help individuals reduce consumption.  According to the Working Party, however, the analysis and exchange of smart metering information has the potential to be privacy-invasive.

Time 2 Minute Read

On April 15, 2011, the United Kingdom’s Department for Culture, Media and Sport (“DCMS”) announced that the UK will adopt the new EU rules on cookies without “gold-plating” the regulations by imposing additional national requirements, to help ensure that British companies can compete with the rest of Europe.  As we previously reported, the UK government had reassured businesses that it would carry out the implementation in a manner that would minimize the impact on businesses and consumers.

Time 3 Minute Read

On April 5, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the current EU personal data breach framework and recommendations for future policy developments (the “Opinion”).

In 2009, the revised e-Privacy Directive 2002/58/EC (the “e-Privacy Directive”) introduced a mandatory data breach notification regime for the telecommunications sector.  Pursuant to the e-Privacy Directive, telecommunications and internet service providers are required to report certain data breaches to their national regulator and to affected individuals.

Time 2 Minute Read

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that New Zealand ensures an adequate level of data protection within the meaning of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”).  The Working Party’s assessment in the Opinion focuses on the New Zealand Privacy Act 1993 and is based primarily on a comparison of the Act and relevant case law, against the provisions of the Data Protection Directive.

Time 2 Minute Read

On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.

The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market.  Reports of the completed privacy impact assessments must be made available to the national data protection authorities.  The Framework, which was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party, provides the first clear, comprehensive methodology that can be applied across all industry sectors to assess and mitigate RFID-related privacy risks.  It is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers.

Time 2 Minute Read

On April 6, 2011, the European Commission formally requested that Germany immediately comply with a March 9, 2010 judgment (C-518/07) by the European Court of Justice (the “Court”) concerning the independence of German data protection authorities (“DPAs”).

As we previously reported, the Court ruled in March 2010 that Germany had failed to properly implement the requirement that DPAs are to act with “complete independence” in exercising the functions entrusted to them, as explicitly provided by the EU Data Protection Directive 95/46/EC. According to the Commission, 15 out of Germany’s 16 federal states have not yet undertaken any action to rectify the violation identified in the Court’s judgment. In its formal notice letter, the Commission ordered Germany to comply with the Court’s judgment within two months or risk a fine or penalty imposed by the Court.

Time 2 Minute Read

Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (the “IFAI”) will issue the first set of regulations implementing Mexico's new private sector data protection law the week of April 11, 2011.  These first regulations will cover the legal requirements to provide privacy notices to consumers and to appoint a designated privacy official, which go into effect in July 2011.  The two agencies want to ensure that the private sector has adequate time to prepare appropriate privacy notices prior to the July effective date.  The balance of the law, granting individual participation rights to consumers, becomes effective in January 2012.

Time 2 Minute Read

As reported in BNA’s Privacy Law Watch, on March 29, 2011, South Korea’s president approved the Act on the Protection of Personal Data.  This comprehensive privacy law will require nearly all businesses and government agencies to provide data breach protection, mandate the use of privacy assessments before establishing certain new databases, and establish a right to file class actions in court over alleged violations of the law.  The implementing rules will be worked out before the law is due to take effect on September 30, 2011.  South Korea first attempted to enact a comprehensive privacy law in 2004; however, for the past seven years, omnibus privacy bills sponsored by the government and lawmakers have stalled in Parliament.

Time 2 Minute Read

A new French law containing several key amendments to the French Data Protection Act and creating a new public authority referred to as the “Defender of Rights” (Loi n°2011-334 du 29 mars 2011 relative au Défenseur des droits, or the “Law”) came into effect on March 30, 2011.  The Defender of Rights, whose role is to defend civil rights and liberties, to promote children’s rights and to fight against discrimination, also will serve as a member of the CNIL’s plenary committee.

Time 2 Minute Read

On March 21, 2011, the French Data Protection Authority (the “CNIL”) published its decision to fine Google €100,000 for violating the French Data Protection Act.

In 2009, the CNIL inspected Google’s geolocation service (“Street View”), which revealed that Google had collected huge quantities of undeclared personal data (e.g., navigation data, email content, logins and passwords) through Wi-Fi connections accessed by its Street View cars.  Google responded that the personal data had been collected by mistake, and promised to stop the Wi-Fi data collection.

Time 3 Minute Read

On January 13, 2011, the China Banking Regulatory Commission issued Measures for the Supervision and Administration of the Credit Card Businesses of Commercial Banks (the “Measures”), which took effect that same day. The Measures are reported to be the first comprehensive regulations relating to the credit card business in China, and include a number of provisions on the protection of personal information by commercial banks, as detailed below.

Time 3 Minute Read

On March 16, 2011, UK Information Commissioner Christopher Graham shared details of the government’s proposals for the implementation of the e-Privacy Directive with delegates at the Direct Marketing Association’s Data Protection Conference in London. A letter from the Minister for Culture, Communications and Creative Industries, Ed Vaizey, provides important reassurance to business that “Government is committed to introducing the amended provision in a way that minimises impacts to business and consumers.”

Time 6 Minute Read

On March 16, 2011, a meeting of the “European Privacy Platform” group of the European Parliament was held in Brussels.  The meeting provided important insights into the likely structure and content of proposed revisions to the European Data Protection Directive 95/46/EC that the European Commission has been working on for the past several months.

Time 2 Minute Read

On March 8, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a warning to UK businesses on the forthcoming amendments to the Privacy and Electronic Communications Directive (2002/58/EC as amended by 2009/136/EC) that will require businesses operating websites in the UK to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies.

Time 2 Minute Read

The Committee of Experts on New Media (the “Expert Committee”) of the Council of Europe (“CoE”) has issued draft recommendations and guidelines regarding the protection of human rights by search engines and social networking providers. The draft recommendations and guidelines observe that the way in which search engines and social networking providers operate impacts various human rights, especially the rights to freedom of expression and information and the right to privacy and data protection. Current drafts of both sets of recommendations and guidelines are open for public consultation and comments until March 18, 2011.

Time 2 Minute Read

On March 2, 2011, the German Federal government adopted a draft law revising certain sector-specific data protection provisions in the German Telecommunications Act.  The draft law addresses the implementation of data breach notification requirements in the European e-Privacy Directive by introducing a breach notification obligation for telecommunications companies.

Time 2 Minute Read

The Council of the European Union (the “Council”) released its conclusions following meetings held on February 24 and 25, 2011, regarding the European Commission’s November 4, 2010 Communication proposing “a comprehensive approach on personal data protection in the European Union” which we reported on last November.

Time 1 Minute Read

A draft document, entitled Information Security Technology - Guidelines for Personal Information Protection, has been issued in China for comment.  While comments are being solicited at this time, if issued in its proposed form, this document has the potential to add significantly to the rules governing the handling of personal information in China.

Time 2 Minute Read

The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These include: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.

Time 2 Minute Read

On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies.  Some security and privacy considerations.”

Time 1 Minute Read

In our August 2009 blog post on data protection issues in China, we noted that there was no uniform Chinese law that specifically addresses the protection of personal data, and that it seemed likely that Chinese personal information protection law would continue to develop as a patchwork of piecemeal regulations. This remains true today, and developments since our previous article was published have in fact reinforced this assumption. In the past year and a half, new laws affecting personal information protection in China have arisen in various forms, including a consumer ...

Time 2 Minute Read

Reporting from Israel, legal consultant Dr. Omer Tene writes:

In a sweeping, 91-page decision issued last week, the Israeli National Labor Court severely restricted employers’ ability to monitor employee emails.  In its opinion, the Court made strong statements concerning the suspect nature of employee consent and mandated the implementation of principles of legitimacy, transparency, proportionality, purpose limitation, access, accuracy, confidentiality and security.  The Court stated that, given the constitutional status of the right to privacy, exemptions to the Privacy Protection Act, 1981, must be interpreted narrowly.

Time 2 Minute Read

On February 8, 2011, the German Federal Commissioner for Data Protection and Freedom of Information issued a concept paper setting forth concrete suggestions for the creation of a Data Protection Foundation (the “Foundation”). The German government has reserved a budget of €10 million to establish the Foundation, which it plans to do in 2011.

Time 1 Minute Read

On February 3, 2011, the German Federal Commissioner for Data Protection and Freedom of Information issued a press release announcing that it has approved the privacy policy formulated by Deutsche Post DHL.  This allows Deutsche Post DHL to transfer personal data abroad in accordance with its privacy policy without having to obtain approval in individual cases.  Deutsche Post DHL is the first German company to have its binding corporate rules (“BCRs”) approved at the European level, following an extensive consultation process among EU data protection authorities.

Time 2 Minute Read

Reporting from Israel, legal consultant Dr. Omer Tene writes:

The Israeli Law, Information and Technology Authority (“ILITA”) has issued a new instruction (the “Instruction”) restricting financial institutions from using information concerning writs of execution issued against clients’ property.  Pursuant to the Instruction, if a bank or insurance company finds out that a client’s account has become subject to a writ of execution, such information may not be used to deny the client credit or to adjust the rate of his or her insurance premiums.  Information regarding writs of execution may be used only to carry out the writ.  ILITA’s Instruction is based on the purpose limitation provisions in the Israeli Privacy Protection Act, 1981, as well as a specific section in the Execution of Judgments Act, 1967.

Time 2 Minute Read

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On January 31, 2011, the European Commission formally approved Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive.  The decision is restricted to automated international data transfers from the EU, as well as to non-automated data transfers that are subject to further automated processing in Israel.  It will allow unrestricted transfers of personal data from the EU to Israel, for example between corporate affiliates or from European companies to data centers in Israel.

Time 2 Minute Read

On January 24, 2011, the data protection authority of the German state of Rhineland-Palatinate issued a press release regarding significant breaches of data protection law by companies that maintain websites and create user profiles.

Time 2 Minute Read

On January 17, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released a response to the European Commission’s consultation paper, “A comprehensive approach on personal data protection in the European Union.”  In its response, prepared by Richard Thomas, former UK Information Commissioner and Global Strategy Advisor of the Centre, the Centre calls for a modernized European framework for data protection that addresses the realities of the digital age.

Time 2 Minute Read

On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).

Currently, there is wide debate throughout the EU regarding data breach notification requirements.  The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011.  The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.

Time 3 Minute Read

On January 13, 2011, a Bill (Projet de loi organique relatif au Défenseur des droits) containing several amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly.  If enacted, the Bill would amend several key provisions of the French Data Protection Act, including revisions regarding the powers of the French Data Protection Authority (the “CNIL”), and the role of Chairman of the CNIL.  The amendments are summarized below.

Time 4 Minute Read

Earlier this month, the Belgian Privacy Commission (the “Belgian DPA”) published its December 15, 2010 Recommendation on Mobile Mapping (Recommandation d’initiative en matière de Mobile Mapping, or “the Recommendation”).  The Recommendation defines Mobile Mapping as “technology by which a vehicle equipped with a camera and/or a scanner can digitally record all data on a specific road, including by taking 360° photos.”  The scope of the Recommendation covers not only applications such as Google Street View, but also other types of Mobile Mapping such as mapping by public authorities, mapping for tourism, real estate applications and GPS navigation mapping.

Time 2 Minute Read

On January 11, 2011, Michelle O’Neill, U.S. Department of Commerce Deputy Under Secretary for International Trade, held a briefing on her November 2010 meetings in Brussels with European data protection authorities.  She discussed a data protection and privacy forum that was convened in November at which she met with several high-level European regulators, including Jacob Kohnstamm, Viviane Reding and Peter Hustinx.  O’Neill mentioned “the right to be forgotten” as a current hot-button issue in Europe.  Commissioner Reding, who is firmly in charge of the reconsideration of the EU Data Protection Directive, focused on ensuring easier compliance with EU data protection rules and greater harmonization among Member States.  O’Neill stated that Peter Hustinx was encouraged by the work ongoing in the United States, including the “Green Paper” issued by the Department of Commerce.  He considers the various U.S. efforts a basis for further dialogue with U.S. authorities.  O’Neill noted that comments to the EU consultation are due January 15, 2011.  The Department of Commerce intends to file a response.

Time 6 Minute Read

Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).

The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold.  First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”).  The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws.  Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.  Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.

Time 4 Minute Read

On November 25, 2010, the German data protection authorities responsible for the private sector (also known as the “Düsseldorfer Kreis”) issued a resolution on the minimum requirements for the qualifications and independence of company data protection officers (“DPOs”).  This initiative follows inspections carried out within companies that revealed a generally insufficient level of expertise among DPOs given data processing complexities and the requirements set by the Federal Data Protection Act.  The DPAs recognize that a DPO’s workload depends primarily on the size and number of data controllers the DPO supervises, industry-specific factors related to data processing and the level of protection required for the types of personal data being processed.  Changes with respect to these factors frequently increase the burden on DPOs without a compensating increase in resources needed to ensure proper oversight.

Time 1 Minute Read

Adam Kardash from Heenan Blaikie LLP in Canada reports that Bill C-28, the Fighting Internet and Wireless Spam bill, received Royal Assent on December 15, 2010.  The centerpiece of the Act is its prohibitions aimed at preventing spam, but the law also includes regulations to combat phishing and protect users from online malware.  Specifically, among other things, the legislation would prohibit:

  • sending commercial electronic messages (including emails and text messages) without consent (subject to certain limited exceptions);
  • altering transmission data on email messages; and
  • the installation of computer programs without express consent.

Time 1 Minute Read

The 32nd International Conference of Data Protection and Privacy Commissioners held in Jerusalem this October continued the trend from past conferences by enacting a resolution, this time with respect to the adoption of global privacy standards.  The Jerusalem Declaration calls for an intergovernmental conference in 2011 or 2012 to negotiate a binding international agreement guaranteeing respect for data protection and privacy, and facilitating cross-border coordination of enforcement efforts.  The basis for the binding international agreement would be the Madrid ...

Time 2 Minute Read

On October 14, 2010, the French Data Protection Authority (the “CNIL”) adopted several amendments to its single authorization AU-004 regarding the use of whistleblowing schemes (the “Single Authorization”).

Since 2005, companies in France must register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for approval with the CNIL.  Companies that self-certify to the Single Authorization make a formal undertaking that their whistleblowing scheme complies with the pre-established conditions set out in this authorization.  In particular, the scope of the Single Authorization is limited to the following specific areas: finance, accounting, banking, fight against corruption and compliance with Section 301(4) of the Sarbanes-Oxley Act.  Under the revised framework, the CNIL has extended the scope of the Single Authorization to include the prevention of anti-competitive practices and compliance with the Japanese Financial Instrument and Exchange Act.

Time 1 Minute Read

The Yomiuri Shimbun has been following a story regarding the November 25, 2010, release by a Tokyo publisher of a book containing Tokyo Metropolitan Police Department anti-terrorism documents that were leaked on the Internet in October.  According to reports, the book (“Leaked Police Terrorism Info: All Data”) contains 469 pages of unedited personal information of foreign residents who are being monitored by Japanese authorities, as well as the names of the police officers involved in the cases and individuals who have cooperated with police investigations.  On November 29, a ...

Time 2 Minute Read

On December 1, 2010, the German Federal Ministry of the Interior (the “BMI”) issued a paper entitled “Data Protection on the Internet,” which contains a draft law to protect against particularly serious violations of privacy rights online.

Time 2 Minute Read

On December 1, 2010, the European Parliament hosted a Privacy Platform on the European Commission’s recent Communication proposing “a comprehensive approach on personal data protection in the European Union,” which is aimed at modernizing the current EU data protection framework.

The panel, hosted by European Parliament Member Sophie in ‘t Veld, included:

  • The Head of Cabinet of the European Commission’s Commissioner for Justice, Fundamental Rights and Citizenship, Martin Selmayr (in Commissioner Viviane Reding’s absence);
  • The Chairman of the Article 29 Working Party, Jacob Kohnstamm; and
  • The European Data Protection Supervisor, Peter Hustinx.

The Platform was very well attended, bringing together a wide range of stakeholders from both the public and private sectors.

Time 4 Minute Read

On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling.  View the press release.

The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles.  It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”  The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual.  Interestingly, Member States may decide to exclude the public sector under certain conditions.

Time 1 Minute Read

Adam Kardash from Heenan Blaikie LLP in Canada reports that Jennifer Stoddart has been nominated for reappointment as Privacy Commissioner of Canada for a three-year term.  The nomination will be tabled in the House of Commons for consideration and is widely expected to be accepted.

Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, said, “Commissioner Stoddart has been a key leader in bringing data protection into the 21st century.”

Ms. Stoddart has served as Privacy Commissioner since December 2003.

For further ...
