Privacy & Information Security Law Blog

On July 12, 2016, after months of negotiations and criticism, the EU-U.S. Privacy Shield (“Privacy Shield”) was officially adopted by the European Commission and the Department of Commerce. Similar to the Safe Harbor, companies must certify their compliance with the seven principles comprising the Privacy Shield to use the Shield as a valid data transfer mechanism. Hunton & Williams partner Lisa J. Sotto and associate Chris D. Hydak recently published an article in Law360 entitled “The EU-U.S. Privacy Shield: A How-To Guide.” In the article, Lisa and Chris detail the ...

On July 26, 2016, the U.S. Department of Commerce announced that it has launched a new website that provides individuals and companies with additional information regarding the EU-U.S. Privacy Shield Framework (“Privacy Shield”). Among other things, the website provides information about complying with, and self-certifying to, the Privacy Shield’s principles. The Department of Commerce’s website will begin accepting certifications on August 1, 2016.

On July 19, 2016, Advocate General Saugmandsgaard Oe (“Advocate General”), published his Opinion on two joined cases relating to data retention requirements in the EU, C-203/15 and C-698/15. These cases were brought following the Court of Justice for the European Union’s (“CJEU's”) decision in the Digital Rights Ireland case, which invalidated Directive 2006/24/EC on data retention. The two cases, referred from courts in Sweden and the UK respectively, sought to establish whether a general obligation to retain data is compatible with the fundamental rights to privacy and data protection under EU law.

This post has been updated. 

On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation (“Microsoft”) cannot be compelled to turn over customer emails stored abroad to U.S. law enforcement authorities.

On July 14, 2016, the Federal Trade Commission issued warning letters to 28 companies relating to apparent false claims of participation in the APEC Cross-Border Privacy Rules (“CBPR”).

The warning letters state that the companies’ websites represent APEC CBPR certification even though the companies do not appear to have undertaken the necessary steps to claim certification, such as a review and approval process by an APEC-recognized Accountability Agent.

On July 12, 2016, the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, and U.S. Secretary of Commerce Penny Pritzker announced the formal adoption of the EU-U.S. Privacy Shield (the “Privacy Shield”) framework, composed of an Adequacy Decision and accompanying Annexes.

On July 6, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on video surveillance under the EU General Data Protection Regulation (“GDPR”).

This paper is part of a series of papers that the Bavarian DPA will issue periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasized that these papers are non-binding.

On July 6, 2016, the UK government decided to close its controversial care.data scheme after concerns were raised about the safeguards in place to protect individuals’ health care data and issues with patient transparency.

On July 8, 2016, EU representatives on the Article 31 Committee approved the final version of the EU-U.S. Privacy Shield (“Privacy Shield”) to permit transatlantic transfers of personal data from the EU to the U.S.

On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the “NIS Directive”), which will come into force in August 2016. EU Member States will have 21 months to transpose the NIS Directive into their national laws. The NIS Directive is part of the European Commission’s cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.