Privacy & Information Security Law Blog

On January 13, 2016, the Russian Data Protection Authority (Roscommandzor) released its plan for audits this year to assess compliance with Russia’s data localization law, which became effective on September 1, 2015. The localization law requires companies to store the personal data of Russians in databases located in Russia. The audit plan indicates that the Roscommandzor will audit large, multinational companies doing business in numerous jurisdictions and processing the personal data of Russian citizens ...

On January 28, 2016, the Senate Judiciary Committee passed the Judicial Redress Act (the “Act”), which would give EU citizens the right to sue over certain data privacy issues in the U.S. The Act passed after an amendment was approved which would condition EU citizens’ right to sue on EU Member States (1) allowing companies to transfer personal data to the U.S. for commercial purposes and (2) having personal data transfer policies which do not materially impede the national security interests of the U.S. The vote was initially set to take place on January 21, 2016, but was delayed.

On January 21, 2016, the Israeli Law, Information and Technology Authority (“ILITA”) announced that it would postpone for the time being any review or enforcement actions on data transfers from Israel to the United States that are based on the U.S.-EU Safe Harbor framework.

On January 21, 2016, a Senate Judiciary Committee vote on the Judicial Redress Act, which would give EU citizens the right to sue over certain data privacy issues in the U.S., has reportedly been postponed. As reported by Forbes, the vote may have been delayed due to amendments to the fifth paragraph of the bill, which deals with litigation pursuant to the act. The vote was initially scheduled for today.

On February 22, 2016, the Centre for Information Policy Leadership (“CIPL”), together with TRUSTe, the Information Accountability Foundation and Information Integrity Solutions, will co-host a workshop on Building a Dependable Framework for Privacy, Innovation and Cross-Border Data Flows in the Asia-Pacific Region in Lima, Peru. The workshop will be held in the margins of the upcoming meetings of the APEC Electronic Commerce Steering Group and its Data Privacy Subgroup in Lima from February 23-27, 2016.

On December 30, 2015, Taiwan’s Office of the President issued an order to promulgate certain amendments (the “Amendments”) to Taiwan’s Personal Data Protection Law (the “PDPL”). The Amendments revise 12 articles in the PDPL. The Amendments concern the collection and use of sensitive personal data, the form of consent for the collection and use of non-sensitive personal data, and the imposition of criminal liability for violations of certain provisions of the PDPL. The Amendments are expected to become effective in the first half of 2016 on a date to be determined by the Executive Yuan.

On January 12, 2016, the European Court of Human Rights (“the Court”) ruled in Bărbulescu v. Romania that companies can monitor their employees’ online communications in certain circumstances.

The case concerned the dismissal of a Romanian engineer, Bărbulescu, by his employer, for the use of the company’s Internet and in particular, Yahoo Messenger, for personal purposes during work hours. The employer alleged that Bărbulescu was violating internal regulations that prohibit the use of the company’s equipment for personal purposes.

On December 28, 2015, the People's Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, in supplement to the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People's Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.

On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc. (“Schein”), agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company engaged in unfair or deceptive acts or practices by falsely representing that the Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

On January 7, 2016, the European Data Protection Supervisor (the “EDPS”) published his Priorities for 2016. The EDPS Priorities consists of a cover note listing the strategic priorities of the EDPS in 2016 and a color-coded table listing the European Commission’s proposals that require the EDPS’ attention, per level of priority.

In line with the EDPS Strategy 2015-2019 unveiled in March 2015, the EDPS will set his focus on the following areas of strategic importance: