Privacy & Information Security Law Blog

On October 2, 2013, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU legal requirements (“Working Document”).

At its meeting on October 7, 2013, the Council of the European Union voiced support for the “one-stop-shop” mechanism in the draft General Data Protection Regulation (the “Regulation”). The “one-stop-shop” mechanism allocates responsibility for overseeing data processing activities in multiple EU Member States to the data protection authority of the EU Member State where the data controller or processor has its main establishment. At the Council meeting, a majority of the EU Member States indicated that the responsible data protection authority should have exclusive decision powers with regard to enforcement actions, but acknowledged that the “local” DPAs should be involved in the decisionmaking process as well. The Council emphasized the need for further exploration of the European Data Protection Board’s role in ensuring consistent application of EU data protection rules.

On October 8, 2013, a Royal Decree was published completing the transposition of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) into Belgian law. The Royal Decree was adopted on September 19, 2013.

On October 2, 2013, the 86th Conference of the German Data Protection Commissioners concluded in Bremen. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

In its October 2013 e-newsletter, the UK Information Commissioner’s Office (“ICO”) announced that it is reviewing its Privacy Notices Code of Practice (the “Code”) to assess whether it should be updated. The Code, last updated in December 2010 and issued under Section 51 of the UK Data Protection Act 1998 (the “DPA”), is designed to assist organizations “to collect and use information appropriately by drafting clear and genuinely informative privacy notices.”

On October 4, 2013, The Centre for Information Policy Leadership’s Senior Policy Advisor Fred Cate reported on the 35th International Conference of Data Protection and Privacy Commissioners which concluded on September 24 in Warsaw, Poland. The report indicates that four main issues dominated the Conference: (1) challenges presented by technologies such as mobile apps and online profiling, (2) multinational interoperability and enforcement, (3) pending EU data protection regulation and alternatives, and (4) repercussions of NSA surveillance activities.

On September 30, 2013, Hunton & Williams LLP hosted representatives from the U.S. Department of Commerce for a timely discussion of the Safe Harbor Framework, the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules System (“CBPRs”), and the Transatlantic Trade and Investment Partnership (“TTIP”) negotiations. The panel also addressed the development of privacy codes of conduct and privacy legislation being developed by the Department of Commerce.

On September 27, 2013, California Governor Jerry Brown signed into law a bill amending the California Online Privacy Protection Act (“CalOPPA”) to require website privacy notices to disclose how the site responds to “Do Not Track” signals, and whether third parties may collect personal information when a consumer uses the site. Although the changes to the law do not prohibit online behavioral advertising, this is the first law in the United States to impose disclosure requirements on website operators that track consumers’ online behavior.

On September 24, 2013, the Singapore Personal Data Protection Commission (the “Commission”) published guidelines to facilitate implementation of the Singapore Personal Data Protection Act (the “PDPA”). The Advisory Guidelines on Key Concepts in the Personal Data Protection Act and the Advisory Guidelines on the Personal Data Protection Act for Selected Topics provide explanations of concepts underlying the data protection principles in the PDPA, and offer guidance on how the Commission may interpret and apply the PDPA with respect to certain issues (e.g., anonymization, employment, national identification numbers). The guidelines are advisory only; they are not legally binding.

On September 25, 2013, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, expanded his investigation of the data broker industry by asking twelve popular health and personal finance websites to answer questions about their data collection and sharing practices.