Two developments in Russian law this summer could significantly limit the ability of cloud and other online services to publish online content and to make Russian data remotely available online. The first is the advancement of legislation requiring data operators to store locally in Russia information of Russian citizens. The second is the countdown to the effective date of new rules that impose onerous registration, content, and censorship requirements on certain website operators and electronic communication services. We address each here in turn.
Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.
The French data protection authority has announced that following the “cookie sweep day” due to take place the week commencing 15 September 2014, it will launch a program of website audits in October to verify compliance with the CNIL’s 5 December 2013 cookie recommendations.
On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent European Court of Justice judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid.
In a new turn to the Maximilian Schrems case in Ireland, the Irish High Court on 18 June 2014 decided to refer several questions to the European Court of Justice, including whether national data protection authorities in Europe may disregard the Safe Harbor decision of the European Commission when assessing whether the U.S. recipient of data ensures an adequate level of data protection required under EU law. Depending on the outcome of the case, European and U.S. companies may not be able to rely on Safe Harbor to legitimise cross-border data transfers in the future.
The German Federal Labor Court has published its reasoning underlying a June 2013 decision in which it declared invalid the dismissal by a large supermarket of an employee who was found in possession of stolen goods. According to the Court, the factual evidence leading to the dismissal—obtained upon inspection of the employee’s workplace locker without the presence of the employee—was gathered in violation of the employee’s right to privacy established by the German Federal Data Protection Act. The ruling represents a shift in case law regarding employee data privacy were German courts are likely to exclude from civil law proceedings information collected in violation of statutory data privacy requirements. Companies operating in Germany should be aware of these requirements in order to avoid losing lawsuits as a consequence of non-compliance with strict local data privacy rules.
The “one-stop-shop” EU data protection regulator was originally presented as one of the fundamental pillars of the future Data Protection Regulation, but now hangs in the balance of the EU legislative process. This post provides the latest on the status of one-stop-shop in the Council of the EU, where it currently is being debated.
In an Op-Ed for the National Post entitled “Sorry, but there’s no online ‘right to be forgotten’,” privacy advocates Ann Cavoukian and Christopher Wolf team up to consider the consequences of the European Court of Justice’s “Right to Be Forgotten” ruling. The pair focus on potential conflicts created by the Right to Be Forgotten between the right to privacy and that of free expression and highlight the plausible outcome that companies, in their new forced role as online censors, may “err on the side of deleting links to information.”
In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations, the State Department confirmed that a company could use a data security method called “tokenization” to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took “sufficient means” to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing.
Canada’s new anti-spam law was passed in December 2010, and certain provisions will become effective 1 July 2014 — including new consent requirements for e-mails and certain other electronic messages. As of 1 July 2014, an organization must have consent to send commercial electronic messages to an email account, telephone account or instant messaging account. In addition, CEMs must include certain identification information and an unsubscribe mechanism. The law applies to messages whenever a computer system located in Canada is used to send or access the CEM. Certain exemptions and transition periods also apply.
Whilst the reform of the EU data protection framework continues its tortuous course in Brussels’ corridors of power, privacy pros in the real world are doing their best to cope with the current uncertainty. One of the ever-present sources of concern for those with data-related operations in Europe is how to overcome the restrictions affecting international data transfers in a cost-effective, sustainable and effective manner. In reality, there are many paths to follow, but choosing the right one is not always obvious—each case is different, and limited resources and time constraints often add an unwelcome degree of stress and complexity to the process.
The Chairman of the French National Assembly, Claude Bartolone, announced June 11 the creation of a parliamentary commission on digital rights, whose task will be among other things to define guidelines for evaluating legislative proposals affecting digital rights. France’s new Digital Rights Commission consists of 13 members of Parliament and 13 outside experts. Among the outside experts is Hogan Lovell’s partner Winston Maxwell, known for his work on net neutrality and data privacy.
The discussion at the Council of the EU in the context of the European data protection legislative reform that took place on 6 June is by no means the end of a process which is likely to carry on for at least a year, but it provided a helpful pointer as to where the policy making thinking is. One of the biggest challenges that organisations operating in the EU have faced since the 1990s is the prohibition on transfers of data to jurisdictions outside the EU without equivalent standards of data protection. The ongoing legislative reform is an opportunity to review the existing regime and bring it into line with today’s data globalisation.
Vodafone’s publication last Friday of its first Law Enforcement Disclosure Report attracted global press attention and comment. The report provides detailed insight into the legal frameworks, governance principles and operating procedures associated with responding to demands for assistance from law enforcement and intelligence agencies in 29 countries in which Vodafone operates.
Three weeks after the FTC’s seminar on Consumer Generated and Controlled Health Data, the French data protection authority, the CNIL, held its own workshop on connected health and wellness devices. This blog post summarizes the results of the CNIL workshop.
A recent article by Hogan Lovells provides key takeaways for businesses in light of last week’s landmark ruling by the European Court of Justice that in effect judicially sanctioned a “right to be forgotten” allowing data subjects to scrub their names from a public record while also extending jurisdiction under European data protection law to include non-EU companies that may have a branch or subsidiary in the European Union and that collect data in the context of business activities in the European Union.
Internet service providers, social media websites, search engines, and other online companies hosting user-generated content that do business in Brazil or collect information online from Brazilian consumers should be aware of the “Marco Civil da Internet,” or Brazilian Internet Law, that takes effect 23 June 2014. As detailed in an alert published by attorneys from the Hogan Lovells Washington, D.C., São Paulo, and Rio de Janeiro offices, While Brazil still does not have a comprehensive privacy law, the Brazilian Internet Law contains privacy requirements that broadly restrict these companies from the sharing of users’ personal information, their communications, and certain online logging data. Covered companies will, however, be required to retain Web logs for a period of time and protect the user-related information they hold.
The Article 29 Working Party’s new opinion on anonymization techniques provides a useful primer on randomization and generalization (i.e., data aggregation) techniques used to anonymize data sets. The opinion analyzes each technique based on three ways that data can be re-identified: the ability to single out individuals after the anonymization technique has been applied; the linkability of the anonymized data sets to other data sets; and finally the ability of the data sets to resist inference attacks after application of the anonymization technique. Organizations depending on anonymization for compliance with the Data Protection Directive would be well advised to review their anonymization processes to determine if they comport with the standards set out in the opinion.
In a decision rendered on 8 April 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid. The Court’s decision was grounded on its conclusion that, by requiring the retention of the data falling within the scope of the Directive, and by allowing the competent national authorities to access those data, the Directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
The privacy enforcement in Hong Kong under its data protection law, the Personal Data (Privacy) Ordinance, ramped up significantly last year. Hong Kong’s Privacy Commissioner for Personal Data received 1,792 complaints in 2013, a record high. The figures show a 48% increase in complaints filed and more than a doubling of the number of enforcement notices issued by the Commissioner, with 25 enforcement notices issued in 2013 against 11 in 2012. 78% of all complaints were made against the private sector and in particular the financial, telecommunications and property sectors. The Commissioner has confirmed that a key focus for 2014 will be to increase its enforcement efforts.
On 12 March 2014, the European Parliament voted overwhelmingly in favour of the European Commission’s data protection reform with 621 votes for, 10 against, and 22 abstentions for the proposed General Data Protection Regulation. The vote is significant because it confirms the approval of the European Parliament, one of the required participants in the s0-calle “trilogue” process along with the Commission and the Council, which will not change even if the composition of the Parliament changes following the European elections in May.
The CNIL, France’s data protection authority, published on 25 February 2014 a new recommendation relating to the collection of credit card information, replacing an older 2003 recommendation. The new recommendation, which represents a de facto standard for online merchants and payment services providers who collect data from French consumers, is more prescriptive than the old, particularly regarding how online merchants should seek consent for the retention of credit card information.
The French data protection authority has just published an amended version of its standard authorization for professional whistleblowing helplines which results in a significant broadening of its scope but also tightens the requirements for anonymous reporting. Under French data protection legislation, whistleblowing helplines are subject to prior authorization by the French data protection authority. Indeed, French data protection legislation require that processes which may result in the exclusion of a person from the benefit of a right or a contract are subject to prior authorization, as could be the case when resorting to a whistleblowing helpline (employees may incur sanctions and be terminated).