Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: International/EU Privacy

Subscribe to International/EU Privacy RSS Feed
Posted in International/EU Privacy

French Official Recommends Increased Supervision Over Government Data-Gathering

During a November 13, 2014 hearing before the Digital Rights Commission of the French National Assembly, Jean-Marie Delarue, the head of France’s oversight Commission for National Security Interceptions said that France’s 1991 law on national security wiretaps needed to be updated to better protect individuals. Currently, the CNCIS is consulted by the Prime Minister’s office before the implementation of national security wiretaps. According to Mr. Delarue, this system works well for wiretaps. But the collection of metadata falls largely outside this procedure. According to Delarue, a major overhaul of the 1991 law on national security wiretaps is needed to catch up with modern intelligence gathering techniques and to better reflect the case law of the European Court of Human Rights. According to Delarue, justifications for government invasion of privacy need to be narrowly defined by law. Broad justifications such as “fundamental interests of the nation” are too vague to withstand scrutiny under European constitutional principles.

Posted in International/EU Privacy

How Do Global Businesses Know When EU Data Protection Law Applies to Them?

At the heart of EU data protection law is the passionate belief in the right to privacy. Indeed, the Treaty of Lisbon has now recognised both privacy and data protection as fundamental rights under EU law. As fundamental rights, there is a sense in which the scope of privacy and data protection must be expanded to the furthest extent possible. Yet, like any other law, it must be clear when and where EU data protection rules apply and the applicable law provision in the current Data Protection Directive has caused some headaches along the way. Whether the proposed new EU regime will prove to be a calming tonic remains to be seen. Today’s technology pays no attention to geographic borders. What do Cloud Computing networks care about the Atlantic Ocean so long as the network is resilient and customers can access their data? Businesses typically structure their systems in order to provide the best commercial proposition which often (but not always) involves cross-border data transfers. Therefore, cross-border data transfers are a part of everyday business. But businesses need to understand which laws apply to their operations to ensure compliance and avoid being chased by regulators or disgruntled customers. Unfortunately, the Directive’s provision concerning when it applies has not always provided much clarity.

Posted in International/EU Privacy

Data Privacy Regulation Comes of Age in Asia

Asia has seen a proliferation of new and stepped-up data privacy laws in recent years. Many of these laws draw from a common source in the APEC Privacy Framework, a principles-based document that shares origins with Europe’s Directive 95/46. But regional framework notwithstanding, these laws have been implemented with unique features and important nuances in each jurisdiction across the Asia region. Critically, these laws are now being enforced, with high profile data security breaches and enforcement action regularly hitting the headlines in Asia, as elsewhere. Data privacy issues are now board level issues in Asia. Our Data Privacy Regulation Comes of Age in Asia gives an overview of regional developments and features a “heat map” that compares and contrasts regulatory standards and the enforcement environment in Asia’s key jurisdictions.

Posted in International/EU Privacy

Insights from the Russian Data Protection Authority’s Conference on Personal Data Protection

In a recent client alert, partner Natalia Gulyaeva and associate Maria Sedykh from the Hogan Lovells Moscow Office joined associate Bret Cohen from the Hogan Lovells Washington, D.C. office to highlight key insights from the fifth annual conference on “Personal Data Protection” hosted by Roskomnadzor, Russia’s Data Protection Authority.

Posted in International/EU Privacy

Update on South Africa’s Data Protection Regime

Until very recently, data protection in South Africa was regulated only under the broad constitutional right to privacy, the common law and a few pieces of legislation that contained interim provisions relating to data protection. In November 2013, South Africa enacted the Protection of Personal Information Act, the country’s first data protection-specific legislation. The Act partially came into force in April 2014 to create an information regulator and to codify concepts such as “processing” and “personal information”. The commencement of those sections is indicative of the processes being put in place by the government of South Africa to ensure that the commencement of the remaining sections is met with relevant support, in the form of regulations and the establishment of an information regulator. Though the remaining sections of the Act (including the material provisions) are not yet enforceable and have no foreseeable or determinable effective date, businesses operating in South Africa should be aware of the Act’s provisions as they may one day come into force.

Posted in International/EU Privacy

The Privacy Challenges of the New European Commission

The European Union’s executive branch has a brand new engine. Following the European Parliament’s election earlier this year and after months of political manoeuvring, a new European Commission is now in place and fully operational. The Commission’s functions remain as they were but under a revised structure of one president – Jean-Claude Juncker – seven vice-presidents responsible for designated policy areas and 20 commissioners. As the main policy making body in the European Union, the Commission continues to be in charge of pushing forward the ongoing data protection legislative reform that will lead to a new legal framework for privacy across the EU.

Posted in International/EU Privacy

Recording and Deck from Webinar on New Russia Data Localization Law

Thank you to everyone who attended our webinar last Tuesday on the new Russian law introducing rules requiring the local storage of the personal data of Russian citizens. For those who were unable to make it, linked to this blog post are a recording of the entire webinar and a copy of the slide deck.

Posted in International/EU Privacy

Prepare Yourself for the ‘Risk-Based’ Approach to Privacy

Assuming a fair amount of hard work and that the EU institutions are able to put their political skills to good use, 2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years. It was in 2010 when the European Commission formally acknowledged that the 1995 Data Protection Directive was ready for a makeover to address the privacy and data protection needs of the 21 century. Since then, stakeholders covering a whole spectrum of views have participated in a process that is approaching a decisive stage. In early 2014, the European Parliament came forward with a bold proposal to amend the Commission’s original draft and put the ball firmly in the Council of the EU’s court. As the Council finalises its own proposal, a picture of what the new framework will look like is starting to emerge.

Posted in International/EU Privacy, News & Events

Upcoming Webinar on Russian Data Localization Law

On Tuesday, October 28, Natalia Gulyaeva of Hogan Lovells’ Moscow office and Bret Cohen of our Washington, D.C. office will host a complimentary webinar outlining implications for businesses of the new Russian Data Storage Law. The law, which may come into effect as early as January 2015, requires that data “operators” – organizations that process personal data of Russian citizens, including providers of Internet-based services – to store the personal data of Russian citizens on databases located in the country.

Posted in International/EU Privacy

German Data Protection Authorities Issue Resolution on Connected Cars

The Conference of the German Federal and State Data Protection Authorities during its last meeting on 8 and 9 October adopted the resolution “Data Protection in the Car”. The resolution expresses a concern about what it describes as privacy risks involved in the growing collection and processing of personal data in cars, and the interests of various actors (car manufacturers, service providers, insurance companies, employers) in using those data.

Posted in International/EU Privacy

Hogan Lovells Partner Considers Impact of Europe’s “Right to be Forgotten”

The “Right to be Forgotten” ruling issued by the European Court of Justice in May 2014 has been a key source of controversy this summer. Much criticism has explored the impact of the ruling on freedom of expression and the right of access to information. In an article published in the Privacy and Data Protection Journal, Eduardo Ustaran, Partner in Hogan Lovells’ Global Privacy and Information Management Practice, unpacks the wider implications of the ruling to focus on key legal-applicability considerations for businesses with subsidiaries in the EU. The article also considers how the ruling will impact legislative debate on the forthcoming EU Data Protection Regulation.

Posted in International/EU Privacy

Why Binding Safe Processor Rules Are Key to Global Privacy

Ask any data protection officer or privacy counsel what tops their list of trepidations and engaging global data services’ vendors will be up there. The combination of security threats and burdens, restrictions on international data transfers and data-hungry law enforcement authorities has turned delegating any data processing or storage operations to cloud service providers into an unnerving proposition. This is unfortunate given all the practical benefits and crucial role of cloud computing for the world’s economy and the information society. If we add to this the incessant scrutiny of Safe Harbor and the growing distrust surrounding technology giants which is part of the legacy of the post-Snowden era, things are not looking very rosy for the global guardians of our information. It needs not be this way.

Posted in International/EU Privacy, Privacy & Security Litigation

Unsurprisingly, U.S. Court Rules that Cloud Provider Must Produce Data Stored Abroad

On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland. Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data. Since the ruling, many have expressed surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, much as it shouldn’t come as a surprise that many other countries’ governments provide the exact same authority.

Posted in International/EU Privacy

Is Appointing an EU Controller Still Valuable for Global Businesses?

The dust has yet to settle but much has already been said about the implications of the Google Spain decision by the Court of Justice of the European Union and the right to be forgotten. The controversy has focused on the impact of this judgment on freedom of expression and the right of access to information, as well as the potentially devastating effect of a large amount of deletion requests. EU regulators are wondering – like everybody else – how big and unmanageable this is going to get, whilst search engines scramble for resources to deal with the unknown. With the prospect of an even more demanding EU privacy framework looming over the horizon, the right to be forgotten decision is a potential game changer for the whole Internet industry. But the CJEU did not just enable an unprecedented level of control by individuals over their data, it shook the basis on which the applicability of EU data protection law has been understood until now.

Posted in International/EU Privacy

EU Data Protection Supervisor’s Workshop Examines Role of Privacy in Merger Reviews and Competition Investigations

In a recent client alert, Hogan Lovells partners from the firm’s London and Washington, D.C. offices highlighted key takeaways for businesses following the European Data Protection Supervisor’s Workshop on Privacy, Consumers, Competition, and Big Data. The workshop, hosted by EDPS in the European Parliament in Brussels on 2 June 2014, discussed the technological advances and market for ‘big data’ analytics and the policy implications for the fields of data protection, competition and consumer protection of the rapidly expanding digital economy in the EU and in other regions, particularly the in US. Around 70 experts attended, including representatives from the European regulators and the US Federal Trade Commission.

Posted in International/EU Privacy

Cookie Consent—What’s Changed?

Almost five years ago, EU legislators shocked the Internet world by changing the legal requirement for the use of cookies and similar device identification techniques from “notice and opt-out” to “notice and consent.” At first, there was a sense of disbelief about whether this sudden legal twist was for real. As the dust settled, it became clear that what had been common practice until then—sticking a generic paragraph about the use of cookies in the privacy policy and referring users to the browser’s menu for further control—was no longer enough to comply with the new requirement.

Posted in International/EU Privacy

Russia Enacts Data Localization Requirement; New Rules Restricting Online Content Come into Effect

Two developments in Russian law this summer could significantly limit the ability of cloud and other online services to publish online content and to make Russian data remotely available online. The first is the advancement of legislation requiring data operators to store locally in Russia information of Russian citizens. The second is the countdown to the effective date of new rules that impose onerous registration, content, and censorship requirements on certain website operators and electronic communication services. We address each here in turn.

Posted in International/EU Privacy

Hogan Lovells White Paper Examines Governmental Access to Data in the U.S. and Latin America

Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.

Posted in International/EU Privacy

UK Government Seeks to Preserve Data Retention Powers

On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent European Court of Justice judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid.

Posted in International/EU Privacy

Irish High Court Refers Questions to European Court of Justice: Can National DPAs Disregard Safe Harbor?

In a new turn to the Maximilian Schrems case in Ireland, the Irish High Court on 18 June 2014 decided to refer several questions to the European Court of Justice, including whether national data protection authorities in Europe may disregard the Safe Harbor decision of the European Commission when assessing whether the U.S. recipient of data ensures an adequate level of data protection required under EU law. Depending on the outcome of the case, European and U.S. companies may not be able to rely on Safe Harbor to legitimise cross-border data transfers in the future.

Posted in International/EU Privacy

HL Launches German Language Privacy Blog; German Court Sets Criteria for Employee Monitoring

The German Federal Labor Court has published its reasoning underlying a June 2013 decision in which it declared invalid the dismissal by a large supermarket of an employee who was found in possession of stolen goods. According to the Court, the factual evidence leading to the dismissal—obtained upon inspection of the employee’s workplace locker without the presence of the employee—was gathered in violation of the employee’s right to privacy established by the German Federal Data Protection Act. The ruling represents a shift in case law regarding employee data privacy were German courts are likely to exclude from civil law proceedings information collected in violation of statutory data privacy requirements. Companies operating in Germany should be aware of these requirements in order to avoid losing lawsuits as a consequence of non-compliance with strict local data privacy rules.

Posted in International/EU Privacy

Reflections on Europe’s “Right to Be Forgotten”

In an Op-Ed for the National Post entitled “Sorry, but there’s no online ‘right to be forgotten’,” privacy advocates Ann Cavoukian and Christopher Wolf team up to consider the consequences of the European Court of Justice’s “Right to Be Forgotten” ruling. The pair focus on potential conflicts created by the Right to Be Forgotten between the right to privacy and that of free expression and highlight the plausible outcome that companies, in their new forced role as online censors, may “err on the side of deleting links to information.”