In a decision rendered on 8 April 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid. The Court’s decision was grounded on its conclusion that, by requiring the retention of the data falling within the scope of the Directive, and by allowing the competent national authorities to access those data, the Directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
The privacy enforcement in Hong Kong under its data protection law, the Personal Data (Privacy) Ordinance, ramped up significantly last year. Hong Kong’s Privacy Commissioner for Personal Data received 1,792 complaints in 2013, a record high. The figures show a 48% increase in complaints filed and more than a doubling of the number of enforcement notices issued by the Commissioner, with 25 enforcement notices issued in 2013 against 11 in 2012. 78% of all complaints were made against the private sector and in particular the financial, telecommunications and property sectors. The Commissioner has confirmed that a key focus for 2014 will be to increase its enforcement efforts.
On 12 March 2014, the European Parliament voted overwhelmingly in favour of the European Commission’s data protection reform with 621 votes for, 10 against, and 22 abstentions for the proposed General Data Protection Regulation. The vote is significant because it confirms the approval of the European Parliament, one of the required participants in the s0-calle “trilogue” process along with the Commission and the Council, which will not change even if the composition of the Parliament changes following the European elections in May.
The CNIL, France’s data protection authority, published on 25 February 2014 a new recommendation relating to the collection of credit card information, replacing an older 2003 recommendation. The new recommendation, which represents a de facto standard for online merchants and payment services providers who collect data from French consumers, is more prescriptive than the old, particularly regarding how online merchants should seek consent for the retention of credit card information.
The French data protection authority has just published an amended version of its standard authorization for professional whistleblowing helplines which results in a significant broadening of its scope but also tightens the requirements for anonymous reporting. Under French data protection legislation, whistleblowing helplines are subject to prior authorization by the French data protection authority. Indeed, French data protection legislation require that processes which may result in the exclusion of a person from the benefit of a right or a contract are subject to prior authorization, as could be the case when resorting to a whistleblowing helpline (employees may incur sanctions and be terminated).
Isabelle Falque-Pierrotin, the recently reelected president of the French Data Protection Authority, the CNIL, was elected today to head the Article 29 Working Party for two years effective immediately.
In June 2013, the French National Commission on Information Technology and Liberties announced that, following a question of Member of European Parliament Françoise Castex, it was going to investigate IP Tracking practices that e-commerce sites allegedly used to illegitimately increase their prices. This investigation was carried out in close connection with the French Directorate General for Competition Policy, Consumer Affairs and Fraud Control. In January 2013, MEP Françoise Castex had already alerted the European Commission about this alleged unfair commercial practice. The Commission concluded that national authorities in charge of protecting personal data were competent as the IP address is personal data.
On January 27, the European Agency for Fundamental Rights, an official agency of the European Union, released its report on Access to Data Protection Remedies in EU Member States. As detailed below, the FRA concluded that redress mechanisms for data protection violations in the EU need improvement. More specifically, the FRA found that data protection authorities do not have sufficient powers or resources, there are not enough judges and lawyers with adequate knowledge of data protection issues, civil society organizations (e.g., consumer interest and privacy advocacy groups) have difficulty bringing suits on behalf of victims of data protection breaches, the costs and burdens of proof associated with data protection suits are too high, and Europeans lack awareness of remedies for data protection violations.
The UK Information Commissioner and the Secretary of State for Justice have entered into Memoranda of Understanding on the handling of information requests in relation to national security cases under the UK’s Data Protection Act, Freedom of Information Act and Environmental Information Regulations. The new Memoranda set out guidelines as to how the Information Commissioner’s office and government departments will cooperate with one another in cases where a government department refrains from disclosing information to an individual, or the ICO, on the basis of national security.
The Brazilian legislature is considering two privacy laws that have been in limbo but have found new life following revelations about US government spying. The Marco Civil da Internet would establish an “Internet Bill of Rights” with data protection requirements and obligations to preserve net neutrality. The Data Protection Bill would establish an EU-style framework for the processing of personal data. If the Brazilian legislature fails to pass the bills promptly or does not include the data localization measures discussed below in the final legislation, Brazil’s president may choose–to the extent permitted by Brazil’s constitution–to implement many of the privacy provisions contained in the proposed laws by executive decree.
Data Protection Day in Europe, 28 January 2014, saw the announcement by EU Justice Commissioner Viviane Reding of a more precise timetable for the adoption of the EU’s data protection reform package, comprising a Regulation governing general data protection and a Directive governing the use of personal data in the area of law enforcement and crime. The Council of the EU will agree upon a formal negotiating mandate by the end of June 2014, with a view to inter-institutional negotiations concluding by the end of 2014.
China’s Supreme People’s Court on November 21, 2013 issued a new regulation “Provisions on the Online Issuance of Judgment Documents by People’s Courts,” effective since January 1, 2014, requiring that all court judgements in China be published online in a searchable public database specially set up for that purpose.
Less than two months after the European Commission issued a report urging the Federal Trade Commission to step up enforcement of the EU-U.S. Safe Harbor framework, the FTC announced a settlement with twelve companies — including an Internet service provider, makers of consumer goods, three National Football League teams, and a developer of mobile applications — over allegations that they deceptively claimed to be certified under Safe Harbor. According to the FTC, each of these companies represented that they maintained a active Safe Harbor certification with the U.S. Department of Commerce when in fact they did not.
France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs) while the second, more controversial provision permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers in real time.
In a decision of 16 December, the French data protection authority (the “CNIL”) issued new recommendations with regards to the appropriate fashion in which businesses should implement the so-called “cookie consent law”.
A recent survey from the UK Government’s Department for Business, Innovation and Skills has highlighted that the majority of FTSE 350 firms are not regularly taking cyber risks into account in their decision making. Despite a growing international trend in cyber crime targeted at businesses, the survey showed that only 14 percent of FTSE 350 companies regularly consider cyber threats, and nearly half of those surveyed do not even include cyber risks on their company’s strategic risk register.
The continued uncertainty around the draft EU Data Protection Regulation presents something of a challenge for data controllers. It’s clear that it could require them to make significant changes to how they handle individuals’ data, but the ongoing fundamental political disagreements make it difficult to predict which changes will make it into the final form of the legislation. So it is interesting to see the recommendations on the UK ICO’s blog on where to start in preparing for reforms, highlighting three areas: consent, breach notification, and privacy by design.
On November 27, the European Commission released a strategy memo on rebuilding trust in the mechanisms allowing data to flow from the European Union (“EU”) to the United States. The Commission recognizes that EU-U.S. data flows are essential to the strategic and economic partnerships between the two markets. However, revelations about U.S. surveillance programs have, according to the Commission, caused EU Member States and citizens to believe that the current data transfer mechanisms do not provide adequate protections for personal data. To address those concerns and rebuild trust in transatlantic data flows, the Commission recommends six initiatives, including specific recommendations for reforming the U.S. privacy framework. Of particular note, the Commission identified several shortcomings with the EU-U.S. Safe Harbor framework and offered 13 recommendations for reform. And the Commission once again calls on the United States to adopt comprehensive privacy legislation.
The EU’s Work on Data Protection Reform continues following the vote of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 21 October 2013 to adopt compromise amendments. The 104 compromise amendments represent a consolidation of proposals submitted by various European Parliament committees. Hogan Lovells has prepared a detailed analysis of the compromise amendments approved by the LIBE committee, which is attached to this post.
On October 25, 2013, the Standing Committee of China’s National People’s Congress passed an amendment (“Amendment”) to the 1993 Law of Protection of Consumer Rights and Interests, which addresses longstanding issues related to e-commerce fraud and illegal disclosures of consumers’ personal information. The Amendment, which takes effect on March 15, 2014, reforms China’s 20-year-old consumer protection law by providing more robust protections to consumers, including provisions that restrict the collection, use, and disclosure of consumers’ personal information and require consent to send commercial communications.
The Spanish Data Protection Agency has published its annual report for 2012. The report contains a detailed description of the activities undertaken by the Spanish DPA in 2012 together with its view of the latest trends and challenges related to data protection, including an increase in the number of complaints lodged with and monetary sanctions issued by the Agency.
On 16 October 2013, the Polish Ministry of Economy published draft amendments to Poland’s data protection law, the Polish Act of 29 August 1997 on the Protection of Personal Data (“PPD”), aimed at easing administrative obligations regarding the compulsory hiring of data protection officers and registration of data filing systems with the Polish Data Protection Authority (“DPA”). Under the proposed legislation, companies would have the flexibility to decide whether to appoint an administrator of information security (“AIS”), currently a legal requirement. A data controller regulated under the PPD would be able to strategically choose whether to appoint an AIS, a move that would increase its compliance obligations and the company’s visibility to regulators in return for reduced external filing obligations.
The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.
On October 17, Jan Albrecht, rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), issued a release in which he claims that “Edward Snowden and the PRISM scandal laid the ground” for including a prohibition against telecommunications and Internet companies transferring data to other countries’ governmental authorities unless otherwise permitted by EU law. Albrecht’s release offers 10 points to describe the draft Regulation that LIBE is scheduled to vote upon on October 21. If LIBE adopts the draft, the Parliament, Council, and Commission will begin work on negotiating the final legislation, which parliamentarians hope will be adopted before elections in May 2014.