On 6 October 2015, the Court of Justice of the European Union declared the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful. In this post, we outline the effects of the decision and a suggested plan of action, and include details for a webinar we will be hosting on Wednesday, 7 October to discuss the next steps that organisations should take.
Next Tuesday, the Court of Justice of the European Union is scheduled to publish its decision in Maximillian Schrems v. Data Protection Commissioner, in which it is expected to rule on the validity of the U.S.-EU Safe Harbor Framework. Last week’s opinion of the CJEU’s Advocate General emphatically found Safe Harbor to be inadequate under EU law on the basis that access to Safe Harbor data by U.S. intelligence services is too wide and disproportionate, and that Safe Harbor does not contain appropriate guarantees to prevent this level of access. While the AG’s opinion is not binding on the CJEU, the short turn-around implies that the CJEU will not vary significantly from the opinion.
The Opinion of the Advocate General of the Court of Justice of the European Union on the case assessing the status and validity of Safe Harbor has created significant uncertainty relating to its immediate future. While the CJEU has not yet ruled, the AG’s opinions are typically quite influential. The AG’s view is that the Safe Harbor program does not provide an adequate level of data protection and that it should have already been invalidated by the European Commission.
On 1 September 2015, Russia’s much anticipated data localization law came into force. In recent interviews with European CEO and The Financial Times, Natalia Gulyaeva, partner in Hogan Lovells’ Moscow office, highlighted some key elements for multinationals to consider when doing business in Russia. In the interviews, Natalia explains that Roskomnadzor is not likely to conduct compliance audits on large multinational companies for some time and will allow for the transfer of data out of Russia as long as the primary database is inside Russia. She also highlighted that because Russia’s definition of “personal data” is very broad, companies should treat all information used to assist in the identification of individuals as “personal data.”
Today, on 1 September 2015, the Russian Data Localization Law came into force. So far there have been no unexpected developments or reports of any unplanned inspections by Roskomnadzor, the Russian Data Protection Authority. Existing planning documents, however, provide some predictability for organizations subject to the law about the schedule under which Roskomnadzor plans on conducting compliance inspections.
The Organisation for Economic Co-operation and Development (OECD) has published its 2015 Digital Economy Outlook (“Report”), a survey of changes and opportunities in, and challenges arising from, the digital economy. The Report identifies three broad trends for member countries and their partners to focus on in digitising their economies.
With the aim of keeping pace with European practice, on July 13th 2015, the Russian President signed into law a bill amending the Federal Law “On Information, information technologies and on protection of information” No. 149-FZ of 27 July 2006. This law introduces in Russia the so-called “right to be forgotten” or “right to oblivion” and will take effect on January 1st 2016.
The UK’s Information Commissioner’s Office is known to prefer an “engaging” rather than an enforcement approach with organisations. However, when looking at the “action we’ve taken” page on the ICO website the ICO’s enforcement activity seems to be increasing by the day. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of security requirements have to date attracted the majority of the ICO’s enforcement attention. Therefore, organisations operating in the UK would be well-served to focus on understanding and adhering to the ICO’s expectations for data security compliance.
As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online. In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.
Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015. France’s Constitutional Court reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles. However, a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats. To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision.
In September 2015 the Russian Data Localization Law will come into force, requiring organizations that collect personal data from individuals located in Russia to store that data within Russian territory. In this blog post, we summarize recent developments on how the law will be applied, including the unexpected publication of regulatory guidance issued by the government this week.
Few areas of regulation are advancing as quickly in Asia as data privacy regulation. This year marks the tenth anniversary of the APEC Privacy Framework and we now see “European style” comprehensive data privacy regimes in a dozen jurisdictions across the Asia-Pacific region. Hogan Lovells data protection lawyers Mark Parsons and Eugene Low recently hosted in-person seminars at Hogan Lovells’ offices in Hong Kong to take stock of where Asia is in terms of data privacy regulation, and to help chart a roadmap to compliance. The focus of these discussions was on identifying “hot spots” for businesses operating across the region and pointing to practical measures and points of prioritisation. The discussions also considered steps to be taken to prepare for and react to data breach events, with a seasoned view of regulatory attitudes and approaches to enforcement and remediation.
Following on from the Article 29 Working Party’s Opinion in June, the European Data Protection Supervisor has now published his own recommendations for the proposed General Data Protection Regulation. Unsurprisingly, given that the EDPS is a member of the Working Party, the views expressed are in line with that Opinion. At this point you may be tempted to stop reading, but wait, there is more. In addition to expressing his vision of the GDPR (more on which below) and producing his own recommendations for every single article of the GDPR, the EDPS has demonstrated his commitment to practicality by making this all available as a mobile app. The app allows you to select which of the drafts you wish to see side by side, scroll rapidly through the contents to select a particular article, or search on the whole text so you can see at a glance what each version says, for example, about pseudonymisation or profiling. Whilst the app may have limited appeal, and is unlikely to keep small children entertained on long car journeys, it will be a thing of joy for its target audience.
Making the UK a safe place to live and prosper is not a small matter. Whatever the root causes, the threats to public safety are real and a political priority for government and opposition alike. This huge responsibility combined with the complexities of 21st century communications has resulted in a succession of laws aimed at legitimising the ability of law enforcement and intelligence agencies to tap into our digital lives. Just like technology itself, this is a moving target and policy decisions in this area have come thick and fast – not just in the UK but in many other democracies around the world.
Spain is well known for having one of the most restrictive data protection regimes in the European Union. It also has some of the highest penalties (fines are up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency – with a reputation for being one of the fiercest in the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.
The mobile Health sector is rapidly developing and revolutionising the healthcare market. More and more consumers share information such as medical and physiological conditions, lifestyles, daily activity and geolocation via all kinds of health-related mobile applications and devices. The growing success of mHealth, however, inevitably casts a spotlight on compliance with privacy protection laws. Data protection agencies and supervisory bodies in the EU recently raised concerns about the collection, processing and use of customers’ data by mHealth apps and mobile devices. This blog introduces the key hot spots involving mHealth and data protection laws, before we dig deeper on other issues in a series of consecutive posts on this blog in the upcoming weeks.
The enactment of the USA FREEDOM Act was news unto itself. However, the impact that the surveillance reform legislation may have on cross-border data transfers could turn out to be newsworthy as well. In this post, we summarize some important elements of the legislation and explore the USA FREEDOM Act’s potential to influence more than government surveillance practices.
Data privacy in an employment context remains an important challenge for companies. On the one hand, employers have a strong interest in monitoring personnel conduct or performance; few controllers are likely to have collected more personal data about an individual than their employer. On the other hand, employees have a legitimate expectation of privacy – including at their workplace. This inherent conflict of interests has created a considerable volume of case law regarding employee monitoring in several member states, relating to the permissibility of internal investigations and compliance controls. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses to destinations outside the EEA. These restrictions in the Data Protection Directive, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses, BCRs or the U.S.-EU Safe Harbor Framework. This approach is essentially set to continue under the Regulation with some variations. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
The General Data Protection Regulation will have a significant impact on service providers/vendors (i.e. data “processors”) and organisations that engage them by imposing a number of detailed obligations and restrictions directly on processors, unlike the current Directive that only applies to data controllers. The new rules for processors are considered in detail in the attached entry. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
Telematics-based pay-as-you-drive insurance is a new, innovative and not yet proven product from the insurance industry. This new product collects information about the driving behavior associated with the vehicle and therefore raises privacy issues for the drivers. The Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia is the first German data protection authority to evaluate a pay-as-you-drive product and has recently published its requirements for data protection and data security compliance.
Accountability has been described by the Article 29 Working Party as a way of “showing how responsibility is exercised and making this verifiable”. Accountability is far from being a new concept. It was introduced back in 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”