HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: International/EU Privacy

Posted in International/EU Privacy

Hogan Lovells Partner Considers Potential CJEU Ruling on Safe Harbor

The fact that the Safe Harbor framework is permanently in the firing line is not particularly earth-shattering, but the prospect of the top European court declaring its inadequacy later this year could have dramatic consequences. This prospect became all the more possible after a hearing at the Court of Justice of the European Union (CJEU) in Luxembourg in March. In an article published in the May 2015 issue of Privacy Laws & Business International Report, Eduardo Ustaran, Partner in Hogan Lovells’ Global Privacy and Information Management Practice, explores the policy climate that led to the CJEU’s potential reckoning of the Safe Harbor and the potential consequences of the eventual ruling.

Posted in Health Privacy/HIPAA, International/EU Privacy

The Treatment of Health Data Under the EU Data Protection Regulation – Cause for Hope?

On 9 March, the Council of the EU issued a partial general approach on a key chapter of the EU Data Protection Regulation which has implications for the regulation of health data. The Council’s stance has been welcomed by a number of healthcare commentators as it promotes a more flexible approach to the use of health data and accords with the tenor of the revised version of the draft Regulation that emerged from the Council in December last year.

Posted in International/EU Privacy

The CNIL Simplifies Formalities Regarding the Implementation of Binding Corporate Rules

On 24 March, the French data protection authority, the CNIL, announced that it will soon make easier the practical implementation of intra-group transfers of data from French entities to entities located outside the European Union where groups of companies have adopted Binding Corporate Rules (BCRs). BCRs are becoming increasingly popular among multinationals as a legal means for providing adequate protection to personal data which are transferred from the European Union to countries that are not considered to provide an adequate level of protection by the European Commission. In the CNIL’s view, the implementation of BCRs shows a strong commitment from multinational organisations to protect personal data. Indeed, the CNIL has been a champion of the emerging “BCR for processors” initiative which is also prompting interest from sophisticated processors who operate globally.

Posted in International/EU Privacy

Hogan Lovells Hong Kong Event: Data Privacy Regulation in Asia – A Practical Way Forward to Compliance

On Thursday, 14 May, Hogan Lovells data protection lawyers Mark Parsons and Eugene Low will host an in-person discussion at Hogan Lovells’ offices in Hong Kong to take stock of where Asia is in terms of data privacy regulation, and to help chart a roadmap to compliance. The focus will be on identifying “hot spots” for businesses operating across the region and pointing to practical measures and points of prioritisation. The discussion will also consider steps to be taken to prepare for and react to breach events, with a seasoned view of regulatory attitudes and approaches to enforcement and remediation.

Posted in International/EU Privacy

Hong Kong Privacy Commissioner for Personal Data Issues Guidance on the Use of Drones

On 29 March, the Hong Kong Privacy Commissioner for Personal Data published a guidance note that supplements previous guidance on the use of closed circuit television systems and for the first time addresses the increasing use of unmanned aircraft systems. The Commissioner’s guidance is the first significant regulatory engagement on the use of UAS by a Hong Kong regulator.

Posted in International/EU Privacy

Recording and Deck from Webinar: Update on New Russia Data Localization Law

Thank you to everyone who participated in the Hogan Lovells webinar “Russia Data Localization Update: New Details Emerge from Meetings with Russian Regulator” on 2 April 2015. This update follows an October 2014 presentation by Hogan Lovells that outlined Russia’s newly enacted Data Localization Law. In this webinar, Hogan Lovells privacy and data protection lawyers Natalia Gulyaeva and Bret Cohen provided insight into the expectations of Russian regulators as the September 2015 implementation deadline approaches.

Posted in Consumer Privacy, International/EU Privacy

Canada’s Anti-Spam Law: First CASL Enforcement Action Brings $1.1 Million Penalty

Earlier this month, the Canadian Radio-television and Telecommunications Commission’s Chief Compliance and Enforcement Officer issued a Notice of Violation and $1.1 million penalty to Compu-Finder for four violations of the Canadian Anti-Spam Legislation. Although Compu-Finder was apparently engaged in “flagrant” CASL violations, according to the Chief Compliance and Enforcement Officer, the CRTC also confirmed that it is assessing CASL complaints and that “a number of investigations are currently underway.” Therefore, organizations engaging with individuals located in Canada should review their communications and marketing practices for compliance under CASL and other applicable law.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Executive Order Authorizes Economic Sanctions as New Tool for U.S. Cyber Defense

On 1 April 2015, President Obama signed an Executive Order authorizing the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities constituting a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. The Treasury Department’s Office of Foreign Assets Control simultaneously released FAQs related to the Order. The White House, in a statement by President Obama and in FAQs on the White House Blog, explained that the Order will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets.

Posted in International/EU Privacy

The Netherlands: New Rules for Cookies, Data Breaches and Fines

Recently, new rules on cookies came into force in the Netherlands. In addition, the Dutch Second Chamber approved a draft bill to introduce a mandatory data breach notification requirement and to strengthen the Dutch Data Protection Authority’s investigative and fining powers. The new rules apply to all companies acting as a “data controller” within the meaning of the Dutch Data Protection Act. The Dutch First Chamber has announced that it plans to review this draft bill as soon as possible.

Posted in International/EU Privacy

Russia Data Localization Law Update and Webinar: New Details Emerge from Meetings with Russian Regulator

With the September 2015 effective date of Russia’s Data Localization Law less than six months away, the Russian data protection authority, Roskomnadzor, has still not issued any formal guidance on how it interprets the law’s broad requirement that companies must process and store the personal data of Russian citizens within Russia. Roskomnadzor has, however, recently held a series of meetings with different industry groups about the law. While Roskomnadzor’s views as expressed in these meetings do not constitute a formal position, they provide insight into how the regulator is likely to interpret the law.

Posted in International/EU Privacy

Regulators Write to Manufacturers to Highlight Concerns Over Connected Devices

The UK and Canadian data protection regulators have written to webcam manufacturers to highlight concerns about the safety of internet-connected devices and to enlist their assistance in reducing the risks posed by their products. In particular, the regulators call for manufacturers to roll out privacy-friendly default settings, implement “privacy by design” – whereby data protection and privacy considerations are built into the design and manufacturing process – and provide increased guidance to consumers about ensuring the security of devices.

Posted in International/EU Privacy

CNIL Releases BYOD Guidelines

Security concerns and the need to increase cyber security measures have recently boosted the use of Bring Your Own Device policies in France. Recent events have exacerbated fears of data breaches and hacking for IT managers who were not overly concerned before. As a consequence, IT security teams are seeking to apply the same security and device management systems that apply to their own company’s equipment to employees’ devices when employees use their devices for work purposes. The expansion of an employer’s control over its employees’ devices raises concerns for the privacy and protection of employees’ personal data. The CNIL has published new guidelines on BYOD. An unofficial English translation of the guidelines appears in this post.

Posted in International/EU Privacy

UK Parliamentary Report Calls for a New Legal Framework for UK Secret Intelligence Agencies

The Intelligence and Security Committee of the UK Parliament today published its much anticipated report into the secret capabilities of the UK intelligence and security agencies, in particular their powers to intercept electronic communications and acquire communications data. The key recommendation of the report is that the UK’s current laws governing the activities of the agencies be replaced in their entirety by a new, transparent, legal framework.

Posted in International/EU Privacy

Russia Plans to Increase Fines for Violating Data Protection Laws

On 24 February, the Russian State Duma (the lower chamber of the Russian Parliament) adopted in the first reading a draft law introducing amendments to the Russian Code on Administrative Offences that would increase the amount of the fines imposed for violating Russian data protection laws and introduce a differentiation of the relevant offences’ types. Notably, the Draft Law does not introduce any separate fine for violating Russia’s new Data Localization Law, although there is still a possibility that this could be modified as the legislative process progresses.

Posted in International/EU Privacy

2015: The Turning Point for Data Privacy Regulation in Asia?

2014 was a very eventful year for data privacy regulation in Asia and there are reasons to believe that 2015 will represent a turning point for the region as established privacy regimes are toughened and new regimes enacted in recent years begin to mature. The past year saw a number of significant regulatory developments, in particular the implementation of new, comprehensive “European-style” privacy laws in Singapore and Malaysia, the amendment of China’s consumer protection law to include data privacy principles and increased financial penalties in South Korea.

Posted in Consumer Privacy, International/EU Privacy

Sweep Reveals Scale of Cookie Consent Non-Compliance

The results of an international investigation into the cookie consent practices of 478 websites frequently visited by European citizens have now been published. The outcome is perhaps unsurprising: cookies are used en masse by websites operating in Europe, their expiry dates are often excessive, and crucially, not enough is being done to provide notice and obtain valid consent for the use of cookies and other device identifying technologies. The specific websites that were investigated are not identified (as yet); however, those selected were amongst the 250 most frequently visited by individuals within each member state taking part in the investigation (as ranked by Alexa.com). Sites in the media, e-commerce and public sectors were targeted in particular because they are perceived by the EU data protection regulators to present the greatest data protection and privacy risks to EU citizens.

Posted in International/EU Privacy

The Most Delicate Balance of Our Time

Public atrocities always attract some kind of political reaction. Generally, the more brutal the atrocity, the harsher the reaction. It is understandable from the perspective of political responsibility. So when defenceless people are mercilessly attacked by gunmen as punishment for their satirical views, a very visible reaction is to be expected. However, political reactions to grave situations need not only visibility but measured thinking and careful decision-making. The reaction to a violent and criminal act can often have more far-reaching implications than the act itself, leading to an escalation of violence. At the same time, doing nothing to protect citizens from harm is not a responsible option. As with many political decisions, securing public safety is a balancing exercise of robustness and restraint.

Posted in International/EU Privacy

Will the New EU Data Protection Regulation Facilitate Healthcare Innovation?

Technology has transformed and disrupted long standing industries as well as created new industries along the way. The digital revolution in the healthcare industry appears to have been long promised but much delayed. There may be a number of understandable reasons why the wheels have not turned so quickly. For instance, unlike say the financial services industry which is private sector led, the healthcare industry has obvious public sector touch points which can make any sort of change slower. But just as information about an individual’s bank balance or salary is considered confidential, so a person’s health information is particularly sensitive, both in a legal sense (because health information is categorised as sensitive under EU data protection law) but also in an obviously everyday sense – people feel that their health information (in most but not all circumstances) is private.

Posted in International/EU Privacy

The Compliance Challenges That Can No Longer Be Ignored

Although Asia’s data privacy laws draw from a common set of guiding principles, each law is unique. Moreover, as freshly minted regulators come to grips with these new laws, differences in interpretation and underlying policy are becoming apparent. As a consequence, there is now a ‘patchwork’ of compliance requirements across the region. Depending on the country, sector specific laws, consumer protection laws, employment laws and laws in emerging areas such as cybersecurity, also complicate the compliance picture for Asia, and there is no common framework for any of these laws.

Posted in International/EU Privacy

French Consumer Protection Panel Flags Unfair Privacy Practices

Like the United States, France has a broadly-worded consumer protection statute prohibiting unfair clauses in consumer contracts (the French term is “clauses abusives”). What constitutes an “unfair” clause is in some cases fixed by regulation. But in many cases, the term is left to the interpretation of the courts and France’s consumer protection agency, the DGCCRF. France created an advisory panel to issue guidance on what constitutes an unfair clause in various circumstances. On December 3, 2014, the panel published a lengthy opinion identifying 46 clauses in social media terms of use and privacy policies that the panel considers unfair.

Posted in International/EU Privacy

Hong Kong Privacy Commissioner Issues Guidance on Cross-Border Data Transfers

On 29 December, 2014, Hong Kong’s Privacy Commissioner for Personal Data published a guidance note concerning the potential implementation of section 33 of the Personal Data (Privacy) Ordinance, which would restrict the export of personal data from Hong Kong. In a recent client alert, partner Mark Parsons and associate Peter Colegate from the Hogan Lovells Hong Kong office explore the Commissioner’s understanding of how section 33 would be implemented, including some important nuances that are particularly relevant to multi-national businesses operating in Hong Kong and the wider region.

Posted in International/EU Privacy

New EU Data Protection Law in 2015? Decisiveness, Flexibility and Direction are the Answer

All eyes are currently on the Council of the EU to figure out when and in what form we are likely to see a new EU data protection law emerging. The adoption of this law, which has been in the making since the European Commission presented its vision for a modern privacy regime in 2010, will have vital and global implications for the future of our data-driven existence. This explains the cautious progress so far, but the need for a modernised regime is pressing. Six presidencies have so far managed the adoption process within the Council—which together with the European Parliament has legislative responsibility for passing EU laws—and each has made its own contribution to the process. But the Council has been the key focus of attention of the ongoing legislative process since the European Parliament approved its own draft of the EU Data Protection Regulation in early 2014.

Posted in International/EU Privacy

New CNIL Accountability Standard May Become European Model

The chairwoman of the French data protection authority (the CNIL), Isabelle Falque-Pierrotin, has long been an outspoken proponent of companies having internal accountability mechanisms for data protection compliance. On January 13, 2015 the CNIL published a standard defining what accountability means in practice. Companies that demonstrate that they comply with the new standard will be able to obtain an “accountability seal” from the CNIL.