Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: International/EU Privacy

Subscribe to International/EU Privacy RSS Feed
Posted in International/EU Privacy

Russia Enacts Data Localization Requirement; New Rules Restricting Online Content Come into Effect

Two developments in Russian law this summer could significantly limit the ability of cloud and other online services to publish online content and to make Russian data remotely available online. The first is the advancement of legislation requiring data operators to store locally in Russia information of Russian citizens. The second is the countdown to the effective date of new rules that impose onerous registration, content, and censorship requirements on certain website operators and electronic communication services. We address each here in turn.

Posted in International/EU Privacy

Hogan Lovells White Paper Examines Governmental Access to Data in the U.S. and Latin America

Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.

Posted in International/EU Privacy

UK Government Seeks to Preserve Data Retention Powers

On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent European Court of Justice judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid.

Posted in International/EU Privacy

Irish High Court Refers Questions to European Court of Justice: Can National DPAs Disregard Safe Harbor?

In a new turn to the Maximilian Schrems case in Ireland, the Irish High Court on 18 June 2014 decided to refer several questions to the European Court of Justice, including whether national data protection authorities in Europe may disregard the Safe Harbor decision of the European Commission when assessing whether the U.S. recipient of data ensures an adequate level of data protection required under EU law. Depending on the outcome of the case, European and U.S. companies may not be able to rely on Safe Harbor to legitimise cross-border data transfers in the future.

Posted in International/EU Privacy

HL Launches German Language Privacy Blog; German Court Sets Criteria for Employee Monitoring

The German Federal Labor Court has published its reasoning underlying a June 2013 decision in which it declared invalid the dismissal by a large supermarket of an employee who was found in possession of stolen goods. According to the Court, the factual evidence leading to the dismissal—obtained upon inspection of the employee’s workplace locker without the presence of the employee—was gathered in violation of the employee’s right to privacy established by the German Federal Data Protection Act. The ruling represents a shift in case law regarding employee data privacy were German courts are likely to exclude from civil law proceedings information collected in violation of statutory data privacy requirements. Companies operating in Germany should be aware of these requirements in order to avoid losing lawsuits as a consequence of non-compliance with strict local data privacy rules.

Posted in International/EU Privacy

Reflections on Europe’s “Right to Be Forgotten”

In an Op-Ed for the National Post entitled “Sorry, but there’s no online ‘right to be forgotten’,” privacy advocates Ann Cavoukian and Christopher Wolf team up to consider the consequences of the European Court of Justice’s “Right to Be Forgotten” ruling. The pair focus on potential conflicts created by the Right to Be Forgotten between the right to privacy and that of free expression and highlight the plausible outcome that companies, in their new forced role as online censors, may “err on the side of deleting links to information.”

Posted in International/EU Privacy

State Department Issues Advisory Opinion on Cloud Computing

In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations, the State Department confirmed that a company could use a data security method called “tokenization” to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took “sufficient means” to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing.

Posted in International/EU Privacy

New Canadian Anti-Spam Legislation Requirements Become Effective in Less Than Two Weeks

Canada’s new anti-spam law was passed in December 2010, and certain provisions will become effective 1 July 2014 — including new consent requirements for e-mails and certain other electronic messages. As of 1 July 2014, an organization must have consent to send commercial electronic messages to an email account, telephone account or instant messaging account. In addition, CEMs must include certain identification information and an unsubscribe mechanism. The law applies to messages whenever a computer system located in Canada is used to send or access the CEM. Certain exemptions and transition periods also apply.

Posted in International/EU Privacy

Five Reasons to Do BCRs Now

Whilst the reform of the EU data protection framework continues its tortuous course in Brussels’ corridors of power, privacy pros in the real world are doing their best to cope with the current uncertainty. One of the ever-present sources of concern for those with data-related operations in Europe is how to overcome the restrictions affecting international data transfers in a cost-effective, sustainable and effective manner. In reality, there are many paths to follow, but choosing the right one is not always obvious—each case is different, and limited resources and time constraints often add an unwelcome degree of stress and complexity to the process.

Posted in International/EU Privacy

Hogan Lovells Partner Appointed to French Digital Rights Commission

The Chairman of the French National Assembly, Claude Bartolone, announced June 11 the creation of a parliamentary commission on digital rights, whose task will be among other things to define guidelines for evaluating legislative proposals affecting digital rights. France’s new Digital Rights Commission consists of 13 members of Parliament and 13 outside experts. Among the outside experts is Hogan Lovell’s partner Winston Maxwell, known for his work on net neutrality and data privacy.

Posted in International/EU Privacy

International Data Transfers – The Challenge Continues

The discussion at the Council of the EU in the context of the European data protection legislative reform that took place on 6 June is by no means the end of a process which is likely to carry on for at least a year, but it provided a helpful pointer as to where the policy making thinking is. One of the biggest challenges that organisations operating in the EU have faced since the 1990s is the prohibition on transfers of data to jurisdictions outside the EU without equivalent standards of data protection. The ongoing legislative reform is an opportunity to review the existing regime and bring it into line with today’s data globalisation.

Posted in International/EU Privacy

Hogan Lovells Assists Vodafone in the Preparation of its First Law Enforcement Disclosure Report

Vodafone’s publication last Friday of its first Law Enforcement Disclosure Report attracted global press attention and comment. The report provides detailed insight into the legal frameworks, governance principles and operating procedures associated with responding to demands for assistance from law enforcement and intelligence agencies in 29 countries in which Vodafone operates.

Posted in International/EU Privacy

Italian DPA Publishes Decision on Cookies

On 3 June, Italy’s data protection authority, the Garante, published a general decision on user notice and consent requirements when an organization uses cookies as part of its online services. The decision outlines specific categories of cookies based on their intended uses and the roles played by the entities placing those cookies, and highlights different levels of notice and consent requirements for each. The decision also offers guidelines for providing users with adequate notice through a two-layer privacy notice and outlines the consequences of failing to comply with Italy’s rules on cookies.

Posted in International/EU Privacy

EU High Court Grants “Right to Be Forgotten” and Expands Privacy Jurisdiction Over Foreign Companies: What Should Businesses Operating Outside of Europe Do Now?

A recent article by Hogan Lovells provides key takeaways for businesses in light of last week’s landmark ruling by the European Court of Justice that in effect judicially sanctioned a “right to be forgotten” allowing data subjects to scrub their names from a public record while also extending jurisdiction under European data protection law to include non-EU companies that may have a branch or subsidiary in the European Union and that collect data in the context of business activities in the European Union.

Posted in International/EU Privacy

Brazil’s New Internet Law Could Broadly Impact Online Privacy and Data Handling Practices

Internet service providers, social media websites, search engines, and other online companies hosting user-generated content that do business in Brazil or collect information online from Brazilian consumers should be aware of the “Marco Civil da Internet,” or Brazilian Internet Law, that takes effect 23 June 2014. As detailed in an alert published by attorneys from the Hogan Lovells Washington, D.C., São Paulo, and Rio de Janeiro offices, While Brazil still does not have a comprehensive privacy law, the Brazilian Internet Law contains privacy requirements that broadly restrict these companies from the sharing of users’ personal information, their communications, and certain online logging data. Covered companies will, however, be required to retain Web logs for a period of time and protect the user-related information they hold.

Posted in International/EU Privacy

European Regulators Raise the Bar on Anonymization Techniques

The Article 29 Working Party’s new opinion on anonymization techniques provides a useful primer on randomization and generalization (i.e., data aggregation) techniques used to anonymize data sets. The opinion analyzes each technique based on three ways that data can be re-identified: the ability to single out individuals after the anonymization technique has been applied; the linkability of the anonymized data sets to other data sets; and finally the ability of the data sets to resist inference attacks after application of the anonymization technique. Organizations depending on anonymization for compliance with the Data Protection Directive would be well advised to review their anonymization processes to determine if they comport with the standards set out in the opinion.

Posted in International/EU Privacy

ECJ Declares Data Retention Directive Invalid

In a decision rendered on 8 April 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid. The Court’s decision was grounded on its conclusion that, by requiring the retention of the data falling within the scope of the Directive, and by allowing the competent national authorities to access those data, the Directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.

Posted in International/EU Privacy

Privacy Complaints Up 48% in Hong Kong in 2013: Are Businesses Prepared?

The privacy enforcement in Hong Kong under its data protection law, the Personal Data (Privacy) Ordinance, ramped up significantly last year. Hong Kong’s Privacy Commissioner for Personal Data received 1,792 complaints in 2013, a record high. The figures show a 48% increase in complaints filed and more than a doubling of the number of enforcement notices issued by the Commissioner, with 25 enforcement notices issued in 2013 against 11 in 2012. 78% of all complaints were made against the private sector and in particular the financial, telecommunications and property sectors. The Commissioner has confirmed that a key focus for 2014 will be to increase its enforcement efforts.

Posted in International/EU Privacy

European Parliament Overwhelmingly Approves Data Protection Regulation

On 12 March 2014, the European Parliament voted overwhelmingly in favour of the European Commission’s data protection reform with 621 votes for, 10 against, and 22 abstentions for the proposed General Data Protection Regulation. The vote is significant because it confirms the approval of the European Parliament, one of the required participants in the s0-calle “trilogue” process along with the Commission and the Council, which will not change even if the composition of the Parliament changes following the European elections in May.

Posted in International/EU Privacy

CNIL Adds New Consent Requirement for Use of Credit Card Data

The CNIL, France’s data protection authority, published on 25 February 2014 a new recommendation relating to the collection of credit card information, replacing an older 2003 recommendation. The new recommendation, which represents a de facto standard for online merchants and payment services providers who collect data from French consumers, is more prescriptive than the old, particularly regarding how online merchants should seek consent for the retention of credit card information.

Posted in International/EU Privacy

French Data Protection Authority Broadens the Scope of Its Whistleblowing Authorization

The French data protection authority has just published an amended version of its standard authorization for professional whistleblowing helplines which results in a significant broadening of its scope but also tightens the requirements for anonymous reporting. Under French data protection legislation, whistleblowing helplines are subject to prior authorization by the French data protection authority. Indeed, French data protection legislation require that processes which may result in the exclusion of a person from the benefit of a right or a contract are subject to prior authorization, as could be the case when resorting to a whistleblowing helpline (employees may incur sanctions and be terminated).