In mid-January, the territorial divisions of Russia’s Data Protection Authority, Roskomnadzor, uploaded their 2016 plans for conducting inspections of local companies’ compliance with Russia’s data localization requirements, and there are a number of prominent multi-national companies on the list.
Following the announcement by the European Commission of the newly agreed EU-US Privacy Shield, the missing piece of the jigsaw was the Article 29 Working Party’s stance on the adequacy of the existing mechanisms in place—in particular, standard contractual clauses and binding corporate rules. So after two days of intense discussions, the Working Party has issued a statement with its latest position, which is the follow up to their original reaction to the invalidation of Safe Harbor last October. The bottom line: the Working Party still does not view US government surveillance laws as sufficiently protective of privacy—a position which calls all transfers of personal data to the US in question, regardless of the methods used to legitimise the transfer—but they will reconsider this position in light of the Privacy Shield in the coming months.
The European Commission has announced an agreement today with the United States Department of Commerce to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” The Privacy Shield aims to address the requirements set out by the European Court of Justice in its Oct. 6, 2015 ruling by imposing stronger obligations on companies, providing stronger monitoring and enforcement by the DOC and Federal Trade Commission , and making commitments regarding access to information on the part of public authorities. In announcing the agreement, Vice-President Ansip noted his belief that the Privacy Shield will benefit both European businesses and citizens, and will prove to be a “much better” solution for transatlantic data flows.
It’s close to 7pm on a Friday evening and my team are trying their best to manage our clients’ stress and frantic desperation. Jokes about how much they love Max Schrems are shared by email. In the meantime, we are diligently working our way through endless charts of dataflows and attempting to cover every single […]
To say that the EU General Data Protection Regulation (GDPR) will change the existing data protection framework in Europe is an understatement. After an intense legislative process of more than 4 years, an ambitious, complex and strict new law that is set to transform the way in which personal information is collected, shared and used globally. Eduardo Ustaran highlights the GDPR’s significant changes in this article published in the Privacy and Data Protection Journal.
The EU General Data Protection Regulation has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.
A legal tsunami of overwhelming proportions. A ground breaking piece of legislation. A sweeping digital-privacy regime. A strict new legal framework that will have ripple effects globally. These are all hyperbolic expressions used to describe the impact of the newly agreed EU General Data Protection Regulation (GDPR). Anyone who has read and digested the GDPR […]
The Right to be Forgotten Law imposes an obligation on search engines that disseminate adverts targeted at consumers located in Russia to remove search results listing information on individuals where such information is unlawfully disseminated, untrustworthy, outdated, or irrelevant (i.e. the information is no longer substantially relevant to the individual in question due to subsequent events or the actions of individuals). The Law includes exemptions where a search engine does not have to comply – (i) information on events reporting a crime where the limitation period for criminal liability has not expired; as well as (ii) crimes committed by an individual where their conviction record has not been erased.
The Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) has issued regulations requiring all data controllers that are (i) private legal entities registered in Chambers of Commerce in Colombia (i.e., incorporated in Colombia) or (ii) partially government owned corporations (“sociedades de economía mixta”) to register their databases by November 8th, 2016. The regulations were issued on November 3, 2015, and the National Database Registry (the “Registry”) required by Colombian data protection laws was enabled on November 9, 2015. Read our post to learn about the registration requirements and potential penalties for noncompliance.
It has finally happened. Like that train you are waiting for that keeps getting delayed but eventually arrives. The all-powerful trio comprising the European Parliament, the Council of the EU and the European Commission arrived at their destination after a journey of four years, and on December 15th, 2015, agreed the final text of the EU General Data Protection Regulation. Once formally adopted in the coming weeks, the GDPR will create a completely new legal framework for the collection, use and sharing of personal information that will apply well beyond Europe.
At a trialogue meeting on December 7, the Luxembourg Presidency of the Council of the European Union reached agreement with the European Parliament on common rules to strengthen network and information security (NIS) across the EU. The new directive will set out the first ever EU-wide cybersecurity obligations for operators of essential services and digital […]
The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and to keep everyone safe requires little justification. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated. In a show of political awareness and legislative dexterity, in November 2015, the UK government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs with the protection of ordinary citizens’ privacy. The Bill seeks to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. It is currently being scrutinized by a parliamentary committee and subject to public consultation.
On 9 October 2015, the Privacy Commissioner for Personal Data published a Guidance Note on “Data Breach Handling and the Giving of Breach Notifications”, a revised version of its June 2010 edition. The Guidance Note gives guidance to data users on how to deal with data breaches. In particular, the Guidance Note provides more of a focus on the relationship between data users and data processors. A data user engaging a data processor must adopt contractual or other means to ensure personal data security.
The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach to its highest point, but once the European Court of Justice ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey. At the same time, the Commission’s intervention is helpful in terms of the decision-making process that many organisations—for which transatlantic transfers are vital—are trying to grapple with.
On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that companies should rely on “alternative tools” for authorizing data flows to third countries like the United States.
In a recent column for The New York Times, Nils Muiznieks, the top human rights official for the Council of Europe, warned that recent surveillance laws in Europe undermine fundamental rights for European citizens. Plus, an October 29, 2015, resolution of the European Parliament complains of an “obvious downward spiral” resulting from mass surveillance laws in the U.S. and Europe. That certain European countries have laws permitting mass surveillance is not news to lawyers who follow the matter. In a 2012 whitepaper, we highlighted the broad and sometimes unsupervised powers of intelligence agencies of certain European governments. As Muiznieks’s column states, intelligence agencies are getting more surveillance power, not less. France’s July 2015 surveillance law permits intelligence agencies to scan metadata of all citizens in order to detect suspicious patterns. Other European countries are also broadening surveillance powers to protect against terrorism.
On Tuesday November 3, the Spanish data protection authority, Agencia Española de Protección de Datos, sent a letter all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies. The letter warns companies that because Safe Harbor certifications are no longer recognized as valid, they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the United States. In particular, the AEPD is requiring of all companies that received the letter to inform it not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.
On 9 October 2015, the China Insurance Regulatory Commission issued draft Supervisory Rules for Adoption of Information Technology by Insurance Institutions for public comment. The Draft Insurance IT Rules have been issued to replace the 2009 Guidance on Administration of Adoption of Information Technology by Insurance Companies and they build on the requirements set forth in the 2011 Guidelines on the Information System Security Management of Insurance Companies.
National EU member state courts, as well as the European Court of Justice, have struggled for several years to define the scope of application of EU data protection law in individual member states. In a decision that provides important guidelines on the competence of, and co-operation between, national data protection authorities, the ECJ has clarified how data protection law applies in cross-border situations within the EU.
We are now almost two months into the era of Russia’s Data Localization Law, which came into force on 1 September. While some expected immediate enforcement, the Russian Data protection Authority, Roskomnadzor, has not yet taken any action for a violation of data localization requirements. Last month, Roskomnadzor did take formal enforcement action to block a website and add it to register of violators of data subject rights for maintaining an illegal Internet database containing the contact details of over 1.5 million Russian citizens. This enforcement, however, was not for violation of the data localization law, but rather for the illegal collection and dissemination of personal data under other Russian data protection laws.
Speaking at a recent conference organized jointly by AmCham and EY on “the Internet of Things, Opportunities and Challenges for the Protection of Personal Data”, Sophie Nerbonne, Head of Compliance at the French data protection authority explained how the CNIL views the opportunities and risks raised by connected devices, focusing particularly on smart meters as a scheme that may apply to other devices.
The EU’s Article 29 Working Party issued a statement today on the recent Schrems decision invalidating the adequacy of the EU-U.S. Safe Harbor framework, emphasizing that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” In response, we publish here a high-level analysis of the possible options available for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Safe Harbor 2.0, and consent—and the pros and cons of choosing each one.
In our previous post we outlined the key issues regarding mHealth devices and services from a privacy law perspective. Now, we go further into the details and discuss the scope of the personal data involved, especially relating to sensitive health data. We introduce the relevant statutory requirements in the EU and the legal opinions of the Article 29 Working Party and the European Data Protection Supervisor as well as having a look at the upcoming European General Data Protection Regulation. Against this legal background, one core question we will examine is whether information collected and processed by lifestyle apps and devices must be classified as health data and fall under the strict requirements of European data protection laws.
Thank you to everyone who participated in today’s webinar “Safe Harbor Invalidated – What Next?”, in which we analyzed the implications of yesterday’s decision by the Court of Justice of the European Union invalidating the EU-U.S. Safe Harbor Framework. A copy of the slide deck and a link to a recording of the webinar are attached to this post.