During a November 13, 2014 hearing before the Digital Rights Commission of the French National Assembly, Jean-Marie Delarue, the head of France’s oversight Commission for National Security Interceptions said that France’s 1991 law on national security wiretaps needed to be updated to better protect individuals. Currently, the CNCIS is consulted by the Prime Minister’s office before the implementation of national security wiretaps. According to Mr. Delarue, this system works well for wiretaps. But the collection of metadata falls largely outside this procedure. According to Delarue, a major overhaul of the 1991 law on national security wiretaps is needed to catch up with modern intelligence gathering techniques and to better reflect the case law of the European Court of Human Rights. According to Delarue, justifications for government invasion of privacy need to be narrowly defined by law. Broad justifications such as “fundamental interests of the nation” are too vague to withstand scrutiny under European constitutional principles.
At the heart of EU data protection law is the passionate belief in the right to privacy. Indeed, the Treaty of Lisbon has now recognised both privacy and data protection as fundamental rights under EU law. As fundamental rights, there is a sense in which the scope of privacy and data protection must be expanded to the furthest extent possible. Yet, like any other law, it must be clear when and where EU data protection rules apply and the applicable law provision in the current Data Protection Directive has caused some headaches along the way. Whether the proposed new EU regime will prove to be a calming tonic remains to be seen. Today’s technology pays no attention to geographic borders. What do Cloud Computing networks care about the Atlantic Ocean so long as the network is resilient and customers can access their data? Businesses typically structure their systems in order to provide the best commercial proposition which often (but not always) involves cross-border data transfers. Therefore, cross-border data transfers are a part of everyday business. But businesses need to understand which laws apply to their operations to ensure compliance and avoid being chased by regulators or disgruntled customers. Unfortunately, the Directive’s provision concerning when it applies has not always provided much clarity.
Asia has seen a proliferation of new and stepped-up data privacy laws in recent years. Many of these laws draw from a common source in the APEC Privacy Framework, a principles-based document that shares origins with Europe’s Directive 95/46. But regional framework notwithstanding, these laws have been implemented with unique features and important nuances in each jurisdiction across the Asia region. Critically, these laws are now being enforced, with high profile data security breaches and enforcement action regularly hitting the headlines in Asia, as elsewhere. Data privacy issues are now board level issues in Asia. Our Data Privacy Regulation Comes of Age in Asia gives an overview of regional developments and features a “heat map” that compares and contrasts regulatory standards and the enforcement environment in Asia’s key jurisdictions.
In a recent client alert, partner Natalia Gulyaeva and associate Maria Sedykh from the Hogan Lovells Moscow Office joined associate Bret Cohen from the Hogan Lovells Washington, D.C. office to highlight key insights from the fifth annual conference on “Personal Data Protection” hosted by Roskomnadzor, Russia’s Data Protection Authority.
Until very recently, data protection in South Africa was regulated only under the broad constitutional right to privacy, the common law and a few pieces of legislation that contained interim provisions relating to data protection. In November 2013, South Africa enacted the Protection of Personal Information Act, the country’s first data protection-specific legislation. The Act partially came into force in April 2014 to create an information regulator and to codify concepts such as “processing” and “personal information”. The commencement of those sections is indicative of the processes being put in place by the government of South Africa to ensure that the commencement of the remaining sections is met with relevant support, in the form of regulations and the establishment of an information regulator. Though the remaining sections of the Act (including the material provisions) are not yet enforceable and have no foreseeable or determinable effective date, businesses operating in South Africa should be aware of the Act’s provisions as they may one day come into force.
The European Union’s executive branch has a brand new engine. Following the European Parliament’s election earlier this year and after months of political manoeuvring, a new European Commission is now in place and fully operational. The Commission’s functions remain as they were but under a revised structure of one president – Jean-Claude Juncker – seven vice-presidents responsible for designated policy areas and 20 commissioners. As the main policy making body in the European Union, the Commission continues to be in charge of pushing forward the ongoing data protection legislative reform that will lead to a new legal framework for privacy across the EU.
Thank you to everyone who attended our webinar last Tuesday on the new Russian law introducing rules requiring the local storage of the personal data of Russian citizens. For those who were unable to make it, linked to this blog post are a recording of the entire webinar and a copy of the slide deck.
Assuming a fair amount of hard work and that the EU institutions are able to put their political skills to good use, 2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years. It was in 2010 when the European Commission formally acknowledged that the 1995 Data Protection Directive was ready for a makeover to address the privacy and data protection needs of the 21 century. Since then, stakeholders covering a whole spectrum of views have participated in a process that is approaching a decisive stage. In early 2014, the European Parliament came forward with a bold proposal to amend the Commission’s original draft and put the ball firmly in the Council of the EU’s court. As the Council finalises its own proposal, a picture of what the new framework will look like is starting to emerge.
On Tuesday, October 28, Natalia Gulyaeva of Hogan Lovells’ Moscow office and Bret Cohen of our Washington, D.C. office will host a complimentary webinar outlining implications for businesses of the new Russian Data Storage Law. The law, which may come into effect as early as January 2015, requires that data “operators” – organizations that process personal data of Russian citizens, including providers of Internet-based services – to store the personal data of Russian citizens on databases located in the country.
The Conference of the German Federal and State Data Protection Authorities during its last meeting on 8 and 9 October adopted the resolution “Data Protection in the Car”. The resolution expresses a concern about what it describes as privacy risks involved in the growing collection and processing of personal data in cars, and the interests of various actors (car manufacturers, service providers, insurance companies, employers) in using those data.
The “Right to be Forgotten” ruling issued by the European Court of Justice in May 2014 has been a key source of controversy this summer. Much criticism has explored the impact of the ruling on freedom of expression and the right of access to information. In an article published in the Privacy and Data Protection Journal, Eduardo Ustaran, Partner in Hogan Lovells’ Global Privacy and Information Management Practice, unpacks the wider implications of the ruling to focus on key legal-applicability considerations for businesses with subsidiaries in the EU. The article also considers how the ruling will impact legislative debate on the forthcoming EU Data Protection Regulation.
Ask any data protection officer or privacy counsel what tops their list of trepidations and engaging global data services’ vendors will be up there. The combination of security threats and burdens, restrictions on international data transfers and data-hungry law enforcement authorities has turned delegating any data processing or storage operations to cloud service providers into an unnerving proposition. This is unfortunate given all the practical benefits and crucial role of cloud computing for the world’s economy and the information society. If we add to this the incessant scrutiny of Safe Harbor and the growing distrust surrounding technology giants which is part of the legacy of the post-Snowden era, things are not looking very rosy for the global guardians of our information. It needs not be this way.
On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland. Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data. Since the ruling, many have expressed surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, much as it shouldn’t come as a surprise that many other countries’ governments provide the exact same authority.
The dust has yet to settle but much has already been said about the implications of the Google Spain decision by the Court of Justice of the European Union and the right to be forgotten. The controversy has focused on the impact of this judgment on freedom of expression and the right of access to information, as well as the potentially devastating effect of a large amount of deletion requests. EU regulators are wondering – like everybody else – how big and unmanageable this is going to get, whilst search engines scramble for resources to deal with the unknown. With the prospect of an even more demanding EU privacy framework looming over the horizon, the right to be forgotten decision is a potential game changer for the whole Internet industry. But the CJEU did not just enable an unprecedented level of control by individuals over their data, it shook the basis on which the applicability of EU data protection law has been understood until now.
In a recent client alert, Hogan Lovells partners from the firm’s London and Washington, D.C. offices highlighted key takeaways for businesses following the European Data Protection Supervisor’s Workshop on Privacy, Consumers, Competition, and Big Data. The workshop, hosted by EDPS in the European Parliament in Brussels on 2 June 2014, discussed the technological advances and market for ‘big data’ analytics and the policy implications for the fields of data protection, competition and consumer protection of the rapidly expanding digital economy in the EU and in other regions, particularly the in US. Around 70 experts attended, including representatives from the European regulators and the US Federal Trade Commission.
Two developments in Russian law this summer could significantly limit the ability of cloud and other online services to publish online content and to make Russian data remotely available online. The first is the advancement of legislation requiring data operators to store locally in Russia information of Russian citizens. The second is the countdown to the effective date of new rules that impose onerous registration, content, and censorship requirements on certain website operators and electronic communication services. We address each here in turn.
Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.
The French data protection authority has announced that following the “cookie sweep day” due to take place the week commencing 15 September 2014, it will launch a program of website audits in October to verify compliance with the CNIL’s 5 December 2013 cookie recommendations.
On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent European Court of Justice judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid.
In a new turn to the Maximilian Schrems case in Ireland, the Irish High Court on 18 June 2014 decided to refer several questions to the European Court of Justice, including whether national data protection authorities in Europe may disregard the Safe Harbor decision of the European Commission when assessing whether the U.S. recipient of data ensures an adequate level of data protection required under EU law. Depending on the outcome of the case, European and U.S. companies may not be able to rely on Safe Harbor to legitimise cross-border data transfers in the future.
The German Federal Labor Court has published its reasoning underlying a June 2013 decision in which it declared invalid the dismissal by a large supermarket of an employee who was found in possession of stolen goods. According to the Court, the factual evidence leading to the dismissal—obtained upon inspection of the employee’s workplace locker without the presence of the employee—was gathered in violation of the employee’s right to privacy established by the German Federal Data Protection Act. The ruling represents a shift in case law regarding employee data privacy were German courts are likely to exclude from civil law proceedings information collected in violation of statutory data privacy requirements. Companies operating in Germany should be aware of these requirements in order to avoid losing lawsuits as a consequence of non-compliance with strict local data privacy rules.
The “one-stop-shop” EU data protection regulator was originally presented as one of the fundamental pillars of the future Data Protection Regulation, but now hangs in the balance of the EU legislative process. This post provides the latest on the status of one-stop-shop in the Council of the EU, where it currently is being debated.
In an Op-Ed for the National Post entitled “Sorry, but there’s no online ‘right to be forgotten’,” privacy advocates Ann Cavoukian and Christopher Wolf team up to consider the consequences of the European Court of Justice’s “Right to Be Forgotten” ruling. The pair focus on potential conflicts created by the Right to Be Forgotten between the right to privacy and that of free expression and highlight the plausible outcome that companies, in their new forced role as online censors, may “err on the side of deleting links to information.”