A recent survey from the UK Government’s Department for Business, Innovation and Skills has highlighted that the majority of FTSE 350 firms are not regularly taking cyber risks into account in their decision making. Despite a growing international trend in cyber crime targeted at businesses, the survey showed that only 14 percent of FTSE 350 companies regularly consider cyber threats, and nearly half of those surveyed do not even include cyber risks on their company’s strategic risk register.
The continued uncertainty around the draft EU Data Protection Regulation presents something of a challenge for data controllers. It’s clear that it could require them to make significant changes to how they handle individuals’ data, but the ongoing fundamental political disagreements make it difficult to predict which changes will make it into the final form of the legislation. So it is interesting to see the recommendations on the UK ICO’s blog on where to start in preparing for reforms, highlighting three areas: consent, breach notification, and privacy by design.
On November 27, the European Commission released a strategy memo on rebuilding trust in the mechanisms allowing data to flow from the European Union (“EU”) to the United States. The Commission recognizes that EU-U.S. data flows are essential to the strategic and economic partnerships between the two markets. However, revelations about U.S. surveillance programs have, according to the Commission, caused EU Member States and citizens to believe that the current data transfer mechanisms do not provide adequate protections for personal data. To address those concerns and rebuild trust in transatlantic data flows, the Commission recommends six initiatives, including specific recommendations for reforming the U.S. privacy framework. Of particular note, the Commission identified several shortcomings with the EU-U.S. Safe Harbor framework and offered 13 recommendations for reform. And the Commission once again calls on the United States to adopt comprehensive privacy legislation.
The EU’s Work on Data Protection Reform continues following the vote of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 21 October 2013 to adopt compromise amendments. The 104 compromise amendments represent a consolidation of proposals submitted by various European Parliament committees. Hogan Lovells has prepared a detailed analysis of the compromise amendments approved by the LIBE committee, which is attached to this post.
On October 25, 2013, the Standing Committee of China’s National People’s Congress passed an amendment (“Amendment”) to the 1993 Law of Protection of Consumer Rights and Interests, which addresses longstanding issues related to e-commerce fraud and illegal disclosures of consumers’ personal information. The Amendment, which takes effect on March 15, 2014, reforms China’s 20-year-old consumer protection law by providing more robust protections to consumers, including provisions that restrict the collection, use, and disclosure of consumers’ personal information and require consent to send commercial communications.
The Spanish Data Protection Agency has published its annual report for 2012. The report contains a detailed description of the activities undertaken by the Spanish DPA in 2012 together with its view of the latest trends and challenges related to data protection, including an increase in the number of complaints lodged with and monetary sanctions issued by the Agency.
On 16 October 2013, the Polish Ministry of Economy published draft amendments to Poland’s data protection law, the Polish Act of 29 August 1997 on the Protection of Personal Data (“PPD”), aimed at easing administrative obligations regarding the compulsory hiring of data protection officers and registration of data filing systems with the Polish Data Protection Authority (“DPA”). Under the proposed legislation, companies would have the flexibility to decide whether to appoint an administrator of information security (“AIS”), currently a legal requirement. A data controller regulated under the PPD would be able to strategically choose whether to appoint an AIS, a move that would increase its compliance obligations and the company’s visibility to regulators in return for reduced external filing obligations.
The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.
On October 17, Jan Albrecht, rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), issued a release in which he claims that “Edward Snowden and the PRISM scandal laid the ground” for including a prohibition against telecommunications and Internet companies transferring data to other countries’ governmental authorities unless otherwise permitted by EU law. Albrecht’s release offers 10 points to describe the draft Regulation that LIBE is scheduled to vote upon on October 21. If LIBE adopts the draft, the Parliament, Council, and Commission will begin work on negotiating the final legislation, which parliamentarians hope will be adopted before elections in May 2014.
On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”
Earlier this week, The New York Times published “Europe Aims to Regulate the Cloud,” an article considering the impact on cloud computing of the proposed European Data Protection Regulation which quoted Hogan Lovells Partner Mark Taylor. Taylor commented that over-regulation in this area could impact the adoption and use of cloud services in the EU, and this in turn could have a broader economic impact given the level of penetration which cloud-related services are now achieving. This blog post contains a link to the article.
On Monday, a European Parliament Inquiry established to investigate the recent U.S. National Security Agency surveillance revelations indicated that its final report would recommend suspension of the popular EU-U.S. Safe Harbor Framework.
On 7 October 2013, the Ministries for Justice and Home Affairs of the 28 Member States of the European Union met in Luxembourg to further discuss the draft General Data Protection Regulation that is intended to replace the current European data protection framework, particularly debating the controversial “one-stop-shop” principle that would provide organizations with one lead regulator in Europe.
At this week’s IAPP Privacy Academy in Seattle, Washington, Harriet Pearson, Partner in the Hogan Lovells Privacy and Information Practice, hosted a breakout session entitled “How to Work with Your European Data Protection Authority.” The session featured Billy Hawkes, Data Protection Commissioner of Ireland, and focused on providing privacy practitioners with practical advice on how to approach a Data Protection Authority (DPA) and earn its trust. The session also addressed practical compliance questions for European markets, gave advice on making successful regulatory filings, and gave tips for handling complaints and other challenging situations.
Hogan Lovells is pleased to announce that we are among the first major law firms to launch implementation of Binding Corporate Rules (“BCRs”) for the worldwide protection of personal information by the firm. The implementation of these rules will not only add a level of protection and efficiency to privacy and data protection, but also provide a concrete example of Hogan Lovells’ experience with BCRs, relevant to clients of the firm also adopting BCRs.
With the focus this summer on nation-states’ collection of electronic data, an important question went unanswered – what rights do individuals have to challenge government access to their data? We set out to answer that question in the fourth installment in Hogan Lovells’ White Paper series examining government access to data held by service providers. In the White Paper, available through this blog post, we compared the ability of citizens and non-citizens to challenge government access to data in the U.S., France, Germany, the UK, and Australia, concluding that of the countries surveyed, the right of redress appears strongest in the United States.
The UK Information Commissioner’s Office (the “ICO”) recently published further guidance on encryption on its blog. The ICO has taken the position for some time that if a business holds sensitive personal information on portable or mobile devices, it should protect that information using appropriate encryption software. If that does not occur and such information is compromised, the ICO has stated that it may pursue regulatory action. The guidance does not modify the ICO’s position on encryption, but it does explain in layman’s terms what the ICO means by encryption and the different types of encryption that are available, so non-technical data protection officers may find it a helpful introduction to this topic.
Price discrimination based on tracking of Internet Protocol addresses – numerical identifiers assigned to devices that are connected to the Internet – was in the news again this week after a Belgian Member of the European Parliament, Marc Tarabella, called for action from the European Commission to investigate the practice.
Somewhat of a furor has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application, claiming that the company “seriously invaded” the privacy of those individuals.
The Organization for Economic Cooperation and Development (OECD) has released a revision of its 1980 Privacy Guidelines. The fundamental elements of the original guidelines, the Fair Information Practice Principles (FIPPs), remain in place, but the OECD recognizes the revolutionary changes in technology since the first OECD Guidelines, and the importance of the digital economy and [...]
In the wake of information disclosed by Edward Snowden regarding the U.S. National Security Agency’s and Federal Bureau of Investigation’s actions through the PRISM program, two French individual liberties defense associations have filed a motion to open a criminal investigation regarding these actions which contains, in addition to claims against U.S. law enforcement entities, allegations against U.S.-based companies that provide Internet services.
The UK First Tier Tribunal issued a decision on August 21 finding that the Information Commissioner’s Office (ICO) was wrong to impose a £250,000 fine on Scottish Borders Council in relation to an incident where pension records of former Council employees were discovered overflowing from recycling bins outside a local supermarket. The Tribunal held that the contravention, while serious, was not of a kind likely to cause substantial damage or substantial distress, which is a requirement for imposing such a penalty. The decision may have implications for the ICO’s approach to imposing monetary penalties in the future.
The bromide that people in glass houses should not throw stones comes to mind when one hears European Union authorities criticizing the U.S. privacy framework as a whole because of the recent National Security Agency revelations.
Earlier this summer, EU Vice-President Viviane Reding called EU data protection reform “the answer to PRISM [one of the Snowden NSA disclosures]” and called PRISM a “wake-up call.” Reding said that the EU-U.S. safe harbor “may not be so safe after all” and warned that the Commission will present a “solid assessment” of the safe harbor by the end of the year, ominously suggesting the possible withdrawal of the adequacy finding for the safe harbor (a finding that is required under EU law for the safe harbor to remain in effect).
On September 1, China’s Provisions on the Protection of the Personal Information of Telecommunications and Internet Users will come into force, affecting a wide range of consumer-facing websites, including corporate sites, product information sites, and social media pages. This post examines some of the requirements of the Provisions, and provides a link to a comprehensive Hogan Lovells Corporate Alert describing recent privacy-related legislative developments in China.