On 9 October 2015, the Privacy Commissioner for Personal Data published a Guidance Note on “Data Breach Handling and the Giving of Breach Notifications”, a revised version of its June 2010 edition. The Guidance Note gives guidance to data users on how to deal with data breaches. In particular, the Guidance Note provides more of a focus on the relationship between data users and data processors. A data user engaging a data processor must adopt contractual or other means to ensure personal data security.
The roller coaster of developments affecting the Safe Harbor framework shows no signs of slowing down. It has taken a couple of years since Edward Snowden’s revelations for the train to reach to its highest point, but once the European Court of Justice ruled on the Schrems case, we knew it would be a bumpy ride. In the past weeks, most of the attention has focused on the EU data protection authorities, which are now more emboldened than ever and keen to capitalize on the ECJ’s decision to tighten the regime affecting international dataflows. The European Commission’s communication of 6 November to the European Parliament and the Council of the EU, coupled with its practical guidance, represents yet another turn in this uncertain journey. At the same time, the Commission’s intervention is helpful in terms of the decision-making process that many organisations—for which transatlantic transfers are vital—are trying to grapple with.
On November 6, 2015, the European Commission issued its widely anticipated Communication to the European Parliament and Council about the effect of the Court of Justice of the European Union’s Schrems decision, which invalidated the U.S.-EU Safe Harbor framework. The Commission expresses a commitment to negotiate with the U.S. Government a new framework for cross-border transfers of personal data. The Commission also emphasizes that the Communication does not have binding legal effect, but concludes that companies should rely on “alternative tools” for authorizing data flows to third countries like the United States.
In a recent column for The New York Times, Nils Muiznieks, the top human rights official for the Council of Europe, warned that recent surveillance laws in Europe undermine fundamental rights for European citizens. Plus, an October 29, 2015, resolution of the European Parliament complains of an “obvious downward spiral” resulting from mass surveillance laws in the U.S. and Europe. That certain European countries have laws permitting mass surveillance is not news to lawyers who follow the matter. In a 2012 whitepaper, we highlighted the broad and sometimes unsupervised powers of intelligence agencies of certain European governments. As Muiznieks’s column states, intelligence agencies are getting more surveillance power, not less. France’s July 2015 surveillance law permits intelligence agencies to scan metadata of all citizens in order to detect suspicious patterns. Other European countries are also broadening surveillance powers to protect against terrorism.
On Tuesday November 3, the Spanish data protection authority, Agencia Española de Protección de Datos, sent a letter all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies. The letter warns companies that because Safe Harbor certifications are no longer recognized as valid, they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the United States. In particular, the AEPD is requiring of all companies that received the letter to inform it not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.
On 9 October 2015, the China Insurance Regulatory Commission issued draft Supervisory Rules for Adoption of Information Technology by Insurance Institutions for public comment. The Draft Insurance IT Rules have been issued to replace the 2009 Guidance on Administration of Adoption of Information Technology by Insurance Companies and they build on the requirements set forth in the 2011 Guidelines on the Information System Security Management of Insurance Companies.
National EU member state courts, as well as the European Court of Justice, have struggled for several years to define the scope of application of EU data protection law in individual member states. In a decision that provides important guidelines on the competence of, and co-operation between, national data protection authorities, the ECJ has clarified how data protection law applies in cross-border situations within the EU.
We are now almost two months into the era of Russia’s Data Localization Law, which came into force on 1 September. While some expected immediate enforcement, the Russian Data protection Authority, Roskomnadzor, has not yet taken any action for a violation of data localization requirements. Last month, Roskomnadzor did take formal enforcement action to block a website and add it to register of violators of data subject rights for maintaining an illegal Internet database containing the contact details of over 1.5 million Russian citizens. This enforcement, however, was not for violation of the data localization law, but rather for the illegal collection and dissemination of personal data under other Russian data protection laws.
Speaking at a recent conference organized jointly by AmCham and EY on “the Internet of Things, Opportunities and Challenges for the Protection of Personal Data”, Sophie Nerbonne, Head of Compliance at the French data protection authority explained how the CNIL views the opportunities and risks raised by connected devices, focusing particularly on smart meters as a scheme that may apply to other devices.
The EU’s Article 29 Working Party issued a statement today on the recent Schrems decision invalidating the adequacy of the EU-U.S. Safe Harbor framework, emphasizing that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” In response, we publish here a high-level analysis of the possible options available for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Safe Harbor 2.0, and consent—and the pros and cons of choosing each one.
In our previous post we outlined the key issues regarding mHealth devices and services from a privacy law perspective. Now, we go further into the details and discuss the scope of the personal data involved, especially relating to sensitive health data. We introduce the relevant statutory requirements in the EU and the legal opinions of the Article 29 Working Party and the European Data Protection Supervisor as well as having a look at the upcoming European General Data Protection Regulation. Against this legal background, one core question we will examine is whether information collected and processed by lifestyle apps and devices must be classified as health data and fall under the strict requirements of European data protection laws.
Thank you to everyone who participated in today’s webinar “Safe Harbor Invalidated – What Next?”, in which we analyzed the implications of yesterday’s decision by the Court of Justice of the European Union invalidating the EU-U.S. Safe Harbor Framework. A copy of the slide deck and a link to a recording of the webinar are attached to this post.
On 6 October 2015, the Court of Justice of the European Union declared the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful. In this post, we outline the effects of the decision and a suggested plan of action, and include details for a webinar we will be hosting on Wednesday, 7 October to discuss the next steps that organisations should take.
Next Tuesday, the Court of Justice of the European Union is scheduled to publish its decision in Maximillian Schrems v. Data Protection Commissioner, in which it is expected to rule on the validity of the U.S.-EU Safe Harbor Framework. Last week’s opinion of the CJEU’s Advocate General emphatically found Safe Harbor to be inadequate under EU law on the basis that access to Safe Harbor data by U.S. intelligence services is too wide and disproportionate, and that Safe Harbor does not contain appropriate guarantees to prevent this level of access. While the AG’s opinion is not binding on the CJEU, the short turn-around implies that the CJEU will not vary significantly from the opinion.
The Opinion of the Advocate General of the Court of Justice of the European Union on the case assessing the status and validity of Safe Harbor has created significant uncertainty relating to its immediate future. While the CJEU has not yet ruled, the AG’s decisions are typically quite influential. The AG’s view is that the Safe Harbor program does not provide an adequate level of data protection and that it should have already been invalidated by the European Commission.
On 1 September 2015, Russia’s much anticipated data localization law came into force. In recent interviews with European CEO and The Financial Times, Natalia Gulyaeva, partner in Hogan Lovells’ Moscow office, highlighted some key elements for multinationals to consider when doing business in Russia. In the interviews, Natalia explains that Roskomnadzor is not likely to conduct compliance audits on large multinational companies for some time and will allow for the transfer of data out of Russia as long as the primary database is inside Russia. She also highlighted that because Russia’s definition of “personal data” is very broad, companies should treat all information used to assist in the identification of individuals as “personal data.”
Today, on 1 September 2015, the Russian Data Localization Law came into force. So far there have been no unexpected developments or reports of any unplanned inspections by Roskomnadzor, the Russian Data Protection Authority. Existing planning documents, however, provide some predictability for organizations subject to the law about the schedule under which Roskomnadzor plans on conducting compliance inspections.
The Organisation for Economic Co-operation and Development (OECD) has published its 2015 Digital Economy Outlook (“Report”), a survey of changes and opportunities in, and challenges arising from, the digital economy. The Report identifies three broad trends for member countries and their partners to focus on in digitising their economies.
With the aim of keeping pace alongside European practice, on July 13th 2015, the Russian President signed into law a bill amending the Federal Law “On Information, information technologies and on protection of information” No. 149-FZ of 27 July 2006. This law introduces in Russia the so-called “right to be forgotten” or “right to oblivion” and will take effect on January 1st 2016.
The UK’s Information Commissioner’s Office is known to prefer an “engaging” rather than an enforcement approach with organisations. However, when looking at the “action we’ve taken” page on the ICO website the ICO’s enforcement activity seems to be increasing by the day. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of security requirements have to date attracted the majority of the ICO’s enforcement attention. Therefore, organisations operating in the UK would be well-served to focus on understanding and adhering to the ICO’s expectations for data security compliance.
As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online. In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.
Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015. France’s Constitutional Court Court reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles. However a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats. To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision.
In September 2015 the Russian Data Localization Law will come into force, requiring organizations that collect personal data from individuals located in Russia to store that data within Russian territory. In this blog post, we summarize recent developments on how the law will be applied, including the unexpected publication of regulatory guidance issued by the government this week.