
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Is EU Privacy Law Enforcement About to Become a Team Effort?

European data protection authorities are on a roll. This year started with the unprecedented coordination of enforcement actions across the EU for the alleged failures by Google to provide sufficiently clear and detailed information about its practices. Then the Article 29 Working Party (WP29) underwent what is possibly its most prolific period ever – with many opinions on topics ranging from breach notification and surveillance to international data transfers and legitimate interests. In fact, WP29 has already adopted seven opinions so far this year – the same number as in the whole of 2013. Further groundbreaking enforcement actions for things like not obtaining consent for cookies have also taken place in the past months. More recently, the European Court of Justice (ECJ) sided with the Spanish authority in the landmark ‘right to be forgotten’ case.

Posted in International/EU Privacy

Reflections on Europe’s “Right to Be Forgotten”

In a recent ruling, the European Court of Justice ordered Google to remove links from its search results pages referencing newspaper articles that were considered unflattering and out of date by a plaintiff. The ruling, imposing for the first time the so-called “Right to Be Forgotten,” has led to debate among privacy advocates and industry stakeholders about potential conflicts between the right to privacy, the right to free expression, and the potential burden imposed on online companies and the “market-place of ideas.”

In an Op-Ed for the National Post entitled “Sorry, but there’s no online ‘right to be forgotten’,” Ontario’s Privacy Commissioner Ann Cavoukian and Hogan Lovells’ Christopher Wolf team up to consider the consequences of the ECJ’s ruling. The pair focus on potential conflicts created by the Right to Be Forgotten between the right to privacy and that of free expression and highlight the plausible outcome that companies, in their new forced role as online censors, may “err on the side of deleting links to information.”

Posted in International/EU Privacy

State Department Issues Advisory Opinion on Cloud Computing

In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations (ITAR), the State Department confirmed that a company could use a data security method called “tokenization” to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took “sufficient means” to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing.

Posted in International/EU Privacy

New Canadian Anti-Spam Legislation Requirements Become Effective in Less Than Two Weeks

Canada’s new anti-spam law (commonly known as CASL) was passed in December 2010, and certain provisions will become effective 1 July 2014 — including new consent requirements for e-mails and certain other electronic messages.

As of 1 July 2014, an organization must have consent to send commercial electronic messages (CEMs) to an email account, telephone account or instant messaging account. In addition, CEMs must include certain identification information and an unsubscribe mechanism. The law applies to messages whenever a computer system located in Canada is used to send or access the CEM. Certain exemptions and transition periods also apply.

Posted in International/EU Privacy

Five Reasons to Do BCRs Now

Whilst the reform of the EU data protection framework continues its tortuous course in Brussels’ corridors of power, privacy pros in the real world are doing their best to cope with the current uncertainty. One of the ever-present sources of concern for those with data-related operations in Europe is how to overcome the restrictions affecting international data transfers in a cost-effective, sustainable and effective manner. In reality, there are many paths to follow, but choosing the right one is not always obvious—each case is different, and limited resources and time constraints often add an unwelcome degree of stress and complexity to the process.


Posted in Financial Privacy

CFPB Announces Inquiry into Mobile Financial Services and Issues Consumer Tips on Use of Mobile Devices

The Consumer Financial Protection Bureau (CFPB) is exploring how consumers—particularly members of economically vulnerable and underserved communities—are using mobile technology to access financial services and manage personal finances.

In a Request for Information (RFI) announced earlier this week, the CFPB notes that a large percentage of unbanked and underbanked consumers, many of whom are low-income, have access to mobile phones, a significant number of which are smartphones, and that accessing financial products, services, and financial management tools via mobile devices has the potential to empower consumers to take more control over their financial lives, to increase savings and reduce debt.


Posted in International/EU Privacy

Hogan Lovells Partner Appointed to French Digital Rights Commission

The Chairman of the French National Assembly, Claude Bartolone, announced June 11 the creation of a parliamentary commission on digital rights (in French), whose task will be, among other things, to define guidelines for evaluating legislative proposals affecting digital rights. France’s new Digital Rights Commission consists of 13 members of Parliament and 13 outside experts. Among the outside experts is Hogan Lovells partner Winston Maxwell, known for his work on net neutrality and data privacy.

Posted in International/EU Privacy

International Data Transfers – The Challenge Continues

The discussion at the Council of the EU in the context of the European data protection legislative reform that took place on 6 June is by no means the end of a process which is likely to carry on for at least a year, but it provided a helpful pointer as to where the policy-making thinking is. One of the biggest challenges that organisations operating in the EU have faced since the 1990s is the prohibition on transfers of data to jurisdictions outside the EU without equivalent standards of data protection. The ongoing legislative reform is an opportunity to review the existing regime and bring it into line with today’s data globalisation.


Posted in International/EU Privacy

Hogan Lovells Assists Vodafone in the Preparation of its First Law Enforcement Disclosure Report

Vodafone’s publication last Friday of its first Law Enforcement Disclosure Report attracted global press attention and comment. The report provides detailed insight into the legal frameworks, governance principles and operating procedures associated with responding to demands for assistance from law enforcement and intelligence agencies in 29 countries in which Vodafone operates.

Our London office team worked closely with Vodafone’s own in-house team to design and co-ordinate a multi-jurisdictional research effort involving Hogan Lovells colleagues and external counsel in the 29 countries in question.

The resulting research informed the creation by Vodafone of a country-by-country legal annexe to the report which seeks to highlight some of the most important legal powers available to government agencies and authorities seeking to access customer communications. In practice very few people are aware of these powers or understand the extent to which they enable agencies and authorities to compel telecommunications operators such as Vodafone to provide assistance of this nature.

By publishing the legal annexe under a creative commons licence, Vodafone hopes that others will re-use and build upon the material to aid greater transparency in this area.

The Law Enforcement Disclosure Report, which will be updated annually, covers the period 1 April 2013 to 31 March 2014 and can be found here.

Posted in International/EU Privacy

Italian DPA Publishes Decision on Cookies

On 3 June, Italy’s data protection authority, the Garante, published a decision on user notice and consent requirements when an organization uses cookies as part of its online services. The decision outlines specific categories of cookies based on their intended uses and the roles played by the entities placing those cookies, and highlights different levels of notice and consent requirements for each.  The decision also offers guidelines for providing users with adequate notice through a two-layer privacy notice and outlines the consequences of failing to comply with Italy’s rules on cookies.

In a detailed summary of the decision, Marco Berliri, Massimiliano Masnada, and Marta Colonna from Hogan Lovells’ Rome office, review key takeaways that will impact organizational practices when using cookies.  For our summary of the decision, click here.