As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online.
In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law. Continue Reading
Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015. France’s Constitutional Court (“Court”) reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles. However a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats. To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision. Continue Reading
In September 2015 the Russian Data Localization Law will come into force, requiring organizations that collect personal data from individuals located in Russia to store that data within Russian territory. In this blog post, we summarize recent developments on how the law will be applied, including the unexpected publication of regulatory guidance issued by the government this week. Continue Reading
On Monday, August 3, the National Telecommunications and Information Administration (NTIA) kicked off the multistakeholder process to develop best practices for commercial and private unmanned aircraft systems (UAS) use. As we previously reported, the NTIA action follows the White House’s February 15, 2015, Presidential Memorandum directing NTIA to lead private sector groups toward the creation of commercial UAS standards and the NTIA’s request for comments on privacy, transparency, and accountability issues related to the use of UAS. Continue Reading
Few areas of regulation are advancing as quickly in Asia as data privacy regulation. This year marks the tenth anniversary of the APEC Privacy Framework and we now see “European style” comprehensive data privacy regimes in a dozen jurisdictions across the Asia-Pacific region.
Hogan Lovells data protection lawyers Mark Parsons and Eugene Low recently hosted in-person seminars at Hogan Lovells’ offices in Hong Kong to take stock of where Asia is in terms of data privacy regulation, and to help chart a roadmap to compliance. The focus of these discussions was on identifying “hot spots” for businesses operating across the region and pointing to practical measures and points of prioritisation. The discussions also considered steps to be taken to prepare for and react to data breach events, with a seasoned view of regulatory attitudes and approaches to enforcement and remediation.
To access a video recording of Data Privacy Regulation in Asia – A Practical Way Forward to Compliance, click here.
Following on from the Article 29 Working Party’s Opinion in June, the European Data Protection Supervisor (EDPS) has now published his own recommendations for the proposed General Data Protection Regulation (GDPR). Unsurprisingly, given that the EDPS is a member of the Working Party, the views expressed are in line with that Opinion. At this point you may be tempted to stop reading, but wait, there is more. In addition to expressing his vision of the GDPR and producing his own recommendations for every single article of the GDPR, the EDPS has demonstrated his commitment to practicality by making this all available as a mobile app. The app allows you to select which of the drafts you wish to see side by side, scroll rapidly through the contents to select a particular article, or search on the whole text so you can see at a glance what each version says, for example, about pseudonymisation or profiling. Whilst the app may have limited appeal, and is unlikely to keep small children entertained on long car journeys, it will be a thing of joy for its target audience. Continue Reading
Making the UK a safe place to live and prosper is not a small matter. Whatever the root causes, the threats to public safety are real and a political priority for government and opposition alike. This huge responsibility combined with the complexities of 21st century communications has resulted in a succession of laws aimed at legitimising the ability of law enforcement and intelligence agencies to tap into our digital lives. Just like technology itself, this is a moving target and policy decisions in this area have come thick and fast – not just in the UK but in many other democracies around the world. Continue Reading
In a move counter to the trending precedent in data breach litigation, the U. S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation. Continue Reading
Spain is well known for having one of the most restrictive data protection regimes in the European Union (EU). It also counts with some of the highest penalties (fines are up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency (AEPD) – with a reputation for being one of the fiercest of the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.
Fulfillment of the Spanish data protection requirements is not an easy task. However, it is not impossible either. Hogan Lovells has prepared a detailed analysis of key Spanish data protection issue areas—such as consent; disclosures; cookies; access, rectification, cancellation, and objection; and international transfers—to help companies understand Spanish data protection requirements.
To download Data Protection Compliance in Spain: Mission Impossible?, click here.