
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

German Government Presents Revised Draft GDPR Implementation Bill

The EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018, is generally designed to align data protection requirements across the EU. However, its opening clauses offer countries some freedom in their implementation of the Regulation and, thus, room to differ. In August 2016, the German Ministry of the Interior (BMI) released its first GDPR implementation proposal to widespread criticism from both experts and data protection authorities. Recently, the BMI published a revised proposal, a new Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG). The draft BDSG provides further details regarding the scope and implementation of existing GDPR provisions and also contains additional data protection requirements beyond those provided for in the Regulation. We explore notable specifications to and deviations from the GDPR, below.


Posted in International/EU Privacy

Trump’s Executive Order Does Not Impact U.S. Privacy Shield Commitments

Last Wednesday, President Trump signed an immigration-related Executive Order (EO) titled “Enhancing Public Safety in the Interior of the United States” that, among other things, removed the ability of federal agencies to extend protections under the Privacy Act to anyone other than U.S. citizens or legal permanent residents. Some initial observers have suggested that this means that the U.S. government is pulling back from its commitments to provide privacy protections to EU citizens, thus putting in peril the EU-U.S. Privacy Shield Framework. Upon closer examination, however, the EO does not impact any of the U.S. commitments under the Privacy Shield, nor does it revoke protections for EU citizens under the Privacy Act provided pursuant to the Judicial Redress Act.


Posted in Cybersecurity & Data Breaches

NIST Updates Cybersecurity Framework Guidance

In the past month, the National Institute of Standards and Technology (NIST) has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications.


Posted in International/EU Privacy

DSM Watch: European Commission’s Data Package Explores Data Ownership, Localization, Liability and Portability, Highlighting Tensions with GDPR

On January 10, 2017, the European Commission released a Communication, a fact sheet, a working document and a public consultation relating to Europe’s “data economy”. The fact sheet states that “data is a new type of economic asset”, which is essential for innovation and growth. The Commission’s objective is to remove “unjustified restrictions” and “legal uncertainties” in order to facilitate data sharing and innovation.


Posted in International/EU Privacy

Privacy in 2017 – From Challenges to Opportunities

After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. In addition, new questions will no doubt emerge. Here is an overview of the privacy challenges that lie ahead and what can be done about them.


Posted in International/EU Privacy

Russia Releases 2017 Data Privacy Inspection Plans; Microsoft Passes 2016 Inspection

At the end of 2016, territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2017 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including data localization. The inspection plans contain a number of prominent multi-national and Russian companies.


Posted in International/EU Privacy, News & Events

University Panthéon-Assas (Paris II) and Hogan Lovells Launch a Data Protection Officer Degree

On January 5, 2017 Paris Law School Panthéon-Assas launched its first university degree (diplôme d’université) aimed at training future Data Protection Officers (DPOs) under the new European General Data Protection Regulation (GDPR), which becomes effective across the EU on May 25th, 2018. Created by Paris University Professor Bénédicte Fauvarque-Cosson and Hogan Lovells partner Winston Maxwell, the new program will include courses in law, cybersecurity, data analytics, management and ethics. The faculty will include professors from various law schools, as well as practicing DPOs, information security specialists, lawyers and regulators from the CNIL (the French data protection authority), and major companies including Sanofi, Renault, GE, Axa, Lagardère, Google, Microsoft, Schneider Electric, BNP Paribas and the Banque Postale.

Speaking at the opening ceremony, Professor Fauvarque-Cosson commented: “This is an exciting time because data protection law is being created before our eyes. The new European regulation is just the start.” Winston Maxwell underlined the difficulties of the DPO role under the GDPR: “The DPO is an important management position, but it will not be easy.”

Information about the new program is available here.

To see Professor Fauvarque-Cosson’s and Winston Maxwell’s video, click here.

Posted in International/EU Privacy

New Notice and Consent Rules under Proposed EU e-Privacy Regulation

The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive. The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader territorial reach and applies generally to the provision of electronic communications services to end users in the EU and to the use of such services. It is also concerned with the protection of information related to the devices of end users located in the EU.

In this particular respect, the draft e-Privacy Regulation introduces revised and complex rules affecting end users’ terminal equipment and how data is collected in that context. Our high level assessment of the notice and consent requirements affecting various data activities involving users’ devices can be found here.

The consequences for non-compliance follow a two-tier approach as follows:

  • Breaches of the rules regarding notice and consent, default privacy settings, publicly available directories and unsolicited communications may be punished with fines of up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher.
  • Breaches of the rules regarding the confidentiality of communications, permitted processing of electronic communications data and the time limits for erasure of data may be punished with fines of up to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher.

This is the beginning of the formal legislative process and now the draft is in the hands of the European Parliament and the Council of the EU.

Sam Choi, a trainee solicitor in our London office, contributed to this entry.

Posted in News & Events

Privacy and Cybersecurity January 2017 Events

Please join us for our January 2017 Privacy and Cybersecurity Events.

January 11
Japan’s 2017 Data Privacy and Tech Agenda
Julie Brill and Harriet Pearson will host a presentation by two of Japan’s most senior officials and authorities on recent changes to Japan’s privacy law and the establishment of a new Personal Information Protection Commission (PPC). Yoshikazu Okamoto, Director of the PPC Secretariat, will present on the mission and agenda of the PPC, the requirements and implementation timeline of the new law, and Japan’s international engagement on these issues. Professor Fumio Shimpo of Keio University, a noted expert on Japanese privacy and technology law and policy, will add his perspectives on legal and policy aspects of the Internet of Things, artificial intelligence, and robotics. Click here to register for the event.
Location: Hogan Lovells’ office in Washington, D.C.


January 25
Computers, Privacy & Data Protection
Julie Brill and Eduardo Ustaran will speak at the CPDP Conference. Julie will speak on “AI & GDPR: Concretely, What Are the Obligations & Steps to Take?” and Eduardo on “Implementing the Data Protection Regulation.”
Location: Brussels, Belgium


January 31-February 1
GDPRnow: A Practical Guide to Implementing the GDPR
Hogan Lovells will be hosting GDPRnow, two half-day events that will feature speakers from our global Privacy and Cybersecurity practice and Helen Dixon, the Irish Data Protection Commissioner. GDPRnow will offer expert and practical guidance on how to prepare for the GDPR. Hogan Lovells speakers include: Julie Brill and Bret Cohen (Washington, D.C.), Joke Bodewits (Amsterdam), Gonzalo Gállego (Madrid), Marcus Schreibauer (Düsseldorf), Stefan Schuppert (Munich), and Eduardo Ustaran (London).
Location: Hogan Lovells’ offices in Washington, D.C. and New York


Posted in Cybersecurity & Data Breaches

New York Department of Financial Services Cybersecurity Rules Revised and Delayed

The New York Department of Financial Services (NYDFS) just issued major revisions to the cybersecurity regulations for financial institutions that were due to come into effect on January 1, 2017. To allow covered institutions more time to implement the rules, the effective date will now be March 1, 2017, with a series of staggered implementation dates beyond this. There are several notable substantive changes in the revised rules.

Click here to learn more about the major changes to the proposed rules, timing and implementation details, and how to prepare for the new requirements as well as other related cybersecurity developments.

For more details on the NYDFS cybersecurity regulations for financial institutions, please see our previous blog post.