
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Russia Update: Regulator Publishes Data Localization Clarifications

As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online.

In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.

Posted in International/EU Privacy

French Surveillance Law Permits Data Mining, Drawing Criticism from Privacy Advocates

Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015. France’s Constitutional Court (“Court”) reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles. However, a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats. To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision.

Posted in International/EU Privacy

Russian Regulator Publishes Data Localization Clarifications One Month Before Sept. 1 Effective Date, Plus Other Developments

In September 2015 the Russian Data Localization Law will come into force, requiring organizations that collect personal data from individuals located in Russia to store that data within Russian territory. In this blog post, we summarize recent developments on how the law will be applied, including the unexpected publication of regulatory guidance issued by the government this week.

Posted in Privacy & Security Litigation

NTIA Multistakeholder Process For Unmanned Aircraft Systems Takes Flight

On Monday, August 3, the National Telecommunications and Information Administration (NTIA) kicked off the multistakeholder process to develop best practices for commercial and private unmanned aircraft systems (UAS) use. As we previously reported, the NTIA action follows the White House’s February 15, 2015, Presidential Memorandum directing NTIA to lead private sector groups toward the creation of commercial UAS standards and the NTIA’s request for comments on privacy, transparency, and accountability issues related to the use of UAS.

Posted in International/EU Privacy

Chinese Appellate Court Provides Guidance for Lawful Use of Cookies

On 6 May 2015, the Intermediate People’s Court of Nanjing City, Jiangsu Province, issued a civil judgment ruling that the search engine giant Baidu’s use of cookies to personalize advertisements directed at consumers on partner third party websites does not infringe consumer rights of privacy. The court based its decision on findings that the information collected by the Baidu cookies did not amount to “personal information” under Chinese law, the complainant did not suffer cognizable injury by receiving targeted ads on other sites, and Baidu afforded consumers mechanisms to opt out.

Although not binding on other courts, this judgment has significant implications. It provides insight into how other courts in China are likely to handle similar challenges to the use of cookies in the future, and its detailed analysis of Baidu’s cookie policy sheds light on what policies and practices companies in China would be prudent to adopt in order to best balance industry and consumer interests in compliance with the law.

Posted in International/EU Privacy

Recorded Seminar: Data Privacy Regulation in Asia – A Practical Way Forward to Compliance

Few areas of regulation are advancing as quickly in Asia as data privacy regulation. This year marks the tenth anniversary of the APEC Privacy Framework and we now see “European style” comprehensive data privacy regimes in a dozen jurisdictions across the Asia-Pacific region.

Hogan Lovells data protection lawyers Mark Parsons and Eugene Low recently hosted in-person seminars at Hogan Lovells’ offices in Hong Kong to take stock of where Asia is in terms of data privacy regulation, and to help chart a roadmap to compliance. The focus of these discussions was on identifying “hot spots” for businesses operating across the region and pointing to practical measures and points of prioritisation. The discussions also considered steps to be taken to prepare for and react to data breach events, with a seasoned view of regulatory attitudes and approaches to enforcement and remediation.

To access a video recording of Data Privacy Regulation in Asia – A Practical Way Forward to Compliance, click here.

Posted in International/EU Privacy

“Europe’s Big Opportunity” – The European Data Protection Supervisor on the General Data Protection Regulation

Following on from the Article 29 Working Party’s Opinion in June, the European Data Protection Supervisor (EDPS) has now published his own recommendations for the proposed General Data Protection Regulation (GDPR). Unsurprisingly, given that the EDPS is a member of the Working Party, the views expressed are in line with that Opinion. At this point you may be tempted to stop reading, but wait, there is more. In addition to expressing his vision of the GDPR and producing his own recommendations for every single article of the GDPR, the EDPS has demonstrated his commitment to practicality by making this all available as a mobile app. The app allows you to select which of the drafts you wish to see side by side, scroll rapidly through the contents to select a particular article, or search on the whole text so you can see at a glance what each version says, for example, about pseudonymisation or profiling. Whilst the app may have limited appeal, and is unlikely to keep small children entertained on long car journeys, it will be a thing of joy for its target audience.

Posted in International/EU Privacy

UK: Surveillance and the Rule of Law

Making the UK a safe place to live and prosper is not a small matter. Whatever the root causes, the threats to public safety are real and a political priority for government and opposition alike. This huge responsibility combined with the complexities of 21st century communications has resulted in a succession of laws aimed at legitimising the ability of law enforcement and intelligence agencies to tap into our digital lives. Just like technology itself, this is a moving target and policy decisions in this area have come thick and fast – not just in the UK but in many other democracies around the world.

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

Seventh Circuit Finds Article III Standing Following Data Breach, but Significant Hurdles Remain for Plaintiffs Seeking Recovery

In a move counter to the trending precedent in data breach litigation, the U.S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation.

Posted in International/EU Privacy

Data Protection Compliance in Spain (2015)

Spain is well known for having one of the most restrictive data protection regimes in the European Union (EU). It also has some of the highest penalties (fines are up to €600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency (AEPD) – with a reputation for being one of the fiercest in the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of 450,000, 900,000 and 1,400,000.

Fulfillment of the Spanish data protection requirements is not an easy task. However, it is not impossible either. Hogan Lovells has prepared a detailed analysis of key Spanish data protection issue areas—such as consent; disclosures; cookies; access, rectification, cancellation, and objection; and international transfers—to help companies understand Spanish data protection requirements.

To download Data Protection Compliance in Spain: Mission Impossible?, click here.