Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

EU Data Transfers to the U.S.: Considering Your Options after Privacy Shield

International Data Flows GraphicWith the recent approval of the EU-US Privacy Shield framework and the ability to start filing online registrations on 1 August, many companies have questions about the advantages and disadvantages of Privacy Shield as compared to other cross-border transfer mechanisms to cover trans-Atlantic data flows.

To answer your questions, we publish here International Data Transfers – Considering your options, a high-level analysis of the EU cross-border transfer options for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Privacy Shield, and Consent—and the pros and cons of choosing each one.

Continue Reading

Posted in International/EU Privacy

UK Government Consults on Data Security Standards and Data Sharing in the Health Sector

shutterstock_274994318On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes.
Continue Reading

Posted in International/EU Privacy

ENISA Jumpstarts Connected Car Cybersecurity Study for EU

shutterstock_344953541With attention to connected car cybersecuity issues increasing globally, the European Union Agency for Network and Information Security (ENISA) is leading the EU’s first bloc-wide initiative to identify cybersecurity rules of the road for connected cars. On July 13, ENISA announced a study aimed at creating a comprehensive list of cybersecurity policies, tools, standards, and measures to enhance security in next-generation automobiles. ENISA will include interviews with relevant stakeholders like car manufacturers and Tier 1 and 2 suppliers and solicit feedback on its findings at an open workshop October 10 in Munich, Germany. The study will also be reviewed by members of ENISA’s CaRSEC Expert Group, a collection of government, private, and public-sector experts knowledgeable about cybersecurity as it relates to car manufacturing, vehicular hardware and software, road standards, and car security. At the end of the study, ENISA will provide recommendations on how to enhance smart car security for EU consumers.

Continue Reading

Posted in Consumer Privacy, International/EU Privacy, Privacy & Security Litigation

Second Circuit Holds That U.S. Cannot Compel By Warrant Microsoft’s Production of Emails Stored Outside of U.S., Citing The Stored Communications Act’s Privacy Protections and Lack of Extraterritorial Effect

for-blogA three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service.  The decision is surprising in that that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.”  See In the Matter of a Grand Jury Subpooena Directed to Marc Rich & Co. v. United States, 707 F.2d 663 (1983) and our earlier blog post on the district court decision.

The Second Circuit focused its analysis on the government’s use of a warrant issued pursuant to section 2703 of the Stored Communications Act (SCA) to obtain the content of emails.  Under the SCA, where the U.S. Government seeks the content of emails from an email service provider, the Government must, in certain specified circumstances, use a warrant following the procedures in Rule 41 of the Federal Rules of Criminal Procedure.  The court concluded that Rule 41, with the exception of certain diplomatic operations, only allows for magistrate judges to issue warrants for information stored in the United States.  Moreover, the court found “Congress did not intend the SCA’s warrant provisions to apply extraterritorially,” citing the presumption against extraterritorial application of United States statutes absent a clear contrary intent.

Although the court acknowledges that “domestic contacts” can eliminate concerns of  extraterritoriality in a given case, the court found that in this case, the SCA’s focus on the “privacy of the content of a user’s stored electronic communications” tipped the balance in favor of the presumption against extraterritorial application of the SCA.  The court addressed earlier cases where subpoenas were issued to businesses that owned the information sought, finding that compelling the production of information stored abroad from the owner of the information is distinguishable from compelling the production of information stored abroad from a caretaker of that information.  The court also noted the importance of international comity that “ordinarily govern the conduct of cross-boundary criminal investigations.”

This case could have a significant impact on cloud providers’ decisions to store information abroad.  It also serves, in the midst of debates about the newly enacted Privacy Shield and the recent challenge to Standard Contractual Clauses now before the Court of Justice of the European Union, as a counterbalance to arguments that some make about the U.S. legal system not respecting personal privacy. Continue Reading

Posted in International/EU Privacy

Privacy Shield Receives Final Approval from European Commission—Some Initial Practical Advice

shutterstock_285945950On 12 July 2016, the European Commission issued its much awaited “adequacy decision” concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. This adequacy decision is based on the latest version of the Privacy Shield, which was further negotiated and revised following the Article 29 Working Party’s April 2016 concerns with the terms of the original Privacy Shield framework.

Many of our clients have questions about Privacy Shield—what it is, when it will be available for use, and how it differs from other data transfer mechanisms, among others. We have prepared a blog post to answer these questions about the updated version of Privacy Shield and its implications for companies engaging in trans-Atlantic data flows. Continue Reading

Posted in International/EU Privacy

Julie Brill Advocates in Support of Privacy Shield


Julie Brill, Hogan Lovells partner, and co-head of our global privacy and Cybersecurity practice, recently commented on the EU-US Privacy Shield for the EurActiv publication.  Her comments are republished here, with permission:

The free flow of data is essential to an ever-growing segment of the global economy.  Yet some policymakers and advocates, citing privacy concerns, have called for shutting off the faucet and restricting data flow, to the detriment of European consumers and European businesses, both small and large.

With cooler heads and a laser-like focus on the best interests of all European citizens, the European Commission and the US Department of Commerce have been tirelessly working to build a better framework for maintaining a seamless flow of data across the Atlantic in a manner that respects the privacy of European citizens.

After much debate, a major European court opinion, and at least one act of Congress to address the issue, a solution is at hand that will enhance real, enforceable privacy protections on both sides of the Atlantic.

Continue Reading

Posted in International/EU Privacy

European Union’s Cybersecurity (NIS) Directive adopted

shutterstock_419561389At the Plenary Session held today (July 6th, 2016) in Strasbourg, the European Parliament adopted a position agreed with by the Council on a Directive on common rules of security of network and information systems across the EU on its second reading. The main elements of the Directive are:

Continue Reading

Posted in International/EU Privacy

Russia Imposes New Data Storage Requirements for Telecoms and ISPs

shutterstock_366140141Yesterday, Russian President Vladimir Putin signed the law “On introducing amendments to the Federal law ‘on fighting terrorism’ and other legislative acts of the Russian Federation related to establishment of additional measures against terrorism and ensuring public security” (the “Law”). Specifically, the Law introduces amendments to the Russian Law on Communications and the Russian Law On Information, Information Technologies and Protection of Information.

Continue Reading

Posted in News & Events

July 2016 Privacy and Cybersecurity Events

Please join us for our July 2016 Privacy and Cybersecurity Events.

July 6
Territorial Reach of Data Protection Law
Eduardo Ustaran will chair a panel on “The Weltimmo case in the European Court on the territorial reach of DP law” at the Privacy Laws & Business International Conference.
Location: Cambridge, UK


July 7
Artificial Intelligence
Julie Brill will speak on the social and economic implications of artificial intelligence technologies in the near term at a White House and NYU Workshop.
Location: New York, New York


July 12
Privacy Shield and the Future of Europe
Julie Brill will give the keynote at the Dublin Institute for European and International Affairs.
Location: Dublin, Ireland


July 12
Data Protection General Regulation
Tim Wybitul will hold a workshop on the Implementation of the EU-Data Protection General Regulation in companies. The workshop will address experienced decision-makers who will need to prepare their companies for the upcoming requirements of the DPGR. Using case studies, checklists, charts, and practical examples, the workshop will provide participants with the key information they need to know to plan for DPGR.
Location: Hogan Lovells’ office in Frankfurt, Germany

Continue Reading

Posted in International/EU Privacy

A Way Forward for UK Data Protection

shutterstock_383789209The people of the UK have spoken and our collective choice is to leave the European Union. Some are dreading the likely tsunami of economic hardship. Others are excited about what may lie ahead. Most of us are shocked. But as numbing as the verdict of the UK electorate may be, there are crucial political, legal and economic decisions to be made. The ‘To Do’ list of the UK government will be overwhelming, not least because of the dramatic implications that each of the items on the list will have for the future of the country and indeed the world. Steering the economy will be a number one priority and with that, the direction of travel of the digital economy – which, at the end of the day, is one of the pillars of prosperity in the UK and everywhere else. Continue Reading