Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Future-Proofing Privacy: New and Stronger Rights

02299 EU Data Protection Regulation Blog Image 02TE5The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations. Continue Reading

Posted in International/EU Privacy

Future-Proofing Privacy: Justifying Data Uses

02299 EU Data Protection Regulation Blog Image 02TE4Grounds for processing

Currently, under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law will remain unchanged under the Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher. This is especially true with regards to consent. Continue Reading

Posted in News & Events

June 2016 Privacy and Cybersecurity Events

Please join us for our June 2016 Privacy and Cybersecurity Events.

June 1
Global Data Flows
Julie Brill participated in a Microsoft Forum panel discussion on “We Knew the Global Data Flows Were Hard, but Really! The Year that Was and Will Be.”
Location: Washington, D.C.


June 2
Privacy Regulation and State AGs
Julie Brill spoke on the privacy policymaking of state attorneys general during the 9th Annual Privacy Law Scholars Conference.
Location: Washington, D.C.


June 7
Connected Cars, Privacy, and Cybersecurity
Julie Brill will give the lunch keynote and Tim Tobin will be presenting on a panel regarding connected car privacy and cybersecurity at the Auto Alliance Legal Conference 2016.
Location: Washington, D.C.

Continue Reading

Posted in International/EU Privacy

Future-Proofing Privacy: The Concept of Personal Data Revisited

02299 EU Data Protection Regulation Blog Image 02TE3Pseudonymisation enters the stage

Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. Pseudonymisation, while granting higher data security, also enhances data utility. In exchange for the lower level of privacy intrusion, and in order to encourage data controllers to resort to pseudoanonymisation, certain requirements are less stringent. Continue Reading

Posted in International/EU Privacy

Future-Proofing Privacy: Scope of the Application of the Law

02299 EU Data Protection Regulation Blog Image 02TE2What difference does a Regulation make?

Unlike EU ‘directives’, EU ‘regulations’ are by nature directly effective in EU Member States and so do not require further implementation into national laws. Previously, European data protection law was governed by the Data Protection Directive. It was the responsibility of Member States to implement the Data Protection Directive into their national law. When the Regulation becomes law, it will apply immediately throughout the EU due to its direct effect. As a consequence, national data protection acts will cease to be relevant for all matters falling within the scope of the Regulation.

Why does this matter?

It is absolutely crucial for organisations to know if they are or are not subject to the Regulation. Since the Regulation strengthens data protection principles, requires organisations to demonstrate compliance and ushers in greater enforcement powers for regulators, it is essential for all organisations, public and private, local, national or global, to understand in what circumstances the Regulation will apply to their use of personal data. Continue Reading

Posted in International/EU Privacy

Ignoring GDPR, French Senate Votes for a Data Localization Amendment

French BinaryDebated in Parliament since 9 December 2015, the French Digital Bill was subject to a Senate vote on 3 May 2016, two weeks before publication of the General Data Protection Regulation (GDPR) in the EU’s Official Journal.

The Digital Bill as voted for by the French Senate on 3 May 2016 includes a data localization provision: “Data shall be stored in a data center located within any EU Member State territory, without prejudice to international agreements to which France and the EU are parties. They cannot be subject to a transfer to a third country“. The Bill’s data localization provision may be incompatible with Article 44 of the GDPR and perhaps the current Data Protection Directive 95/46, as it places stricter requirements on the transfer of personal data outside of the EU than provided for under those documents. Continue Reading

Posted in International/EU Privacy

Future-Proofing Privacy: The Time Has Come

02299 EU Data Protection Regulation Blog Image 02TE1It has taken several years but we have finally made it to the start line. The modernisation of European privacy laws has reached a critical milestone and with the formal adoption of the new data protection framework, we can now begin to lay the foundations for the future.

Influenced by overwhelming technological advances and the Snowden revelations, the EU Data Protection Regulation introduces new accountability obligations, stronger rights and ongoing restrictions on international data flows. Overall, the new framework is ambitious, complex and strict. Businesses operating in Europe or targeting European customers need to get their act together and start preparing for the new regime. At stake are not only the consequences of non-compliance, but also the ability to take advantage of new technologies, data analytics and the immense value of personal information. From determining when European law applies to devising a workable cooperation strategy with national regulators, there are many intricate novelties to understand and address.

Our guide “Future-proofing privacy” aims to be a useful starting point. 24 authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the new framework with a practical mindset, providing concrete suggestions for actions to take now. Continue Reading

Posted in International/EU Privacy

A Brief Analysis of the European Parliament and the Article 29 Working Party’s Criticisms of Privacy Shield


Unveiled February 29, 2016, the new EU-U.S. Privacy Shield attempts to address the shortcomings of the Safe Harbor arrangement identified originally by the European Commission and later by the Court of Justice of the European Union (CJEU) in its Schrems decision.  The Privacy Shield proposes improved data protection principles, better enforcement by the US Department of Commerce and the Federal Trade Commission, redress mechanisms for EU citizens, and safeguards surrounding law enforcement and intelligence activities. Continue Reading

Posted in Cybersecurity & Data Breaches

Cybersecurity Vulnerabilities in the Life Sciences

While many of the recent most highly publicized data breaches have involved high-profile consumer brands, the life sciences sector is an increasingly attractive target for a cyber attack. Criminal attackers are targeting the health sector as part of industrial espionage programs and to obtain patient information that can fetch premium prices on the black market. In developing a cybersecurity strategy to combat potential threats, life sciences companies should employ a comprehensive strategy involving an assessment and analysis of likely risks, and active and continuing planning, training, and updating of cybersecurity strategies. Regulators have already signaled that cybersecurity risk assessments are foundational to meeting legal requirements and can define the baseline for what constitutes reasonable security measures within an organization.
Continue Reading

Posted in International/EU Privacy

CNIL’s New Role: Overseeing Website Blocking

shutterstock_322056467In an April 15, 2016 report, the French Data Protection Authority, the CNIL, provided details about its little-known responsibility as overseer of the French police’s website-blocking powers.  The French legislature gave the CNIL this new role in a November 13, 2014 law designed to enhance French police powers against terrorism. The 2014 law increased French police and intelligence agencies’ powers to collect data without a court order.  A lesser-known aspect of the November 2014 law is the provision that allows the French police to order ISPs to block websites that either provoke terrorist acts or support (provide an “apologia” or defense for) terrorism.  When the French police identify online content that violates these rules, they may order ISPs to block access.  The police also have this power with regard to child pornography. Search engines can also be ordered to delist content from search results. Continue Reading