Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: International/EU Privacy

Subscribe to International/EU Privacy RSS Feed
Posted in International/EU Privacy

Getting Cookie Consent Right

One could be forgiven for thinking that knowing how to comply with a legal obligation that has been in place for nearly a decade would be clear cut. However, widespread practice tells us that this is far from the truth. In November 2009, as part of wider reforms to the European telecommunications regulatory framework, the European Union introduced various amendments to the existing Directive 2002/58/EC (e-Privacy Directive), including to the provisions regulating the use of cookies.

Posted in International/EU Privacy

Russia Update: Law Increasing Fines for Violation of Data Protection Laws Comes Into Force

Update: On 3 December 2019 the law imposing multi-million Ruble fines for infringing Russian data localization and information security laws has come into force. Since the law has already come into force, new fines may be imposed on companies based on results of Roskomnadzor’s inspections in 2020. Roskomnadzor has already identified the entities it plans to inspect in 2020 but may initiate unplanned inspections as well based, for example, on data subject complaints or its online monitoring of company activity.

Posted in International/EU Privacy

Hogan Lovells Calls for an Alternative Approach to Regulating Privacy in the Digital Economy

Hogan Lovells has published a study evaluating the ongoing legislative proposal for a new ePrivacy Regulation, a law aimed at updating the current ePrivacy framework in the EU.

After nearly three years of debates and negotiations, the European Union is nowhere near agreeing a position on how to achieve the right balance between the need for technological innovation, public security and the protection of privacy in the context of the digital economy.

Posted in International/EU Privacy

The grand “finale” of China’s Encryption Law

Two years on since the first draft, the final act of the legislative passage saga of the long-awaited People’s Republic of China Encryption Law ended with its passage on 26 October 2019. It will take effect on 1 January 2020. The final text of the Encryption Law clearly represents a step in the right direction in terms of putting in place a comprehensive law in the encryption field, a sensitive and highly regulated area which China closely associates with state secrecy, and which historically has caused foreign investors great confusion with its strange mix of legislation that said one thing and policies that said another.

Posted in International/EU Privacy

Spanish DPA on Use of Cookies: Continued Browsing is Consent

On November 8, the Spanish data protection authority published new Guidelines on the Use of Cookies. The Guidelines have been prepared in collaboration with different organisations in the marketing and online advertising industries, and aim to provide some direction on the use of cookies and similar technologies in compliance with information society services laws and regulations.

Posted in International/EU Privacy

Spanish DPA Publishes Guide for Satisfying PbD Obligation

On October 17, the Spanish data protection authority published the Guide to Privacy by Design. While Privacy by Design first became a legal requirement in the EU with implementation of the General Data Protection Regulation, it is a well-known concept among privacy professionals that dates back to the 1990s. PbD should be construed as “the need to consider privacy and the principles of data protection from the inception of any type of processing.” It is a concept focused on risk management and accountability that aims to incorporate privacy protections throughout the life cycle of systems, services, products, and processes. It involves the application of measures for privacy protection among all business processes and practices associated to personal data.

Posted in International/EU Privacy

EU-U.S. Privacy Shield Passes Its Third Annual Review

Following the joint press statement from Commissioner Věra Jourová and Secretary of Commerce Wilbur Ross of 13 September, on 23 October 2019 the European Commission published its report on the third annual review of the functioning of the EU-U.S. Privacy Shield. In a nutshell, the report of the third review found that the U.S. continues to provide an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S.

Posted in Health Privacy/HIPAA, International/EU Privacy

Medical Research Council Advises on How to Anonymise Information for Research Purposes

Anonymisation has always been (and still is) a real challenge for those carrying out clinical research. To shed some light on this matter, the Medical Research Council – which is part of UK Research and Innovation – has recently published guidance on Identifiability, anonymisation and pseudonymisation. Although the guidance itself states that it has been developed with the participation of the Information Commissioner’s Office, it is not ICO-approved and so institutes and organisations should be cautious when relying on the criteria set out in the guidance.

Posted in International/EU Privacy

CJEU: Consent on the Internet Means ‘Opt-In’

On 1 October 2019, the Court of Justice of the European Union handed down a crucial decision impacting the way that consent is obtained on the internet. The judgment relates to Case C-673/17. In the Planet49 case, the German Federal Court referred a number of questions to the CJEU regarding the validity of consent to cookies placed by a website operating an online lottery.

Posted in International/EU Privacy

The ICO Updates Its Data Sharing Code of Practice

On 9 July 2019 the UK data protection authority updated its Data Sharing Code of Practice (first published in 2011). On the same day, the ICO also announced its intention to fine Marriott International just over £99m for infringements of the General Data Protection Regulation, highlighting the importance of due diligence in the context of data sharing.

Posted in International/EU Privacy

New French Guidelines on Cookies and Trackers

On 19 July the French Data Protection Authority published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020).

Posted in International/EU Privacy

Dutch DPA: Banks May Not Use Payment Data for Marketing Purposes

In the wake of a recent announcement by a major Dutch bank that it would start providing its customers with personalized advertisements based on their spending patterns, the Dutch Data Protection Authority (DPA) has sent a letter to all Dutch banks urging them to thoroughly review their direct marketing practices. The DPA specifically asked any bank contemplating the use of transaction data for direct marketing to reconsider. In its analysis, the DPA may have introduced a very onerous obligation to re-collect personal data for every single use.

Posted in International/EU Privacy

The UK ICO’s Regulatory Sandbox Points to a Future of Pro-Active Engagement

As companies continue to grapple with interpreting how the GDPR’s principles apply to their own businesses, in particular contexts, there is a growing need for data protection regulators to provide clarity on the practical application of the regulation. In the UK, the Information Commissioner has recently taken steps to address these concerns through the announcement of a ‘Regulatory Sandbox’.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Time to Take Notice: ICO to Impose Record Fine for Data Security Breach

On 8 July 2019, the UK data protection authority issued a notice of its intention to fine British Airways GBP 183.39 million (approx. USD 229.46 million) for infringements of the General Data Protection Regulation. The proposed fine relates to a data breach in which personal data of approximately 500,000 customers were compromised.

Posted in International/EU Privacy

The French Data Protection Authority Gets Ahead of the Game With New Rules on Cookie Consent Before the ePrivacy Regulation Reaches its Final Draft

The French Data Protection Authority has made targeted online advertising a priority topic in its 2019-2020 agenda and has changed its position on cookie consent. Although the ePrivacy Regulation is still being debated by EU legislators and is far from being finalised, the CNIL has withdrawn its 2013 cookie recommendation and announced that it will publish new guidelines (announcements are available in English on the CNIL’s website here and here). These explicitly rule out the use of implied or “soft” consent to place cookies on users’ devices.

Posted in International/EU Privacy

New Bill Imposing Increased Fines for Violations of Russian Data Protection Laws Under Consideration

On June 13, 2019, a new draft bill imposing multi-million ruble fines for infringing Russian data localization and information security laws—multiplying the maximum penalty under current law by a magnitude of 240—was submitted to the State Duma (the lower chamber of Russian Parliament). This would supplement existing fines, which we reported were previously increased in 2017.

Posted in International/EU Privacy

The Cathay Pacific Breach: Is Data Protection and Cyber Security Law in Hong Kong About to Receive an Upgrade?

On 6 June, 2019, the Privacy Commissioner for Personal Data issued an enforcement notice against Cathay Pacific Airways (and its affiliate Hong Kong Dragon Airlines) (together, “Cathay Pacific”) in respect of a data breach concerning unauthorized access to the personal data of some 9.4 million Cathay Pacific customers.

Posted in International/EU Privacy

Transfers on Trial: Privacy Shield and Standard Contractual Clauses go before the European Courts

July is set to be a busy month in Luxembourg. On the first and second of the month, the General Court of the European Union (which is part of the Court of Justice of the European Union) will hear a case against the EU-U.S. Privacy Shield brought by three French NGOs, La Quadrature du Net, French Data Network and Fédération FDN. A week later, on 9 July, the CJEU will hear arguments in Schrems II, in which the Irish High Court has referred 11 questions relating to whether the European Commission’s Standard Contractual Clauses provide an adequate level of protection for personal data which is transferred to the US.

Posted in International/EU Privacy

China’s First Data Protection Measures Lifting Its Veils

On May 28, 2019, the Cyberspace Administration of China released the draft Measures on the Administration of Data Security for public consultation. This Data Security Measures will be a great leap forward in China’s current data protection landscape, which mainly consists of scattered provisions contained in various pieces of legislations and standards, such as the Cyber Security Law, the E-Commerce Law, the Consumer Rights Protection Law as well as the Personal Information Security Specification, the most comprehensive yet non-binding national standard with respect to data protection. The Data Security Measures, once officially promulgated, will be the first binding administrative regulation in China to specifically and systematically set out explicit protection for personal data and important data collected and processed through the use of cyber technologies, following the effectiveness of the Cyber Security Law in 2017.

Posted in Consumer Privacy, International/EU Privacy

GDPR – The Year in Review

Following the one-year anniversary of the coming into effect of the GDPR, Hogan Lovells’ Privacy and Cybersecurity practice has prepared summaries of key GDPR-related developments of the past 12 months. The summaries cover regulatory guidance, enforcement actions, court proceedings, and various reports and materials.

Posted in International/EU Privacy

GDPR – The Work Ahead

The sky has not fallen. The Internet has not stopped working. The multi-million euro fines have not happened (yet). It was always going to be this way. A year has gone by since the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) became effective and the digital economy is still going and growing. The effect of the GDPR has been noticeable, but in a subtle sort of way. However, it would be hugely mistaken to think that the GDPR was just a fad or a failed attempt at helping privacy and data protection survive the 21st century. The true effect of the GDPR has yet to be felt as the work to overcome its regulatory challenges has barely begun. So what are the important areas of focus to achieve GDPR compliance?

Posted in International/EU Privacy

South Africa Data Protection Regulations Expected to Take Effect in 2019

Although South Africa’s first comprehensive piece of data protection legislation, the Protection of Personal Information Act, was originally signed into law in November 2013, the substantive provisions of the law have not yet taken legal effect. That is likely to change since South Africa’s data protection authority, the Information Regulator, published the final draft of its POPIA regulations in December 2018.

Posted in International/EU Privacy

EDPB’s Position on Clinical Trials Creates Friction with Other EU Legislation

Clinical trials in the EU include the collection of sensitive health data from patients. Trial sponsors are obliged to reconcile their respect of regulations governing data protection with regulations governing the conduct of clinical trials. The GDPR¹ could not fully harmonize these rules since this area is already heavily regulated by public health regulations that vary between EU Member States. One of the most disconcerting areas of divergence between EU Member States is the different national positions on whether patient consent is a valid legal ground for processing personal data in clinical trials.