The General Data Protection Regulation entered into force on 25 May 2018. In light of the urgency to adapt Law no. 78-17 dated 6 January 1978 to the new European Union law, the French Government has initiated an accelerated procedure. This procedure led to the adoption in final reading by the French National Assembly of the bill on personal data protection on 14 May 2018. However, some French Senators lodged a constitutional complaint against the said law on 16 May 2018.
“European data protection rules will become a trademark people recognise and trust worldwide”. That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. Six years later, this ambitious aim is becoming a reality. Organisations from around the world and well beyond Europe are grappling with the new European General Data Protection Regulation (GDPR) and its impact on their data activities. From Australian banks and South American insurers to US universities and Asian telecoms companies, determining the applicability of the GDPR to their operations has become a critical business decision. As many global companies ponder over the right strategy to privacy compliance, a key question has emerged: which organisations, and under which circumstances, are subject to the territorial scope of the GDPR?
The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office to come into effect on 25 May 2018 to coincide with the GDPR coming into force.
Recently, the Russian Data Privacy Authority, Roskomnadzor, organized an Open Doors Day in honor of the International Data Privacy Day. During the occasion, Roskomnadzor officers presented on the authority’s 2017 enforcement activities. They followed this presentation with an open question and answer period, during which they responded to numerous questions raised by attendees. This post summarizes the key takeaways.
Territoriality will continue to be one of the most vexing problems for data regulation in 2018. One aspect of this debate relates to whether a U.S. judge can compel the disclosure of personal data located in Europe without using international treaty mechanisms. This issue is currently being considered by the United States Supreme Court in the case United States v. Microsoft. The case involves the question of whether a U.S. statute relating to search warrants can be interpreted as extending to a search for data located outside the United States; in this case, the data is located in Ireland. The U.S. Court of Appeals found that, in the absence of express wording in the statute relating to extraterritorial application, the statute should be interpreted as being limited to searches conducted within the territory of the United States. The Supreme Court is currently reviewing the case. In December, 2017, the European Commission filed an amicus brief urging the Supreme Court to give due consideration to the principles of international comity and territoriality when interpreting the U.S. statute.
According to the Constitution of Mexico, the protection of personal data is a fundamental right of all Mexican citizens. Under federal law, individuals also have a right to access, change, oppose, or suppress their personal data. Although all private companies process data, some are not sufficiently familiar with Mexico’s data privacy principles and regulations, and many may not have an up-to-date assessment of their own risk of a data breach. In addition, they may not be aware that the Mexican Supreme Court’s recent shift in perspective regarding personal injury cases may herald a change in the way data privacy breaches are handled in the future. This interview explores the impact of Mexico’s data privacy regulations on private companies, discusses the unique approach of Mexican regulators to data privacy enforcement, and offers advice as to how companies can stay compliant.
Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. The UK data protection regulator has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications. However, in a recently issued monetary penalty notice, the ICO indicated that it may be shifting its enforcement strategy. This post discusses the latest developments.
The 2016 holiday gift guides have heavily featured consumer drones; as such, it is not unfeasible that you or someone you know will receive a drone in the coming weeks. In anticipation of that happy event, on 21 December the UK Department for Transport gave its own gift: a consultation paper on ensuring the safe use of drones, to help the UK to tap into this growing market.
In yet another key case dealing with the balance between citizens’ privacy and the ability of the state to intrude into it, the Court of Justice of the European Union has ruled on the compatibility with European Union law of legislation that authorises the retention of communications data, which includes personal data. The reference from the UK Court of Appeal resulted from a challenge to the Data Retention and Investigatory Powers Act 2014 brought by individuals that include Tom Watson, deputy leader of the Labour Party and represented by Liberty. Interveners include the Law Society of England and Wales, the Open Rights Group, and Privacy International. The CJEU considered the compatibility of such legislation with the e-Privacy Directive, Articles 7 and 8 of the Charter of Fundamental Rights of the European Union—which protect private and family life and personal data respectively—and its previous decision in C-293/12 Digital Rights Ireland—which invalidated the Data Retention Directive.
In a case with major significance for foreign online businesses that do business in Russia, on Thursday, 10 November the Moscow City Court sustained a lower court ruling that granted the request of the Russian Data Protection Authority to block access to social network LinkedIn within Russian territory. Although the data localization requirement took effect in September 2015, this is the first case of Russia blocking access to a foreign online business due to non-compliance with the Russian data localization requirement. There had been some doubt regarding how rigorously the data localization requirement would be applied, and this case indicates that at least in some circumstances, Roskomnadzor will aggressively push for websites to be blocked. Similar online services should examine their compliance with the data localization requirements in light of this decision.
The Article 29 Working Party has issued a revealing statement about the so-called EU-U.S. Umbrella Agreement, which is aimed at creating a high-level data protection framework in the context of transatlantic cooperation on criminal law enforcement. As a sign of support for the deal, the Working Party welcomes the initiative to set up a general data protection framework in relation to law enforcement cooperation. In a fairly positive tone, the Working Party states that the Umbrella Agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the US, some of which were concluded before the development of the EU data protection framework.” This statement by the Working Party follows its recent announcement that it had created a working group for enforcement actions on organisations targeting several member states, which is yet another sign of the growing international ambitions of the EU data protection authorities.
The Court of Justice of the European Union has ruled that dynamic IP addresses are capable of constituting personal data under certain circumstances, ending years of speculation about whether such essential building blocks of the Internet qualified for protection under the EU Data Protection Directive. In Patrick Breyer v Bundesrepublik Deutschland, Breyer challenged the collection and use of dynamic IP addresses from websites run by the German Federal Government. The CJEU decided that in circumstances where a third party holds information which might likely be used to identify the user of a website when put together with the dynamic IP addresses held by the provider of that website, those IP addresses constitute personal data. In this blog post, we explore the decision in Breyer, which may impact the laws and concept of personal data of Member States beyond Germany.
Part 3 of Future-Proofing Privacy: The Concept of Personal Data Revisited. Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. At the moment the standards according to which data is considered as anonymous or pseudonymous are established by the DPAs at a national level. Once the Regulation comes into force, the requirements and the applicable regime will become more uniform and this will provide greater legal certainty. Genetic data and biometric data are also both defined for the first time.
As reported in The New York Times, Hogan Lovells represented a diverse group of 15 major technology companies, such as Google, Facebook, Microsoft, Snapchat, and Cisco in filing last week an amicus brief in In re Search of an Apple iPhone.
On 26 January, Hong Kong’s Privacy Commissioner for Personal Data published his annual report on 2015 complaints and enforcement activity under the Personal Data Privacy Ordinance. The report reveals that 871,000 Hong Kong individuals were affected by data breaches in 2015, compared with 47,000 in 2014. The report is noteworthy that the number of reported breaches continues to increase at a rapid pace notwithstanding the fact that Hong Kong’s data breach notification regime is at the moment a voluntary one. The report is also notable for setting out the Commissioner’s statement of priorities for 2016.
It’s close to 7pm on a Friday evening and my team are trying their best to manage our clients’ stress and frantic desperation. Jokes about how much they love Max Schrems are shared by email. In the meantime, we are diligently working our way through endless charts of dataflows and attempting to cover every single […]
The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and to keep everyone safe requires little justification. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated. In a show of political awareness and legislative dexterity, in November 2015, the UK government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs with the protection of ordinary citizens’ privacy. The Bill seeks to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. It is currently being scrutinized by a parliamentary committee and subject to public consultation.
On November 5, 2015, the Federal Communications Commission Enforcement Bureau announced a $595,000 settlement agreement with Cox Communications, Inc. to resolve an investigation into whether the company failed to properly protect its customers’ personal information when electronic data systems were breached in August 2014. According to the FCC, Cox exposed the personal information of numerous customers and failed to report the breaches through the Commission’s established breach-reporting portal.
In our previous post we outlined the key issues regarding mHealth devices and services from a privacy law perspective. Now, we go further into the details and discuss the scope of the personal data involved, especially relating to sensitive health data. We introduce the relevant statutory requirements in the EU and the legal opinions of the Article 29 Working Party and the European Data Protection Supervisor as well as having a look at the upcoming European General Data Protection Regulation. Against this legal background, one core question we will examine is whether information collected and processed by lifestyle apps and devices must be classified as health data and fall under the strict requirements of European data protection laws.
Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. In exchange for the lower level of privacy intrusion, the applicable requirements are less stringent. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
In a recent client alert, partner Natalia Gulyaeva and associate Maria Sedykh from the Hogan Lovells Moscow Office joined associate Bret Cohen from the Hogan Lovells Washington, D.C. office to highlight key insights from the fifth annual conference on “Personal Data Protection” hosted by Roskomnadzor, Russia’s Data Protection Authority.
In June 2013, the French National Commission on Information Technology and Liberties announced that, following a question of Member of European Parliament Françoise Castex, it was going to investigate IP Tracking practices that e-commerce sites allegedly used to illegitimately increase their prices. This investigation was carried out in close connection with the French Directorate General for Competition Policy, Consumer Affairs and Fraud Control. In January 2013, MEP Françoise Castex had already alerted the European Commission about this alleged unfair commercial practice. The Commission concluded that national authorities in charge of protecting personal data were competent as the IP address is personal data.
On Tuesday, October 30, the California Attorney General Kamala Harris announced that her office has begun “formally notifying” mobile device application (“app”) operators that they are out of compliance with the notice provisions of the California Online Privacy Protection Act of 2003 (“CalOPPA”). The letters are a reminder that app developers and their partners should review their app data privacy and security practices and ensure that any apps collecting PII comply with the CalOPPA requirements, as well as other applicable Federal and state laws.