On April 30, 2013, the regional court of Berlin enjoined Apple Sales International (“Apple”), which is based in Ireland, from relying on eight of its existing standard data protection clauses in contracts with customers based in Germany. The court also prohibited Apple’s future use of such clauses.
On May 3, 2013, the German Federal Council (Bundesrat) passed a new bill regarding access to telecom user data, such as names, addresses, passwords and credit card PIN codes. This comes after the German Federal Diet (Bundestag) passed the German government’s bill on March 21, 2013, which amends, among other laws, Germany’s Federal Telecommunications Act.
On May 6, 2013, the Global Privacy Enforcement Network (“GPEN”) announced its first “Internet Privacy Sweep,” in which 19 data protection authorities are participating. This joint effort, which runs May 6-12, 2013, involves a review of the information notices posted online by major websites.
On May 6, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) discussed the progress of the proposed General Data Protection Regulation (“Proposed Regulation”). LIBE’s lead rapporteur, Jan Philipp Albrecht, noted that, in light of the significant number of amendments tabled, more time is needed for the other rapporteurs to deliberate. As a result, the vote originally scheduled for May 29, 2013 on the lead rapporteur’s report regarding amendments to the Proposed Regulation has been postponed.
The Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osobowych or “GIODO”) has activated the website for the 35th International Conference of Data Protection and Privacy Commissioners to be held in Warsaw, Poland, September 23-26, 2013. The conference theme is “A Compass in a Turbulent World.” Unlike past years, the conference will begin with the closed session for commissioners and concurrent side events. The open conference will take place on September 25 and 26. GIODO currently is working on the conference agenda with an advisory committee that ...
On April 22, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the proposed data protection impact assessment template for smart grid and smart metering systems (“DPIA Template”). Expert Group 2 of the European Commission’s Smart Grid Task Force submitted the DPIA Template to the Working Party following the European Commission’s March 9, 2012 recommendation regarding preparation for the roll-out of smart metering systems.
On April 29, 2013, the Belgian Privacy Commission announced that it referred a data breach case involving the National Belgian Railway Company to the Brussels Public Prosecutor. The data breach, which occurred in December 2012, resulted in 1.46 million sets of customer data being made publicly available online. The Privacy Commission investigated the case and concluded that there had been a violation of the Belgian Data Protection Act, but since the Privacy Commission does not have the authority to impose sanctions for the violation, it referred the case to the prosecutor’s office to initiate criminal proceedings. The Privacy Commission commented that this is the first time it has referred a data breach case to the Public Prosecutor.
On April 22, 2013, the higher administrative court of Schleswig issued two decisions rejecting an appeal by the data protection authority of Schleswig-Holstein (“Schleswig DPA”) that sought to challenge a lower court’s earlier rulings in Facebook’s favor.
On April 12, 2013, the Department of Commerce’s International Trade Administration (“ITA”) issued a guidance document to clarify how the U.S.-European Union Safe Harbor Framework facilitates the transfer of personal data from the European Union to the United States in the cloud computing context. The document underscores that the U.S.-European Union Safe Harbor Framework is an officially recognized means of complying with the adequacy requirement of EU Data Protection Directive 95/46/EC. ITA has received a number of inquiries from Safe Harbor participants indicating that they (and their EU clients, customers and partners) have heard conflicting information and are unsure whether, and how, the Safe Harbor Framework enables data transfers to cloud service providers in the United States.
On April 2, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) that elaborates on the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). The Opinion analyzes the scope of this principle under the Data Protection Directive, clarifies its limits and makes recommendations to strengthen it in the proposed General Data Protection Regulation (the “Proposed Regulation”). It also focuses on how to apply this principle in the context of Big Data and open data.
On March 8, 2013, the German government published a response to a formal inquiry from one of the German Parliament’s parties on the international security, data protection and surveillance implications of cloud computing. The response describes international cooperation between German and foreign law enforcement agencies that have used mutual legal assistance treaties to obtain cloud data in foreign jurisdictions. An earlier study by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs considered the scope of U.S. laws that allow surveillance of non-U.S. residents in a cloud computing context. The German government’s response now provides information on how German law enforcement agencies obtain data from clouds outside their jurisdiction (e.g., in the United States) pursuant to mutual legal assistance treaties.
On March 21-22, 2013, the data protection authorities (“DPAs”) of the Baltic states of Estonia, Latvia and Lithuania met in Riga, Latvia, for their second annual meeting to discuss several practical cooperation matters regarding data protection.
On March 27, 2013, the UK Government announced the Cyber Security Information Sharing Partnership (“CISP”), a partnership between government and industry to share intelligence on cybersecurity threats.
Introduction of the CISP follows a successful pilot program across key UK sectors and is part of the UK’s Cyber Security Strategy to facilitate information-sharing on cyber threats. It introduces a secure web portal where government and industry partners can exchange real-time information regarding threats and vulnerabilities they have identified. It also sets up a team of expert analysts, the Fusion Cell, to draw together a single intelligence picture of cyber threats across the UK. It is understood that the Fusion Cell will be staffed by analysts drawn from industry, as well as the law enforcement and intelligence communities.
On March 26, 2013, the Article 29 Working Party issued a press release on the recent developments concerning cooperation between the EU and the Asia-Pacific Economic Cooperation group (“APEC”) on cross-border data transfer rules. A joint EU-APEC committee, which includes the French and German data protection authorities as well as the European Data Protection Supervisor and the European Commission, has been studying similarities and differences between the EU’s binding corporate rules (“BCRs”) framework and APEC Cross-Border Privacy Rules. The committee’s goal is to facilitate data protection compliance in this area for international businesses operating in the EU and the APEC region, including by creating a common frame of reference for both sets of cross-border data transfer rules.
On March 1, 2013, the Irish Presidency published a note to the European Council of Ministers regarding its progress on the European Commission’s proposed General Data Protection Regulation (“Proposed Regulation”). The Note details the Irish Presidency’s work to bring a more risk-based approach to the Proposed Regulation.
On March 20, 2013, the French Data Protection Authority (“CNIL”) issued (in French) guidance on keylogger software (the “Guidance”). Keylogger software enables an employer to monitor all the activities that take place on an employee’s computer (such as every key typed on the computer’s keyboard and every screen viewed by the employee), without the employee’s knowledge.
On March 20, 2013, the UK Information Commissioner’s Office announced that it has issued a monetary penalty of £90,000 against DM Design Bedrooms Ltd. (“DM Design”) for making thousands of unwanted marketing calls.
On March 19, 2013, the French Data Protection Authority (“CNIL”) announced (in French) its annual inspection program, providing an overview of its inspections of data controllers in 2012 and a list of inspections that it plans to conduct in 2013. Under French data protection law, the CNIL is authorized to collect any useful information in connection with its investigations and has access to data controllers’ electronic data and data processing programs.
On March 20, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (“Proposed Regulation”). The LIBE Committee Chair, Juan Fernando López Aguilar, noted that 2,783 amendments to the Proposed Regulation and 504 amendments to the proposed Police and Criminal Justice Directive (“Proposed Directive”) have been tabled.
On February 12, 2013, the UK Information Commissioner’s Office published a further analysis of the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This latest analysis supplements the initial analysis paper on the Proposed Regulation published on February 27, 2012. Although the general views expressed in its initial paper stand, the ICO has now provided greater detail regarding its views of the substantive provisions of the Proposed Regulation.
On March 15, 2013, European Data Protection Supervisor Peter Hustinx sent a letter to Juan Fernando López Aguilar, Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), with his comments regarding certain aspects of the European Commission’s proposed revised data protection framework. On March 20, 2013, Peter Hustinx was invited to present his comments during a LIBE Committee meeting, together with the President of the Article 29 Working Party, Jacob Kohnstamm.
On March 12, 2013, the UK Parliament’s Justice Select Committee published a report on the functions, powers and resources of the UK Information Commissioner’s Office (the “Report”). The Report highlights several key issues raised during an oral evidence session held with the UK Information Commissioner, Christopher Graham, and his two Deputy Commissioners, David Smith and Graham Smith. The Justice Select Committee published the Report to draw these key issues to the attention of the UK Parliament.
On March 14, 2013, the 85th Conference of the German Data Protection Commissioners concluded in Bremerhaven. This twice-yearly conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.
The U.S. Department of Commerce’s International Trade Administration (“ITA”) will host a data privacy seminar in Waltham, Massachusetts, on Monday, March 25 from 8:30 – 11:30 a.m. EST. Seminar participants will hear from a number of Commerce privacy experts who will discuss the Obama Administration’s privacy blueprint and provide updates on significant international developments involving the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks and the Asia-Pacific Economic Cooperation group’s work to implement the Cross-Border Privacy Rules System. These privacy developments could have a significant impact on your company and its compliance with laws and privacy regulations in the United States, Asia and Europe.
On February 27, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) addressing personal data protection issues related to the development and use of applications on mobile devices. The Opinion identifies the key data protection risks associated with mobile apps and clarifies the legal framework and obligations applicable to the various parties involved in the development and distribution of mobile apps, including app stores, app developers, operating system and device manufacturers and advertisers.
On March 5, 2013, Costa Rica published the Reglamento a la Ley de Protección de la Persona Frente al Tratamiento de sus Datos Personales (Regulations of the Law of Protection of the Person in the Processing of His Personal Data) (the “Regulations”). The wide-ranging Regulations, which took effect immediately, expand and clarify many aspects of the underlying law and include the requirements described below.
On March 7, 2013, the UK Information Commissioner’s Office (“ICO”) published guidance (the “Guidance”) on Bring Your Own Device (“BYOD”) to explain to data controllers “what they need to consider when permitting the use of personal devices to process personal data for which they are responsible.” BYOD refers to the use of individuals’ personal devices to access and store corporate information.
On March 5, 2013, the German Federal Ministry of the Interior published proposed amendments (in German) to the German Federal Office for Information Security Law. These proposed amendments are significant because they establish a new duty to notify the German Federal Office for Information Security in the event of a cybersecurity breach.
The UK Information Commissioner’s Office has opened a public consultation on a proposed code of practice for the press (the “Consultation”). Pursuant to Section 51 of the UK Data Protection Act 1998 (the “DPA”), the ICO has the authority to issue industry codes of practice.
On February 20, 2013, the UK Court of Appeal issued its decision in Smeaton v Equifax Plc, [2013] EWCA Civ 108, overturning an award of damages to an individual about whom a credit reference agency had maintained an inaccurate record.
On March 8, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).
On March 5, 2013, the French Data Protection Authority (the “CNIL”) announced that the French High Council for Statutory Auditors (“H3C”) and the U.S. Public Company Accounting Oversight Board (“PCAOB”) signed a Statement of Protocol (the “Protocol”) on January 31, 2013, to govern the exchange of information, including personal data, between them.
The French Data Protection Authority (the “CNIL”) reports that in late January 2013, representatives of the Article 29 Working Party and the Asia-Pacific Economic Cooperation group (“APEC”) met in Jakarta, Indonesia, to discuss interoperability between EU Binding Corporate Rules and APEC Cross-Border Privacy Rules governing international data transfers. The U.S. Department of Commerce also is participating in the process to develop a roadmap for future progress toward establishing tools companies can use to facilitate true interoperability ...
On March 6, 2013, the French Data Protection Authority (the “CNIL”) announced that it launched a consultation of relevant private and public actors for the purpose of determining whether the CNIL should adopt an initiative on “Open Data.”
Two recently published German court decisions have clarified German employee data protection law. The decisions confirm the independence of works councils in determining how to comply with data protection law and clarify when unused employee email accounts can be deleted.
On March 1, 2013, the German Federal Council (Bundesrat) passed a new registration law (in German) after insisting on a number of important amendments. Among other issues covered in the bill, the new law regulates how businesses can obtain the registered addresses of individuals in Germany from Germany’s public authorities (“official address data”) and use that information for commercial purposes.
On February 27, 2013, the Article 29 Working Party (the “Working Party”) issued a statement on the European Commission’s proposed revised data protection framework (“Statement”), including the proposed General Data Protection Regulation (“Proposed Regulation”). The Working Party offered amendments to the Proposed Regulation in the form of two Annexes to the Statement on the topics of competence and lead data protection authority (“DPA”) and the exemption for household or personal activities.
On February 20, 2013, Hunton & Williams LLP hosted a webinar on cybersecurity risks and the Obama Administration’s recently issued Executive Order on cybersecurity issues related to critical infrastructure. The webinar, entitled “The Cybersecurity Executive Order: Understanding Its Impact on Your Business,” covered issues such as the current threat landscape, U.S. and EU regulatory initiatives related to cybersecurity, and guidelines to help businesses prevent and manage cyber events.
On February 7, 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, launched their cybersecurity strategy for the European Union (“Strategy”). As part of this Strategy, the European Commission also proposed a draft directive on measures to ensure a common level of network and information security (“NIS”) across the EU (the “Directive”).
On February 4, 2013, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) published a paper (in German) providing an overview of the information technology risks inherent in consumerization and bring your own device (“BYOD”) strategies. The paper responds to what the BSI views as a growing trend of employees making personal use of employer IT systems as well as using their personal IT devices for work purposes.
On January 29, 2013, the UK Court of Appeal ruled that the UK criminal records disclosure regime is disproportionate and incompatible with the UK Human Rights Act 1998 (the “Act”). The landmark judgment focused on the case of an appellant named “T,” who had received two “cautions” for stealing two bicycles when he was 11 years old. After a number of years, the appellant had to disclose these cautions twice in connection with required criminal records checks: first, at the age of 17, when he applied for a part-time job at a local football club, and again when he applied for a college course.
On January 28, 2013, the London office of Hunton & Williams marked European Data Privacy Day with the launch of the fourth edition of Data Protection Law & Practice, written by Senior Attorney Rosemary Jay. A panel comprised of the current UK Information Commissioner, Christopher Graham; his three predecessors, Eric Howe CBE, Elizabeth France CBE and Richard Thomas CBE; and the UK Minister of State for Justice, Lord McNally, spoke at the event and provided a retrospective on data protection in the United Kingdom since the Information Commissioner’s Office’s (“ICO’s”) inception in 1984.
On January 22, 2013, the Article 29 Working Party released Opinion 01/2013 (the “Opinion”) on the implementing acts contained in the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).
Following up on the UK Information Commissioner’s Office’s (“ICO’s”) positive reaction to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”), the ICO has now published additional thoughts on the European Commission’s proposed revised data protection framework, reacting to the recent draft report prepared by the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs, Jan Philipp Albrecht. In February 2012, the ICO released an initial analysis of the Commission’s package of proposals, which included the proposed Police and Criminal Justice Data Protection Directive (“Proposed Directive”).
On January 11, 2013, the UK Government published its response (the “Response”) to the UK Justice Select Committee’s opinion on the European Commission’s proposed revised data protection framework. The Response highlights a number of concerns expressed by the UK Government regarding the Commission’s legislative proposals.
On January 28, 2013, European Data Privacy Day, the London office of Hunton & Williams hosted the launch of senior attorney Rosemary Jay’s fourth edition book, Data Protection Law & Practice, by publisher Sweet & Maxwell.
On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) served Sony Computer Entertainment Europe Limited (“Sony”) with a monetary penalty of £250,000 resulting from a serious breach of the Data Protection Act 1998. An April 2011 security incident involving the Sony PlayStation Network Platform affected the personal data of millions of customers, including names, addresses, email addresses, dates of birth, account passwords and credit card details.
In an interview with Tom Field of BankInfoSecurity, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, discussed the top privacy trends and threats for 2013. Lisa predicts that security vulnerabilities will remain the biggest threat to privacy, particularly with the move toward mobile computing. She also talked about key issues to watch in 2013, such as online behavioral advertising, big data and evolving privacy legislation and regulation, especially in the EU and other countries around the globe.
On January 16, 2013, the French Data Protection Authority (“CNIL”) released its opinion on the draft report issued by Jan Philipp Albrecht, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Report”). The Report included detailed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) submitted by various stakeholders, which Rapporteur Albrecht consolidated and distilled into a single text. The CNIL’s opinion welcomes these amendments and, in particular, the following:
Recently, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) released a study titled Fighting cyber crime and protecting privacy in the cloud (the “Study”). The Study originally was prepared in October 2012 at the request of the LIBE Committee by the European Parliament’s Policy Department of Citizens’ Rights and Constitutional Affairs, with the help of the Centre for European Policy Studies and the Centre d’Etudes sur les Conflits.
On January 10, 2013, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), Jan Philipp Albrecht, presented his draft report (the “Report”) on the proposed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) to the LIBE Committee.
On December 19, 2012, the Irish Data Protection Commissioner (“DPC”) wrote to 80 website operators requesting details regarding how they are complying with recent changes to Irish law governing the use of cookies and other similar technologies (S.I. No. 336/2011, the “Regulations”). The letter states that the DPC expects website operators, which include government departments as well as companies, to comply fully with the Regulations, which took effect in July 2011 and require user consent before deploying or accessing cookies or other information stored on users’ computer equipment. If the relevant organizations have not yet achieved compliance, they are expected to provide an explanation to the DPC explaining “why it has not been possible to comply by now, a clear timescale for when compliance will be achieved, and details of specifically what work is being done to make that happen.”
Internet users have expressed increasing concern about efforts to track their online activities. As the online tracking methods used to target advertisements have expanded in both scope and complexity, regulators have taken notice and have begun to act in the online behavioral tracking and advertising space. In an article published in the November/December 2012 issue of IP Litigator, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, and Melinda L. McLellan, a senior associate on the firm’s Privacy and Data Security team ...
On December 21, 2012, the Article 29 Working Party issued a press release announcing the launch of Binding Corporate Rules (“BCRs”) for processors effective January 1, 2013. This announcement follows the Article 29 Working Party’s adoption of a Working Document (WP 195) on June 6, 2012, which set forth requirements for BCRs for processors, and an application form for submitting BCRs for processors issued on September 17, 2012.
On December 19, 2012, the European Commission announced its formal recognition of personal data protection in New Zealand. The European Commission approved New Zealand’s status as a country that provides “adequate protection” of personal data under the European Data Protection Directive 95/46/EC. This determination means that personal information from Europe may flow freely to New Zealand. Although the law in New Zealand has been modernized over the years, it is not new. New Zealand will be celebrating the 25th anniversary of its data protection law in 2013. Furthermore, New Zealand has been very active in the development of international standards at the OECD and APEC, and has participated in initiatives such as the Global Accountability Project. New Zealand’s request to be deemed adequate has been pending for several years. This determination follows the positive Opinion of the Article 29 Working Party issued on April 4, 2011, concerning the level of protection under New Zealand’s law.
On December 13, 2012, the UK Information Commissioner’s Office (“ICO”) announced a consultation on a draft subject access code of practice (the “Code”). The Code is open for public comment until February 21, 2013.
On December 18, 2012, the Information Commissioner’s Office (“ICO”) released an enforcement report (the “Report”) on the extent of compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011). The ICO previously issued an interim report on organizations’ attempts to achieve compliance, in which it concluded that organizations “must try harder” with their cookie compliance efforts.
On December 12, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released an accountability self-assessment tool designed to help organizations evaluate their internal privacy programs and practices. The tool is the product of the Global Accountability Project for which the Centre serves as Secretariat.
On November 23, 2012, a German data protection working group on advertising and address trading published guidelines (in German) on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA.
On November 23, 2012, the German Federal Council (Bundesrat or the “Council”) published its comments on the European Commission’s strategy on cloud computing and also submitted them to the Commission.
On November 20, 2012, the European Network and Information Security Agency (“ENISA”) published a new report entitled “The Right to Be Forgotten – Between Expectations and Practice.” The report complements two earlier papers which focused on data collection and storage and online behavioral advertising, and focuses on the technical implications of the proposed General Data Protection Regulation’s new right to be forgotten.
On November 21, 2012, the UK Committee of Advertising Practice (“CAP”) released new rules on online behavioral advertising (“OBA”). CAP is the UK body which writes and maintains the UK advertising codes, which are administered and enforced by the UK Advertising Standards Authority (“ASA”).
On November 21, 2012, the UK Supreme Court handed down a judgment in The Rugby Football Union v Consolidated Information Services Limited (Formerly Viagogo Limited), a case addressing the application of Article 8 of the EU Charter of Fundamental Rights (Protection of Personal Data) in the context of court orders seeking to disclose the identities of alleged wrongdoers.
On November 22, 2012, the Brussels-based publication European Voice published an editorial by U.S. Department of Commerce General Counsel Cameron Kerry entitled Avoiding a Data Divide Between the US and the EU. The article notes the importance of continued collaboration between the European Union and the United States as both assess their respective privacy frameworks to ensure that any changes encourage enhanced trade and strong economic growth, but also contain robust protections for consumers. Mr. Kerry’s editorial emphasizes the need to foster global privacy ...
On November 22, 2012, the UK Ministry of Justice released a written ministerial statement (“Statement”) announcing the publication of its Government Impact Assessment on the European Commission’s legislative reform package on the EU data protection framework. The European Commission has claimed that a regulation implementing a single set of data protection rules across the European Union would save businesses around €2.3 billion a year. In its Statement, the Ministry of Justice disagrees, stating that the Commission’s proposals will impose burdens that “far outweigh” the benefits. At a time of great economic upheaval across Europe, the Ministry of Justice asserts that the regulatory burden should be reduced, not increased, to stimulate growth, and that it is “difficult therefore to justify the extra red-tape and tick box compliance that the proposals represent.” The Ministry of Justice also notes that “[t]he UK Government is seriously concerned about the potential economic impact of the proposed data protection Regulation.”
On November 28, 2012, the UK Information Commissioner’s Office (“ICO”) issued monetary penalties totaling £440,000 to two owners of a marketing company that sent millions of unlawful spam SMS text messages over a period of three years.
On November 27, 2012, the International Chamber of Commerce of the United Kingdom (“ICC UK”) released the second edition of its cookie guidance (the “Guidance”). The ICC UK released the first edition of the Guidance in April 2012, and has produced this latest version to take into account updated guidance released by the UK Information Commissioner’s Office (“ICO”), the Article 29 Working Party Opinion 04/2012 on the cookie consent exemption and new UK advertising rules on online behavioral advertising.
On November 19, 2012, 40 German advertising associations launched the “German Data Protection Council for Online Advertising,” a new initiative to coordinate and enforce self-regulation in the German online behavioral advertising (“OBA”) sector. The initiative is linked to the European Interactive Digital Advertising Alliance (“EDAA”), which manages the self-regulation efforts of the European online advertising industry.
On December 3, 2012, the Centre for Information Policy Leadership (the “Centre”) at Hunton & Williams will co-host a special International Association of Privacy Professionals (“IAPP”) KnowledgeNet meeting in Brussels, Belgium. The meeting will explore global developments in accountability in the context of the proposed EU Data Protection Regulation and the impact of accountability on data protection management.
Hunton & Williams is pleased to announce the firm maintained its top-tier “Band 1” ranking in Data Protection in the 2013 edition of Chambers UK. Our London-based principals also maintained their high rankings as leading Data Protection lawyers:
- Bridget Treacy, managing partner of the firm’s London office and head of the UK Privacy and Data Security practice, was ranked as a “Star Individual.”
- Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership at Hunton & Williams LLP, was ranked as a “Senior Statesman.”
- Rosemary Jay, a senior ...
On November 16, 2012, European Data Protection Supervisor Peter Hustinx published an Opinion on the European Commission’s Communication on cloud computing (part of the Commission’s broader cloud computing strategy). The Opinion focuses on the accountability principle, emphasizes the importance of clearly defining the responsibilities of all parties involved in cloud computing, and analyzes specific cloud computing issues in the context of both the current EU data protection framework and the proposed General Data Protection Regulation.
On November 15, 2012, the UK Office of Fair Trading (the “OFT”) launched a call for information to investigate whether offering “personalized pricing” based on data companies collect about consumers’ online behavior violates consumer protection legislation in the UK. The OFT will look at how companies gather data related to “consumers’ browsing history, purchases, demographic, hardware, operating system, etc and use this to personalise products and prices.” In particular, as indicated on the OFT’s website, the OFT will analyze:
On November 20, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on IT asset disposal for organizations (the “Guidance”) to explain “to data controllers what they need to consider when disposing of electronic equipment that may contain personal data.”
On November 20, 2012, the UK Information Commissioner’s Office (“ICO”) published “Anonymisation: Managing Data Protection Risk Code of Practice” (the “Code”). The purpose of the Code is to provide organizations with a framework for assessing the risks of anonymization. It also sets forth good practice recommendations that may be adopted by organizations to provide a “reasonable degree of confidence” that the publication and sharing of anonymized data will not lead to an “inappropriate disclosure of personal data.” The published Code follows a consultation on the same topic earlier this year. The ICO also announced the creation of the UK Anonymisation Network, which will promote the sharing of good practices related to anonymization across the public and private sectors.
On December 5, 2012, at 1:00 p.m. EST, the U.S. Department of Commerce’s International Trade Administration (“ITA”) will be hosting a webinar to discuss data privacy issues. Webinar participants will hear from Commerce privacy experts on the Obama Administration’s privacy blueprint. There also will be an update on significant international data privacy developments such as the Asia-Pacific Economic Cooperation (“APEC”) forum’s work to implement the Cross-Border Privacy Rules (“CBPRs”) system and the U.S.-European Union and U.S.-Swiss Safe Harbor ...
Following the launch of Hunton & Williams’ Data Protection Executive Briefing Paper on the proposed EU Data Protection Regulation, we are pleased to announce that on November 29, 2012, we will host a further workshop to explore the challenges facing processors under the draft Regulation. In this workshop, attendees will:
- Explore how obligations on processors are likely to expand significantly;
- Learn how these new obligations will affect both processors and controllers; and
- Create a checklist for preparing for the changes ahead.
On November 13-15, 2012, delegates at the IAPP Europe Data Protection Congress in Brussels were given insight into how discussions with key policymakers are progressing. European Parliament rapporteur and Member of the European Parliament Jan Philipp Albrecht aims to finalize the reform of the EU Data Protection Directive by the end of the current European Parliament’s mandate in 2014, but this ambitious goal faces numerous hurdles.
In partnership with SC Magazine, we are pleased to announce that on November 22-23, 2012, SC Magazine will host its 2012 Virtual Summit “Tackling the Big 3: Clouds, Consumerisation, Cybercrime,” featuring Hunton & Williams partner Bridget Treacy. Following a year of sharp increases in data breaches and regulatory fines, the SC Summit will explore and focus on cybercrime, mobile devices and cloud security – three key priorities for 2013. Bridget Treacy and Paul Swarbrick, Chief Information Security Officer and Head of Cybersecurity for National Air Traffic Services, will open the Summit with their keynote presentation, “Where’s the Danger? From Cybercrime to Consumerisation to the Cloud, Today’s Most Potent Threats Unmasked.” Paul will discuss the data security issues that keep him awake at night and Bridget will offer vital, current perspective on the ever-changing legal landscape.
On November 8, 2012, the 84th Conference of the German Data Protection Commissioners concluded in Frankfurt (Oder). This twice-yearly conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.
On November 10, 2012, the German working group on technical and organizational data protection matters published guidelines (in German) on the technical and organizational separation requirements for automated data processing on shared IT systems (the “Guidelines”). The working group is part of the Conference of the German Data Protection Commissioners, which recently concluded its 84th Conference in Frankfurt (Oder).
The UK Information Commissioner’s Office (“ICO”) recently published a questionnaire to gather feedback on how privacy seals might be used to improve data protection compliance and customer privacy awareness. The questionnaire is available online until November 30, 2012.
On October 26, 2012, three resolutions were adopted by the closed session of the 34th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. Below we provide an overview of these resolutions.
On October 29, 2012, the UK Information Commissioner’s Office (“ICO”) served private sector financial services company The Prudential Assurance Company Limited (“Prudential”) with a monetary penalty of £50,000 in connection with a serious violation of the Data Protection Act 1998 (“DPA”). The violation concerned a mix-up involving Prudential customer details. In March 2007, the customer records of two individuals who shared the same first name, surname and date of birth were mistakenly merged into a single customer record. Over the course of the following three years, mortgage and pension policy information relating to each customer was routinely sent to the wrong individual until Prudential took steps to separate the two customers’ records in September 2010.
On October 31, 2012, the UK Information Commissioner’s Office (“ICO”) published a consultation on changes to the notification process in the UK (the “Consultation”), which will be open for comment until November 30, 2012. The purpose of the Consultation is to provide the ICO with feedback on its proposed changes regarding: (1) whether an online and telephone payment service would be beneficial to data controllers, (2) whether the inclusion of contact details for information requests is useful and (3) whether the format of the public register should become narrative-based. The ICO is also seeking input regarding whether these changes would make the public register more meaningful and notification simpler for data controllers.
On October 24, 2012, the UK Justice Select Committee (the “Committee”), appointed by the House of Commons to examine the expenditure, administration and policy of the UK Ministry of Justice, published its opinion on the proposed General Data Protection Regulation (the “Proposed Regulation”) and proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”). In the opinion, the Committee agrees that new proposals are necessary, both to update the existing data protection framework and to “confer on individuals their new rights and freedoms.” The Committee expresses reservations, however, regarding a number of key issues, and concludes that the European Union data protection proposals “need to go back to the drawing board.” The Committee notes that in its present form, the Proposed Regulation will not produce a “proportionate, practicable, affordable or effective system of data protection in the EU.”
On October 26, 2012, following the Justice Council’s meeting, Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, delivered a speech highlighting that the Commission’s proposed data protection law reform package is currently at a crucial stage in the negotiation process. Commissioner Reding stated that “[a] high level of data protection will turn the European Union into an international standard setter” and that “[o]nly a high level of data protection will generate trust between citizens and private enterprises.” Commissioner Reding conceded, however, that “[w]e do not want rules that place an excessive burden on business,” and that the Commission is prepared to make certain concessions relating to the draft proposals in order to “strike the right balance.”
On October 23, 2012, just two weeks after issuing a series of reports highlighting the UK Information Commissioner’s Office’s (“ICO’s”) concerns regarding data protection compliance within the public sector, the ICO imposed a monetary penalty of £120,000 and issued an enforcement notice against Stoke-on-Trent City Council (“Stoke Council”) in relation to a serious data breach. The breach involved the transmission of sensitive personal information relating to a child protection case by email, unmarked and unprotected, to the incorrect email address.
On October 24, 2012, Peter Hustinx, the European Data Protection Supervisor, speaking at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay, called the proposed EU Data Protection Regulation an “ambitious” undertaking, designed to achieve three goals.
First, Hustinx said the regulation is intended to provide the structure for European data protection for at least the next 20 years.
Second, the draft regulation will eliminate the wide variety of requirements that has resulted from the transposition of the current EU Data Protection Directive into national law in 27 member states.
This year, the International Conference of Data Protection and Privacy Commissioners takes place in Punta del Este, Uruguay. On October 22, 2012, Article 29 Working Party President Jacob Kohnstamm kicked off the conference with the Public Voice session, sending a clear message that the Article 29 Working Party will resist EU data protection reform proposals involving the use of consent and legitimate business interests as legal bases for data processing.
Governance for next generation data applications increasingly will depend less on individual consent, and more on ...
On October 15, 2012, Privacy Commissioner of Canada Jennifer Stoddart and the Federal Commissioner for Data Protection and Freedom of Information in Germany, Peter Schaar, signed an agreement to increase collaboration between their two authorities. The agreement covers the exchange of information between the two data protection authorities, for example by informing each other of pending complaints. Notably, the agreement also addresses coordination between the DPAs with respect to their supervision of international data processing activities.
On October 5, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion providing further input on the recent data protection reform discussions in the EU. The Opinion follows the Working Party’s first Opinion on the EU data protection reform proposals issued on March 23, 2012.
On September 27, 2012, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), together with the German Federal Commissioner for Data Protection, published a guide on traffic data retention. The guide, which is aimed at telecom providers, includes a comprehensive chart that clarifies data retention periods for different types of services, such as telephone, SMS, Internet and email, and their respective types of traffic data (e.g., mobile identification numbers, IP addresses and International Mobile Equipment Identity data) based on the purposes for the data storage.
On September 27, 2012, the European Commission presented its new strategy on cloud computing, entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission’s strategy is outlined on a new webpage that includes a communication document and a more detailed staff working paper.
On September 27, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on complying with the requirements of the UK Data Protection Act 1998 (“DPA”) in the context of cloud computing services (the “Guidance”). In its Guidance, the ICO reminds data controllers that transferring personal data to the cloud does not absolve them of their compliance obligations under the DPA.
As of September 1, 2012, personal data in Germany may be processed and used for marketing purposes (including address trading) only with the express opt-in consent of the affected individuals. Furthermore, the consent language must have been specifically drawn to the attention of the relevant individual as part of the terms and conditions governing the use of his or her personal data.
On August 21, 2012, the European Commission formally approved Uruguay’s status as a country providing “adequate protection” for personal data within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC). This follows the Article 29 Working Party’s earlier favorable Opinion issued in 2010, and takes into account certain interpretative assurances and clarifications provided by Uruguay. Accordingly, transfers of personal data from the EU to Uruguay may now take place without additional intergovernmental guarantees and in accordance with applicable data protection provisions.
On July 24, 2012, Lisa J. Sotto, partner and head of the Global Privacy and Data Security Practice at Hunton & Williams LLP, gave a presentation on “Data Privacy in the Global Era” to the Western Independent Bankers Service Corporation. Sotto discussed U.S., EU and other international privacy laws, with a focus on two specific areas of interest, cloud computing and vendor management.
On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.
On July 12, 2012, the National Telecommunications and Information Administration (“NTIA”) of the U.S. Department of Commerce initiated a multistakeholder process to develop guidance for transparency in the mobile environment. The NTIA has announced that they will schedule a second meeting in August, and encouraged small group discussions in the interim. This is not the first multistakeholder process to wrestle with transparency in the mobile environment, and those previous efforts – which date back almost a decade – may prove useful to such discussions.
In a July 9, 2012 press release issued by Rodoljub Sabic, Serbia’s Commissioner for Information of Public Importance and Personal Data Protection, the Commissioner commented on his meeting with Hunton & Williams’ Lisa Sotto, who was invited to Serbia by the Commissioner and the USAID-funded Judicial Reform and Government Accountability Project to provide advice and education on data protection issues.