Privacy & Information Security Law Blog

On April 5, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the current EU personal data breach framework and recommendations for future policy developments (the “Opinion”).

In 2009, the revised e-Privacy Directive 2002/58/EC (the “e-Privacy Directive”) introduced a mandatory data breach notification regime for the telecommunications sector.  Pursuant to the e-Privacy Directive, telecommunications and internet service providers are required to report certain data breaches to their national regulator and to affected individuals.

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that New Zealand ensures an adequate level of data protection within the meaning of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”).  The Working Party’s assessment in the Opinion focuses on the New Zealand Privacy Act 1993 and is based primarily on a comparison of the Act and relevant case law, against the provisions of the Data Protection Directive.

On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.

The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market.  Reports of the completed privacy impact assessments must be made available to the national data protection authorities.  The Framework, which was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party, provides the first clear, comprehensive methodology that can be applied across all industry sectors to assess and mitigate RFID-related privacy risks.  It is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers.

On April 6, 2011, the European Commission formally requested that Germany immediately comply with a March 9, 2010 judgment (C-518/07) by the European Court of Justice (the “Court”) concerning the independence of German data protection authorities (“DPAs”).

As we previously reported, the Court ruled in March 2010 that Germany had failed to properly implement the requirement that DPAs are to act with “complete independence” in exercising the functions entrusted to them, as explicitly provided by the EU Data Protection Directive 95/46/EC. According to the Commission, 15 out of Germany’s 16 federal states have not yet undertaken any action to rectify the violation identified in the Court’s judgment. In its formal notice letter, the Commission ordered Germany to comply with the Court’s judgment within two months or risk a fine or penalty imposed by the Court.

A new French law containing several key amendments to the French Data Protection Act and creating a new public authority referred to as the “Defender of Rights” (Loi n°2011-334 du 29 mars 2011 relative au Défenseur des droits, or the “Law”) came into effect on March 30, 2011.  The Defender of Rights, whose role is to defend civil rights and liberties, to promote children’s rights and to fight against discrimination, also will serve as a member of the CNIL’s plenary committee.

On March 21, 2011, the French Data Protection Authority (the “CNIL”) published its decision to fine Google €100,000 for violating the French Data Protection Act.

In 2009, the CNIL inspected Google’s geolocation service (“Street View”), which revealed that Google had collected huge quantities of undeclared personal data (e.g., navigation data, email content, logins and passwords) through Wi-Fi connections accessed by its Street View cars.  Google responded that the personal data had been collected by mistake, and promised to stop the Wi-Fi data collection.

On March 16, 2011, UK Information Commissioner Christopher Graham shared details of the government’s proposals for the implementation of the e-Privacy Directive with delegates at the Direct Marketing Association’s Data Protection Conference in London. A letter from the Minister for Culture, Communications and Creative Industries, Ed Vaizey, provides important reassurance to business that “Government is committed to introducing the amended provision in a way that minimises impacts to business and consumers.”

On March 16, 2011, a meeting of the “European Privacy Platform” group of the European Parliament was held in Brussels.  The meeting provided important insights into the likely structure and content of proposed revisions to the European Data Protection Directive 95/46/EC that the European Commission has been working on for the past several months.

On March 8, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a warning to UK businesses on the forthcoming amendments to the Privacy and Electronic Communications Directive (2002/58/EC as amended by 2009/136/EC) that will require businesses operating websites in the UK to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies.

The Committee of Experts on New Media (the “Expert Committee”) of the Council of Europe (“CoE”) has issued draft recommendations and guidelines regarding the protection of human rights by search engines and social networking providers. The draft recommendations and guidelines observe that the way in which search engines and social networking providers operate impacts various human rights, especially the rights to freedom of expression and information and the right to privacy and data protection. Current drafts of both sets of recommendations and guidelines are open for public consultation and comments until March 18, 2011.

On March 2, 2011, the German Federal government adopted a draft law revising certain sector-specific data protection provisions in the German Telecommunications Act.  The draft law addresses the implementation of data breach notification requirements in the European e-Privacy Directive by introducing a breach notification obligation for telecommunications companies.

The Council of the European Union (the “Council”) released its conclusions following meetings held on February 24 and 25, 2011, regarding the European Commission’s November 4, 2010 Communication proposing “a comprehensive approach on personal data protection in the European Union” which we reported on last November.

On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies.  Some security and privacy considerations.”

On February 8, 2011, the German Federal Commissioner for Data Protection and Freedom of Information issued a concept paper setting forth concrete suggestions for the creation of a Data Protection Foundation (the “Foundation”). The German government has reserved a budget of €10 million to establish the Foundation, which it plans to do in 2011.

On February 3, 2011, the German Federal Commissioner for Data Protection and Freedom of Information issued a press release announcing that it has approved the privacy policy formulated by Deutsche Post DHL.  This allows Deutsche Post DHL to transfer personal data abroad in accordance with its privacy policy without having to obtain approval in individual cases.  Deutsche Post DHL is the first German company to have its binding corporate rules (“BCRs”) approved at the European level, following an extensive consultation process among EU data protection authorities.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On January 31, 2011, the European Commission formally approved Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive.  The decision is restricted to automated international data transfers from the EU, as well as to non-automated data transfers that are subject to further automated processing in Israel.  It will allow unrestricted transfers of personal data from the EU to Israel, for example between corporate affiliates or from European companies to data centers in Israel.

On January 24, 2011, the data protection authority of the German state of Rhineland-Palatinate issued a press release regarding significant breaches of data protection law by companies that maintain websites and create user profiles.

On January 17, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released a response to the European Commission’s consultation paper, “A comprehensive approach on personal data protection in the European Union.”  In its response, prepared by Richard Thomas, former UK Information Commissioner and Global Strategy Advisor of the Centre, the Centre calls for a modernized European framework for data protection that addresses the realities of the digital age.

On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).

Currently, there is wide debate throughout the EU regarding data breach notification requirements.  The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011.  The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.

On January 13, 2011, a Bill (Projet de loi organique relatif au Défenseur des droits) containing several amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly.  If enacted, the Bill would amend several key provisions of the French Data Protection Act, including revisions regarding the powers of the French Data Protection Authority (the “CNIL”), and the role of Chairman of the CNIL.  The amendments are summarized below.

Earlier this month, the Belgian Privacy Commission (the “Belgian DPA”) published its December 15, 2010 Recommendation on Mobile Mapping (Recommandation d’initiative en matière de Mobile Mapping, or “the Recommendation”).  The Recommendation defines Mobile Mapping as “technology by which a vehicle equipped with a camera and/or a scanner can digitally record all data on a specific road, including by taking 360° photos.”  The scope of the Recommendation covers not only applications such as Google Street View, but also other types of Mobile Mapping such as mapping by public authorities, mapping for tourism, real estate applications and GPS navigation mapping.

On January 11, 2011, Michelle O’Neill, U.S. Department of Commerce Deputy Under Secretary for International Trade, held a briefing on her November 2010 meetings in Brussels with European data protection authorities.  She discussed a data protection and privacy forum that was convened in November at which she met with several high-level European regulators, including Jacob Kohnstamm, Viviane Reding and Peter Hustinx.  O’Neill mentioned “the right to be forgotten” as a current hot-button issue in Europe.  Commissioner Reding, who is firmly in charge of the reconsideration of the EU Data Protection Directive, focused on ensuring easier compliance with EU data protection rules and greater harmonization among Member States.  O’Neill stated that Peter Hustinx was encouraged by the work ongoing in the United States, including the “Green Paper” issued by the Department of Commerce.  He considers the various U.S. efforts a basis for further dialogue with U.S. authorities.  O’Neill noted that comments to the EU consultation are due January 15, 2011.  The Department of Commerce intends to file a response.

Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).

The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold.  First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”).  The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws.  Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.  Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.

On November 25, 2010, the German data protection authorities responsible for the private sector (also known as the “Düsseldorfer Kreis”) issued a resolution on the minimum requirements for the qualifications and independence of company data protection officers (“DPOs”).  This initiative follows inspections carried out within companies that revealed a generally insufficient level of expertise among DPOs given data processing complexities and the requirements set by the Federal Data Protection Act.  The DPAs recognize that a DPO’s workload depends primarily on the size and number of data controllers the DPO supervises, industry-specific factors related to data processing and the level of protection required for the types of personal data being processed.  Changes with respect to these factors frequently increase the burden on DPOs without a compensating increase in resources needed to ensure proper oversight.

On October 14, 2010, the French Data Protection Authority (the “CNIL”) adopted several amendments to its single authorization AU-004 regarding the use of whistleblowing schemes (the “Single Authorization”).

Since 2005, companies in France must register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for approval with the CNIL.  Companies that self-certify to the Single Authorization make a formal undertaking that their whistleblowing scheme complies with the pre-established conditions set out in this authorization.  In particular, the scope of the Single Authorization is limited to the following specific areas: finance, accounting, banking, fight against corruption and compliance with Section 301(4) of the Sarbanes-Oxley Act.  Under the revised framework, the CNIL has extended the scope of the Single Authorization to include the prevention of anti-competitive practices and compliance with the Japanese Financial Instrument and Exchange Act.

On December 1, 2010, the German Federal Ministry of the Interior (the “BMI”) issued a paper entitled “Data Protection on the Internet,” which contains a draft law to protect against particularly serious violations of privacy rights online.

Regulation of Geo Data Services

The BMI’s paper was developed in context of recent discussions regarding the regulation of geo data services.  A draft data protection code for geo data services (the “Code”), prepared by businesses under the leadership of the German Federal Association for Information Technology, Telecommunications and New Media (“BITKOM e.V.”), was also published on December 1, and now will be assessed by the BMI.

In its paper, the BMI rejects the adoption of a specific law to regulate services such as Google Street View.  The BMI believes that, to the extent service providers implement sufficient technical and organizational measures to protect data, statutory regulation is not necessary.

On December 1, 2010, the European Parliament hosted a Privacy Platform on the European Commission’s recent Communication proposing “a comprehensive approach on personal data protection in the European Union,” which is aimed at modernizing the current EU data protection framework.

The panel, hosted by European Parliament Member Sophie in ‘t Veld, included:

• The Head of Cabinet of the European Commission’s Commissioner for Justice, Fundamental Rights and Citizenship, Martin Selmayr (in Commissioner Viviane Reding’s absence);
• The Chairman of the Article 29 Working Party, Jacob Kohnstamm; and
• The European Data Protection Supervisor, Peter Hustinx.

The Platform was very well attended, bringing together a wide range of stakeholders from both the public and private sectors.

On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling.  View the press release.

The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles.  It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”  The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual.  Interestingly, Members States may decide to exclude the public sector under certain conditions.

In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.

• Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
• A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.

On November 23, 2010, the data protection authority of the German federal state of Hamburg issued a €200,000 fine against financial institution Hamburger Sparkasse AG (“Haspa”) for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers. The bank cooperated with the DPA and has discontinued the illegal practices.

On November 19, 2010, the UK Information Commissioner’s Office (the “ICO”) announced that Google has signed an undertaking committing it to improve its data processing practices.  The undertaking follows an ICO investigation into the collection of payload data by Google Street View cars in the UK.  Google’s Senior Vice President, Alan Eustace, signed the undertaking on behalf of Google, Inc.

On November 10, 2010, the American Bar Association’s Section of Antitrust Law’s International Committee and Corporate Counseling Committee hosted a webinar on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference?”.  A panel of senior officials and private sector experts provided insights on emerging cross-border data privacy and security issues.  Hunton & Williams partner Lisa Sotto was tapped to moderate an outstanding panel which included Billy Hawkes, Commissioner, Office of the Data Protection Commissioner ...

In a move toward implementation of the EU e-Privacy Directive, on November 3, 2010, the Dutch Minister of Economic Affairs submitted a bill to the Dutch Parliament that would amend the Dutch Telecommunications Act to obligate telecom and internet service providers to provide notification of data security breaches, and require consent for the use of cookies (the “Bill”).

The proposed Bill would require telecom and internet service providers to notify the Dutch Telecom Authority (the “OPTA”) without delay in the event of a security breach involving personal data.  They also would be required to notify affected individuals without delay if the breach is likely to have an adverse effect on the protection of their personal data.  The Bill does not affect initiatives to introduce a broader data breach notification regime applicable to other industries outside the telecom sector.  The Dutch Minister of Justice recently stated that he expects to issue a proposal to implement a more general data breach notification law in 2011.

As the EU released new data protection proposals recommending stricter controls on individual online privacy, Hunton & Williams Brussels counsel Wim Nauwelaerts appeared on BBC TV and spoke to the Associated Press and The New York Times.  The articles also were featured globally in Forbes Magazine, Bloomberg Businessweek, CNBC, The International-Herald Tribune, The Parliament Magazine and other media sources.  London partner Bridget Treacy spoke with The Wall Street Journal, and the firm’s practice head Lisa Sotto spoke with The Washington Post.

On November 4, 2010, the European Commission (the “Commission”) released a draft version of its Communication proposing “a comprehensive approach on personal data protection in the European Union” (the “Communication”) with a view to modernizing the EU legal system for the protection of personal data.  The Communication is the result of the Commission’s review of the current legal framework (i.e., Directive 95/46/EC), which started with a high-level conference in Brussels in May 2009, followed by a public consultation and additional targeted stakeholders’ consultations throughout 2010.  Although the Commission considers the core principles of the Directive to still be valid, the Communication equally acknowledges that the existing legal framework for data protection in the European Union is no longer able to meet the challenges of rapid technological developments and globalization.

The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK.  The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”

While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.

The International Conference of Data Protection and Privacy Commissioners is convening in Jerusalem.  Appropriately, given the ancient history of the host city, the conference theme is “Privacy: Generations.”  The debate on Day One has drawn on the founding principles of data protection, but also has heavily focused on the future challenges in safeguarding the fundamental rights of privacy and data protection in a world of ubiquitous computing and social networking.

The tone was set in the opening plenary when Dr. Yuval Steinitz, the Israeli Minister of Finance, reminded us of the key tensions in privacy policy.  While privacy may be a fundamental tenet of every democracy, individual cultures must make choices between the competing values of privacy and security, and privacy and transparency.  The balance between these values, and the priority given to one over the other, will shift over time and from one culture to another.  The conference provides a timely opportunity to reassess where that balance currently lies, and what balance may be appropriate in the near future.

On October 11, 2010, the French Data Protection Authority (the “CNIL”) released guidance (the “Guidance”) on data protection issues related to the outsourcing of data processing activities to non-EU countries (Les questions posées pour la protection des données personnelles par l’externalisation hors de l’Union européenne des traitements informatiques).

The Guidance was prepared following interviews held in 2009 by the CNIL’s international affairs department with consultancy groups, law firms advising on outsourcing deals, and companies actively engaged in offshore activities.  The interviews were conducted to provide the CNIL with insight regarding the impact of data protection requirements on outsourcing activities.  The Guidance is part of a broader analysis of the concepts of data controller and data processor carried out by the Article 29 Working Party (see the Working Party’s Opinion on the concepts of controller and processor).

In November 2009, the French Secretary of State in charge of the digital economy, Nathalie Kosciusko-Morizet, launched a wide-ranging campaign designed to secure the “right to be forgotten” on the Internet (“droit à l’oubli”).  The main objectives of the initiative were to: (1) educate Internet users about their exposure to privacy risks on the Internet; (2) encourage professionals to adopt codes of good practice and to develop privacy-enhancing tools; and (3) foster data protection and the right to be forgotten at both the national and EU level.

On September 20, 2010, the German government under the leadership of the Federal Minister of the Interior held a summit on “Digitization of Cities and States - Opportunities and Limits of Private and Public Geo Data Services.”  Approximately 50 experts attended, including the Federal Minister of Food, Agriculture and Consumer Protection, the Federal Minister of Justice and representatives from various companies, such as Deutsche Telekom, Google, Microsoft, Apple Inc., OpenStreetMap and panogate.  Numerous data protection authorities attended as well, including the Federal Commissioner for Data Protection and Freedom of Information, the Chair of the Düsseldorfer Kreis and the DPA of Hamburg.  The discussions at the summit were based on a discussion paper issued by the Federal Minister of the Interior.

On October 15, 2010, the Article 29 Working Party published an Opinion finding that Uruguay ensures an adequate level of protection within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC).

This Opinion was issued pursuant to an official request Uruguay filed with the European Commission in October 2008.  While the Article 29 Working Party’s Opinion is an important step toward adequacy, the European Commission must now make a formal decision that the Uruguayan legal framework provides an adequate level of data protection under EU data protection law.  The European Commission will take the Article 29 Working Party’s Opinion into account when determining whether to issue an “adequacy decision” in the coming months.  As recently illustrated by the adequacy procedure for Israel, this process may prove to be difficult.

On October 5, 2010, the Commission for Economic Affairs of the French National Assembly introduced a Resolution (the “Resolution”) to support the International Standards on the Protection of Personal Data and Privacy adopted in Madrid on November 5, 2009, at the 31st International Conference of Data Protection and Privacy Commissioners (also known as the “Madrid Resolution”).

The Resolution states: “the right to privacy is a fundamental value in our society; the development of information and communication systems must be contained in order to prevent uses of personal data which threaten this right.

On behalf of a group of interested parties (the “Group”), Hunton & Williams and Acxiom submitted a response to the UK Ministry of Justice’s (“MoJ”) recent Call for Evidence on the effectiveness of current data protection legislation in the UK.  The Group is comprised of representatives from more than 40 organizations, including Barclays Bank, Dell, Fujitsu and GE Capital, all of which are committed to using personal data responsibly.  Hunton & Williams and Acxiom, a global leader in interactive marketing services, with the attendance of the Group, worked together over the last two months to host two discussion meetings, and produced a submission summarizing the Group’s views.

On October 7, 2010, the French Data Protection Authority (the “CNIL”) released its first comprehensive handbook on the security of personal data (the “Guidance”).  The Guidance follows the CNIL’s “10 tips for the security of your information system” issued on October 12, 2009, which were based on the CNIL’s July 21, 1981 recommendations regarding security measures applicable to information systems.

The Guidance reiterates that data controllers have an obligation under French law to take “useful precautions” given the nature of the data and the risks associated with processing the data, to ensure data security and, in particular, prevent any alteration or damage, or access by non-authorized third parties (Article 34 of the French Data Protection Act).  Failure to comply with this requirement is punishable by up to five years imprisonment or a fine of €300,000.

On September 28, 2010, the German Federal Office for Information Security, (the Bundesamt für Sicherheit in der Informationstechnik or “BSI”) released a draft framework paper on information security issues related to cloud computing.  The draft paper defines minimum security requirements for cloud solution service providers, and provides a basis for discussions between service providers and users.  The paper addresses the following issues:

• The definition of cloud computing
• Service provider security management requirements
• ID and rights management
• Monitoring and security incident response
• Emergency management
• Security checks and verification
• Requirements for personnel
• Transparency
• Organizational requirements
• User control
• Portability of data and applications
• Interoperability
• Data protection and compliance
• Cloud certification
• Additional requirements for public cloud service providers that support cloud solutions for the Federal Administration

On October 4, 2010, the French Data Protection Authority (the “CNIL”) stated in a press release that a recently enacted environmental law (Act No. 2010-788 of July 12, 2010, known as “Grenelle II”) expands the CNIL’s authority to regulate devices used to measure the viewership of advertisements in public places like shopping malls, train stations and airports.  Grenelle II introduces a new provision under Article L. 581-9 of the French Environmental Code, which states: “Any system that automatically measures the audience of an advertising device or which analyzes the typology or behavior of individuals passing within the vicinity of such advertising device requires prior approval of the CNIL.”

On October 8, 2010, the UK Information Commissioner’s Office launched a consultation on a new statutory code of practice on the sharing of personal data.

As stated in the ICO’s press release, the draft code sets out a model of good practice, covering routine and one-off arrangements for sharing data with third parties.  The code offers guidance on issues such as:

• The factors that an organization must take into account when deciding whether or not to share personal data
• The point at which individuals should be told that their data will be shared
• The security and staff training measures that must be implemented
• The rights of individuals to access their personal data
• Circumstances in which it is not acceptable to share personal data

On September 14, 2010, a French Appeals Court in Dijon (the “Court”) upheld a decision against an employer that had terminated an employee who not only used a company car for personal reasons, but also committed serious traffic violations while using the vehicle.  The Court rejected evidence collected using a Global Positioning System (“GPS”) device embedded in the company’s vehicle on the grounds that the employer (1) had failed to register this data processing activity with the French Data Protection Authority (the “CNIL”) and (2) had not given proper notice to employees regarding the use of GPS devices in company cars.  Nevertheless, the Court ruled that the use of a geolocation device in the employment context does not necessarily constitute an invasion of an employee’s right to privacy, provided the employer complies with applicable laws.

According to a press report dated October 2, 2010, the German state data protection authorities responsible for the private sector (also known as the “Düsseldorfer Kreis”) continue to consider the use of Google Analytics on company websites to be illegal.  The Düsseldorfer Kreis reached this decision at a recent meeting of its Telemedia working group.  The group has indicated that it hopes to continue negotiations with Google.  Dr. Alexander Dix, the Berlin Commissioner for Data Protection and Freedom of Information who was interviewed on this issue, stated that although ...

On August 25, 2010, the German government approved a draft law concerning special rules for employee data protection, originally proposed by the Federal Ministry of the Interior.  A background paper on the draft law was published on August 25, 2010.  The draft law would amend the German Federal Data Protection Act (the Bundesdatenschutzgesetz or “BDSG”) by adding provisions that specifically address data protection in the employment context.  Currently, employee data protection is regulated by (1) general provisions in the BDSG, (2) the new Section 32 of the BDSG introduced by the most recent reform in September 2009, (3) the Works Constitution Act, (4) guidance from state data protection authorities, and (5) comprehensive case law from federal and local labor courts.

The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.

Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website.  The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.

The United States Federal Trade Commission ("FTC") recently joined forces with privacy authorities from eleven other countries to launch the Global Privacy Enforcement Network ("GPEN"), which aims to promote cross-border information sharing and enforcement of privacy laws.  On September 21, 2010, GPEN unveiled its new website, www.privacyenforcement.net, designed to educate the public about the network.  The GPEN website, which is supported by the Organization for Economic Co-Operation and Development ("OECD"), provides guidelines and application instructions for ...

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (generally referred to as “Convention 108”), enacted in 1981, is the only legally-binding international treaty dealing with privacy and data protection.  The Convention is also of fundamental importance in providing the underlying legal framework for instruments such as the EU Data Protection Directive 95/46.  So far, 42 countries have become parties to Convention 108.

As the European Commission reviews the EU Directive, the Council of Europe also is preparing to review Convention 108.  The review will be conducted by the Council of Europe’s Consultative Committee on data protection (referred to as T-PD) in a process that will likely take several years.  The T-PD, which meets at the Council of Europe’s headquarters in Strasbourg, is primarily composed of representatives of national governments and data protection authorities, with the International Chamber of Commerce being the only private-sector entity with formal observer status.  The group has commissioned a legal study from an outside consultant to analyze Convention 108 and provide any recommended revisions by the end of 2010, and the T-PD will begin discussions at its upcoming meeting in November.

On July 27, 2010, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), issued a press release stating that it had recently levied €194,000 in administrative fines in two cases against companies accused of violating a ban on cold calling.  The cases involved consumer complaints implicating the companies in several illegal acts.  The companies claimed they had obtained prior consent from the consumers they contacted.  The BNetzA, which is the regulatory office for electricity, gas, telecommunications, post and railway markets in Germany, rejected the companies’ argument on the grounds that the “consent” was based on the consumers’ implicit acceptance of the terms of use associated with certain Internet games.  The terms of use included a provision regarding a participant’s consent to telemarketing by partners, sponsors and other companies.  The BNetzA stated that, because these terms of use did not satisfy the legal requirements for consent, the company had not obtained valid consent to call the consumers.

In a statement released on August 2, 2010, the French Data Protection Authority (the “CNIL”) announced that the European Commission has adopted a new time frame for the revision of the EU Data Protection Directive 95/46/EC (the “Directive”).  Following a public consultation on the EU Data Protection Framework late last year, Commissioner Viviane Reding, who is in charge of Justice, Fundamental Rights and Citizenship, had announced that a proposal for the revision of the Directive would be presented in November 2010.  However, several European data protection authorities ...

On July 14, 2010, the Article 29 Working Party issued a press release regarding its findings on the implementation of the European Data Retention Directive (Directive 2006/24/EC).  The findings, compiled in a report to be contributed to the European Commission’s forthcoming evaluation of the Directive, indicate that the obligation to retain all telecom and Internet traffic data is not being applied correctly or uniformly across the EU Member States.  Specifically, the Working Party’s press release states that service providers retain and share data in ways contrary to the Directive.  The Working Party further noted that Member States’ reluctance to provide statistics on the use of retained data limits the ability to verify the value of data retention practices.

On July 7, 2010, the German Federal Office for Information Security, the Bundesamt für Sicherheit in der Informationstechnik (“BSI”), published a basic paper on data security and data protection for radio-frequency identification (“RFID”) applications.  The paper, Technical Guidelines RFID as Templates for the PIA-Framework, describes how to use RFID in compliance with data protection requirements, and explains the relationship between the BSI’s technical guidelines for the secure use of RFIDs and the European Commission’s Privacy Impact Assessment (“PIA”) Framework.

On July 19, 2010, the Article 29 Working Party published a new set of frequently asked questions aimed at addressing some of the issues raised by the European Commission’s new Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (2010/87/EU).  Among other things, the FAQs address the scope of the new model clauses and whether they can be used for intra-EEA data transfers.  The FAQs also clarify certain issues related to sub-processing.

The UK Ministry of Justice has issued a Call for Evidence on the effectiveness of current data protection legislation in the UK.  Responses must be submitted by October 6, 2010.  “It will give the [UK] Government a solid evidence base to use in negotiations with other European Union parties.  I believe we have everything to gain from a sensible, proportionate and rights-based data protection framework, and one that works for you as businesses, service-providers and citizens,” said Minister of State for Justice, Lord McNally.

The European Union’s Article 29 Working Party adopted a detailed recommendation on accountability which was submitted to the European Commission on July 13, 2010.  Opinion 3/2010 elaborates on the Working Party’s 2009 recommendation to include a new principle on accountability in the revised EU Data Protection Directive.  

On June 21, 2010, the French Data Protection Authority (the “CNIL”) published its Opinion on a new security bill, the Loi d'orientation et de programmation de la performance de la sécurité intérieure (referred to as “LOPPSI”), which was adopted by the French National Assembly on February 16, 2010, and recently amended by the Senate's Commission of Laws on June 2, 2010.

In a recently published decision rendered on June 16, 2010, the Frankfurt am Main Higher Regional Court ruled that an Internet access provider may store IP addresses for seven days, and therefore, customers have no right to demand immediate deletion of their IP addresses.  The Court’s ruling upheld a decision originally rendered by the regional court of Darmstadt.

The claimant had requested that Deutsche Telekom AG delete the dynamic IP address assigned and stored for each Internet session immediately upon disconnection by a user.  Up to that point, the Internet provider had been retaining IP addresses for 80 days after each billing cycle.  In June 2007, the lower court granted the claimant request, imposing a maximum retention period of seven days for IP addresses.  The Internet provider reduced its IP address retention period accordingly, based on an agreement with the German federal data protection authority.

On July 6, 2010, the Irish government formally objected to the adequacy procedure initiated by the European Commission that would have allowed the free flow of European personal data to Israel, over concerns of the possible use of the information by Israeli officials.  This political move follows recent revelations regarding forgery of European passports, including several from Ireland, and their alleged use by Israel’s intelligence services.

On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online.  Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience.  But there are risks too.  A record of our online activity can reveal our most personal interests.  Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

On June 24, 2010, the Article 29 Working Party adopted Opinion 2/2010 (the “Opinion”) providing further clarification on online behavioral advertising.  The Working Party also issued a press release on this topic.  Although the scope of the Opinion is limited to online profiling, its interpretation of Article 5(3) of the amended e-Privacy Directive provides some useful clarifications regarding the legal framework applicable to online behavioral advertising and the use of cookies.  We provide a short analysis of the Opinion below.

Opt-in?  Browser setting as opt-in?  Opt-out?  The Opinion clarifies the Working Party’s interpretation of the new Article 5(3) and Recital 66 of the e-Privacy Directive.  According to the Working Party, Article 5(3) and Recital 66, along with the General Data Protection Directive (“Directive 95/46/EC”), require prior opt-in consent since “prior opt-in consent mechanisms are better suited to deliver informed consent.”

On June 17, 2010, the French data protection authority (the “CNIL”) reported that it had conducted an on-site investigation at Google on May 19 to examine activities by Google’s Street View cars.  This investigation followed Google’s May 14 announcement that it had inadvertently captured Wi-Fi signals emitted in locations where its vehicles were taking photos.

On June 18, 2010, the data protection authority of the German federal state of Schleswig-Holstein published a press release and a comprehensive legal opinion on cloud computing.  The opinion provides an overview of cloud computing and discusses various practical and legal matters, including:

• Applicable law issues
• The legal basis for cloud computing and related processor and controller issues
• Problems associated with the possibility of third-party access
• The minimum requirements for data processor relationships and service provider contracts under the new German data protection law
• Technical and organizational security measures
• The legal landscape for clouds located outside the European Union

On June 17, 2010, the French data protection authority (the “CNIL”) published its Annual Activity Report for 2009 (the “Report”) in which it outlines some of its priorities for the upcoming year.

In February 2009, the CNIL published a report on online targeted advertising. Among other things, the CNIL voiced its concern regarding online behavioral and advertising activities and analyzed the risks of increasing user profiling.  In 2010, the CNIL is expected to issue a joint opinion with the Article 29 Working Party on targeted advertising and behavioral analysis.  The CNIL also will open a dialogue with several stakeholders from the marketing sector to work on adopting a code of best practices.

On May 28, 2010, the UK Information Commissioner’s Office issued a press release stating that it has been notified of more than 1,000 data security breaches since it began keeping records in late 2007.  There is no mandatory reporting requirement in the UK, so the actual number of breaches is likely to be significantly higher.  The ICO’s press release notes that the majority of breaches occur as a result of human or technical errors, such as employees improperly disclosing data to third parties or automated machines sending out letters to the wrong addresses.

On April 29, 2010, German data protection authorities issued a resolution regarding the obligations of German data exporters with respect to U.S. data importers that have self-certified under the Safe Harbor program.  By requiring additional diligence when transferring data to Safe Harbor-certified entities, the resolution may appear to raise questions with respect to the European Commission’s decision that Safe Harbor certification is sufficient to demonstrate an adequate level of privacy protection.

In a letter to the U.S. Federal Trade Commission dated May 26, 2010, the Article 29 Working Party expressed concerns regarding the retention and anonymization policies of Google, Yahoo! and Microsoft.  Specifically, the Working Party requested that the FTC examine the compatibility of the three search engine providers’ actions with provisions of Section 5 of the FTC Act which prohibits unfair or deceptive trade practices.

At a meeting held April 7-9, 2010, the Council on General Affairs and Policy of the Hague Conference on Private International Law adopted a document entitled 'Cross-Border Data Flows and Protection of Privacy' that outlines the organization's possible future work in the area of privacy and data protection law.  The document contains an overview of international data protection initiatives of the last few years, and addresses various cross-border cooperation issues, including problems created by the difficulty of determining applicable law and jurisdiction in cross-border data flows.  In

Following the first “hung parliament” since 1974, the UK is facing considerable legislative reform under the newly formed Conservative - Liberal Democrat coalition government.  Although the parties appear to have differing opinions on a number of legislative issues, one issue that unites them is their commitment (at least in theory) to strengthening the current data protection regime implemented under the Labour government.

Each party’s manifesto states that, should it be elected, it will enhance the audit powers of the Information Commissioner (the UK data protection regulator).  Currently, the Information Commissioner may audit government departments and public authorities suspected of violating data protection principles without their prior consent.  The Conservatives and Liberal Democrats propose to extend the Information Commissioner’s audit powers to private sector organizations.  This could be achieved in theory by secondary legislation.

According to a report issued by the EU Agency for Fundamental Rights (“FRA”), European data protection authorities lack sufficient independence and funding.  In addition, DPAs impose few sanctions for violations of data protection laws.  DPAs “are often not equipped with full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings.”  In a number of countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, “prosecutions and sanctions for violations are limited or non-existing.”  ...

On May 7, 2010, the data protection authority of the German federal state of North Rhine-Westphalia imposed a fine of €120,000 on Deutsche Postbank AG for illegal disclosure of customers’ bank account transaction data.  The bank unlawfully allowed approximately 4,000 self-employed agents to access information on more than a million customer accounts for sales purposes.

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

On April 8, 2010, the Digital Economy Act (the “Act”), containing provisions relating to online copyright infringement, network infrastructure and digital safety, became law in the UK.  The Act’s main provisions include:

• new duties for the Office of Communications (the UK’s communications regulator), to report every three years on issues such as the UK’s communications infrastructure and Internet domain name registration;
• additional obligations on Internet Service Providers (“ISPs”) that seek to reduce online copyright infringement;
• increased penalties for online copyright infringement; and
• intervention powers with respect to Internet domain registries.

Following up on our previous post on the sentencing of three Google executives by an Italian court, the New York Times reports that an 111-page explanation of the verdict has been released.  Judge Oscar Magi found that Google had an obligation to make users more aware of its EU privacy policies, and cited Google’s active marketing of its Google Video site as indicative of the company’s profit motive for not removing the video sooner.

In the wake of recent amendments to the German Federal Data Protection Act, the German Federal Ministry of the Interior (the Bundesinnenministerium des Innern) is working on a draft law on special rules for employee data protection.  The draft law is intended to provide clarification on some issues that were not addressed fully in the amendments that entered into force on September 1, 2009.  The Ministry’s overarching considerations are set forth in a key issues paper that was published April 1, 2010.

Demos, an independent UK-based think tank, has published a report describing the views of a cross-section of British people on how their personal data are used by the public and private sectors.  Private Lives: A People’s Inquiry Into Personal Information (the “Report”) was researched in the context of the UK Information Commissioner’s Office’s consultation on the Personal Information Online Code of Practice.  The Information Commissioner called for industry and research groups to provide context for the new Code of Practice. “What emerges from the study is a fascinating picture of a public who certainly care about information rights, but who are by no means hysterical about perceived threats to liberty or privacy,” observed UK Information Commissioner Christopher Graham.

Justice Michael Kirby was invited by the Organization for Economic Cooperation and Development (the “OECD”) to open the celebration of the 30th anniversary of the adoption of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.  Justice Kirby led the group of experts who worked from 1978-1980 to develop the Guidelines, which have formed the basis of modern privacy and data protection law.

On February 19, 2010, the Court of Appeals of Versailles (the “Court”) upheld the unlimited seizure and review of a company’s emails by several agents of the French Competition Authority (Autorité de la Concurrence).  The agents had been authorized by a lower court judge to inspect the emails pursuant to an investigation into an alleged abuse of dominant position in the pharmaceutical market.

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

• ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
• verifying that data controllers comply with the technical recommendations defined in their registration forms; and
• assessing the effectiveness of data protection officers within organizations.

Earlier this year, the EU’s Article 29 Working Party published an opinion finding that Israeli data protection law largely provides an “adequate level of data protection” under EU Data Protection Directive 95/46/EC.  The recommendation breaks new ground.  Law professor Omer Tene, who acted as an advisor to the Israeli government during the process, discussed Israel’s approval during this recorded segment from the Centre for Information Policy Leadership’s “First Friday” call on March 5, 2010.

In a decision handed down on February 25, 2010, the French Constitutional Court ruled that the right to privacy derives from Article 2 of the Declaration of Human Rights, and is therefore considered a constitutional right under French law.  The Court also ruled that the legislature must strike a balance between the right to privacy and other fundamental interests, such as preventing threats to public safety, which are necessary to preserve constitutional rights and principles.

In conjunction with the celebration of its 10th anniversary on March 16, the International Association of Privacy Professionals is releasing a white paper on the future of the privacy profession entitled, “A Call for Agility: The Next-Generation Privacy Professional.”  When the IAPP initially was formed, the role of the chief privacy officer was newly emerging following the dot-com boom.  Over the past 10 years, the exponential increase in data collection and retention have propelled the privacy professional into senior levels of management.  Reflecting the growth of the privacy professional’s role, the IAPP’s membership has grown to include over 6,500 privacy professionals from businesses, governments and academic institutions across 50 countries.

On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC.  The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.

The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies.  There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”).  Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months.  This information may be retrieved for law enforcement and safety purposes.  Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history. 

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.

In February 24, 2010, an Italian court in Milan found three Google executives guilty of violating applicable Italian privacy laws.  The executives were accused of violating Italian law by having allowed a video showing an autistic teenager being bullied to be posted online.  The Google executives, Senior Vice President and Chief Legal Officer David Drummond, Chief Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes, were fined and received six-month suspended jail sentences.

On February 11, 2010, the plenary of the European Parliament rejected by a vote of 378 to 196 the agreement reached in 2009 between the EU and the U.S. to allow access by U.S. law enforcement authorities to the payment database of the financial consortium SWIFT.  The agreement had been negotiated between the EU Council of Ministers and the European Commission with the U.S. government to allow continued access to the database, a mirror copy of which had been moved by SWIFT from the U.S. to Europe.  With the Lisbon Treaty’s entry into force, the Parliament gained new powers to approve measures affecting law enforcement and civil liberties, and a number of members of the Parliament have expressed concern regarding the level of data protection provided for in the agreement.  According to news reports, several top U.S. government officials (including Secretary of State Hillary Rodham Clinton and Treasury Secretary Timothy Geithner) had been lobbying the European Parliament to approve the agreement, on the grounds that it was essential to fight terrorism in both the U.S. and Europe.

On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights.  This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports.  The move has raised concerns about the excessive collection of personal data.

On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU.  View the European Commission press release.

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use ...

On January 29, 2009, the German Federal Network Agency (the “Agency”) stated in a press release that it has imposed fines for unauthorized telephone advertising in six cases.  This brings the total to nine procedures (resulting in €500,000 in fines) during the months of December 2009 and January 2010, and marks the first time the Agency has imposed sanctions for violations of the prohibition on unauthorized telephone advertising and for breach of the caller ID requirement for marketing calls.

On January 11, 2010, the data protection authority of the German federal state of Baden-Wurtemberg issued a press release stating that it had fined the Müller Group €137,500 for illegal retention of health-related data and failure to appoint a Data Protection Officer.

In April 2009, the German press reported that the Müller Group, a drugstore chain comprised of twelve entities and employing some 20,000 workers, was illegally collecting health data from its employees.  Specifically, employees returning from sick leave were required to complete a form and provide the reason for their sicknesses.  After conducting an investigation, the DPA confirmed these allegations.  Since 2006, the Müller Group entities had systematically requested employees returning from sick leave to identify the reasons for their sicknesses on a form that was then sent to the Group’s central Human Resources department to be scanned.  As of April 2009, approximately 24,000 records containing data on employee illnesses were being stored in Müller’s centralized HR files.

On January 12, 2010, Ms. Viviane Reding, Commissioner-designate for Justice, Fundamental Rights and Citizenship, was questioned during a public hearing before the European Parliament.  During this hearing, Ms. Reding revealed her priorities in the field of privacy and data protection.  “Fundamental rights and data protection will be top of the line” said Ms. Reding, who explained that she intends to incorporate the EU’s data protection rules into a modern and comprehensive legal instrument.

On January 12, 2010, the UK government laid regulations before Parliament to bring into force civil monetary penalties of up to £500,000 ($800,000) for serious data breaches.  These penalties are likely to take effect starting April 6, 2010.  Significantly, the penalties will apply not only to data security breaches, but also to all serious breaches of the UK Data Protection Act 1998.  Accordingly, collecting personal data for a sweepstakes contest then deliberately, and without consent, disclosing the data to a third party to populate a tracing database for commercial purposes might well be subject to a penalty.