Posts in European Union.
Time 2 Minute Read

In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement.  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

Time 1 Minute Read

On January 5, 2010, the Article 29 Working Party published an opinion dated December 1, 2009, finding that Israeli data protection law largely provides an "adequate level of data protection" under the European Union Data Protection Directive 95/46.  The European Commission will now take this opinion into account when determining whether to issue an "adequacy decision" for Israel in the coming months.  Such a decision would provide that data transfers to Israel from the EU are adequately protected for purposes of compliance with the Directive ...

Time 2 Minute Read

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

Time 1 Minute Read

On November 3, 2009, the Higher Regional Court of Düsseldorf (OLG Düsseldorf, Az. I-20 U 137/09) ruled on the duty to verify consent for email marketing with respect to purchased email addresses. According to the Court, a company that purchases email addresses for marketing purposes must verify customer consent itself – the company cannot rely on a data broker’s statement that it obtained the necessary consents.

This decision came in an interim injunction proceeding to cease unsolicited email marketing. The Court ruled in favor of the claimant, finding that the company ...

Time 2 Minute Read

On November 30, the Council of the European Union agreed to allow U.S. anti-terrorism authorities access to financial data of individuals located in the EU under certain circumstances. Under the agreement, U.S. authorities will continue to have access to data collected by Society for Worldwide Interbank Financial Telecommunication ("SWIFT") after a SWIFT database located in Switzerland becomes active later this year (the data had previously been processed in a database located in the U.S.). The agreement contains restrictions on access to the data that have been negotiated ...

Time 1 Minute Read

Commissioner Viviane Reding has been chosen as Commissioner for Justice, Fundamental Rights, and Citizenship in the new European Commission that is set to take office in early 2010 (assuming approval by the European Parliament).  Ms. Reding's responsibilities will thus include data protection, including the Commission's ongoing review of the EU framework for data protection.  She is currently EU Commissioner for Information Society & Media, where she oversaw review of the e-Privacy Directive and the EU legislative framework for telecommunications.  Commission President ...

Time 2 Minute Read

On November 12, 2009, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V., “vzbv”), a non-governmental organization acting as an umbrella for 41 German consumer associations announced that the social networks Xing, MySpace, Facebook, Lokalisten, Wer-kennt-Wen and StudiVZ signed undertakings that they would discontinue use of certain terms and conditions and data protection provisions.  The vzbv sent warning notices to the six leading social network providers regarding a number of clauses.

The main criticism from vzbv referred to ...

Time 1 Minute Read

On November 24, 2009, the European Parliament formally approved the European Union's telecoms reform package.  This reform proposed by the European Commission in November 2007 consists of various different EU Directives that set-up the legal framework applicable to the electronic communications sector (telecoms) and includes a new e-Privacy Directive.

New provisions of the e-Privacy Directive will strengthen the protection of privacy and personal data in the electronic communication sector and includes the following:

  • mandatory notification for personal data breaches ...
Time 2 Minute Read

On October 29, 2009, the European Commission (the “Commission”) proceeded to the second phase of infringement proceedings against the UK relating to the UK’s implementation of EU e-privacy and personal data protection laws.  EU Member States must ensure the confidentiality of communications by prohibiting interception and surveillance without user's consent.  The Commission maintains that the UK has failed to fully implement these requirements into its national laws and has identified three specific flaws in the existing UK laws governing the confidentiality of electronic communications:

  • The UK does not have an independent national authority responsible for (i) supervising the interception of communications and (ii) complaints about unlawful interception of electronic communications, despite the requirement to this effect contained within EU laws and imposed on Member States;
Time 3 Minute Read

On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”).  Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.

Time 2 Minute Read

In a closed session on November 5, 2009, the 31st International Conference of Data Protection and Privacy Commissioners adopted the International Standards on the Protection of Personal Data and Privacy (the “Standards”).  Although the document is advisory in nature and is not legally binding, it offers guidance to States that have not yet adopted comprehensive data protection laws.  The Spanish Data Protection Agency, which acted as the secretariat for drafting the Standards, held two meetings that included more than fifty privacy enforcement agencies, privacy advocates and businesses before hosting a final drafting session that was reserved for recognized data protection authorities.

Time 1 Minute Read

Every year since 2005, the United States, the European Commission and the Article 29 Working Party on Data Protection meet to review the latest developments in the U.S.-EU Safe Harbor Framework, as well as changes in privacy compliance, information security and data protection.  This year’s  International Conference on Cross Border Data Flows, Data Protection and Privacy occurs November 16 - 18 and features leading experts who will examine these issues and others, as well as changes made to the approval process for binding corporate rules.  Join our privacy professionals, Martin ...

Time 6 Minute Read

Background

On November 9, 2009, the UK's Ministry of Justice launched a consultation seeking the public's views on the proposed implementation of a maximum penalty of £500,000 (approximately US$837,950) for serious breaches of the UK Data Protection Act 1998 (the "DPA").  This Consultation follows the Information Commissioners' publication of draft guidance this week, explaining the circumstances in which a fine will be imposed.  The launch of the Consultation puts to rest recent speculation as to the level of fine likely to be imposed for a deliberate or serious breach of the DPA, including for data security breaches.

The DPA imposes obligations on data controllers that process personal data to: (i) process personal data fairly and lawfully; (ii) obtain personal data only for specified lawful purposes, and not further process personal data in any manner incompatible with such purposes; (iii) ensure that personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) ensure that personal data are accurate and, where necessary, kept up-to-date; (v) keep personal data only for as long as is necessary for the purposes for which they are collected; (vi) process personal data in accordance with individuals' rights; (vii) implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (viii) not transfer personal data to a jurisdiction outside the European Economic Area unless that jurisdiction affords adequate protection levels for individuals' rights and freedoms in relation to the processing of personal data.

Time 3 Minute Read

In 1980, the Organization for Economic Cooperation and Development (“OECD”) first published privacy guidelines that included an accountability principle.  Since that time, little work has been done to define accountability or to describe what it means for organizations to be accountable for the responsible use and protection of data.  In an effort to fill that gap, The Centre for Information Policy Leadership has authored “Data Protection Accountability: The Essential Elements” which articulates the conditions organizations would have to meet to be accountable.  

Time 2 Minute Read

Janet Napolitano, Secretary of the Department of Homeland Security, and Alfredo Perez Rubalcaba, the Spanish Minister of the Interior, spoke in contrasting tones today of the difficulties of finding the right balance between security and privacy.  The theme "Striving for a Balance Between Security and Privacy" was debated during the first plenary session of the 31st International Conference of Data Protection and Privacy Commissioners in Madrid.

Time 1 Minute Read

On November 4, join our privacy professionals at the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, Spain.  Participate in various presentations on ways to manage the most challenging data protection issues in today’s global environment.  In addition, the International Association of Privacy Professionals (“IAPP”) will host a Data Protection and Privacy Workshop in conjunction with the conference.

Time 2 Minute Read

On Friday, October 23, 2009, the German Railways Operator Deutsche Bahn AG announced that they would pay a fine of over €1.1 million that was imposed on October 16, 2009 by the Berlin data protection authority.  This fine is the highest ever imposed by a German data protection authority.  The imposition of this fine follows a major data protection scandal that reportedly broke out within the company.  From 2002 to 2005, Deutsche Bahn had screened a large quantity of employee data and compared it to supplier data in an effort to combat corruption, but without specific suspicions related to ...

Time 1 Minute Read

Hunton & Williams is pleased to announce that Richard Thomas CBE, the former UK Information Commissioner, has joined the firm as Global Strategy Adviser.  Richard Thomas was the UK’s Information Commissioner from November 2002 until his retirement at the end of June 2009.  He was appointed by HM The Queen and held independent status, reporting directly to Parliament, on a range of regulatory, promotional and advisory responsibilities under the Data Protection Act 1998, the Freedom of Information Act 2000 and related laws.  He also served as a member of the European Union’s Article ...

Time 2 Minute Read

The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday.  As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner, Bridget Treacy, Christopher Graham positioned himself as a fair, but tough, regulator who will not be afraid to use his strengthened enforcement powers.

Time 3 Minute Read

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

Time 1 Minute Read

On October 2, the Council of Europe's Consultative Committee of the Convention 108 on Data Protection ("T-PD") for the first time made publicly available its "Draft Recommendation on the Protection of Individuals with regard to Automatic Processing of Personal Data in the Framework of Profiling."  When it is finalized, the Draft Recommendation will be one of the first documents dealing with online profiling in the private sector issued by an international organization.  The International Chamber of Commerce ("ICC"), which has observer status in the T-PD, has been working to obtain ...

Time 2 Minute Read

On September 23, 2009, the Information Commissioner's Office (the "ICO"), the UK's data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation's binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.

Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State's DPA acts as the lead authority on a company's BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.

Time 3 Minute Read

The Federal Trade Commission (“FTC”) has secured a temporary restraining order against a company that allegedly falsely claimed to have self-certified to the EU/U.S. Safe Harbor Program.  One count of the FTC's complaint claims that the company (named Balls of Kryptonite, LLC) misled consumers by inaccurately representing that it had self-certified to the U.S. Department of Commerce that it was Safe Harbor compliant.  While the FTC has not alleged a substantive violation of the Safe Harbor, this case is significant for two reasons.  First, it marks the first time the FTC has brought an enforcement action with respect to the Safe Harbor Program.  The court order prohibits the defendants from misrepresenting the extent to which they “are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.”  Second, the FTC acted in concert with the UK Office of Fair Trading after consumers in the UK registered complaints with the FTC using a website established by 25 international consumer protection agencies to facilitate global consumer protection efforts.  This is the first time the FTC has used the U.S. SAFE WEB Act of 2006 to enforce consumer protection regulations against a U.S. company operating exclusively outside the United States.

Time 1 Minute Read

On August 19, 2009, the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl €36,000 (approximately $51,000) for illegally keeping records of employee health data.

The case was triggered by a report in the German news magazine Der Spiegel.  A Bochum resident found papers and forms containing Lidl employees' health data in a trash bin at a car wash and forwarded them to the magazine.  Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees' medical ...

Time 3 Minute Read

On August 19, 2009, the Official Journal published guidelines issued by the French Data Protection Authority (Commission nationale de l’informatique et des libertés (the “CNIL”)) regarding transfers of personal data carried out in the context of U.S. discovery proceedings (the “Guidelines”). The CNIL’s publication comes in the wake of a recent increase in the volume of requests made to French-based companies involved in U.S. litigation to disclose information or documents for the purposes of civil pre-trial discovery.

Time 1 Minute Read

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law ...

Time 2 Minute Read

The UK Financial Services Authority (FSA) has announced today fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers' confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

Time 2 Minute Read

The cost to register as a data controller in the United Kingdom is likely to increase significantly later this year, rising from £35 to £500 for companies with annual sales of at least £25.9 million and 250 or more employees.

The UK Information Commissioner has proposed a two-tiered fee structure as part of the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (the “Regulations”).  The Regulations are expected to come into force as of October 1, 2009.

Time 1 Minute Read

The UK Information Commissioner is initiating a consultation to develop a code of practice that will help companies address online privacy issues. It is anticipated that the code will provide guidance on the following matters:

  • Operating a privacy-friendly website
  • Rights and protections for individuals
  • Privacy choices and default settings
  • Cyberspace and territoriality
The UK Information Commissioner's Office has requested that interested parties host discussion sessions. Hunton & Williams' London office, together with the firm's Centre for Information Policy ...
Time 2 Minute Read

On June 3, 2009, the French Senate’s Commission on Laws issued a report on the right to privacy in the digital age (‘La vie privée à l’heure des mémoires numériques’) (the “Report”). The issuance of the Report is perhaps the most important legislative initiative in France in the field of privacy and data protection since the implementation of the EU Data Protection Directive in 2004.

Time 1 Minute Read

On April 27, 2009, the Article 29 Working Party issued a new working document (WP 155 rev.04) on frequently asked questions relating to binding corporate rules ("BCRs").  Two new FAQs were adopted: (1) FAQ 10 deals with the relationship between EEA data protection laws and BCRs; and (2) FAQ 11 relates to the reversal of the burden of proof in the context of BCRs.  The Working Party reiterated that, although BCRs may offer an adequate level of protection to personal data being transferred within the same company, they do not exempt multinationals from complying with national data ...

Time 2 Minute Read

On May 13, 2009, the French Data Protection Authority (“CNIL”) published its Annual Activity Report.  The Report highlights increasing enforcement activity, noting a record number of investigations, formal notifications and fines.  Having recently celebrated its thirtieth anniversary, the CNIL stated that it seeks to constantly evolve and meet the challenges of modern society by pursuing three key points: (i) diversifying its sources of financing; (ii) increasing the number of personnel; and (iii) including data protection and privacy rights in the French constitution in the near future.

Time 2 Minute Read

On May 19 and 20 the European Commission held a conference which was perhaps the most important data protection event in Brussels since the Commission conference on evaluation of the EU Data Protection Directive 95/46/EC held in 2002. The conference was part of the Commission's current evaluation of the Directive, and was designed to explore both the current status of data protection in the EU and where it is headed in the coming years. Speakers included Jacques Barrot, the European Commissioner in charge of justice, freedom and security; Alex Türk, chairman of the CNIL (French Data Protection Authority) and the Article 29 Working Party; European Data Protection Supervisor Peter Hustinx; and representatives of European academia, business and non-governmental organizations.

Time 1 Minute Read

On May 15, 2009, the German Federal Council adopted the "Act against unsolicited commercial phone calls and improvement of consumer protection."  According to the Act, violations of the existing prohibition on unsolicited commercial phone calls can now be sanctioned with a fine up to € 50,000.

In addition, the Act clarifies that a commercial phone call is only lawful if the recipient has given his or her prior explicit consent to receive the call.  The provision is intended to prevent the caller's reliance on consent that may have been given by the recipient in a totally different ...

Time 1 Minute Read

As a consequence of the data protection scandals at Deutsche Telekom AG over the last few years, the company is committed to reviewing these incidents by publishing an annual data protection report.  On April 28, 2009, the first data protection report for year-end 2008 was issued and is intended to show the public that Deutsche Telekom is focused on the transparency of its data protection practice.  The first chapter of the report contains an overview of the crucial incidents relating to data protection issues in 2008.  The following chapters present the operative focal points of the ...

Time 3 Minute Read

In November, the 31st International Conference of Data Protection and Privacy Commissioners will approve a resolution that will include an international standard for privacy protection called the “Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data.”  The standard will be submitted to the United Nations as the basis for a treaty.  This is not the conference’s first attempt to reach consensus on an international standard, but it is the first to include robust processes that will begin to narrow the issues that divide nations on data protection law.

Time 2 Minute Read

On May 12, 2009, the European Commission issued a long-awaited recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (“RFID”).  The recommendation follows a process initiated in 2006 when the European Commission launched a public consultation on RFID technologies.  Following this public consultation and in order to protect consumers’ privacy and data protection, the European Commission decided to take further steps by preparing a recommendation to regulate the use of RFID.

Time 2 Minute Read

The UK Information Commissioner's Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.

The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners' Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.

Time 3 Minute Read

On May 6, 2009, the proposed amendments to the e-Privacy Directive received a second reading in the European Parliament.  In addition to other measures, it will include a definition of “personal data breach” and will introduce a data breach notification requirement. 

The review of the e-Privacy Directive forms part of a wider review of telecoms legislation.  The objective of that review is to improve network security and integrity, to increase protection for user personal data and to improve measures to prevent spam and “cyber attacks.”  The scope of the amended Directive will include the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks within the European Community, including public communications networks supporting data collection and identification devices.

Time 1 Minute Read

In February 2009, the Ponemon Institute published the results of its inaugural study "Germany - 2008 Annual Study: Cost of a Data Breach."  The study is the first such research study undertaken in Germany, using data from actual incidents to estimate the costs of dealing with data breaches by German companies.  The study examined the experience of 18 German organizations that suffered a breach.  These case studies reviewed ranged in size an incident involving less than 3,750 records to an incident involving more than 90,000 records.  The breaches reviewed occurred across ten industry ...

Time 1 Minute Read

On March 17, 2009, the Article 29 Working Party released Opinion 3/2009 on the Commission’s draft decision for standard contractual clauses (SCCs), which discusses proposed updates of the clauses allowing the transfer of personal data to sub-processors established in third-world countries, in light of increased global outsourcing practices. Opinion 3/2009 is available here, and further analysis on the Working Party’s Opinion is available here.

To read more and for more EU data protection updates, please click here.

Time 4 Minute Read

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

Time 2 Minute Read

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. 

Time 2 Minute Read

On March 17, the Article 29 Working Party released its Opinion 3/2009 (dated March 5) on standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU. The Opinion deals with proposed changes to the European Commission's decision 2002/16 containing standard clauses for controller to processor transfers. The Opinion discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing. Although not mentioned in the Opinion, the March 17 Opinion is based on the proposal made in October 2006 to the European Commission by three business groups (the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU) and the Federation of European Direct and Interactive Marketing (FEDMA)). The proposal of the three business groups would amend the existing clauses from 2002 to bring them into line with business realities.

Time 2 Minute Read

On March 11, 2009, the operators of Germany's leading social networks, which include "schuelerVZ," "studiVZ,"  "lokalisten" and "wer-kennt-wen," signed a 17-page Code of Conduct by the Association for Voluntary Self-Regulation of Multimedia Service Providers (the “Code”) in order to protect children and young people. The Code of Conduct aims to improve data protection and consumer protection in social networks and, in particular, to protect young people against harassment. The Code requires that a privacy notice be displayed directly after the registration process and ...

Time 2 Minute Read

On 2 March 2009, a Belgian Criminal court (Tribunal correctionnel de Termonde, No. DE 20.95.16/08/25) fined Yahoo! Inc., €55,000 ($71,745) for refusing to disclose to a Belgian Public Prosecutor the personal data of its e-mail users who were under criminal investigation for fraud. The Criminal court also imposed a daily penalty fee of €10,000 ($13,045) in a case of non-compliance with the judgment.  This decision was reached despite Yahoo!’s argument that Belgian law did not apply because the company does not maintain a legal entity in Belgium and does not store any customer data in Belgium.

Time 1 Minute Read

On February 16, 2009, the US-Swiss Safe Harbor Framework, which is comparable to the EU-US Safe Harbor Framework, was adopted. The US-Swiss framework is intended to simplify the transfer of personal data by Swiss companies to American companies that are self-certified with the US Department of Commerce (DOC). Self-certified US companies are bound by the principles contained in the framework. They will automatically be considered as providing an adequate level of data protection under Swiss law.

Read more about EU data protection updates.

Time 3 Minute Read

The Information Commissioner’s Office (the “ICO”) has conducted a dawn raid on a business which operated a covert database containing details of 3,213 workers in the construction industry (the “Database”). Subscribers included over 40 construction companies, publicly named by the ICO, who used the database to vet prospective employees, without their knowledge or consent.

Time 2 Minute Read

The UK Advertising Standards Authority (“ASA”) recently upheld a complaint under the UK Committee of Advertising Practice Code (“CAP Code”) which requires UK marketers to obtain the explicit consent of consumers before disclosing their personal information to third parties for direct marketing purposes.

Time 7 Minute Read

On February 11, 2009, the EU Article 29 Data Protection Working Party released its long-awaited Working Document (the “Working Document”) on reconciling U.S. civil discovery requirements with European data protection law. The guidelines the Working Document offers for data controllers highlight the challenges that multinational businesses face to comply with competing legal obligations in civil litigation.

Time 1 Minute Read

The Criminal Court of Milan has suspended proceedings against four Google executives to allow time to address relevant procedural considerations.  The proceedings mark the culmination of a two-year investigation conducted by Italian authorities.  The investigation focused on video footage made available on Google Video that depicted a disabled boy being taunted by his fellow classmates.  As result of the video footage, Google executives face charges of defamation and privacy infringement.

For purposes of the criminal proceedings, Google is considered an internet content ...

Time 3 Minute Read

In SACEM v. Cyrille Saminadin (Cour de Cassation, chambre criminelle, 13 janvier 2009), the SACEM (a representative body of authors, composers, and music editors) asked one of its agents to carry out an investigation and to collect evidence of copyright infringements on a peer-to-peer network. After selecting a peer-to-peer network, the agent manually typed in the title of a song belonging to one of the rights holders and searched for all available files corresponding to this title. The agent then randomly selected one of these files and saved all the information relating to it (IP address, country of origin, name of the internet service provider, etc.) onto a CD-ROM as evidence for use in filing a complaint. The question raised in this case was whether such activity constitutes data processing requiring the prior authorization of the French Data Protection Authority (CNIL).

Time 1 Minute Read

On December 2, 2008, the European Court of Human Rights (ECHR) ruled in K.U. v. Finland that Article 8 of the European Convention on Human Rights requires national laws to protect individuals from serious online privacy infringements, but also that the national legal framework must allow for the identification and prosecution of offenders. This case involved an advertisement of a sexual nature, which was placed on an Internet dating site on behalf of the applicant, who was twelve years old at the time, without his knowledge ...

Time 2 Minute Read

Wednesday, January 28, 2009, marks the second annual international Data Privacy Day, which brings together a broad coalition of privacy professionals from both the private and public sectors, as well as corporations, academics and policymakers, with the goal of promoting awareness and collaboration on a variety of data privacy issues.

A wide variety of events celebrating Data Privacy Day has been scheduled throughout the week across the United States, Canada and the European Union. The Triangle Center on Terrorism and Homeland Security and Intel Corporation are sponsoring a ...

Time 4 Minute Read

The Centre for Information Policy Leadership’s Executive Director, Marty Abrams, brings you these thoughts on a recent data protection summit in Barcelona.

Harmonized international data protection rules have been privacy’s Holy Grail since the EU Directive was enacted in 1995. Harmonized, globally recognized rules would simplify life for privacy protection authorities and companies. Numerous efforts have been undertaken to create a harmonized code. The most recent, an international standards project led by the Spanish Data Protection Commissioner, began on January 12 as international privacy experts met in Barcelona. The Spanish Data Protection Commissioner leads the project, and the finished product — a harmonized privacy code that will be the basis for a data protection treaty— will be a center-piece of the 31st International Conference of Data Protection and Privacy Commissioners on November 2009 in Madrid. 

The Barcelona meeting focused on a draft standards document developed by the Spanish Data Protection Authority, Agencia Espanola de Proteccion de Datos.  The document integrates many of the elements from the OECD Privacy Guidelines, Council of Europe Convention, EU Directive and APEC Privacy Framework.  In its 30 sections, the document recognizes almost every concept found in this existing guidance.

Time 1 Minute Read

On December 5, 2008, the Austrian data protection authority ("DPA") issued its first decision on the implementation of a whistleblowing hotline as required by the Sarbanes-Oxley Act ("SOX"), to be administered by the Austrian subsidiary of a U.S.-based company. The DPA partly approved the data transfers from the Austrian entity to the U.S. entity for the purpose of enabling it to prosecute "serious incidents" caused by the behavior of executive managers. The DPA ordered the Austrian subsidiary to implement a contract guarantying data subjects the ability to exercise their rights ...

Time 1 Minute Read

On October 1, 2008, the Article 29 Working Party issued a toolkit on Binding Corporate Rules (BCRs) aimed at promoting them as a mechanism for transferring data to countries without an adequate level of data protection. The toolkit includes: (1) a table highlighting the elements and principles to be found in BCRs (WP 153); (2) a document setting up a framework for the structure of BCRs (WP 154); and (3) a revised version of the FAQs on BCRs (WP 155). The toolkit also announced the creation of a mutual recognition procedure between nine national data protection authorities ...

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page