Posts in International.
Time 1 Minute Read

On February 27, 2014, Chairwoman of the French Data Protection Authority (the “CNIL”) Isabelle Falque-Pierrotin was elected Chairwoman of the Article 29 Working Party effective immediately. Ms. Falque-Pierrotin succeeds Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, who chaired the Article 29 Working Party for four years. The Working Party also elected two new Vice-Chairs: Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, and Gérard Lommel of the Luxembourg Data Protection Authority.

Time 2 Minute Read

On February 21, 2014, Peter Hustinx, the European Data Protection Supervisor (“EDPS”), highlighted the need to enforce existing EU data protection law and swiftly adopt EU data protection law reforms as an essential part of rebuilding trust in EU-U.S. data flows.

Time 5 Minute Read

On January 31, 2014, the Greek Presidency of the Council of the European Union issued four notes regarding the proposed EU Data Protection Regulation. These notes, discussed below, address the following topics: (1) one-stop-shop mechanism; (2) data portability; (3) data protection impact assessments and prior checks; and (4) rules applicable to data processors.

Time 2 Minute Read

On January 24, 2014, the Chamber Court of Berlin rejected Facebook’s appeal of an earlier judgment by the Regional Court of Berlin in cases brought by a German consumer rights organization. In particular, the court: 

Time 2 Minute Read

In a decision published on February 11, 2014, the French Data Protection Authority (“CNIL”) adopted several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”).

Time 2 Minute Read

On February 11, 2014, Germany’s Federal Minister of Justice and Consumer Protection announced that consumer rights organizations will soon be able to sue businesses directly for breaches of German data protection law. Such additional powers had already been contemplated by the German governing coalition’s agreement and the Minister now expects to present a draft law in April of this year to implement them.

Time 2 Minute Read

On February 5, 2014, the Member States of the EU and European Free Trade Association (“EFTA”) as well as the European Network and Information Security Agency (“ENISA”) issued Standard Operational Procedures (“SOPs”) to provide guidance on how to manage cyber incidents that could escalate to a cyber crisis.

Time 2 Minute Read

On January 28, 2014, the Federal Court of Justice of Germany clarified the scope of a data subject’s right of access to personal data in the context of credit scoring. Germany’s Federal Data Protection Act contains detailed and expansive provisions on the right of access where personal data are processed and shared to determine a data subject’s future behavior.

Time 3 Minute Read

On January 28, 2014, Data Protection Day, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding gave a speech in Brussels proposing a new data protection compact for Europe. She focused on three key themes: (1) the need to rebuild trust in data processing, (2) the current state of data protection in the EU, and (3) a new data protection compact for Europe.

Time 2 Minute Read

On January 23, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) released a report (the “Report”) concluding that the National Security Agency (“NSA”) does not have a valid legal basis for its bulk telephone records collection program. The NSA’s bulk collection of consumer telephone records has been under increased scrutiny since Edward Snowden leaked information about the program in June 2013, and recently has faced legal challenges. According to the Report, the NSA’s program exceeded its statutory parameters.

Time 2 Minute Read

On January 22, 2014, at the World Economic Forum in Davos-Klosters, Switzerland, Sweden’s Minister for Foreign Affairs Carl Bildt announced the creation of a new independent commission that will examine the future of Internet governance. The Global Commission on Internet Governance (the “Commission”) is being launched by think tanks Chatham House and The Centre for International Governance Innovation (“CIGI”). The Commission will be chaired by Bildt, Sweden’s former Prime Minister, and supported by expert members representing business, government, academia and civil society. In announcing the initiative, Bildt stated that “[n]et freedom is as fundamental as freedom of information and freedom of speech in our societies.”

Time 3 Minute Read

On January 21, 2014, the Federal Trade Commission announced settlements with twelve companies that allegedly falsely claimed that they complied with the U.S.-EU Safe Harbor Framework. The settlements stem from allegations that the companies violated Section 5 of the FTC Act by falsely representing that they held current Safe Harbor certifications despite having allowed their certifications to expire. The companies involved represent a variety of industries, ranging from technology and accounting to consumer products and National Football League teams.

Time 1 Minute Read

On January 21, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program highlighted some of the key privacy developments that companies will encounter in 2014, including cybersecurity issues in the U.S., California’s Do Not Track legislation, Safe Harbor, the EU General Data Protection Regulation and the CNIL’s new cookie guidance.

Time 3 Minute Read

In January 2014, the Department of Commerce’s International Trade Administration (“ITA”) posted a Key Points document to provide additional information about the benefits, oversight and enforcement of the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks. The Key Points document supplements information about the Safe Harbor Frameworks already available on the Department of Commerce website. For example, in the Key Points, the ITA notes that: 

Time 3 Minute Read

On January 16, 2014, the High Court in London rejected submissions made on behalf of Google Inc. (“Google”) that the case brought against it by three UK-based users of Apple’s Safari browser should be heard in the U.S., rather than before an English court. The decision means that the case could be heard before a court in England, although media reports suggest Google will appeal the decision.

Time 1 Minute Read

As reported by Bloomberg BNA, on January 13, 2014, Ukrainian Parliament Commissioner for Human Rights Valeriya Lutkovska (the “Ombudsman”) announced the adoption of new data protection regulations. The Ombudsman became the new data protection authority in Ukraine as of January 1, 2014, when amendments to abolish the previous data protection authority became effective. As we previously reported, Ukraine first passed personal data protection legislation in June 2010.

Time 1 Minute Read

The EU-U.S. Safe Harbor Framework is an important cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. Recently, however, the Safe Harbor’s future has been thrown into doubt. In an article published on October 30, 2013 by Practical Law, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice (https://www.huntonak.com/services/Privacy-and-Cybersecurity) at Hunton & Williams LLP, partner Bridget Treacy and ...

Time 3 Minute Read

On December 18, 2013, the UK Information Commissioner’s Office (“ICO”) published its proposed strategy for handling complaints, stating that, beginning in April 2014, it will focus its efforts on the investigation of serious and repeat violations of data protection laws. The ICO also intends to publish regular reports highlighting the number of complaints it receives about organizations and enforcement actions it has taken. The ICO is seeking comments on the proposed strategy, which is explained in a public consultation document, before January 31, 2014.

Time 2 Minute Read

In December 2013, the UK Information Commissioner’s Office (“ICO”) issued non-binding guidance aimed at app developers (the “Guidance”). The Guidance applies to all types of mobile devices, including smart TVs and video game consoles.

Time 1 Minute Read

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines was published in November 2012.

Time 3 Minute Read

In recent months, the Chinese government has devoted attention to the protection of personal information with, as we previously reported, the promulgation of a number of new data protection regulations. This focus is also illustrated by recent actions related to crimes involving personal information.

Time 6 Minute Read

On November 27, 2013, the State Post Bureau of the People’s Republic of China (the “SPBC”) released five draft normative rules for solicitation of public comment. Three of these rules, respectively entitled Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Draft Provisions”), Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”), and Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”) contain significant requirements regarding the protection of personal information. The deadline for submitting comments on the rules is December 27, 2013.

Time 4 Minute Read

On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.

Time 3 Minute Read

On December 12, 2013, Advocate-General Cruz Villalón of the European Court of Justice (“ECJ”) issued his Opinion on the compatibility of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) with the Charter of Fundamental Rights of the European Union (the “EU Charter”).

Time 2 Minute Read

As we previously reported, on October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Hunton & Williams has now published an analysis of these proposals.

Time 2 Minute Read

On November 15, 2013, the People’s Bank of China (the “PBOC”) issued its Administrative Measures for Credit Reference Agencies (the “Measures”) – eight months after the Administrative Regulations on the Credit Information Collection Sector (the “Regulations”) became effective on March 15, 2013. The Measures, which will take effect on December 20, 2013, were formulated to enhance the supervision and regulation of credit reference agencies and to promote positive developments in the credit information services sector.

Time 2 Minute Read

On November 21, 2013, the Supreme People’s Court of China passed the Provisions on the Online Issuance of Judgment Documents by People’s Courts (the “Provisions”), which will take effect on January 1, 2014. The Provisions replace earlier rules (of the same title) enacted by the Supreme People’s Court on November 8, 2010, and generally focus on improved implementation of the principles of standardizing the online issuance of judgment documents, promoting judicial justice and enhancing the public credibility of the judiciary.

Time 2 Minute Read

On November 28, 2013, the UK government published a paper in response to its March 2013 consultation on cybersecurity standards (“Response Paper”), and announced that it will create a new cybersecurity standard. The original consultation concluded in October 2013.

Time 2 Minute Read

On November 19, 2013, the National Health and Family Planning Commission of the People’s Republic of China published a draft of its proposed new Administrative Measures on Personal Health Information (the “Draft Measures”) and solicited public comments by December 20, 2013.

Time 5 Minute Read

On November 27, 2013, the European Commission published an analysis of the EU-U.S. Safe Harbor Framework, as well as other EU-U.S. data transfer agreements. The analysis includes the following documents:

Time 2 Minute Read

Brazilian lawmakers, including José Eduardo Cardozo, the Minister of Justice of Brazil, and Ideli Salvatti, the Secretariat of Institutional Relations, held several consensus-building meetings with party leaders over the past two weeks to reach a voting agreement on the Marco Civil da Internet (“Marco Civil”), a draft bill introduced in the Brazilian Congress in 2011. The Marco Civil would establish Brazil’s first set of Internet regulations, including requirements regarding personal data protection and net neutrality.

Time 2 Minute Read

As reported by Bloomberg BNA, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) recently issued data security guidelines that implement the security provisions of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

Time 3 Minute Read

On November 15, 2013, the Supreme Court of Canada declared the Alberta Personal Information Protection Act (“PIPA”) invalid because the legislation interfered with the right to freedom of expression in the labor context under Section 2(b) of the Canadian Charter of Rights and Freedoms (the “Canadian Charter”). The case arose in the context of a labor union representing employees of a casino in Alberta. During a lawful strike, the union recorded and photographed individuals crossing the union’s picket line near the main entrance of the casino. The union had posted a sign that the images of persons crossing the picket line might be placed on a website. A number of individuals who were recorded crossing the picket line filed complaints under PIPA with the Alberta Information and Privacy Commissioner, who appointed an adjudicator to determine whether the union had contravened PIPA by collecting and disclosing personal information about individuals without their consent. Under PIPA, organizations cannot collect, use or disclose personal information without the individual’s consent, unless an exception applies.

Time 2 Minute Read

On November 4, 2013, the China Insurance Regulatory Commission, which is the Chinese regulatory and administrative authority for the insurance sector, issued the Interim Measures for the Management of the Authenticity of Information of Life Insurance Customers (the “Measures”). The Measures require life insurance companies and their agents to ensure the authenticity of personal data of life insurance policy holders. To help achieve this objective, the Measures impose rules for the collection, recording, management and use of the personal data of policy holders.

Time 1 Minute Read

On November 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the second webcast in its Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation (“Proposed Regulation”), including a discussion of the European Parliament’s recent approval of its Compromise Text for the Proposed Regulation.

Time 3 Minute Read

The Luxembourg data protection authority (Commission nationale pour la protection des données, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

Time 5 Minute Read

On November 14, 2013, the Minister of the Malaysian Communications and Multimedia Commission (the “Minister”) announced that Malaysia’s Personal Data Protection Act 2010 (the “Act”) would be going into effect as of November 15, marking the end of years of postponements. The following features of the law are of particular significance:

Time 1 Minute Read

On November 4, 2013, the data protection authority (“DPA”) of the German state of Rhineland-Palatinate announced two sets of recommendations for mobile payment systems, including contactless payments. The recommendations were prepared in conjunction with the state consumer protection agency, the Ministry of Justice for Rhineland-Palatinate, the mobile payment industry and research organizations.

Time 1 Minute Read

On October 27, 2013, the South Korean Ministry of Security and Public Administration indicated that the government will issue certifications to private and public organizations that meet certain requirements of the Personal Information Protection Act. According to The Korea Times, organizations will be able to apply for the certification with the National Information Society Agency (“NISA”) beginning on November 28, 2013. The number of requirements that an organization will be assessed against will depend on the size of the organization. The Korea Times reports ...

Time 2 Minute Read

As we reported on October 8, 2013, the Information Commissioner’s Office (“ICO”) has announced it is reviewing its Privacy Notices Code of Practice (the “Code”) to assess whether it should be updated. In anticipation of the November 30th closing date for comments on the Code, today the ICO’s Head of Policy Delivery posted a request for feedback on the ICO’s blog.

Time 1 Minute Read

On November 26, 2013, Kazakhstan’s new data privacy law, On Personal Data and Their Protection, will come into effect. The law was passed on May 21, 2013. Kazakhstan is the second country in Central Asia to enact a data privacy law, joining the Kyrgyz Republic, which passed the Law on Personal Data in 2008.

Time 2 Minute Read

On October 25, 2013, the Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests (the “Amendment”). The Amendment, which was adopted after three readings and will take effect on March 15, 2014, adds provisions designed to respond to the recent boom in online shopping and focuses on improving protections in the area of consumer rights and interests by:

Time 6 Minute Read

On October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). The approval follows months of negotiations between the various parliamentary committees. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) has been in charge of working toward an agreement on the Compromise Text in the European Parliament.

Time 2 Minute Read

On October 19, 2013, the Center for Internet and Society (“CIS”), the Federation of Indian Chambers of Commerce and Industry, and the Data Security Council of India held a Privacy Roundtable in New Delhi, the last in a series of roundtables that began in April 2013. The events were designed to elicit comments on a draft Privacy Protection Bill, proposed legislation for a privacy and personal data protection regime in India. The law would regulate the collection and use of personal data in India, as well as surveillance and interception of communications.

Time 3 Minute Read

On October 2, 2013, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU legal requirements (“Working Document”).

Time 2 Minute Read

At its meeting on October 7, 2013, the Council of the European Union voiced support for the “one-stop-shop” mechanism in the draft General Data Protection Regulation (the “Regulation”). The “one-stop-shop” mechanism allocates responsibility for overseeing data processing activities in multiple EU Member States to the data protection authority of the EU Member State where the data controller or processor has its main establishment. At the Council meeting, a majority of the EU Member States indicated that the responsible data protection authority should have exclusive decision powers with regard to enforcement actions, but acknowledged that the “local” DPAs should be involved in the decision-making process as well. The Council emphasized the need for further exploration of the European Data Protection Board’s role in ensuring consistent application of EU data protection rules.

Time 1 Minute Read

On October 8, 2013, a Royal Decree was published completing the transposition of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) into Belgian law. The Royal Decree was adopted on September 19, 2013.

Time 2 Minute Read

On October 2, 2013, the 86th Conference of the German Data Protection Commissioners concluded in Bremen. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

Time 2 Minute Read

In its October 2013 e-newsletter, the UK Information Commissioner’s Office (“ICO”) announced that it is reviewing its Privacy Notices Code of Practice (the “Code”) to assess whether it should be updated. The Code, last updated in December 2010 and issued under Section 51 of the UK Data Protection Act 1998 (the “DPA”), is designed to assist organizations “to collect and use information appropriately by drafting clear and genuinely informative privacy notices.”

Time 1 Minute Read

On October 4, 2013, The Centre for Information Policy Leadership’s Senior Policy Advisor Fred Cate reported on the 35th International Conference of Data Protection and Privacy Commissioners which concluded on September 24 in Warsaw, Poland. The report indicates that four main issues dominated the Conference: (1) challenges presented by technologies such as mobile apps and online profiling, (2) multinational interoperability and enforcement, (3) pending EU data protection regulation and alternatives, and (4) repercussions of NSA surveillance activities.

Read the ...

Time 2 Minute Read

On September 30, 2013, Hunton & Williams LLP hosted representatives from the U.S. Department of Commerce for a timely discussion of the Safe Harbor Framework, the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules System (“CBPRs”), and the Transatlantic Trade and Investment Partnership (“TTIP”) negotiations. The panel also addressed the development of privacy codes of conduct and privacy legislation being developed by the Department of Commerce.

Time 2 Minute Read

On September 24, 2013, the Singapore Personal Data Protection Commission (the “Commission”) published guidelines to facilitate implementation of the Singapore Personal Data Protection Act (the “PDPA”). The Advisory Guidelines on Key Concepts in the Personal Data Protection Act and the Advisory Guidelines on the Personal Data Protection Act for Selected Topics provide explanations of concepts underlying the data protection principles in the PDPA, and offer guidance on how the Commission may interpret and apply the PDPA with respect to certain issues (e.g., anonymization, employment, national identification numbers). The guidelines are advisory only; they are not legally binding.

Time 4 Minute Read

On September 23 and 24, 2013, a declaration and eight resolutions were adopted by the closed session of the 35th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. This blog post provides an overview of the declaration and the most significant resolutions.

Time 2 Minute Read

On September 26, 2013, the UK Information Commissioner’s Office (“ICO”) published new breach notification guidance (the “Guidance”), applicable to telecom operators, Internet service providers (“ISPs”) and other public electronic communications service (“ECS”) providers.

Time 2 Minute Read

On September 6, 2013, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding traveled to Berlin where she commented on the status of the negotiations on the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Commissioner Reding indicated that she was looking for Germany to become involved in the discussions about the Proposed Regulation at the highest level, and she argued in favor of stricter regulations given recent revelations about surveillance programs such as PRISM. Because the vote on the Proposed Regulation only requires a majority to pass, she also emphasized that it would not be necessary to obtain the agreement of all of the EU Member States (for example, the UK or Ireland).

Time 1 Minute Read

On September 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the first webcast in its new Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation, recent Safe Harbor issues from both European and American perspectives, and cybersecurity developments on both sides of the Atlantic.

Listen to a recording of the September Hunton Global Privacy Update.

Hunton Global Privacy Update sessions are 30 minutes in length and are scheduled to take place every two months.

Time 3 Minute Read

On September 9, 2013, the Organization for Economic Cooperation and Development (“OECD”) published its revised guidelines governing the protection of privacy and transborder flows of personal data (the “Revised Guidelines”), updating the OECD’s original guidelines from 1980 that became the first set of accepted international privacy principles.

Time 2 Minute Read

On August 30, 2013, following the effort by the People’s Republic of China to establish a Consumer Rights Protection Bureau in 2012, the China Banking Regulatory Commission (the “CBRC”) issued a document entitled “Guidance for the Banking Sector on the Protection of the Rights of Consumers” (the “Guidance”). Among other things, the Guidance re-emphasizes the principle of protecting personal financial information. Banking institutions are required (1) to take effective measures to protect consumers’ personal financial information; (2) not to modify or illegally use consumers’ personal financial information; and (3) to prevent the disclosure of consumers’ personal financial information to any third party without the relevant consumers’ authorization or consent.

Time 2 Minute Read

On September 5, 2013, the 16 German state data protection authorities and the Federal Commissioner for Data Protection and Freedom of Information (the “DPAs”) passed a resolution concerning recent revelations about the PRISM, Tempora and XKeyscore surveillance programs.

Time 2 Minute Read

On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published guidance for companies receiving unwanted marketing (the “Guidance”). This Guidance was published as part of a broader focus on unwanted marketing in the UK.

Time 2 Minute Read

On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published new guidance on direct marketing (the “Guidance”). The Guidance explains the application of the two principal legislative instruments that affect direct marketing in the UK: (1) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which relates specifically to direct marketing; and (2) the Data Protection Act 1998 (the “DPA”), which governs data protection issues generally. The Guidance is not legally binding, but it reflects the ICO’s interpretation of the requirements and indicates how the ICO is likely to enforce them.

Time 5 Minute Read

Recent news reports regarding the alleged purchase of personal information by a corporate investigative service firm in Shanghai have raised questions about the possibility of obtaining information about domestic Chinese companies from government corporate registration agencies.

Time 2 Minute Read

On August 8, 2013, the State Council of the People’s Republic of China released its “Opinions Regarding Facilitating Information Consumption and Boosting Domestic Demand” (Guofa [2013] No. 32, the “Opinions”). The Opinions provide guidelines for encouraging the development of the “consumption of information” in the next few years. “Consumption of information” is a recently coined Chinese term that encompasses the demand for, and possession, processing and reproduction of, information.

Time 3 Minute Read

In recent months, the Chinese government has focused an increasing amount of attention on the protection of personal information. As we previously reported, there have been a number of new data protection regulations in China, including the Decision on Strengthening the Protection of Information on the Internet issued by the Standing Committee of the National People’s Congress in December 2012, and new rules issued by the Ministry of Industry and Information Technology this July to protect personal information collected by telecommunications and Internet service providers. This focus also is illustrated by Shanghai authorities’ recent crackdown on crimes involving personal information.

Time 2 Minute Read

As reported by Bloomberg BNA, the South African Parliament passed the Protection of Personal Information Bill on August 22, 2013. The bill, which was sent to President Jacob Zuma to be signed into law, represents South Africa’s first comprehensive data protection legislation.

Time 2 Minute Read

On August 28, 2013, on the UK Information Commissioner’s Office’s (“ICO’s”) blog, Simon Rice, Technology Group Manager for the ICO, discussed the importance of encryption as a data security measure. He stated that storing any personal information is “inherently risky” but encryption can be a “simple and effective means” to safeguard personal information and reduce the risk of security breaches.

Time 1 Minute Read

As always, the privacy team at Hunton & Williams continues to closely monitor the latest global developments in data protection, privacy and cybersecurity, including progress on the proposed EU General Data Protection Regulation. To keep you informed, we will be hosting regular, 30-minute webcasts to provide brief updates on the most pressing issues. These Hunton Global Privacy Update sessions will take place every two months. Please join us on September 19, 2013, at 11:00 a.m. EDT, for the first Hunton Global Privacy Update webcast.

Register for the complimentary September 19th ...

Time 2 Minute Read

This week a new breach notification regulation takes effect across the EU. The Regulation on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC (the “Regulation”) specifies the technical measures governing how Internet service providers, telecommunications providers and other public electronic communications service (“ECS”) providers must provide notification of data breaches.

Time 2 Minute Read

On September 30, 2013, Hunton & Williams LLP will host a panel discussion with the U.S. Department of Commerce on The Latest International Data Privacy Developments. The panel will take place in Hunton & Williams’ New York office from 5:30 – 7:00 p.m. EDT, with a cocktail reception following the presentation. The Department of Commerce’s International Trade Administration (“ITA”) will brief participants on important international data privacy issues, including:

Time 2 Minute Read

On August 9, 2013, the UK Information Commissioner’s Office (“ICO”) published a new code of practice providing guidance to organizations on how to respond to subject access requests (the “Code”). The Code follows a public consultation on a draft code during 2012 and 2013.

Time 2 Minute Read

On August 6, 2013, the UK Information Commissioner’s Office (“ICO”) opened a new consultation on a draft code of practice on conducting privacy impact assessments (the “Code”).

Time 2 Minute Read

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

Time 2 Minute Read

On July 16, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) issued a new rule entitled Provisions on the Registration of Real Identity Information of Telephone Users (the “Provisions”), which will take effect on September 1, 2013. The Provisions were issued pursuant to the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (the “Resolution”) and the Telecommunications Regulations of the People’s Republic of China. In April 2013, the MIIT issued a draft of the Provisions and solicited public comment.

Time 2 Minute Read

On July 16, 2013, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) issued a new rule entitled Provisions on the Protection of Personal Information of Telecommunications and Internet Users (the “Provisions”). The Provisions, which will take effect on September 1, 2013, are intended to implement the general requirements set forth in last December’s Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet (the “Resolution”). The Provisions are the first specific regulations concerning personal information protection by telecommunications service providers in China.

Time 2 Minute Read

On July 22-23, 2013, the APEC E-Commerce Business Alliance and the China International Electronic Commerce Center, a subsidiary organization of the Ministry of Commerce of the People’s Republic of China, held a seminar in Beijing entitled Workshop on the Online Data Privacy Protection in APEC Region. In addition to delegates from Mainland China, representatives from numerous other jurisdictions were in attendance, including the United States, the United Kingdom, Malaysia, Vietnam, South Korea, Hong Kong and Taiwan.

Time 3 Minute Read

On July 24, 2013, the Conference of the German Data Protection Commissioners at both the Federal and State levels issued a press release stating that surveillance activities by foreign intelligence and security agencies threaten international data traffic between Germany and countries outside the EEA.

Time 2 Minute Read

On July 18-19, 2013, the European Union Justice and Home Affairs Council held an informal meeting in Vilnius, Lithuania, where Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, openly criticized the U.S.-EU Safe Harbor Framework.

Time 1 Minute Read

On July 12, 2013, during the Centre for Information Policy Leadership’s First Friday call, José Alejandro Bermúdez Durana, Deputy Superintendent for Data Protection for Colombia’s Superintendency of Industry and Commerce, discussed the secondary regulations issued on June 27, 2013 to implement Colombia’s omnibus data protection law enacted in 2012. The Deputy Superintendent discussed key aspects of the regulations, and provided information regarding additional regulations that are needed to implement binding codes of conduct.

Time 2 Minute Read

On June 25, 2013, the Belgian Data Protection Authority (the “Privacy Commission”) and the Belgian Ministry of Justice agreed on a Protocol establishing new rules for the approval of international data transfer agreements.

Time 5 Minute Read

Senior Attorney Rosemary Jay reports from London:

On June 25, 2013, Advocate-General Jääskinen of the European Court of Justice (“ECJ”) delivered his Opinion in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v AEPD” or the “case”).

The case concerns Google Search results, and whether individuals have a right to erasure of search result links about them. The Opinion concludes that under current law, individuals have no such right. The European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) would introduce a right to be forgotten. However, this Opinion appears to demonstrate unease with the basic concept of such a right.

Time 1 Minute Read

In a recording prepared for the Centre for Information Policy Leadership at Hunton & Williams LLP’s (“Centre’s”) annual retreat, former UK Information Commissioner and Centre Global Strategy Advisor Richard Thomas discussed some of the challenges facing Big Data with respect to the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC. In April 2013, the Article 29 Working Party adopted an Opinion on this topic, focusing on how to apply the purpose limitation principle in the Big Data context. Richard Thomas ...

Time 1 Minute Read

On June 27, 2013, the Colombian Ministry of Commerce, Industry and Tourism issued regulations pursuant to the country’s new data protection law. The regulations, entitled Decreto Número 1377 de 2013, por el cual se reglamenta parcialmente la Ley 1581 de 2012, address a variety of topics, including the following:

  • Consent requirements relating to the collection of personal data;
  • Restrictions on the processing of children’s personal data;
  • Content and delivery of privacy notices;
  • Cross-border data transfer restrictions;
  • Data transfer agreements;
  • Internal privacy ...

Time 3 Minute Read

On June 28, 2013, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) issued its 20th annual Report of Activities (the “Report”), highlighting the FDPIC’s main activities during the period from April 2012 to March 2013. The Report is available in French and in German, and the FDPIC also has prepared a summary of the Report in English.

Time 2 Minute Read

On July 4, 2013, the European Parliament adopted new EU legislation to fight cyber crime. The Directive on attacks against information systems (the “Directive”) (see the Committee on Civil Liberties, Justice and Home Affairs’ report tabled for plenary), together with the launch of the European Cybercrime Centre and the adoption of the EU cybersecurity strategy, will strengthen the EU’s overall response to cyber crime and contribute to improving cybersecurity for all EU citizens.

Time 2 Minute Read

The U.S. Department of Commerce’s International Trade Administration (“ITA”) will host a data privacy seminar in Providence, Rhode Island, on Thursday, July 18 from 8:30 – 11:00 a.m. EDT. Seminar participants will hear from Commerce privacy experts who will discuss the Obama Administration’s privacy blueprint and provide updates on significant international developments, including the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks and the Asia-Pacific Economic Cooperation (“APEC”) group’s work to implement the Cross-Border Privacy Rules System. These privacy developments could have a significant impact on how companies comply with laws and privacy regulations in the United States, Asia and Europe. A representative from the Safe Harbor-certified company Textron Inc. (“Textron”) also will discuss the company’s experience developing and implementing a privacy compliance program.

Time 1 Minute Read

On July 3, 2013, the French Data Protection Authority (“CNIL”) released its decision in a case against PS Consulting, imposing a fine of €10,000 on the information systems consulting company for violations related to the operation of its CCTV system.

Time 2 Minute Read

On July 2, 2013, the Indian government released its ambitious National Cyber Security Policy 2013. The development of the policy was prompted by a variety of factors, including the growth of India’s information technology industry, an increasing number of cyber attacks and the country’s “ambitious plans for rapid social transformation.” The policy sets forth 14 diverse objectives that range from enhancing the protection of India’s critical infrastructure, to assisting the investigation and prosecution of cyber crime, to developing 500,000 skilled cybersecurity professionals over the next five years.

Time 2 Minute Read

On July 1, 2013, the Republic of Croatia joined the European Union, increasing the number of EU Member States to 28. As of the day of its accession, Croatia must implement the acquis communautaire (the complete body of the EU legislation), which includes the EU Data Protection Directive 95/46/EC (“Data Protection Directive”).

Time 1 Minute Read

In recent months, the Belgian media has reported on a significant increase in data breaches. In December 2012, the National Belgian Railway Company inadvertently published 1.46 million sets of customer data online. The rise in data security incidents has caught the attention of the Belgian Privacy Commission, which has the authority to make recommendations on any matter relating to the application of the fundamental data protection principles in the Belgian Data Protection Act of December 8, 1992. In a May 2013 article published in Bloomberg BNA’s World Data Protection Report

Time 2 Minute Read

The Bavarian data protection authority recently updated its compliance initiative regarding online tracking tools to include Adobe’s online tracking product (Adobe Analytics (Omniture)). As with previous initiatives of this nature, the underlying analyses were carried out in an automated manner, using a program specifically developed by the Bavarian data protection authority to verify compliance.

Time 2 Minute Read

On June 24, 2013, the European Commission announced new technical implementing measures that address the EU data breach notification requirement for telecom operators and internet service providers (“ISPs”). Based on a Commission Regulation, these companies must:

  • notify the competent national authority of the incident (or at least provide an initial description thereof) within 24 hours after detection of the breach;
  • outline which data are affected and what measures have been or will be taken by the company;
  • pay attention to the type of data compromised when assessing whether to notify subscribers (i.e. evaluating whether the breach is likely to have an adverse effect on personal data or privacy); and
  • use a standardized format for notifying the competent national authority (e.g. an online form which is the same for all EU Member States).

Time 1 Minute Read

On July 1, 2013, Practising Law Institute (“PLI”) hosts its first symposium on Cybersecurity 2013: Managing the Risk in New York. Hunton & Williams partner Lisa J. Sotto is the Chair of the event. The program features timely cybersecurity topics, including the threat landscape, the legal environment (such as the Obama Administration’s Executive Order on Cybersecurity), and how companies can manage cybersecurity incidents when they occur and seek to prevent cyber attacks before they occur. Hunton & Williams partner Paul M. Tiao and Centre for Information Policy Leadership ...

Time 5 Minute Read

On June 20, 2013, the UK Information Commissioner’s Office (“ICO”) launched its Annual Report and Financial Statements for 2012/13 (the “Report”). Introducing the Report, Information Commissioner Christopher Graham strongly emphasized that, as consumers become increasingly aware of their information rights, good privacy practices will become a commercial benefit and a business differentiator. He outlined the seven key “e”s of the ICO’s role: enforce, educate, empower, enable, engage, and to be effective and efficient.

Time 3 Minute Read

On June 14, 2013, the European Data Protection Supervisor (the “EDPS”) issued an Opinion regarding a joint communication by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, Cyber Security Strategy of the European Union: an Open, Safe and Secure Cyberspace (the “Strategy”), as well as the European Commission’s proposed draft directive to ensure uniformly high security measures for network and information security across the EU (the “NIS Directive”). The EDPS welcomes the recognition of privacy and data protection as core values of a robust cybersecurity policy, rather than the treatment of security and privacy as separate matters, but draws attention to several deficiencies, stating that “the ambitions of the strategy are not reflected in how it will be implemented.”

Time 2 Minute Read

On June 14, 2013, the French Data Protection Authority (“CNIL”) announced that last March it had created an internal working group to study the privacy issues arising from the access of the personal data of French citizens by foreign public authorities. The CNIL further announced that the working group has decided to organize meetings with the various concerned stakeholders (attorneys, telecommunications operators, public institutions and non-governmental organizations) and that it has already had discussions with some of them. A summary of the CNIL’s findings is expected to be published in September 2013.

Time 5 Minute Read

The UK Information Commissioner’s Office (“ICO”) has published guidance on the application of the Data Protection Act 1998 (“DPA”) to social networking sites and online forums. The guidance emphasizes that organizations and individuals that process data for non-personal purposes must comply with DPA requirements in their use of social networking sites and online forums just as they would in any other context.

Time 1 Minute Read

On June 7, 2013, the Japanese Government applied to participate in the APEC Cross-Border Privacy Rules program. Japan’s application will be reviewed to verify that Japan has the necessary legal mechanisms to ensure that certified companies can be held accountable. If approved, Japan will join the United States and Mexico, which also are APEC-certified economies, and it is likely a number of Japanese seal programs will apply for certification as accountability agents. Once the requisite elements are in place, Japanese companies will be able to apply for approval of their cross-border privacy rules.

Time 1 Minute Read

As we previously reported, on May 31, 2013, the Irish Presidency of the Council of the European Union’s Justice and Home Affairs released a draft compromise text in response to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.

Time 3 Minute Read

On June 6, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding key issues concerning the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). The discussions were based on the Irish Presidency’s draft compromise text on Chapters I to IV of the Proposed Regulation, containing the fundamentals of the proposal and reflecting the Presidency’s view of the state of play of negotiations. At the Council meeting, the Presidency was seeking general support for the conclusions drawn in their draft compromise text on the key issues in Chapters I to IV.

Time 2 Minute Read

On June 3, 2013, the French Data Protection Authority (“CNIL”) published an article outlining the importance of binding corporate rules (“BCRs”) for data processors, and describing how to use them.
