Privacy & Information Security Law Blog

On December 5, 2012, at 1:00 p.m. EST, the U.S. Department of Commerce’s International Trade Administration (“ITA”) will be hosting a webinar to discuss data privacy issues. Webinar participants will hear from Commerce privacy experts on the Obama Administration’s privacy blueprint. There also will be an update on significant international data privacy developments such as the Asia-Pacific Economic Cooperation (“APEC”) forum’s work to implement the Cross-Border Privacy Rules (“CBPRs”) system and the U.S.-European Union and U.S.-Swiss Safe Harbor ...

Following the launch of Hunton & Williams’ Data Protection Executive Briefing Paper on the proposed EU Data Protection Regulation, we are pleased to announce that on November 29, 2012, we will host a further workshop to explore the challenges facing processors under the draft Regulation. In this workshop, attendees will:

• Explore how obligations on processers are likely to expand significantly;
• Learn how these new obligations will affect both processors and controllers; and
• Create a checklist for preparing for the changes ahead.

On November 13-15, 2012, delegates at the IAPP Europe Data Protection Congress in Brussels were given insight into how discussions with key policymakers are progressing. As European Parliament rapporteur and Member of the European Parliament Jan Philipp Albrecht aims to finalize the reform of the EU Data Protection Directive by the end of the current European Parliament’s mandate in 2014, this ambitious goal faces numerous hurdles.

In partnership with SC Magazine, we are pleased to announce that on November 22-23, 2012, SC Magazine will host its 2012 Virtual Summit “Tackling the Big 3: Clouds, Consumerisation, Cybercrime,” featuring Hunton & Williams partner Bridget Treacy. Following a year of sharp increases in data breaches and regulatory fines, the SC Summit will explore and focus on cybercrime, mobile devices and cloud security – three key priorities for 2013. Bridget Treacy and Paul Swarbrick, Chief Information Security Officer and Head of Cybersecurity for National Air Traffic Services, will open the Summit with their keynote presentation, “Where’s the Danger? From Cybercrime to Consumerisation to the Cloud, Today’s Most Potent Threats Unmasked.” Paul will discuss the data security issues that keep him awake at night and Bridget will offer vital, current perspective on the ever-changing legal landscape.

On November 8, 2012, the 84th Conference of the German Data Protection Commissioners concluded in Frankfurt (Oder). This bi-annual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information Peter Schaar to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On November 10, 2012, the German working group on technical and organizational data protection matters published guidelines (in German) on the technical and organizational separation requirements for automated data processing on shared IT systems (the “Guidelines”). The working group is part of the Conference of the German Data Protection Commissioners, which recently concluded its 84th Conference in Frankfurt (Oder).

The UK Information Commissioner’s Office (“ICO”) recently published a questionnaire to gather feedback on how privacy seals might be used to improve data protection compliance and customer privacy awareness. The questionnaire is available online until November 30, 2012.

On October 26, 2012, three resolutions were adopted by the closed session of the 34th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. Below we provide an overview of these resolutions.

The Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) announced that it will host the 35th International Conference of Data Protection and Privacy Commissioners on September 23-27, 2013, in Warsaw, Poland. The first two days will be dedicated to the closed session, with the open sessions and side events taking place September 25-27.

In February 2013, the GIODO will facilitate the Global Accountability Project for which the Centre for Information Policy Leadership acts as Secretariat.

On October 29, 2012, the UK Information Commissioner’s Office (“ICO”) served private sector financial services company The Prudential Assurance Company Limited (“Prudential”) with a monetary penalty of £50,000 in connection with a serious violation of the Data Protection Act 1998 (“DPA”). The violation concerned a mix-up involving Prudential customer details. In March 2007, the customer records of two individuals who shared the same first name, surname and date of birth were mistakenly merged into a single customer record. Over the course of the following three years, mortgage and pension policy information relating to each customer was routinely sent to the wrong individual until Prudential took steps to separate the two customers’ records in September 2010.

On October 31, 2012, the UK Information Commissioner’s Office (“ICO”) published a consultation on changes to the notification process in the UK (the “Consultation”), which will be open for comment until November 30, 2012. The purpose of the Consultation is to provide the ICO with feedback on its proposed changes regarding: (1) whether an online and telephone payment service would be beneficial to data controllers, (2) whether the inclusion of contact details for information requests is useful and (3) whether the format of the public register should become narrative-based. The ICO is also seeking input regarding whether these changes would make the public register more meaningful and notification simpler for data controllers.

On October 24, 2012, the UK Justice Select Committee (the “Committee”), appointed by the House of Commons to examine the expenditure, administration and policy of the UK Ministry of Justice, published its opinion on the proposed General Data Protection Regulation (the “Proposed Regulation”) and proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”). In the opinion, the Committee agrees that new proposals are necessary, both to update the existing data protection framework and to “confer on individuals their new rights and freedoms.” The Committee expresses reservations, however, regarding a number of key issues, and concludes that the European Union data protection proposals “need to go back to the drawing board.” The Committee notes that in its present form, the Proposed Regulation will not produce a “proportionate, practicable, affordable or effective system of data protection in the EU.”

On October 26, 2012, following the Justice Council’s meeting, Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, delivered a speech highlighting that the Commission’s proposed data protection law reform package is currently at a crucial stage in the negotiation process. Commissioner Reding stated that “[a] high level of data protection will turn the European Union into an international standard setter” and that “[o]nly a high level of data protection will generate trust between citizens and private enterprises.” Commissioner Reding conceded, however, that “[w]e do not want rules that place an excessive burden on business,” and that the Commission is prepared to make certain concessions relating to the draft proposals in order to “strike the right balance.”

On October 23, 2012, just two weeks after issuing a series of reports highlighting the UK Information Commissioner’s Office’s (“ICO’s”) concerns regarding data protection compliance within the public sector, the ICO has imposed a monetary penalty of £120,000 and issued an enforcement notice against Stoke-on-Trent City Council (“Stoke Council”) in relation to a serious data breach. The breach involved the transmission of sensitive personal information related to a child protection case by email in an unmarked and unprotected manner to the incorrect email address.

On October 24, 2012, Peter Hustinx, the European Data Protection Supervisor, speaking at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay, called the proposed EU Data Protection Regulation an “ambitious” undertaking, designed to achieve three goals.

First, Hustinx said the regulation is intended to provide the structure for European data protection for at least the next 20 years.

Second, the draft regulation will eliminate the wide variety of requirements that has resulted from the current EU Data Protection Directive’s being transposed into national law in 27 member states.

This year, the International Conference of Data Protection and Privacy Commissioners takes place in Punta del Este, Uruguay. On October 22, 2012, Article 29 Working Party President Jacob Kohnstamm kicked off the conference with the Public Voice session, sending a clear message that the Article 29 Working Party will resist EU data protection reform proposals involving the use of consent and legitimate business interests as legal bases for data processing.

Governance for next generation data applications increasingly will depend less on individual consent, and more on ...

In the opening session of the 34th International Conference of Data Protection and Privacy Commissioners, Conference Executive Committee Chair and Article 29 Working Party President Jacob Kohnstamm introduced this year’s conference. He noted that the topic of this year’s closed session will be profiling. Kohnstamm also indicated that future DPA conferences would focus on the closed session, which typically is comprised of current and former data protection authorities. Among the speakers in the 2012 closed session is Professor Fred H. Cate, Senior Policy Advisor for the Centre for Information Policy Leadership at Hunton & Williams LLP.

On October 17, 2012, Colombia enacted a new omnibus data protection law known as Ley 1581 del 17 de octubre de 2012 por el cual se dictan disposiciones generales para la protección de datos personales. The law contains significant notice and consent requirements, special provisions for the processing of children’s data, European-style data subject rights (e.g., access and correction), special obligations applicable specifically and directly to service providers, a registration requirement and cross-border data transfer restrictions. The law also provides for the ...

On October 15, 2012, Privacy Commissioner of Canada Jennifer Stoddart and the Federal Commissioner for Data Protection and Freedom of Information in Germany, Peter Schaar, signed an agreement to increase intra-authority collaboration between their organizations. The agreement covers the exchange of information between the two data protection authorities, for example by informing each other of pending complaints. Notably, the agreement also addresses coordination between the DPAs with respect to their supervision of international data processing activities.

On October 15, 2012, the Singapore Parliament passed the Personal Data Protection Act 2012. Though a law has been under discussion for quite some time, this bill was introduced before Parliament only recently, in September of this year. The new law will apply only to data processing in the private sector as data processing by public agencies (or organizations acting on behalf of public agencies) are already subject to internal government rules. Reportedly, the bill will become law in January 2013, enforceable after 18 months, in mid-2014.

On October 5, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion providing further input on the recent data protection reform discussions in the EU. The Opinion follows the Working Party’s first Opinion on the EU data protection reform proposals issued on March 23, 2012.

On September 22, 2012, the Peruvian Ministry of Justice and Human Rights issued a draft regulation to implement Peru’s new Personal Data Protection Law. The comment period expires on October 5, 2012; however, the U.S. Department of Commerce’s International Trade Administration has requested an extension to allow additional time for comments. The Centre for Information Policy Leadership at Hunton & Williams LLP is considering high-level comments on the draft regulation. It is thought that Peru may intend to issue the final regulation prior to the 34th International ...

On September 27, 2012, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), together with the German Federal Commissioner for Data Protection, published a guide on traffic data retention. The guide, which is aimed at telecom providers, includes a comprehensive chart that clarifies data retention periods for different types of services, such as telephone, SMS, Internet and email, and their respective types of traffic data (e.g., mobile identification numbers, IP addresses and International Mobile Equipment Identity data) based on the purposes for the data storage.

On September 27, 2012, the European Commission presented its new strategy on cloud computing, entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission’s strategy is outlined on a new webpage that includes a communication document and a more detailed staff working paper.

On September 27, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on complying with the requirements of the UK Data Protection Act 1998 (“DPA”) in the context of cloud computing services (the “Guidance”). In its Guidance, the ICO reminds data controllers that transferring personal data to the cloud does not absolve them of their compliance obligations under the DPA.

On July, 19, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that the Principality of Monaco ensures an “adequate level of protection” for personal data within the meaning of the European Data Protection Directive (Article 25 of Directive 95/46/EC) (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an “adequate” level of data protection.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

In a detailed, 27-page decision (Admin. App. 24867-02-11 IDI Insurance v. Database Registrar), the Tel Aviv District Court recently upheld the validity of an instruction issued by the data protection regulator restricting financial institutions from using information about a third party’s attachment of their client’s account for the financial institution’s own purposes. The court held that the regulator is authorized to issue market instructions interpreting the law. The decision is likely to have far-reaching effects on the validity and weight given to a series of detailed guidance documents and market instructions published by the Israeli Law, Information and Technology Authority (“ILITA”) over the past two years. These include instructions regarding:

As of September 1, 2012, all personal data in Germany may only be processed and used for marketing purposes (including address trading) with the express opt-in consent of the affected individuals. Furthermore, the consent language must have been specifically drawn to the attention of the relevant individual as part of the terms and conditions governing the use of his or her personal data.

On August 21, 2012, the European Commission formally approved Uruguay’s status as a country providing “adequate protection” for personal data within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC). This follows the Article 29 Working Party’s earlier favorable Opinion issued in 2010, and takes into account certain interpretative assurances and clarifications provided by Uruguay. Accordingly, transfers of personal data from the EU to Uruguay may now take place without additional intergovernmental guarantees and in accordance with applicable data protection provisions.

On August 30, 2012, Taiwan’s Executive Yuan announced that the Personal Data Protection Act will become effective on October 1, 2012. In connection with the announcement, the Executive Yuan also proposed several amendments to certain controversial provisions to be discussed by the Legislative Yuan in September.

Reportedly, the amendments would include the following changes:

1. adding “medical records” as a type of sensitive personal data, and inserting exceptions to restrictions on the use of sensitive personal data (e.g., for public interest reasons or with the data ...

On August 15, 2012, Philippines President Benigno S. Aquino III signed the Data Privacy Act of 2012 passed earlier this year by the Philippine Senate and House of Representatives. Concerns about the creation of the National Privacy Commission and the criminal penalties associated with the Act delayed final enactment.

On August 8, 2012, the Federal Trade Commission settled with HireRight Solutions, Inc. (“HireRight”) for failure to comply with certain Fair Credit Reporting Act (“FCRA”) requirements. At first blush, the case may appear to be a simple FCRA matter – the FTC alleged that HireRight functioned as a consumer reporting agency when providing employment screening services to companies, but then failed to take steps to assure the accuracy of those reports and prevented consumers from dispute inaccurate information. Despite initial appearances, however, the case has broader geopolitical implications.

On July 24, 2012, Lisa J. Sotto, partner and head of the Global Privacy and Data Security Practice at Hunton & Williams LLP, gave a presentation on “Data Privacy in the Global Era” to the Western Independent Bankers Service Corporation. Sotto discussed U.S., EU and other international privacy laws, with a focus on two specific areas of interest, cloud computing and vendor management. Listen to the webcast now.

On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.

Lisa Sotto, partner and head of the Global Privacy and Data Security Practice at Hunton & Williams, was interviewed on July 18, 2012 about her participation in the USAID-funded Judicial Reform and Government Accountability Project’s initiative to educate and provide data protection awareness to the Serbian government. As we reported last week, Sotto was invited to Belgrade to assist Rodoljub Sabic, Serbia’s Commissioner for Information of Public Importance and Personal Data Protection, and the JRGA Project. Sotto, who also is Chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, spent last week advising the Commission on steps to enhance Serbia’s data protection framework.

On July 12, 2012, the National Telecommunications and Information Administration (“NTIA”) of the U.S. Department of Commerce initiated a multistakeholder process to develop guidance for transparency in the mobile environment. The NTIA has announced that they will schedule a second meeting in August, and encouraged small group discussions in the interim. This is not the first multistakeholder process to wrestle with transparency in the mobile environment, and those previous efforts – which date back almost a decade – may prove useful to such discussions.

On June 27, 2012, the Hong Kong Legislative Council passed a bill to amend the Personal Data (Privacy) Ordinance (the “Ordinance”). The amendment will become effective in phases. Most provisions will become effective on October 21, 2012, and the others will take effect on a day to be announced by publication in the Hong Kong Government Gazette.

In a July 9, 2012 press release issued by Rodoljub Sabic, Serbia’s Commissioner for Information of Public Importance and Personal Data Protection, the Commissioner commented on his meeting with Hunton & Williams’ Lisa Sotto, who was invited to Serbia by the Commissioner and the USAID-funded Judicial Reform and Government Accountability Project to provide advice and education on data protection issues.

In June, China’s National Internet Information Office and its Ministry of Industry and Information Technology jointly published draft amendments to the Regulation on Internet Information Services (the “Regulation”). The amendments update the Regulation to cover new issues related to the rapid development of Internet services in China since the Regulation first took effect on September 25, 2000. Although the Regulation originally contained no specific provisions directly pertaining to the protection of personal information, the draft amendments do address personal information protection issues.

On July 1, 2012, the Article 29 Working Party (the “Working Party”) adopted WP196 (the “Opinion”) setting out an analysis of the legal framework associated with cloud computing, as well as recommendations directed at both data controllers and data processors in the European Economic Area (the “EEA”). The Opinion identifies two data protection risks associated with the deployment of cloud computing services, namely: (1) lack of control over the data and (2) lack of information on data processing. Cloud computing and the range and geographical dispersion of the various parties involved also have raised significant uncertainty in terms of applicable law, which the Working Party previously analyzed in its Opinion 8/2010. Below is an overview of the different topics covered in the Opinion issued on July 1.

On June 27, 2012, the Conference of the German Federal and State Data Protection Commissioners (the “Conference”) issued a Resolution and a comprehensive guidance paper regarding data protection compliance with respect to smart metering.

Smart metering is the use of intelligent energy networks and meters for monitoring and billing purposes. According to the Resolution, smart meter systems help guarantee a sustainable energy supply in terms of resource efficiency, environmental friendliness and the efficient production, distribution and use of energy. The guidance paper issued by the Conference describes and analyzes the individual processing activities involved in the various uses of smart metering in light of German data protection law. In particular, the guidance paper describes the “use cases” in terms of the respective level of data protection involved.

On June 28, 2012, the UK Ministry of Justice outlined its negotiating position on the proposed EU Data Protection Regulation (the “Proposed Regulation”) in its published “Summary of Responses - Call for Evidence on Proposed EU Data Protection Legislative Framework” (the “Summary”).

The Call for Evidence sought to gain perspective and solicit feedback on how the Proposed Regulation would impact organizations and individuals in the UK. The responses received from the private sector were the most significant, which is not surprising given the potentially huge impact on business.

On June 6, 2012, the Article 29 Working Party (the “Working Party”) adopted WP 195 (the “Opinion”) setting out the requirements for Binding Corporate Rules (“BCRs”) for processors. Similar to WP 153, the Opinion lists the requirements to be covered in the processor BCRs application form and the BCRs document itself. The Opinion likely will be welcomed by processors, in particular those that provide large-scale, multinational data processing services.

On May 31, 2012, the UK Information Commissioner’s Office (“ICO”) published a draft anonymization code of practice (the “Code”) which will be open to public consultation until August 23, 2012. The purpose of the Code is to provide organizations with guidance on how personal data can be anonymized successfully, and how to assess the risk of individuals being identified using data that has been anonymized. The ICO also has launched a £15,000 invitation to tender to establish a network of experts to share best practices regarding anonymization.

On June 7, 2012, the Federal Trade Commission announced settlement agreements with two businesses that allegedly exposed customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on their company computers and networks.

In its complaint against Franklin’s Budget Car Sales (“Franklin”), a Georgia automobile dealership that also provides financing services to its customers, the FTC alleged that Franklin failed to implement reasonable security measures to protect the consumer personal information that Franklin routinely collects in connection with its business. The FTC claimed that personal information of approximately 95,000 customers, including names, Social Security numbers, addresses, dates of birth, and drivers’ license numbers were made available and disclosed by a P2P application installed on a computer that was connected to Franklin’s computer network. In addition to alleging violations of Section 5 of the FTC Act, the FTC also claimed that Franklin violated the Gramm-Leach Bliley Act (“GLB”). This is the first FTC case against an auto dealer involving GLB violations. The FTC stated in its complaint that Franklin failed to implement reasonable security policies and procedures in violation of the GLB Safeguards Rule, and also failed to send consumers annual privacy notices and to provide the required opt-out mechanisms in violation of the GLB Privacy Rule.

On June 7, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion analyzing the exemptions to the prior opt-in consent requirement for cookies. Although the Opinion focuses on cookies, the Working Party also notes that the same analysis applies to any technology allowing information to be stored or accessed on a user’s computer or mobile device.

On May 24, 2012, the German Federal Government submitted to the Parliament (Bundestag) a proposal to amend the Geodatenzugangsgesetz, a federal law concerning access to geographical data that has been in force since 2009.

The current law implements Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (“INSPIRE”). In addition to establishing a national geographical data infrastructure, the law aims to provide a legal framework for (1) accessing geographical data, geographical data services and metadata of organizations that maintain such data, and (2) using such data and services, in particular with regard to measures that may affect the environment. The law applies to federal agencies and corporations under public law.

On May 26, 2012, the United States government submitted its request to participate in the APEC Cross-Border Privacy Rules (“CBPRs”) system. The CBPRs system was endorsed by APEC leaders in November 2011. The protocol requires a participating economy to submit:

• A letter of intent to participate;
• Confirmation that a privacy enforcement agency in the economy is a participant in the Cross-Border Privacy Enforcement Arrangement;
• Notice that the economy intends to make use of at least one APEC-recognized accountability agency; and
• A description of the domestic laws and other legal mechanisms to give effect to the enforcement activities related to the activities of the accountability agent, which also must include an enforcement map.

On May 25, 2012, the UK Information Commissioner’s Office posted updated guidance on how to comply with amendments to EU data protection law requiring businesses to obtain consent from website visitors to store information on their computers and retrieve that information in the form of cookies. Last year, the ICO gave organizations a grace period expiring on May 26, 2012, to comply with the new cookie rules.

On May 4, 2012, Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP (“the Centre”), interviewed British Columbia’s Information and Privacy Commissioner Elizabeth Denham during the Centre’s First Friday call. Commissioner Denham discussed the April 2012 release of “Getting Accountability Right with a Privacy Management Program,” new guidance issued by the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia. The guidance addresses the Commissioners’ expectations for accountable privacy programs as required by Canadian law. Commissioner Denham described the guidance as “a tool to help organizations comply with the law,” providing “a roadmap to sound data governance,” with clear, practical terms for organizations to achieve accountability.

Hunton & Williams is pleased to announce that Chambers and Partners has ranked the firm in “Band 2” in its 2012 Chambers Europe guide for TMT: Information Technology: Belgium. Brussels managing partner Wim Nauwelaerts was recognized for his “very straightforward” and “no-nonsense approach.”

The Uruguayan Personal Data Control and Regulatory Unit has released the preliminary agenda for the 34th International Conference of Data Protection and Privacy Commissioners to take place October 23-24, 2012 in Punta del Este, Uruguay, at the Conrad Hotel. The conference theme is “Privacy and Technology in Balance.” The preliminary agenda with session descriptions and other information is available on the conference website at www.privacyconference2012.org.

As we previously reported, on May 3-4, 2012, the European data protection authorities’ (“DPAs’”) Spring Conference was held in Luxembourg, and the Data Protection Commissioners closed the conference by issuing a resolution on European data protection reform. In their resolution, the Data Protection Commissioners expressed general satisfaction with the ongoing modernization of the data protection frameworks of the European Union, the Council of Europe and the Organization for Economic Cooperation and Development.

Following a meeting in Sopot, Poland, on April 24, 2012, the International Working Group on Data Protection in Telecommunications (the “Working Group”), led by the Berlin Commissioner for Data Protection and Freedom of Information, issued a Working Paper that focuses on privacy and data protection issues related to the use of cloud computing in the international context. The Working Paper aims to reduce uncertainty regarding the definition of cloud computing and how the technology intersects with privacy, data protection and other legal issues.

On May 2, 2012, Australia’s Attorney General Nicola Roxon announced that the Australian government will introduce a bill to the Australian Parliament that will enact a number of the recommendations from the 2008 Law Reform Commission Report (ALRC Report 108) and reform privacy law in Australia. Discussion drafts of segments of the bill were considered by a Senate Committee in 2011. On May 4, Australian Privacy Commissioner Timothy Pilgrim presented an overview of the draft legislation at an event held during the iappANZ Privacy Awareness Week. Commissioner Pilgrim noted that the legislative package includes:

On May 3, 2012, Viviane Reding, Justice Commissioner and European Commission Vice-President, delivered a speech during the European data protection authorities’ (“DPAs’”) Spring Conference, which was held in closed sessions in Luxembourg. In her speech, Commissioner Reding discussed how the proposed EU Data Protection Regulation aimed to empower the DPAs and addressed some of the DPAs’ primary concerns with the reform.

On April 27, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) submitted comments to the latest Singapore consultation on proposed personal data protection legislation, the Personal Data Protection Act 2012. The consultation is being conducted by the Ministry of Information, Communications and the Arts and expired on April 30, 2012.

On April 19, 2012, the French Data Protection Authority (the “CNIL”) issued a press release detailing its enforcement agenda for 2012. In a report adopted March 29, 2012, the CNIL announced that it will conduct 450 on-site inspections this year, with particular focus on the specific themes described below. The CNIL also indicated that it will continue the work started in 2011 with at least 150 additional inspections related to video surveillance, especially with respect to surveillance in locations that are frequented by large numbers of individuals.

The UK Information Commissioner’s Office’s (“ICO”) has revised its statutory Code of Practice on assessment notices (the “Code”). The ICO first issued the Code in 2010, when its audit powers came into force. The Code has now been updated to reflect changes in auditing standards and practices.

Join Hunton & Williams at the 2012 Europe Data Protection Intensive, now hosted by the International Association of Privacy Professionals (“IAPP”) in London, April 25-26, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

On April 17, 2012, the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia released guidance on their expectations for accountable privacy programs as required by Canadian law. The guidance, entitled “Getting Accountability Right with a Privacy Management Program,” discusses the building blocks of a comprehensive privacy program for businesses of all sizes. Although intended for a Canadian audience, the paper likely will have worldwide influence given recent privacy law developments around the globe.

On March 8, 2012, during the CeBIT international IT trade show, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) accepted the German Insurance Association’s application for certification of the “Trusted German Insurance Cloud,” a project that aims to establish a secure IT platform for the German insurance industry.  The parties previously had agreed to work together to develop practical requirements for a secure cloud solution, and to implement appropriate security measures in the “Trusted ...

On March 22, 2012, the Article 29 Working Party (the “Working Party”), adopted an Opinion analyzing the privacy and data protection law framework applicable to the use of facial recognition technology in online and mobile services, such as social networks and smartphones. The Working Party defines facial recognition as the “automatic processing of digital images which contain the faces of individuals for the purpose of identification, authentication/verification or categorization of those individuals.”

On March 23, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Commission’s data protection law reform proposals, including the draft Regulation that is of particular importance for businesses. The Working Party’s Opinion serves as the national data protection authorities’ contribution to the legislative process before the European Parliament and the European Council.

On March 19, 2012, the European Commission hosted this year’s Safe Harbor Conference in Washington, D.C., to address the transfer of data from Europe to the United States. Although it appears the Safe Harbor framework will remain unchanged for the time being, it seems unlikely the United States will be considered adequate, or even interoperable, with the EU for purposes of cross-border data transfers.

On March 22, 2012, the 83rd Conference of the German Data Protection Commissioners came to an end in Potsdam. The attendees indicated their general support for the European Commission’s proposed reform package aimed at modernizing and harmonizing data protection laws in the EU, but insist that Member States should have the authority to implement more stringent data protection measures for the area of public administration.

On March 20, 2012, the Senate of the Philippines unanimously approved the omnibus Data Privacy Act of 2011, also known as “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for This Purpose a National Data Protection Commission, and for Other Purposes” (S.B. 2965). Once signed into law, the legislation will impose a privacy regime modeled on the EU Data Protection Directive. It features significant notice, consent and data breach notification requirements, and it imposes direct ...

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 7-9, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

• Mending Fences after a Breach Thursday, March 8, 12:15 p.m. Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection.

On February 24, 2012, the German Federal Constitutional Court (Bundesverfassungsgericht) ruled that certain provisions in the Federal Telecommunications Act concerning the disclosure of telecom user data to law enforcement agencies violate the German constitution. The Court held that strict conditions apply when law enforcement authorities and intelligence agencies ask telecommunications service providers (which may include hospitals and hotels) to turn over certain user data, i.e. passwords and PIN codes.

On January 25, 2012, the UK Information Commissioner’s Office (“ICO”) published an initial statement welcoming the European Commission’s proposed new General Data Protection Regulation (the “Proposed Regulation”), and commended the Commission’s efforts to strengthen the rights of individuals, recognize important privacy concepts such as privacy by design and privacy impact assessments, and include accountability requirements.

The American Bar Association’s (“ABA’s”) House of Delegates adopted a non-binding resolution urging courts to consider foreign data protection and privacy laws when resolving discovery issues. The full text of the resolution is as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

On February 16, 2012, the European Court of Justice held in the SABAM vs. Netlog case (C-360/10) that imposing an obligation on social networks to install a “general filtering system” to prevent all users from sharing copyrighted music is disproportionate to the extent that such filters may infringe on user privacy rights or block lawful communications. SABAM, a Belgian copyright association, had filed an injunction against social network provider Netlog that would have required Netlog to install filtering systems to prevent copyright infringements by Netlog users. The Belgian court deciding on the injunction requested a preliminary ruling from the ECJ.

Since October 2011, the Hong Kong Office of the Privacy Commissioner for Personal Data has published three “Guidance Notes” to help data users comply with the Personal Data (Privacy) Ordinance (the “Ordinance”). These Notes are not legally binding, nor are they intended to serve as an exhaustive guide to the application of the Ordinance, but they provide good, practical examples and tips that the Commissioner has developed as it has implemented the Ordinance.

On January 25, 2012, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on data protection issues relating to the European Patients Smart Open Services (“epSOS”) project. epSOS is a pilot project focused on developing an information and communications technology infrastructure that enables access to patient health information (i.e., Patient Summaries) among different EU Member States for the purpose of providing medical treatment. The project also aims to facilitate the cross-border use of electronic prescriptions (i.e., ePrescriptions). epSOS involves the collaboration of a significant number of health care provider organizations and companies that contribute their knowledge and expertise to the project.

On July 13, 2011, Hong Kong’s Personal Data (Privacy) (Amendment) Bill 2011 (the “Bill”), was introduced in the Legislative Council. Although the Bill has not yet been subject to an official vote, there have been several noteworthy developments.

Monetary penalties are one mechanism in a suite of tools that the UK Information Commissioner’s Office (“ICO”) uses to encourage compliance with data protection regulations. The ICO generally uses monetary penalties to sanction deliberate or negligent breaches of the law, but the purpose is not to impose financial hardship but rather to “act as an encouragement towards compliance, or at least as a deterrent against non-compliance.” The following is a brief overview of the ICO’s authority to issue monetary penalties.

On February 7, 2012, the UK Ministry of Justice launched its Call for Evidence on the European Commission’s proposed general data protection regulation and criminal justice data protection directive (the “Proposals”). The Ministry is looking to gain perspective and solicit feedback on how the Proposals likely would impact organizations and individuals in the UK.

The Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) recently issued a regulation entitled “Several Provisions on Regulating Market Orders of Internet Information Services” (the “New Regulations”). The New Regulations, which will take effect on March 15, 2012, include significant new data protection requirements applicable to Internet information service providers (“IISPs”). Consistent with data protection regimes currently in place elsewhere in the world, IISPs will be required to provide much stronger protection for the personal data they collect from users in China, and will be subject to notice and consent requirements, collection limitations and use limitations.

In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.

In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.

Throughout 2011, the UK Information Commissioner’s Office (“ICO”) escalated its use of data protection audits, encouraging organizations to submit to voluntary audits and seeking to increase its ability to conduct compulsory audits. Currently, the ICO has the authority to compel central government departments to undergo audits, but it would like to extend compulsory audits to include local government, the national health service and the private sector.

On January 26, 2012, the German Data Protection Commissioners (“DPAs”) of the federal states Rhineland-Palatinate and Hesse held a joint press conference to present their views on the European Commission’s legislative proposal for a comprehensive reform of current EU data protection rules. The day before, the European Commission proposed replacing the existing EU Data Protection Directive 95/46/EC with a Regulation that would be directly applicable in all European Member States and therefore not require implementing legislation on the national level.

On January 25, 2012, the European Commission released a data protection law reform package, including its proposed General Data Protection Regulation (the “Proposed Regulation”). The UK Information Commissioner’s Office (“ICO”) has reacted positively to the Proposed Regulation, in particular commending efforts to strengthen the rights of individuals, the recognition of important privacy concepts such as privacy by design and privacy impact assessments, and new accountability requirements to ensure organizations properly demonstrate and document their data protection safeguards and procedures.

On January 12, 2012, Hunton & Williams hosted an hour-long webinar on the current enforcement environment in the U.S. and EU. The webinar, Current Trends in Global Privacy Enforcement, covered issues ranging from the Federal Trade Commission’s tougher approach to investigations to increased monitoring of corporate privacy practices by European data protection authorities. Hunton & Williams speakers included Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, London partner Bridget Treacy, London senior attorney Rosemary Jay and Brussels ...

On December 28, 2011, UK Information Commissioner Christopher Graham outlined the ICO’s agenda for 2012 in a post on the ICO blog, highlighting the European Commission’s proposals for reviewing the EU data protection framework, the post-legislative scrutiny process with respect to the UK Freedom of Information Act (“FOIA”) and the ICO’s Information Rights Strategy. The Commissioner cautioned against allowing data protection compliance to fall by the wayside in the current, tough economic climate, especially given the inevitable reputational damage caused by big data breaches and the ICO’s power to impose fines.

As reported in BNA’s Privacy Law Watch, EU Member States are working on an overarching privacy framework agreement with the United States. The framework agreement, which may be used as a starting point for future negotiations, aims to reduce the amount of time and resources required to prepare new agreements between the European Union and the United States.

On January 25, 2012, the European Commission published its long-awaited legislative package to reform EU data protection rules. The package includes a regulation that covers data processing in the private sector and by public authorities and a directive covering data processing for criminal justice purposes, as well as a communication, a report on the protection of personal data processed in the framework of police and judicial cooperation, and an impact assessment with a summary.

On January 17, 2012, the European Commission initiated expedited infringement proceedings against Hungary over recent changes to its Constitution which are considered incompatible with EU law. The proceedings follow a number of changes made to the Hungarian Constitution that came into effect on January 1, 2012. Of particular concern to the Commission are amendments affecting the independence of the national data protection authority. The Hungarian government has one month to comply, or face enforcement proceedings in the European Court of Justice.

On November 30, 2011, the French Court of Cassation upheld a decision that excluded the application of the French Data Protection Act (Loi relative à l’informatique, aux fichiers et aux libertés) to an investigation conducted by the French Competition Authority (Autorité de la Concurrence) on the grounds that the search and seizure was authorized by an “freedoms and custody judge” (juge des libertés et de la détention).

According to a spokesperson at the European Commission, the publication of the proposal for the review of the EU Data Protection Directive (95/46/EC) has been postponed until late February or March 2012. The draft proposal was scheduled to be officially released in late January after it was leaked in December 2011. According to various sources, the proposal received negative responses from several Directorates-General over the course of the “inter-service consultation,” some of whom have voiced their concern that the proposed new framework would be stricter than the current legal framework and thus may have a negative impact on businesses. For example, parts of the proposal, such as the right to be forgotten, are viewed by some as potentially too burdensome for companies.

On December 13, 2011, the Information Commissioner issued updated guidance on compliance with recent changes to UK law governing the use of cookies (The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (“Regulations”)). Organizations were given a twelve-month grace period to comply with the new law. Initial guidance on the Regulations was released on May 9, 2011, but the Information Commissioner characterized that guidance as merely a “starting point for getting compliant rather than a definitive guide,” signaling that further advice would follow if appropriate. The release of the updated guidance coincides with the Information Commissioner’s interim report on organizations’ attempts to achieve compliance in which he concluded that organizations “must try harder” with their cookie compliance efforts.

On December 21, 2011, Mexico issued the final version of its Regulations of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares). The regulations, which contain mostly minor changes to the prior draft that was released in October, will take effect on December 22, 2011. Notable updates in this final draft include:

• clarification of notice and consent requirements;
• changes to restrictions on cloud computing;
• updates to requirements regarding data transfers; and

On December 8, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Advertising Standards Alliance (“EASA”) and IAB Europe best practice recommendations for the online behavioral advertising (“OBA”) industry to comply with Article 5.3 of the revised e-Privacy Directive 2002/58/EC (the “cookie clause”). The cookie clause requires a user’s informed consent for the use of cookies and similar technologies that store and access information in the user’s terminal device. Finding practical ways of complying with the cookie clause has proven challenging for the OBA industry, which relies heavily on these kinds of tracking mechanisms.

Shortly before Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, gave her keynote address on binding corporate rules (“BCRs”) at the IAPP Europe Data Protection Congress in Paris, Hunton & Williams co-authored two articles on BCRs with the French Data Protection Authority (“CNIL”):

Lithuanian firm LAWIN Lideika, Petrauskas, Valiūnas ir partneriai reports that recent amendments to Lithuania’s Law on Legal Protection of Personal Data and the Law on Electronic Communications have established a breach notification requirement. Specifically, providers of publicly-available electronic communications services or of public communications networks must notify the data protection authority of data security breaches, and, when the breach is likely to have an adverse effect on the privacy of affected individuals, the data controller also may be required ...

On November 29, 2011, at the International Association of Privacy Professionals (“IAPP”) Europe Data Protection Congress in Paris, France, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, provided insight into details of the proposals for the revised EU data protection framework. She focused explicitly on solutions for international data transfers, promoting Binding Corporate Rules ("BCRs") as a solution that can offer a simplified, yet comprehensive, structure for safeguarding international flows of data. Commissioner Reding referred to BCRs as offering the possibility of consistent enforcement and legal certainty, without stifling innovation.

On November 17, 2011, the German Association for Data Protection and Data Security (“GDD”) held its 35th Privacy Conference (“DAFTA”) in Cologne, Germany. At the opening plenary session, Paul Nemitz, Director for Fundamental Rights and Citizenship of the European Commission, announced that the European Commission plans to implement a Regulation that is directly applicable to all EU Member States, to harmonize data protection laws in Europe.

On November 16, 2011, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2010 (the “Report”) highlighting its main 2010 accomplishments and outlining some of its priorities for the upcoming year. This year’s Report covers events that occurred since last year’s publication of the Annual Activity Report for 2009.

On November 3, 2011, the Labor Chamber of the French Court of Cassation (the “Court”) upheld a decision against a company that unlawfully used a geolocation device to track the company car of one of its salesmen. Although the company notified the salesman that a geolocation device would be used to optimize productivity by analyzing the time he spent on business trips, the device was in fact used to monitor his working hours, which ultimately led to a pay cut.

On November 2, 2011, Germany’s Federal Minister of the Interior met with stakeholders from the social networking industry and announced the development of a self-regulatory code for social networks. According to the Ministry’s press release, the code is aimed at enhancing data protection, consumer protection and the protection of minors on the Internet.

In endorsing the initiative, the Interior Minister stated, “self-regulation can also prove efficient in the social networking context, allowing for quick and flexible arrangements that enhance transparency and user ...

In the past two months, Chinese national authorities amended a law, and provincial authorities in Jiangsu Province issued a new regulation, both of which include provisions concerning the protection of personal information.

Law of the People’s Republic of China on Resident Identity Cards

Any Chinese citizen who resides in China is required to obtain a resident identity card when he or she turns 16 years old. The cards carry information which generally would be considered personal information under Chinese law, such as name, gender, date of birth, home address and identity card number. The Law of the People’s Republic of China on Resident Identity Cards, a national law originally enacted in 2003, was amended on October 29, 2011, to include the following new provisions on the protection of personal information: