Privacy & Information Security Law Blog

On January 11, 2010, the data protection authority of the German federal state of Baden-Wurtemberg issued a press release stating that it had fined the Müller Group €137,500 for illegal retention of health-related data and failure to appoint a Data Protection Officer.

In April 2009, the German press reported that the Müller Group, a drugstore chain comprised of twelve entities and employing some 20,000 workers, was illegally collecting health data from its employees.  Specifically, employees returning from sick leave were required to complete a form and provide the reason for their sicknesses.  After conducting an investigation, the DPA confirmed these allegations.  Since 2006, the Müller Group entities had systematically requested employees returning from sick leave to identify the reasons for their sicknesses on a form that was then sent to the Group’s central Human Resources department to be scanned.  As of April 2009, approximately 24,000 records containing data on employee illnesses were being stored in Müller’s centralized HR files.

On January 12, 2010, Ms. Viviane Reding, Commissioner-designate for Justice, Fundamental Rights and Citizenship, was questioned during a public hearing before the European Parliament.  During this hearing, Ms. Reding revealed her priorities in the field of privacy and data protection.  “Fundamental rights and data protection will be top of the line” said Ms. Reding, who explained that she intends to incorporate the EU’s data protection rules into a modern and comprehensive legal instrument.

On January 12, 2010, the UK government laid regulations before Parliament to bring into force civil monetary penalties of up to £500,000 ($800,000) for serious data breaches.  These penalties are likely to take effect starting April 6, 2010.  Significantly, the penalties will apply not only to data security breaches, but also to all serious breaches of the UK Data Protection Act 1998.  Accordingly, collecting personal data for a sweepstakes contest then deliberately, and without consent, disclosing the data to a third party to populate a tracing database for commercial purposes might well be subject to a penalty.

On December 26, 2009, the Standing Committee of China’s National People’s Congress passed a landmark new law that contains provisions affecting personal data. The new law will go into effect on July 1, 2010.

The P.R.C. Tort Liability Law is a wide-ranging law that imposes tort liability for matters ranging from environmental damage to product liability to animal bites. Certain of its provisions relate, expressly or in a general sense, to personal information. These provisions can cause data users to incur liability to data subjects for the mishandling of personal information.

On January 8, 2010, the Swiss Federal Administrative Court (“Bundesverwaltungsgericht”) published a decision that declared the transfer of banking data to U.S. law enforcement authorities by the Swiss bank UBS to be illegal.  In late 2009, UBS transferred the data of over 300 customers suspected of evading U.S. taxes to the U.S. Department of Justice and Internal Revenue Service following an order issued by the Swiss Financial Market Supervisory Authority (“Finma”) pursuant to an agreement Finma reached with the U.S. authorities.

In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement.  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

On January 5, 2010, the Article 29 Working Party published an opinion dated December 1, 2009, finding that Israeli data protection law largely provides an "adequate level of data protection" under the European Union Data Protection Directive 95/46.  The European Commission will now take this opinion into account when determining whether to issue an "adequacy decision" for Israel in the coming months.  Such a decision would provide that data transfers to Israel from the EU are adequately protected for purposes of compliance with the Directive ...

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

On November 3, 2009, the Higher Regional Court of Düsseldorf (OLG Düsseldorf, Az. I-20 U 137/09) ruled on the duty to verify consent for email marketing with respect to purchased email addresses. According to the Court, a company that purchases email addresses for marketing purposes must verify customer consent itself – the company cannot rely on a data broker’s statement that it obtained the necessary consents.

This decision came in an interim injunction proceeding to cease unsolicited email marketing. The Court ruled in favor of the claimant, finding that the company ...

On November 30, the Council of the European Union agreed to allow U.S. anti-terrorism authorities access to financial data of individuals located in the EU under certain circumstances. Under the agreement, U.S. authorities will continue to have access to data collected by Society for Worldwide Interbank Financial Telecommunication ("SWIFT") after a SWIFT database located in Switzerland becomes active later this year (the data had previously been processed in a database located in the U.S.). The agreement contains restrictions on access to the data that have been negotiated ...

Commissioner Viviane Reding has been chosen as Commissioner for Justice, Fundamental Rights, and Citizenship in the new European Commission that is set to take office in early 2010 (assuming approval by the European Parliament).  Ms. Reding's responsibilities will thus include data protection, including the Commission's ongoing review of the EU framework for data protection.  She is currently EU Commissioner for Information Society & Media, where she oversaw review of the e-Privacy Directive and the EU legislative framework for telecommunications.  Commission President ...

On November 12, 2009, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V., “vzbv”), a non-governmental organization acting as an umbrella for 41 German consumer associations announced that the social networks Xing, MySpace, Facebook, Lokalisten, Wer-kennt-Wen and StudiVZ signed undertakings that they would discontinue use of certain terms and conditions and data protection provisions.  The vzbv sent warning notices to the six leading social network providers regarding a number of clauses.

The main criticism from vzbv referred to ...

On November 24, 2009, the European Parliament formally approved the European Union's telecoms reform package.  This reform proposed by the European Commission in November 2007 consists of various different EU Directives that set-up the legal framework applicable to the electronic communications sector (telecoms) and includes a new e-Privacy Directive.

New provisions of the e-Privacy Directive will strengthen the protection of privacy and personal data in the electronic communication sector and includes the following:

• mandatory notification for personal data breaches ...

On October 29, 2009, the European Commission (the “Commission”) proceeded to the second phase of infringement proceedings against the UK relating to the UK’s implementation of EU e-privacy and personal data protection laws.  EU Member States must ensure the confidentiality of communications by prohibiting interception and surveillance without user's consent.  The Commission maintains that the UK has failed to fully implement these requirements into its national laws and has identified three specific flaws in the existing UK laws governing the confidentiality of electronic communications:

• The UK does not have an independent national authority responsible for (i) supervising the interception of communications and (ii) complaints about unlawful interception of electronic communications, despite the requirement to this effect contained within EU laws and imposed on Member States;

On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”).  Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.

In a closed session on November 5, 2009, the 31st International Conference of Data Protection and Privacy Commissioners adopted the International Standards on the Protection of Personal Data and Privacy (the “Standards”).  Although the document is advisory in nature and is not legally binding, it offers guidance to States that have not yet adopted comprehensive data protection laws.  The Spanish Data Protection Agency, which acted as the secretariat for drafting the Standards, held two meetings that included more than fifty privacy enforcement agencies, privacy advocates and businesses before hosting a final drafting session that was reserved for recognized data protection authorities.

Every year since 2005, the United States, the European Commission and the Article 29 Working Party on Data Protection meet to review the latest developments in the U.S.-EU Safe Harbor Framework, as well as changes in privacy compliance, information security and data protection.  This year’s  International Conference on Cross Border Data Flows, Data Protection and Privacy occurs November 16 - 18 and features leading experts who will examine these issues and others, as well as changes made to the approval process for binding corporate rules.  Join our privacy professionals, Martin ...

Background

On November 9, 2009, the UK's Ministry of Justice launched a consultation seeking the public's views on the proposed implementation of a maximum penalty of £500,000 (approximately US$837,950) for serious breaches of the UK Data Protection Act 1998 (the "DPA").  This Consultation follows the Information Commissioners' publication of draft guidance this week, explaining the circumstances in which a fine will be imposed.  The launch of the Consultation puts to rest recent speculation as to the level of fine likely to be imposed for a deliberate or serious breach of the DPA, including for data security breaches.

The DPA imposes obligations on data controllers that process personal data to: (i) process personal data fairly and lawfully; (ii) obtain personal data only for specified lawful purposes, and not further process personal data in any manner incompatible with such purposes; (iii) ensure that personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) ensure that personal data are accurate and, where necessary, kept up-to-date; (v) keep personal data only for as long as is necessary for the purposes for which they are collected; (vi) process personal data in accordance with individuals' rights; (vii) implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (viii) not transfer personal data to a jurisdiction outside the European Economic Area unless that jurisdiction affords adequate protection levels for individuals' rights and freedoms in relation to the processing of personal data.

In 1980, the Organization for Economic Cooperation and Development (“OECD”) first published privacy guidelines that included an accountability principle.  Since that time, little work has been done to define accountability or to describe what it means for organizations to be accountable for the responsible use and protection of data.  In an effort to fill that gap, The Centre for Information Policy Leadership has authored “Data Protection Accountability: The Essential Elements” which articulates the conditions organizations would have to meet to be accountable.  The Accountability paper is the result of the Galway Accountability Project, an initiative facilitated by Ireland’s Office of the Data Protection Commissioner and co-sponsored by the OECD.  As the project’s secretariat, the Centre served as principal drafter of the Accountability paper, which considers the concept of accountability as it applies in the current data environment where data collection and use is ubiquitous, data flows are difficult or impossible to track, and jurisdictional issues abound as data crosses national borders.  The Galway Project enlisted specialists from twelve countries, and the participation of privacy protection agencies from Europe, Asia and North America.  Consumer advocates and business representatives also took part.  The Accountability paper will bring a critical international perspective to the dialogue on changing privacy law in Europe, the United States and Canada.

Janet Napolitano, Secretary of the Department of Homeland Security, and Alfredo Perez Rubalcaba, the Spanish Minister of the Interior, spoke in contrasting tones today of the difficulties of finding the right balance between security and privacy.  The theme "Striving for a Balance Between Security and Privacy" was debated during the first plenary session of the 31st International Conference of Data Protection and Privacy Commissioners in Madrid.

On November 4, join our privacy professionals at the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, Spain.  Participate in various presentations on ways to manage the most challenging data protection issues in today’s global environment.  In addition, the International Association of Privacy Professionals (“IAPP”) will host a Data Protection and Privacy Workshop in conjunction with the conference.

On Friday, October 23, 2009, the German Railways Operator Deutsche Bahn AG announced that they would pay a fine of over €1.1 million that was imposed on October 16, 2009 by the Berlin data protection authority.  This fine is the highest ever imposed by a German data protection authority.  The imposition of this fine follows a major data protection scandal that reportedly broke out within the company.  From 2002 to 2005, Deutsche Bahn had screened a large quantity of employee data and compared it to supplier data in an effort to combat corruption, but without specific suspicions related to ...

Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data.  These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces.  The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest.  Also, the potential penalties for violation ...

Hunton & Williams is pleased to announce that Richard Thomas CBE, the former UK Information Commissioner, has joined the firm as Global Strategy Adviser.  Richard Thomas was the UK’s Information Commissioner from November 2002 until his retirement at the end of June 2009.  He was appointed by HM The Queen and held independent status, reporting directly to Parliament, on a range of regulatory, promotional and advisory responsibilities under the Data Protection Act 1998, the Freedom of Information Act 2000 and related laws.  He also served as a member of the European Union’s Article ...

On October 14, 2009, the Australian government released a report entitled “Enhancing National Privacy Protection” that contains proposed reforms to Australia’s privacy laws, including the Privacy Act 1988 (“Privacy Act”).  In announcing the report, Cabinet Secretary and Special Minister of State Joe Ludwig stated that the reforms aim to “provide for one set of streamlined Privacy Principles for Australian Government agencies and private sector organizations which will provide greater clarity and cut red tape.”  The report comprises the first stage of a two-stage response to a report issued by the Australian Law Reform Commission (“ALRC”) in 2008 that contained 295 recommendations to revise Australian privacy laws and practices.

The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday.  As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner, Bridget Treacy, Christopher Graham positioned himself as a fair, but tough, regulator who will not be afraid to use his strengthened enforcement powers.

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

On October 2, the Council of Europe's Consultative Committee of the Convention 108 on Data Protection ("T-PD") for the first time made publicly available its "Draft Recommendation on the Protection of Individuals with regard to Automatic Processing of Personal Data in the Framework of Profiling."  When it is finalized, the Draft Recommendation will be one of the first documents dealing with online profiling in the private sector issued by an international organization.  The International Chamber of Commerce ("ICC"), which has observer status in the T-PD, has been working to obtain ...

On September 23, 2009, the Information Commissioner's Office (the "ICO"), the UK's data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation's binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.

Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State's DPA acts as the lead authority on a company's BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.

The Federal Trade Commission (“FTC”) has secured a temporary restraining order against a company that allegedly falsely claimed to have self-certified to the EU/U.S. Safe Harbor Program.  One count of the FTC's complaint claims that the company (named Balls of Kryptonite, LLC) misled consumers by inaccurately representing that it had self-certified to the U.S. Department of Commerce that it was Safe Harbor compliant.  While the FTC has not alleged a substantive violation of the Safe Harbor, this case is significant for two reasons.  First, it marks the first time the FTC has brought an enforcement action with respect to the Safe Harbor Program.  The court order prohibits the defendants from misrepresenting the extent to which they “are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.”  Second, the FTC acted in concert with the UK Office of Fair Trading after consumers in the UK registered complaints with the FTC using a website established by 25 international consumer protection agencies to facilitate global consumer protection efforts.  This is the first time the FTC has used the U.S. SAFE WEB Act of 2006 to enforce consumer protection regulations against a U.S. company operating exclusively outside the United States.

On August 19, 2009, the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl €36,000 (approximately $51,000) for illegally keeping records of employee health data.

The case was triggered by a report in the German news magazine Der Spiegel.  A Bochum resident found papers and forms containing Lidl employees' health data in a trash bin at a car wash and forwarded them to the magazine.  Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees' medical ...

On August 19, 2009, the Official Journal published guidelines issued by the French Data Protection Authority (Commission nationale de l’informatique et des libertés (the “CNIL”)) regarding transfers of personal data carried out in the context of U.S. discovery proceedings (the “Guidelines”). The CNIL’s publication comes in the wake of a recent increase in the volume of requests made to French-based companies involved in U.S. litigation to disclose information or documents for the purposes of civil pre-trial discovery.

Privacy laws in China are still evolving, and at this time there is no coordinated legal framework addressing data protection.  There are, however, a number of Chinese laws that are applicable to the processing and protection of personal information.  Navigating the indirect, piecemeal Chinese approach to regulation in this area may prove challenging for foreign counsel accustomed to practicing in jurisdictions with explicit privacy protection legislation and data security laws.  To shed some light on these issues, we have prepared an overview of various Chinese laws that bear on ...

On July 28, 2009,  the Data Privacy Subgroup meeting at the Asia-Pacific Economic Cooperation (APEC) Forum in Singapore reported a number of privacy-related legislative developments on the horizon.  Among the highlights:

• On July 15, the Malaysian Cabinet approved privacy legislation to be enacted by the Parliament in early 2010 
• Vietnam is set to enact consumer protection legislation including privacy provisions in 2010 
• Hong Kong's Privacy Commissioner will soon begin a review process to evaluate how privacy law has kept up with changing technology
• The Philippines is set to enact ...

On July 3, 2009, the German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act (the "Federal Act"). These amendments also passed the Federal Council on July 10, 2009, and the revised law will enter into force on September 1, 2009. The new amendments cover a range of data protection-related issues, including marketing, security breach notification, service provider contracts and protections for employee data. They also include new powers for data protection authorities and provide for increased fines for violations of data protection law ...

The UK Financial Services Authority (FSA) has announced today fines for three HSBC entities totaling £3 million for failing to have adequate systems and controls in place to protect their customers' confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

The cost to register as a data controller in the United Kingdom is likely to increase significantly later this year, rising from £35 to £500 for companies with annual sales of at least £25.9 million and 250 or more employees.

The UK Information Commissioner has proposed a two-tiered fee structure as part of the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (the “Regulations”).  The Regulations are expected to come into force as of October 1, 2009.

The UK Information Commissioner is initiating a consultation to develop a code of practice that will help companies address online privacy issues. It is anticipated that the code will provide guidance on the following matters:

• Operating a privacy-friendly website
• Rights and protections for individuals
• Privacy choices and default settings
• Cyberspace and territoriality

On June 3, 2009, the French Senate’s Commission on Laws issued a report on the right to privacy in the digital age (‘La vie privée à l’heure des mémoires numériques’) (the “Report”). The issuance of the Report is perhaps the most important legislative initiative in France in the field of privacy and data protection since the implementation of the EU Data Protection Directive in 2004.

On April 27, 2009, the Article 29 Working Party issued a new working document (WP 155 rev.04) on frequently asked questions relating to binding corporate rules ("BCRs").  Two new FAQs were adopted: (1) FAQ 10 deals with the relationship between EEA data protection laws and BCRs; and (2) FAQ 11 relates to the reversal of the burden of proof in the context of BCRs.  The Working Party reiterated that, although BCRs may offer an adequate level of protection to personal data being transferred within the same company, they do not exempt multinationals from complying with national data ...

On May 13, 2009, the French Data Protection Authority (“CNIL”) published its Annual Activity Report.  The Report highlights increasing enforcement activity, noting a record number of investigations, formal notifications and fines.  Having recently celebrated its thirtieth anniversary, the CNIL stated that it seeks to constantly evolve and meet the challenges of modern society by pursuing three key points: (i) diversifying its sources of financing; (ii) increasing the number of personnel; and (iii) including data protection and privacy rights in the French constitution in the near future.

On May 19 and 20 the European Commission held a conference which was perhaps the most important data protection event in Brussels since the Commission conference on evaluation of the EU Data Protection Directive 95/46/EC held in 2002. The conference was part of the Commission's current evaluation of the Directive, and was designed to explore both the current status of data protection in the EU and where it is headed in the coming years. Speakers included Jacques Barrot, the European Commissioner in charge of justice, freedom and security; Alex Türk, chairman of the CNIL (French Data Protection Authority) and the Article 29 Working Party; European Data Protection Supervisor Peter Hustinx; and representatives of European academia, business and non-governmental organizations.

On May 15, 2009, the German Federal Council adopted the "Act against unsolicited commercial phone calls and improvement of consumer protection."  According to the Act, violations of the existing prohibition on unsolicited commercial phone calls can now be sanctioned with a fine up to € 50,000.

In addition, the Act clarifies that a commercial phone call is only lawful if the recipient has given his or her prior explicit consent to receive the call.  The provision is intended to prevent the caller's reliance on consent that may have been given by the recipient in a totally different ...

As a consequence of the data protection scandals at Deutsche Telekom AG over the last few years, the company is committed to reviewing these incidents by publishing an annual data protection report.  On April 28, 2009, the first data protection report for year-end 2008 was issued and is intended to show the public that Deutsche Telekom is focused on the transparency of its data protection practice.  The first chapter of the report contains an overview of the crucial incidents relating to data protection issues in 2008.  The following chapters present the operative focal points of the ...

In November, the 31st International Conference of Data Protection and Privacy Commissioners will approve a resolution that will include an international standard for privacy protection called the “Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data.”  The standard will be submitted to the United Nations as the basis for a treaty.  This is not the conference’s first attempt to reach consensus on an international standard, but it is the first to include robust processes that will begin to narrow the issues that divide nations on data protection law.

On May 12, 2009, the European Commission issued a long-awaited recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (“RFID”).  The recommendation follows a process initiated in 2006 when the European Commission launched a public consultation on RFID technologies.  Following this public consultation and in order to protect consumers’ privacy and data protection, the European Commission decided to take further steps by preparing a recommendation to regulate the use of RFID.

The UK Information Commissioner's Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.

The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners' Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.

On May 6, 2009, the proposed amendments to the e-Privacy Directive received a second reading in the European Parliament.  In addition to other measures, it will include a definition of “personal data breach” and will introduce a data breach notification requirement. 

The review of the e-Privacy Directive forms part of a wider review of telecoms legislation.  The objective of that review is to improve network security and integrity, to increase protection for user personal data and to improve measures to prevent spam and “cyber attacks.”  The scope of the amended Directive will include the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks within the European Community, including public communications networks supporting data collection and identification devices.

In February 2009, the Ponemon Institute published the results of its inaugural study "Germany - 2008 Annual Study: Cost of a Data Breach."  The study is the first such research study undertaken in Germany, using data from actual incidents to estimate the costs of dealing with data breaches by German companies.  The study examined the experience of 18 German organizations that suffered a breach.  These case studies reviewed ranged in size an incident involving less than 3,750 records to an incident involving more than 90,000 records.  The breaches reviewed occurred across ten industry ...

On March 17, 2009, the Article 29 Working Party released Opinion 3/2009 on the Commission’s draft decision for standard contractual clauses (SCCs), which discusses proposed updates of the clauses allowing the transfer of personal data to sub-processors established in third-world countries, in light of increased global outsourcing practices. Opinion 3/2009 is available here, and further analysis on the Working Party’s Opinion is available here.

To read more and for more EU data protection updates, please click here.

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. 

On March 17, the Article 29 Working Party released its Opinion 3/2009 (dated March 5) on standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU. The Opinion deals with proposed changes to the European Commission's decision 2002/16 containing standard clauses for controller to processor transfers. The Opinion discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing. Although not mentioned in the Opinion, the March 17 Opinion is based on the proposal made in October 2006 to the European Commission by three business groups (the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU) and the Federation of European Direct and Interactive Marketing (FEDMA)). The proposal of the three business groups would amend the existing clauses from 2002 to bring them into line with business realities.

On March 11, 2009, the operators of Germany's leading social networks, which include "schuelerVZ," "studiVZ,"  "lokalisten" and "wer-kennt-wen," signed a 17-page Code of Conduct by the Association for Voluntary Self-Regulation of Multimedia Service Providers (the “Code”) in order to protect children and young people. The Code of Conduct aims to improve data protection and consumer protection in social networks and, in particular, to protect young people against harassment. The Code requires that a privacy notice be displayed directly after the registration process and ...

On 2 March 2009, a Belgian Criminal court (Tribunal correctionnel de Termonde, No. DE 20.95.16/08/25) fined Yahoo! Inc., €55,000 ($71,745) for refusing to disclose to a Belgian Public Prosecutor the personal data of its e-mail users who were under criminal investigation for fraud. The Criminal court also imposed a daily penalty fee of €10,000 ($13,045) in a case of non-compliance with the judgment.  This decision was reached despite Yahoo!’s argument that Belgian law did not apply because the company does not maintain a legal entity in Belgium and does not store any customer data in Belgium.

On February 16, 2009, the US-Swiss Safe Harbor Framework, which is comparable to the EU-US Safe Harbor Framework, was adopted. The US-Swiss framework is intended to simplify the transfer of personal data by Swiss companies to American companies that are self-certified with the US Department of Commerce (DOC). Self-certified US companies are bound by the principles contained in the framework. They will automatically be considered as providing an adequate level of data protection under Swiss law.

Read more about EU data protection updates.

The Federal Trade Commission, the Asia-Pacific Economic Cooperation forum, and the Organisation for Economic Co-operation and Development are hosting a multinational workshop on "Securing Personal Data in the Global Economy" in Washington, D.C. on March 16-17, 2009. In anticipation of that workshop, the Centre for Information Policy Leadership at Hunton & Williams LLP is releasing this white paper with ten key recommendations for data breach and information security policy, drawn from published research and extensive experience with data breaches, breach notices, and ...

The Information Commissioner’s Office (the “ICO”) has conducted a dawn raid on a business which operated a covert database containing details of 3,213 workers in the construction industry (the “Database”). Subscribers included over 40 construction companies, publicly named by the ICO, who used the database to vet prospective employees, without their knowledge or consent.

Emerging economies developing privacy laws are confronted with two challenges: how best to protect the privacy interests of local citizens and how to put in place privacy governance that assures companies and individuals outside the economy that information that flows into the region is properly protected and secured.  The APEC Privacy Framework provides sound guidance for drafters engaged in this effort.  By recognizing that privacy reflects the mores and values of local culture, it provides an approach to privacy protection that can be adapted to reflect the needs of local citizens within a widely recognized and adopted architecture.  At the same time, it sets out requirements for strong security, compliance with rules governing the use and management of data and cross-border cooperation for dispute resolution and enforcement. 

The UK Advertising Standards Authority (“ASA”) recently upheld a complaint under the UK Committee of Advertising Practice Code (“CAP Code”) which requires UK marketers to obtain the explicit consent of consumers before disclosing their personal information to third parties for direct marketing purposes.

The Standing Committee of the National People’s Congress recently passed an amendment to the P.R.C. Criminal Law.  The amendment includes a provision imposing criminal liability on persons who misappropriate personal information during the course of performing their professional duties.  A previous Hunton & Williams Client Alert reported on the amendment that has now become effective as law.

On February 11, 2009, the EU Article 29 Data Protection Working Party released its long-awaited Working Document (the “Working Document”) on reconciling U.S. civil discovery requirements with European data protection law. The guidelines the Working Document offers for data controllers highlight the challenges that multinational businesses face to comply with competing legal obligations in civil litigation.

The Criminal Court of Milan has suspended proceedings against four Google executives to allow time to address relevant procedural considerations.  The proceedings mark the culmination of a two-year investigation conducted by Italian authorities.  The investigation focused on video footage made available on Google Video that depicted a disabled boy being taunted by his fellow classmates.  As result of the video footage, Google executives face charges of defamation and privacy infringement.

For purposes of the criminal proceedings, Google is considered an internet content ...

In SACEM v. Cyrille Saminadin (Cour de Cassation, chambre criminelle, 13 janvier 2009), the SACEM (a representative body of authors, composers, and music editors) asked one of its agents to carry out an investigation and to collect evidence of copyright infringements on a peer-to-peer network. After selecting a peer-to-peer network, the agent manually typed in the title of a song belonging to one of the rights holders and searched for all available files corresponding to this title. The agent then randomly selected one of these files and saved all the information relating to it (IP address, country of origin, name of the internet service provider, etc.) onto a CD-ROM as evidence for use in filing a complaint. The question raised in this case was whether such activity constitutes data processing requiring the prior authorization of the French Data Protection Authority (CNIL).

On February 4, 2009 the Trilateral Committee on Transborder Data Flows met in Mexico City.  The committee is comprised of representatives from the Canadian, Mexican and U.S. governments and is part of the Security and Prosperity Partnership of North America.  The Trilateral Committee invited representatives from the private sector to give testimony on current and potential impediments to the free flow of personal data in North America.

On December 2, 2008, the European Court of Human Rights (ECHR) ruled in K.U. v. Finland that Article 8 of the European Convention on Human Rights requires national laws to protect individuals from serious online privacy infringements, but also that the national legal framework must allow for the identification and prosecution of offenders. This case involved an advertisement of a sexual nature, which was placed on an Internet dating site on behalf of the applicant, who was twelve years old at the time, without his knowledge ...

The Centre for Information Policy Leadership’s Executive Director, Marty Abrams, brings you these thoughts on a recent data protection summit in Barcelona.

Harmonized international data protection rules have been privacy’s Holy Grail since the EU Directive was enacted in 1995. Harmonized, globally recognized rules would simplify life for privacy protection authorities and companies. Numerous efforts have been undertaken to create a harmonized code. The most recent, an international standards project led by the Spanish Data Protection Commissioner, began on January 12 as international privacy experts met in Barcelona. The Spanish Data Protection Commissioner leads the project, and the finished product — a harmonized privacy code that will be the basis for a data protection treaty— will be a center-piece of the 31st International Conference of Data Protection and Privacy Commissioners on November 2009 in Madrid. 

The Barcelona meeting focused on a draft standards document developed by the Spanish Data Protection Authority, Agencia Espanola de Proteccion de Datos.  The document integrates many of the elements from the OECD Privacy Guidelines, Council of Europe Convention, EU Directive and APEC Privacy Framework.  In its 30 sections, the document recognizes almost every concept found in this existing guidance.

On December 5, 2008, the Austrian data protection authority ("DPA") issued its first decision on the implementation of a whistleblowing hotline as required by the Sarbanes-Oxley Act ("SOX"), to be administered by the Austrian subsidiary of a U.S.-based company. The DPA partly approved the data transfers from the Austrian entity to the U.S. entity for the purpose of enabling it to prosecute "serious incidents" caused by the behavior of executive managers. The DPA ordered the Austrian subsidiary to implement a contract guarantying data subjects the ability to exercise their rights ...

A law that could increase the level of protection of personal information is circulating among legislative bodies in China. The proposed PRC Tort Liability Law would include clauses providing protections for personal information, by giving a person whose rights are infringed by the use of Internet services a right to demand deletion of the infringing materials. Another clause imposes liability on an Internet service provider that fails to take timely measures after receiving such a demand. Read more...

On December 1, 2008, a strict anti-spam law came into effect in Israel.  The legislation, enacted as an amendment to the country’s Communications Law, prohibits the delivery of advertisements using mobile text messaging, email, fax or automatic dialing systems without first obtaining the recipient’s explicit written consent.  The law contains several exceptions to the prior consent requirement.  For example, advertisers may reach out to businesses to inquire whether they wish to receive marketing communications.  Advertisers also may send unsolicited marketing ...

Scarcely a month after the world media was flooded with news of the catastrophic terrorist attacks in Mumbai, headlines are once again rife with articles on the global impact of events in India. This time, the news has focused on Satyam Computer Services (“Satyam”), previously one of India’s largest and most prestigious outsourcing providers, and a series of missteps that began in October 2008, when alarming allegations of possible involvement in a customer security breach surfaced in the media. After that news, there were allegations of misdeeds with customers, a failed ...

On October 1, 2008, the Article 29 Working Party issued a toolkit on Binding Corporate Rules (BCRs) aimed at promoting them as a mechanism for transferring data to countries without an adequate level of data protection. The toolkit includes: (1) a table highlighting the elements and principles to be found in BCRs (WP 153); (2) a document setting up a framework for the structure of BCRs (WP 154); and (3) a revised version of the FAQs on BCRs (WP 155). The toolkit also announced the creation of a mutual recognition procedure between nine national data protection authorities ...