Privacy & Information Security Law Blog

On June 6, 2014, Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, outlined the progress that has been made with respect to the proposed EU General Data Protection Regulation (the “Proposed Regulation”) in a meeting of the Council of the European Union, acting through the Justice Council (the “Council”). In particular, the Council has agreed on two important aspects of the Proposed Regulation.

On May 9, 2014, the Federal Trade Commission announced a settlement with clothing manufacturer American Apparel related to charges that the company falsely claimed to comply with the U.S.-EU Safe Harbor Framework. According to the FTC’s complaint, the company violated Section 5 of the FTC Act by deceptively representing, through statements in its privacy policy, that it held a current Safe Harbor certification even though it had allowed the certification to expire.

On April 10, 2014, the Article 29 Working Party (the “Working Party”) issued a letter (the “Letter”) to Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, expressing its views on the European Commission’s ongoing revision of the EU-U.S. Safe Harbor Framework.

On March 21, 2014, the Article 29 Working Party (the “Working Party”) issued a Working Document containing draft ad-hoc contractual clauses for transfers of personal data from data processors in the EU to data sub-processors outside the EU (the “Working Document”).

On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.

The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.

On March 13, 2014, the European Parliament voted to adopt the draft directive on measures to ensure a uniform level of network and information security (“NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013 as part of its cybersecurity strategy for the European Union. The NIS Directive aims to ensure a uniform level of cybersecurity across the EU. The European Parliament will next negotiate with the Council of the European Union to reach an agreement on the final text of the NIS Directive.

View the European Commission’s press release.

On March 12, 2014, the European Parliament formally adopted the compromise text of the proposed EU General Data Protection Regulation (the “Regulation”). The text now adopted by the Parliament is unchanged and had already been approved by the Parliament’s Committee on Civil Liberties, Justice and Home Affairs in October of last year. The Parliament voted with 621 votes in favor, 10 against and 22 abstentions for the Regulation.

On February 27, 2014, Chairwoman of the French Data Protection Authority (the “CNIL”) Isabelle Falque-Pierrotin was elected Chairwoman of the Article 29 Working Party effective immediately. Ms. Falque-Pierrotin succeeds Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, who chaired the Article 29 Working Party for four years. The Working Party also elected two new Vice-Chairs: Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, and Gérard Lommel of the Luxembourg Data Protection Authority.

On February 21, 2014, Peter Hustinx, the European Data Protection Supervisor (“EDPS”), highlighted the need to enforce existing EU data protection law and swiftly adopt EU data protection law reforms as an essential part of rebuilding trust in EU-U.S. data flows.

On February 11, 2014, the Federal Trade Commission announced a proposed settlement with Fantage.com stemming from allegations that the company made statements in its privacy policy that deceptively claimed that Fantage.com was complying with the U.S.-EU Safe Harbor Framework.

On January 28, 2014, Data Protection Day, Vice-President of the European Commission and Commissioner for Justice Fundamental Rights and Citizenship Viviane Reding gave a speech in Brussels proposing a new data protection compact for Europe. She focused on three key themes: (1) the need to rebuild trust in data processing, (2) the current state of data protection in the EU, and (3) a new data protection compact for Europe.

On January 21, 2014, the Federal Trade Commission announced settlements with twelve companies that allegedly falsely claimed that they complied with the U.S.-EU Safe Harbor Framework. The settlements stem from allegations that the companies violated Section 5 of the FTC Act by falsely representing that they held current Safe Harbor certifications despite having allowed their certifications to expire. The companies involved represent a variety of industries, ranging from technology and accounting to consumer products and National Football League teams.

The EU-U.S. Safe Harbor Framework is an important cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. Recently, however, the Safe Harbor’s future has been thrown into doubt. In an article published on October 30, 2013 by Practical Law, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, partner Bridget Treacy and associate Naomi McBride, examine the Safe Harbor Framework and its future ...

As we previously reported, on October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Hunton & Williams has now published an analysis of these proposals.

On December 3, 2013, Lawrence Strickling, Department of Commerce Assistant Secretary for Communications and Information, spoke at the American European Community Association Conference in Brussels on Data Protection: The Challenges and Opportunities for Individuals and Businesses. Strickling discussed the Obama Administration’s commitment to “preserving the dynamism and openness of the Internet, enhancing the free flow of information, and strengthening our Internet economy.” He addressed the issues surrounding U.S. surveillance operations and the European Commission’s recent report on Safe Harbor. Strickling also provided a progress report on improvements to consumer privacy protection since the White House released its Consumer Privacy Bill of Rights in February 2012, including an update on the National Telecommunications and Information Administration’s (“NTIA’s”) multistakeholder process to develop industry codes of conduct.

On November 27, 2013, the European Commission published an analysis of the EU-U.S. Safe Harbor Framework, as well as other EU-U.S. data transfer agreements. The analysis includes the following documents:

The Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

On October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). The approval follows months of negotiations between the various parliamentary committees. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) has been in charge of working toward an agreement on the Compromise Text in the European Parliament.

On September 26, 2013, the UK Information Commissioner’s Office (“ICO”) published new breach notification guidance (the “Guidance”), applicable to telecom operators, Internet service providers (“ISPs”) and other public electronic communications service (“ECS”) providers.

On September 6, 2013, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding traveled to Berlin where she commented on the status of the negotiations on the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Commissioner Reding indicated that she was looking for Germany to become involved in the discussions about the Proposed Regulation at the highest level, and she argued in favor of stricter regulations given recent revelations about surveillance programs such as PRISM. Because the vote on the Proposed Regulation only requires a majority to pass, she also emphasized that it would not be necessary to obtain the agreement of all of the EU Member States (for example, the UK or Ireland).

This week a new breach notification regulation takes effect across the EU. The Regulation on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC (the “Regulation”) specifies the technical measures of how Internet service providers, telecommunications providers and other public electronic communications service (“ECS”) providers must notify of data breaches.

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

On July 24, 2013, the Conference of the German Data Protection Commissioners at both the Federal and State levels issued a press release stating that surveillance activities by foreign intelligence and security agencies threaten international data traffic between Germany and countries outside the EEA.

On July 18-19, 2013, the European Union Justice and Home Affairs Council held an informal meeting in Vilnius, Lithuania, where Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, openly criticized the U.S.-EU Safe Harbor Framework.

On June 25, 2013, the Belgian Data Protection Authority (the “Privacy Commission”) and the Belgian Ministry of Justice agreed on a Protocol establishing new rules for the approval of international data transfer agreements.

Senior Attorney Rosemary Jay reports from London:

On June 25, 2013, Advocate-General Jääskinen of the European Court of Justice (“ECJ”) delivered his Opinion in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v AEPD” or the “case”).

The case concerns Google Search results, and whether individuals have a right to erasure of search result links about them. The Opinion concludes that under current law, individuals have no such right. The European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) would introduce a right to be forgotten. However, this Opinion appears to demonstrate unease with the basic concept of such a right.

On July 4, 2013, the European Parliament adopted new EU legislation to fight cyber crime. The Directive on attacks against information systems (the “Directive”) (see the Committee on Civil Liberties, Justice and Home Affairs’ report tabled for plenary), together with the launch of the European Cybercrime Centre and the adoption of the EU cybersecurity strategy, will strengthen the EU’s overall response to cyber crime and contribute to improving cybersecurity for all EU citizens.

On June 24, 2013, the European Commission announced new technical implementing measures that address the EU data breach notification requirement for telecom operators and internet service providers (“ISPs”). Based on a Commission Regulation, these companies must:

• notify the competent national authority of the incident (or at least provide an initial description thereof) within 24 hours after detection of the breach;
• outline which data are affected and what measures have been or will be taken by the company;
• pay attention to the type of data compromised when assessing whether to notify subscribers (i.e. evaluating whether the breach is likely to have an adverse effect on personal data or privacy); and
• use a standardized format for notifying the competent national authority (e.g. an online form which is the same for all EU Member States).

On June 7, 2013, the Japanese Government applied to participate in the APEC Cross-Border Privacy Rules program. Japan’s application will be reviewed to verify that Japan has the necessary legal mechanisms to ensure that certified companies can be held accountable. If approved, Japan will join the United States and Mexico, which also are APEC-certified economies, and it is likely a number of Japanese seal programs will apply for certification as accountability agents. Once the requisite elements are in place, Japanese companies will be able to apply for approval of their cross-border privacy rules.

As we previously reported, on May 31, 2013, the Irish Presidency of the Council of the European Union’s Justice and Home Affairs released a draft compromise text in response to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.

On June 6, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding key issues concerning the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). The discussions were based on the Irish Presidency’s draft compromise text on Chapters I to IV of the Proposed Regulation, containing the fundamentals of the proposal and reflecting the Presidency’s view of the state of play of negotiations. At the Council meeting, the Presidency was seeking general support for the conclusions drawn in their draft compromise text on the key issues in Chapters I to IV.

On June 3, 2013, the French Data Protection Authority (“CNIL”) published an article outlining the importance of binding corporate rules (“BCRs”) for data processors, and describing how to use them.

On June 5, 2013, Hunton & Williams hosted a seminar in the firm’s London office: Tracking the Draft EU Regulation ̶ General Update and the Concept of the “One-Stop Shop.” Bridget Treacy, Rosemary Jay and Tim Hickman of Hunton & Williams gave a presentation on the operation and effects of the “consistency mechanism” to be introduced in the proposed General Data Protection Regulation. The June 5 update was the most recent in Hunton & Williams’ ongoing series of Executive Briefings on the Proposed Regulation. The consistency mechanism is intended to ensure that, once the ...

On May 30, 2013, the European Court of Justice held that Sweden failed to fulfill its obligations under EU law when it delayed complying with the Court’s 2010 ruling regarding the country’s implementation of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”). The Court ordered Sweden to pay a lump sum of €3,000,000.

On May 31, 2013, the Council of the European Union’s Justice and Home Affairs released a draft compromise text in response to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.

On May 16, 2013, UK Trade & Investment (“UKTI”), a UK government department working with businesses based in the UK to ensure their success in international markets, published the first export strategy paper (the “Paper”) on the UK’s approach to the $100 billion annual cybersecurity export market.

In November 2011, the UK’s Cyber Security Strategy was published. ‘Objective 1’ of the strategy’s implementation plan recognized that cyberspace is an important and expanding part of the UK economy. One of the supporting actions for Objective 1 was to develop a ...

On April 30, 2013, the UK government announced guidance on its consultation on cybersecurity standards (the ”Consultation”). The Consultation was launched in March 2013, and follows the UK government’s recent announcement regarding a cybersecurity partnership initiative to facilitate information-sharing on cyber threats.

In March 2013, the UK government launched its consultation on cybersecurity standards (the “Consultation”) following the government’s recent announcement regarding a cybersecurity partnership initiative to facilitate information sharing on cyber threats.

On May 6, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) discussed the progress of the proposed General Data Protection Regulation (”Proposed Regulation”). LIBE’s lead rapporteur, Jan Philipp Albrecht, noted that, in light of the significant number of amendments tabled, more time is needed for the other rapporteurs to deliberate. As a result, the vote originally scheduled for May 29, 2013 on the lead rapporteur’s report regarding amendments to the Proposed Regulation has been postponed.

On April 22, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the proposed data protection impact assessment template for smart grid and smart metering systems (“DPIA Template”). Expert Group 2 of the European Commission’s Smart Grid Task Force submitted the DPIA Template to the Working Party following the European Commission’s March 9, 2012 recommendation regarding preparation for the roll-out of smart metering systems.

On March 27, 2013, the UK Government announced the Cyber Security Information Sharing Partnership (“CISP”), a partnership between government and industry to share intelligence on cybersecurity threats.

Introduction of the CISP follows a successful pilot program across key UK sectors and is part of the UK’s Cyber Security Strategy to facilitate information-sharing on cyber threats. It introduces a secure web portal where government and industry partners can exchange real-time information regarding threats and vulnerabilities they have identified. It also sets up a team of expert analysts, the Fusion Cell, to draw together a single intelligence picture of cyber threats across the UK. It is understood that the Fusion Cell will be staffed by analysts drawn from industry, as well as the law enforcement and intelligence communities.

On March 26, 2013, the Article 29 Working Party issued a press release on the recent developments concerning cooperation between the EU and the Asia-Pacific Economic Cooperation group (“APEC”) on cross-border data transfer rules. A joint EU-APEC committee, which includes the French and German data protection authorities as well as the European Data Protection Supervisor and the European Commission, has been studying similarities and differences between the EU’s binding corporate rules (“BCRs”) framework and APEC Cross-Border Privacy Rules. The committee’s goal is to facilitate data protection compliance in this area for international businesses operating in the EU and the APEC region, including by creating a common frame of reference for both sets of cross-border data transfer rules.

On March 1, 2013, the Irish Presidency published a note to the European Council of Ministers regarding its progress on the European Commission’s proposed General Data Protection Regulation (“Proposed Regulation”). The Note details the Irish Presidency’s work to bring a more risk-based approach to the Proposed Regulation.

On March 20, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (”Proposed Regulation”). The LIBE Committee Chair, Juan Fernando López Aguilar, noted that 2,783 amendments to the Proposed Regulation and 504 amendments to the proposed Police and Criminal Justice Directive (“Proposed Directive”) have been tabled.

On February 12, 2013, the UK Information Commissioner’s Office published a further analysis of the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This latest analysis supplements the initial analysis paper on the Proposed Regulation published on February 27, 2012. Although the general views expressed in its initial paper stand, the ICO has now provided greater detail regarding its views of the substantive provisions of the Proposed Regulation.

On March 12, 2013, the UK Government Justice Committee published a report on the functions, powers and resources of the UK Information Commissioner’s Office (the “Report”). The Report highlights several key issues raised during an oral evidence session held with the UK Information Commissioner, Christopher Graham, and his two Deputy Commissioners, David Smith and Graham Smith. The Justice Select Committee published the Report to draw these key issues to the attention of the UK Parliament.

On March 14, 2013, the 85th Conference of the German Data Protection Commissioners concluded in Bremerhaven. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On March 5, 2013, the German Federal Ministry of the Interior published proposed amendments (in German) to the German Federal Office for Information Security Law. These proposed amendments are significant because they establish a new duty to notify the German Federal Office for Information Security in the event of a cybersecurity breach.

On March 8, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).

On March 5, 2013, the French Data Protection Authority (the “CNIL”) announced that the French High Council for Statutory Auditors (“H3C”) and the U.S. Public Company Accounting Oversight Board (“PCAOB”) signed a Statement of Protocol (the “Protocol”) on January 31, 2013, to govern the exchange of information, including personal data, between them.

On March 6, 2013, the French Data Protection Authority (the “CNIL”) announced that it launched a consultation of relevant private and public actors for the purpose of determining whether the CNIL should adopt an initiative on “Open Data.”

On February 7, 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, launched their cybersecurity strategy for the European Union (“Strategy”). As part of this Strategy, the European Commission also proposed a draft directive on measures to ensure a common level of network and information security (“NIS”) across the EU (the “Directive”).

On January 22, 2013, the Article 29 Working Party released Opinion 01/2013 (the “Opinion”) on the implementing acts contained in the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).

Following up on the UK Information Commissioner’s Office’s (“ICO’s”) positive reaction to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”), the ICO has now published additional thoughts on the European Commission’s proposed revised data protection framework, reacting to the recent draft report prepared by the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs, Jan Philipp Albrecht. In February 2012, the ICO released an initial analysis of the Commission’s package of proposals, which included the proposed Police and Criminal Justice Data Protection Directive (“Proposed Directive”).

On January 11, 2013, the UK Government published its response (the “Response”) to the UK Justice Select Committee’s opinion on the European Commission’s proposed revised data protection framework. The Response highlights a number of concerns expressed by the UK Government regarding the Commission’s legislative proposals.

On January 10, 2013, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), Jan Philipp Albrecht, presented his draft report (the “Report”) on the proposed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) to the LIBE Committee.

On December 19, 2012, the European Commission announced its formal recognition of personal data protection in New Zealand. The European Commission approved New Zealand’s status as a country that provides “adequate protection”  of personal data under the European Data Protection Directive 95/46/EC. This determination means that personal information from Europe may flow freely to New Zealand.  Although the law in New Zealand has been modernized over the years, it is not new.  New Zealand will be celebrating the 25th anniversary of its data protection law in 2013. Furthermore, New Zealand has been very active in the development of international standards at the OECD and APEC, and has participated in initiatives such as the Global Accountability Project. New Zealand’s request to be deemed adequate has been pending for several years. This determination follows the positive Opinion of the Article 29 Working Party issued on April 4, 2011, concerning the level of protection under New Zealand’s law.

On November 23, 2012, the German Federal Council (Bundesrat or the “Council”) published its comments on the European Commission’s strategy on cloud computing and also submitted them to the Commission.

On November 20, 2012, the European Network and Information Security Agency (“ENISA”) published a new report entitled “The Right to Be Forgotten – Between Expectations and Practice.” The report complements two earlier papers which focused on data collection and storage and online behavioral advertising, and focuses on the technical implications of the proposed General Data Protection Regulation’s new right to be forgotten.

On November 22, 2012, the Brussels-based publication European Voice published an editorial by U.S. Department of Commerce General Counsel Cameron Kerry entitled Avoiding a Data Divide Between the US and the EU. The article notes the importance of continued collaboration between the European Union and the United States as both assess their respective privacy frameworks to ensure that any changes encourage enhanced trade and strong economic growth, but also contain robust protections for consumers. Mr. Kerry’s editorial emphasizes the need to foster global privacy ...

On November 22, 2012, the UK Ministry of Justice released a written ministerial statement (“Statement”) announcing the publication of its Government Impact Assessment on the European Commission’s legislative reform package on the EU data protection framework. The European Commission has claimed that a regulation implementing a single set of data protection rules across the European Union would save businesses around €2.3 billion a year. In its Statement, the Ministry of Justice disagrees, stating that the Commission’s proposals will impose burdens that “far outweigh” the benefits. At a time of great economic upheaval across Europe, the Ministry of Justice asserts that the regulatory burden should be reduced, not increased, to stimulate growth, and that it is “difficult therefore to justify the extra red-tape and tick box compliance that the proposals represent.” The Ministry of Justice also notes that “[t]he UK Government is seriously concerned about the potential economic impact of the proposed data protection Regulation.”

On November 16, 2012, European Data Protection Supervisor Peter Hustinx published an Opinion on the European Commission’s Communication on cloud computing (part of the Commission’s broader cloud computing strategy). The Opinion focuses on the accountability principle and emphasizes the importance of clearly defining the responsibilities of all parties involved in cloud computing, and analyzes specific cloud computing issues in the context of both the current EU data protection framework, as well as the proposed General Data Protection Regulation.

On November 13-15, 2012, delegates at the IAPP Europe Data Protection Congress in Brussels were given insight into how discussions with key policymakers are progressing. As European Parliament rapporteur and Member of the European Parliament Jan Philipp Albrecht aims to finalize the reform of the EU Data Protection Directive by the end of the current European Parliament’s mandate in 2014, this ambitious goal faces numerous hurdles.

On November 8, 2012, the 84th Conference of the German Data Protection Commissioners concluded in Frankfurt (Oder). This bi-annual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information Peter Schaar to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On October 24, 2012, the UK Justice Select Committee (the “Committee”), appointed by the House of Commons to examine the expenditure, administration and policy of the UK Ministry of Justice, published its opinion on the proposed General Data Protection Regulation (the “Proposed Regulation”) and proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”). In the opinion, the Committee agrees that new proposals are necessary, both to update the existing data protection framework and to “confer on individuals their new rights and freedoms.” The Committee expresses reservations, however, regarding a number of key issues, and concludes that the European Union data protection proposals “need to go back to the drawing board.” The Committee notes that in its present form, the Proposed Regulation will not produce a “proportionate, practicable, affordable or effective system of data protection in the EU.”

On October 26, 2012, following the Justice Council’s meeting, Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, delivered a speech highlighting that the Commission’s proposed data protection law reform package is currently at a crucial stage in the negotiation process. Commissioner Reding stated that “[a] high level of data protection will turn the European Union into an international standard setter” and that “[o]nly a high level of data protection will generate trust between citizens and private enterprises.” Commissioner Reding conceded, however, that “[w]e do not want rules that place an excessive burden on business,” and that the Commission is prepared to make certain concessions relating to the draft proposals in order to “strike the right balance.”

On October 5, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion providing further input on the recent data protection reform discussions in the EU. The Opinion follows the Working Party’s first Opinion on the EU data protection reform proposals issued on March 23, 2012.

On September 27, 2012, the European Commission presented its new strategy on cloud computing, entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission’s strategy is outlined on a new webpage that includes a communication document and a more detailed staff working paper.

On July, 19, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that the Principality of Monaco ensures an “adequate level of protection” for personal data within the meaning of the European Data Protection Directive (Article 25 of Directive 95/46/EC) (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an “adequate” level of data protection.

On August 21, 2012, the European Commission formally approved Uruguay’s status as a country providing “adequate protection” for personal data within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC). This follows the Article 29 Working Party’s earlier favorable Opinion issued in 2010, and takes into account certain interpretative assurances and clarifications provided by Uruguay. Accordingly, transfers of personal data from the EU to Uruguay may now take place without additional intergovernmental guarantees and in accordance with applicable data protection provisions.

On July 1, 2012, the Article 29 Working Party (the “Working Party”) adopted WP196 (the “Opinion”) setting out an analysis of the legal framework associated with cloud computing, as well as recommendations directed at both data controllers and data processors in the European Economic Area (the “EEA”). The Opinion identifies two data protection risks associated with the deployment of cloud computing services, namely: (1) lack of control over the data and (2) lack of information on data processing. Cloud computing and the range and geographical dispersion of the various parties involved also have raised significant uncertainty in terms of applicable law, which the Working Party previously analyzed in its Opinion 8/2010. Below is an overview of the different topics covered in the Opinion issued on July 1.

On June 28, 2012, the UK Ministry of Justice outlined its negotiating position on the proposed EU Data Protection Regulation (the “Proposed Regulation”) in its published “Summary of Responses - Call for Evidence on Proposed EU Data Protection Legislative Framework” (the “Summary”).

The Call for Evidence sought to gain perspective and solicit feedback on how the Proposed Regulation would impact organizations and individuals in the UK. The responses received from the private sector were the most significant, which is not surprising given the potentially huge impact on business.

On March 23, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Commission’s data protection law reform proposals, including the draft Regulation that is of particular importance for businesses. The Working Party’s Opinion serves as the national data protection authorities’ contribution to the legislative process before the European Parliament and the European Council.

On March 19, 2012, the European Commission hosted this year’s Safe Harbor Conference in Washington, D.C., to address the transfer of data from Europe to the United States. Although it appears the Safe Harbor framework will remain unchanged for the time being, it seems unlikely the United States will be considered adequate, or even interoperable, with the EU for purposes of cross-border data transfers.

On March 22, 2012, the 83rd Conference of the German Data Protection Commissioners came to an end in Potsdam. The attendees indicated their general support for the European Commission’s proposed reform package aimed at modernizing and harmonizing data protection laws in the EU, but insist that Member States should have the authority to implement more stringent data protection measures for the area of public administration.

On January 25, 2012, the UK Information Commissioner’s Office (“ICO”) published an initial statement welcoming the European Commission’s proposed new General Data Protection Regulation (the “Proposed Regulation”), and commended the Commission’s efforts to strengthen the rights of individuals, recognize important privacy concepts such as privacy by design and privacy impact assessments, and include accountability requirements.

The American Bar Association’s (“ABA’s”) House of Delegates adopted a non-binding resolution urging courts to consider foreign data protection and privacy laws when resolving discovery issues. The full text of the resolution is as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

On February 7, 2012, the UK Ministry of Justice launched its Call for Evidence on the European Commission’s proposed general data protection regulation and criminal justice data protection directive (the “Proposals”). The Ministry is looking to gain perspective and solicit feedback on how the Proposals likely would impact organizations and individuals in the UK.

On January 26, 2012, the German Data Protection Commissioners (“DPAs”) of the federal states Rhineland-Palatinate and Hesse held a joint press conference to present their views on the European Commission’s legislative proposal for a comprehensive reform of current EU data protection rules. The day before, the European Commission proposed replacing the existing EU Data Protection Directive 95/46/EC with a Regulation that would be directly applicable in all European Member States and therefore not require implementing legislation on the national level.

On January 25, 2012, the European Commission released a data protection law reform package, including its proposed General Data Protection Regulation (the “Proposed Regulation”). The UK Information Commissioner’s Office (“ICO”) has reacted positively to the Proposed Regulation, in particular commending efforts to strengthen the rights of individuals, the recognition of important privacy concepts such as privacy by design and privacy impact assessments, and new accountability requirements to ensure organizations properly demonstrate and document their data protection safeguards and procedures.

On January 25, 2012, the European Commission published its long-awaited legislative package to reform EU data protection rules. The package includes a regulation that covers data processing in the private sector and by public authorities and a directive covering data processing for criminal justice purposes, as well as a communication, a report on the protection of personal data processed in the framework of police and judicial cooperation, and an impact assessment with a summary.

On January 17, 2012, the European Commission initiated expedited infringement proceedings against Hungary over recent changes to its Constitution which are considered incompatible with EU law. The proceedings follow a number of changes made to the Hungarian Constitution that came into effect on January 1, 2012. Of particular concern to the Commission are amendments affecting the independence of the national data protection authority. The Hungarian government has one month to comply, or face enforcement proceedings in the European Court of Justice.

According to a spokesperson at the European Commission, the publication of the proposal for the review of the EU Data Protection Directive (95/46/EC) has been postponed until late February or March 2012. The draft proposal was scheduled to be officially released in late January after it was leaked in December 2011. According to various sources, the proposal received negative responses from several Directorates-General over the course of the “inter-service consultation,” some of whom have voiced their concern that the proposed new framework would be stricter than the current legal framework and thus may have a negative impact on businesses. For example, parts of the proposal, such as the right to be forgotten, are viewed by some as potentially too burdensome for companies.

The U.S. Department of Commerce has confirmed that the European Commission will host this year’s Safe Harbor Conference in Washington, D.C., on March 19, 2012. The venue marks a change from the tradition of previous sessions which have taken place in the host authority’s capital city (Washington, D.C. or Brussels). The Conference will follow the release of the European Commission’s draft revisions to the EU Data Protection Directive 95/46, which are expected on or around January 25, 2012. The widely leaked draft of the proposal does not contain language pertaining to the ...

Shortly before Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, gave her keynote address on binding corporate rules (“BCRs”) at the IAPP Europe Data Protection Congress in Paris, Hunton & Williams co-authored two articles on BCRs with the French Data Protection Authority (“CNIL”):

In early December 2011, drafts of two legal instruments prepared by DG Justice of the European Commission to reform the EU data protection framework entered interservice consultation. This process will give other Directorates-General of the Commission the opportunity to comment on the drafts before they are formally released as legislative proposals; accordingly, changes to the drafts are likely. Following this comment period, the drafts will enter the EU legislative process, which is likely to take at least two to three years before they become law. It is believed that Justice Commissioner and Commission Vice-President Viviane Reding will formally announce final versions of the drafts at an appearance at the World Economic Forum in late January 2012.

On November 17, 2011, the German Association for Data Protection and Data Security (“GDD”) held its 35th Privacy Conference (“DAFTA”) in Cologne, Germany. At the opening plenary session, Paul Nemitz, Director for Fundamental Rights and Citizenship of the European Commission, announced that the European Commission plans to implement a Regulation that is directly applicable to all EU Member States, to harmonize data protection laws in Europe.

On Tuesday, September 27, 2011, the European Privacy Officers Forum (“EPOF”) celebrated its 10th anniversary with a gala reception at the BELvue Museum in Brussels. EPOF is composed of EU-based data protection compliance officers and internal legal counsel from over 30 multinational companies and public-sector institutions who meet three times a year in Brussels to exchange ideas and to hear presentations by data protection authorities and other government representatives. The gala, which was attended by approximately 100 people, featured opening remarks from Peter Hustinx, European Data Protection Supervisor, the Honorable William E. Kennard, U.S. Ambassador to the EU, and Paul Nemitz, Director of Fundamental Rights and Citizenship of the European Commission.

On July 13, 2011, the Belgian Privacy Commission (the “Belgian DPA”) signed a Protocol with the Ministry of Justice which significantly simplifies the authorization procedure for binding corporate rules (“BCRs”) under Belgian law.  The Protocol was just made public on the Belgian DPA's website. 

On June 28-30, 2011, the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg, France, to discuss, among other things, amending the Council of Europe’s Convention 108.  Convention 108, which underlies the European Union’s legal framework for data protection, is the only legally-binding international convention that addresses data protection.  Amendment of the Convention is thus closely linked to the current review of the EU data protection framework, and many of the same actors are involved in both exercises.

Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses.  In return, Reding expects businesses to ensure “safe and transparent digital products and services.”

On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010.  The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.

In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive.  He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure.  Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.

As reported yesterday, on June 16 and 17, 2011, the Hungarian Presidency of the Council of the European Union hosted a high-level international data protection conference in Budapest.  The following are some highlights from the second day’s events:

• During the “New principles in the field” panel, Professor Paul De Hert of the Vrije Universiteit Brussel gave an explanation of the case I v. Finland, which was decided by the European Court of Human Rights on July 17, 2008, and which both he and European Data Protection Supervisor Peter Hustinx agreed was a key document for the concept of accountability in European data protection law.  Endre Szabó of the Hungarian Ministry of Public Administration and Justice noted that the principle of accountability had not yet been fully accepted by all members of the European Council.

On June 16, 2011, the Hungarian Presidency of the Council of the European Union hosted the first day of a high-level international data protection conference in Budapest.  The conference was attended by approximately 150 people, most of whom are representatives of EU governments, data protection authorities (“DPAs”), the European Commission, and other governmental groups such as the Council of Europe.

On April 18, 2011, the European Commission (the “Commission”) adopted an Evaluation Report on the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”).

The Data Retention Directive requires that, for law enforcement purposes, telecommunications service and network providers (“Operators”) must retain certain categories of telecommunications data (excluding the content of the communication) for not less than six months and not more than two years.  To date, most of the EU Member States have implemented the Data Retention Directive, but Czech Republic, Germany and Romania no longer have implementing laws in place because their constitutional courts have annulled the implementing laws as unconstitutional.

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion to clarify the legal framework applicable to smart metering technology in the energy sector (the “Opinion”).

Smart meters are digital meters that record energy consumption and enable two-way remote communication with the wider network for purposes such as monitoring and billing, and to forecast energy demand.  Smart meters are intended to allow the industry to better regulate energy supply, and to help individuals reduce consumption.  According to the Working Party, however, the analysis and exchange of smart metering information has the potential to be privacy-invasive.

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that New Zealand ensures an adequate level of data protection within the meaning of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”).  The Working Party’s assessment in the Opinion focuses on the New Zealand Privacy Act 1993 and is based primarily on a comparison of the Act and relevant case law, against the provisions of the Data Protection Directive.

On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.

The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market.  Reports of the completed privacy impact assessments must be made available to the national data protection authorities.  The Framework, which was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party, provides the first clear, comprehensive methodology that can be applied across all industry sectors to assess and mitigate RFID-related privacy risks.  It is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers.

On April 6, 2011, the European Commission formally requested that Germany immediately comply with a March 9, 2010 judgment (C-518/07) by the European Court of Justice (the “Court”) concerning the independence of German data protection authorities (“DPAs”).

As we previously reported, the Court ruled in March 2010 that Germany had failed to properly implement the requirement that DPAs are to act with “complete independence” in exercising the functions entrusted to them, as explicitly provided by the EU Data Protection Directive 95/46/EC. According to the Commission, 15 out of Germany’s 16 federal states have not yet undertaken any action to rectify the violation identified in the Court’s judgment. In its formal notice letter, the Commission ordered Germany to comply with the Court’s judgment within two months or risk a fine or penalty imposed by the Court.

On March 16, 2011, a meeting of the “European Privacy Platform” group of the European Parliament was held in Brussels.  The meeting provided important insights into the likely structure and content of proposed revisions to the European Data Protection Directive 95/46/EC that the European Commission has been working on for the past several months.