Privacy & Information Security Law Blog

On June 18, 2014, the German state data protection authorities responsible for the private sector (the Düsseldorfer Kreis) issued guidelines concerning the data protection requirements for app developers and app publishers (the “Guidelines”). The Guidelines were prepared by the Bavarian state data protection authority and cover requirements in Germany’s Telemedia Act as well as the Federal Data Protection Act. Topics addressed in the 33-page document include:

On June 23, 2014, the Article 29 Working Party (the “Working Party”) published its Opinion 7/2014 on the protection of personal data in Québec (the “Opinion”). In this Opinion, the Working Party provides its recommendations to the European Commission on whether the relevant provisions of the Civil Code of Québec and the Québec Act on the Protection of Personal Information in the Private Sector (the “Québec Privacy Act”) ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection.

In response to increasing interest in a “risk-based” approach among privacy experts, including policymakers working on the proposed EU General Data Protection Regulation, the Article 29 Working Party (the “Working Party”) published a statement on the role of a risk-based approach in data protection legal frameworks (the “Statement”).

On June 6, 2014, Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, outlined the progress that has been made with respect to the proposed EU General Data Protection Regulation (the “Proposed Regulation”) in a meeting of the Council of the European Union, acting through the Justice Council (the “Council”). In particular, the Council has agreed on two important aspects of the Proposed Regulation.

On June 3 and 4, 2014, the Article 29 Working Party held a meeting to discuss the consequences of the European Court of Justice’s May 13, 2014 judgment in Costeja, which is widely described as providing a “right to be forgotten.” Google gave effect to the Costeja decision by posting a web form that enables individuals to request the removal of URLs from the results of Google searches that include that individual’s name. The Working Party announced that it welcomed Google’s initiative, but pointed out that it is “too early to comment on whether the form is entirely satisfactory.” The Working Party also announced that it will prepare guidelines to ensure a common approach to the implementation of Costeja by the national data protection authorities. Finally, the Working Party called on search engine operators to implement user-friendly processes that enable users to exercise their right to deletion of search result links containing their personal data.

On May 30, 2014, Google posted a web form that enables individuals to request the removal of URLs from the results of searches that include that individual’s name. The web form acknowledges that this is Google’s “initial effort” to give effect to the recent and controversial decision of the Court of Justice of the European Union in Costeja, widely described as providing a “right to be forgotten.” That Google has moved quickly to offer individuals a formal removal request process will be viewed favorably, but the practicalities of creating a removals process that satisfies all interested parties will remain challenging, and not just for Google.

On May 14, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program provided a global overview of some of the most debated topics in data protection and privacy, including cross-border data flows, global data breach issues and the EU Cybersecurity Directive. In addition, we highlighted the latest information regarding the GPEN enforcement sweep.

On May 13, 2014, the European Court of Justice (the “CJEU”) rendered its judgment in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v. AEPD” or the “case”). The case concerns a request made by a Spanish individual, Mr. Costeja, to the Spanish Data Protection Authority (Agencia Española de Protección de Datos or “AEPD”) to order the removal of certain links from Google’s search results. The links relate to an announcement in an online newspaper of a real estate auction for the recovery of Mr. Costeja’s social security debts. The information was lawfully published in 1998, but Mr. Costeja argued that the information had become irrelevant as the proceedings concerning him had been fully resolved for a number of years. The AEPD upheld the complaint and ordered Google Spain S.L. and Google Inc. (“Google”) to remove the links from their search results. Google appealed this decision before the Spanish High Court, which referred a series of questions to the ECJ for a preliminary ruling. The ECJ ruled as follows:

On May 19, 2014, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2013 (the “Report”) highlighting its main accomplishments in 2013 and outlining some of its priorities for the upcoming year.

Hunton & Williams LLP, in coordination with the U.S. Chamber of Commerce, recently issued a report entitled Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, highlighting the benefits of cross-border data transfers to businesses in the international marketplace. The report underscores the importance of developing data transfer mechanisms that protect privacy and facilitate the free-flow of data, and also explores opportunities for new data transfer regimes.

On May 13, 2014, the French data protection authority (“CNIL”) decided to examine 100 mobile apps most commonly used in France.

On May 12, 2014, the U.S. Chamber of Commerce released a report highlighting the benefits of cross-border data transfers across all sectors of the economy. Hunton & Williams LLP’s Global Privacy and Cybersecurity team developed the report with the Chamber of Commerce. The report, Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, presents pragmatic solutions for developing international mechanisms that both protect privacy and facilitate cross-border data flows.

On May 9, 2014, the Federal Trade Commission announced a settlement with clothing manufacturer American Apparel related to charges that the company falsely claimed to comply with the U.S.-EU Safe Harbor Framework. According to the FTC’s complaint, the company violated Section 5 of the FTC Act by deceptively representing, through statements in its privacy policy, that it held a current Safe Harbor certification even though it had allowed the certification to expire.

Hunton & Williams LLP’s Centre for Information Policy Leadership president, Bojana Bellamy, has been selected to participate in the “Privacy Bridge Project,” a new transatlantic initiative that seeks to develop practical solutions to bridge the gap between European and U.S. privacy regimes. Bellamy joins a distinguished group of approximately 20 privacy experts from the EU and U.S., convened by Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority and former Chairman of the Article 29 Working Party.

On February 18, 2014, the Frankfurt am Main Regional Court issued a ruling addressing the use of opt-out notices for web analytics tools. The case concerned Piwik web analytics software and its “AnonymizeIP” function. The court held that website users must be informed clearly about their right to object to the creation of pseudonymized usage profiles. This information must be provided when a user first visits the website (e.g., via a pop-up or highlighted/linked wording on the first page) and must be accessible at all times (e.g., via a privacy notice).

On April 25, 2014, a judge in the U.S. District Court for the Southern District of New York ruled that Microsoft must release user data to U.S. law enforcement when issued a search warrant, even if the data is stored outside of the U.S.

On April 16, 2014, the Article 29 Working Party (the “Working Party”) sent a letter (the “Letter”) to Lilian Mitrou, Chair of the Working Group on Information Exchange and Data Protection (the “DAPIX”) of the Council of the European Union, to support a compromise position on the one-stop-shop mechanism within the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

On April 9, 2014, the Article 29 Working Party (the “Working Party”) issued an Opinion on using the “legitimate interests” ground listed in Article 7 of the EU Data Protection Directive 95/46/EC as the basis for lawful processing of personal data. Citing “legitimate interests” as a ground for data processing requires a balancing test, and it may be relied on only if (1) the data processing is necessary for the legitimate interests of the controller (or third parties), and (2) such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. With the Opinion, the Working Party aims to ensure a common understanding of this concept.

On April 10, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 04/2014. The Opinion analyzes the implications of electronic surveillance programs on the right to privacy and provides several recommendations for protecting EU personal data in the surveillance context.

On April 10, 2014, the Article 29 Working Party (the “Working Party”) issued a letter (the “Letter”) to Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, expressing its views on the European Commission’s ongoing revision of the EU-U.S. Safe Harbor Framework.

On March 21, 2014, the Article 29 Working Party (the “Working Party”) issued a Working Document containing draft ad-hoc contractual clauses for transfers of personal data from data processors in the EU to data sub-processors outside the EU (the “Working Document”).

On April 8, 2014, the European Court of Justice ruled that the EU Data Retention Directive is invalid because it disproportionally interferes with the European citizens’ rights to private life and protection of personal data. The Court’s ruling applies retroactively to the day the Directive entered into force.

On April 3, 2014, Markus Heyder published an opinion piece on global privacy interoperability in the International Association of Privacy Professionals’ Privacy Perspectives blog, entitled Getting Practical and Thinking Ahead: ‘Interoperability’ is Gaining Momentum. Heyder recently left the Federal Trade Commission to join the Centre for Information Policy Leadership at Hunton & Williams as Vice President and Senior Policy Counselor. During his tenure at the FTC, Heyder spent a significant amount of time working on EU-U.S. Safe Harbor and APEC Cross-Border Privacy Rules (“CBPRs”) issues.

On March 28, 2014, the 87th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for the 17 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.

The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.

On March 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program focused on some of the recent developments in privacy, including observations from the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C., earlier this month, the National Institute of Standards and Technology final Cybersecurity Framework and the Article 29 Working Party’s recent Opinion on Binding Corporate Rules and Cross-Border Privacy Rules.

On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.

On March 13, 2014, the European Parliament voted to adopt the draft directive on measures to ensure a uniform level of network and information security (“NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013 as part of its cybersecurity strategy for the European Union. The NIS Directive aims to ensure a uniform level of cybersecurity across the EU. The European Parliament will next negotiate with the Council of the European Union to reach an agreement on the final text of the NIS Directive.

View the European Commission’s press release.

On March 12, 2014, the European Parliament formally adopted the compromise text of the proposed EU General Data Protection Regulation (the “Regulation”). The text now adopted by the Parliament is unchanged and had already been approved by the Parliament’s Committee on Civil Liberties, Justice and Home Affairs in October of last year. The Parliament voted with 621 votes in favor, 10 against and 22 abstentions for the Regulation.

On March 10, 2014, the German Federal Commissioner for Data Protection and Freedom of Information and all 16 German state data protection authorities responsible for the private sector issued guidelines on the use of closed-circuit television (“CCTV”) by private companies. The guidelines provide information regarding the conditions under which CCTV may be used and outline the requirements for legal compliance. The guidelines feature:

On March 6, 2014 the Article 29 Working Party (the “Working Party”) published a comprehensive Opinion: Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross-Border Privacy Rules submitted to APEC CBPR Accountability Agents. This blog post provides an overview of the Opinion.

On March 6, 2014, the U.S. Federal Trade Commission (“FTC”) and UK Information Commissioner’s Office (“ICO”) signed a memorandum of understanding (“MOU”) to promote increased cooperation and information sharing between the two enforcement agencies.

On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 5-7, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

On February 25, 2014, the UK Information Commissioner’s Office (“ICO”) published an updated code of practice on conducting privacy impact assessments (“PIAs”) (the “Code”). The updated Code takes into account the ICO’s consultation and research project on the conduct of PIAs, and reflects the increased use of PIAs in practice.

On February 27, 2014, Chairwoman of the French Data Protection Authority (the “CNIL”) Isabelle Falque-Pierrotin was elected Chairwoman of the Article 29 Working Party effective immediately. Ms. Falque-Pierrotin succeeds Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, who chaired the Article 29 Working Party for four years. The Working Party also elected two new Vice-Chairs: Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, and Gérard Lommel of the Luxembourg Data Protection Authority.

On February 21, 2014, Peter Hustinx, the European Data Protection Supervisor (“EDPS”), highlighted the need to enforce existing EU data protection law and swiftly adopt EU data protection law reforms as an essential part of rebuilding trust in EU-U.S. data flows.

On January 31, 2014, the Greek Presidency of the Council of the European Union issued four notes regarding the proposed EU Data Protection Regulation. These notes, discussed below, address the following topics: (1) one-stop-shop mechanism; (2) data portability; (3) data protection impact assessments and prior checks; and (4) rules applicable to data processors.

On January 24, 2014, the Chamber Court of Berlin rejected Facebook’s appeal of an earlier judgment by the Regional Court of Berlin in cases brought by a German consumer rights organization. In particular, the court: 

In a decision published on February 11, 2014, the French Data Protection Authority (“CNIL”) adopted several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”).

On February 11, 2014, Germany’s Federal Minister of Justice and Consumer Protection announced that consumer rights organizations will soon be able to sue businesses directly for breaches of German data protection law. Such additional powers had already been contemplated by the German governing coalition’s agreement and the Minister now expects to present a draft law in April of this year to implement them.

On February 5, 2014, the Member States of the EU and European Free Trade Association (“EFTA”) as well as the European Network and Information Security Agency (“ENISA”) issued Standard Operational Procedures (“SOPs”) to provide guidance on how to manage cyber incidents that could escalate to a cyber crisis.

On January 28, 2014, the Federal Court of Justice of Germany clarified the scope of a data subject’s right of access to personal data in the context of credit scoring. Germany’s Federal Data Protection Act contains detailed and expansive provisions on the right of access where personal data are processed and shared to determine a data subject’s future behavior.

On January 28, 2014, Data Protection Day, Vice-President of the European Commission and Commissioner for Justice Fundamental Rights and Citizenship Viviane Reding gave a speech in Brussels proposing a new data protection compact for Europe. She focused on three key themes: (1) the need to rebuild trust in data processing, (2) the current state of data protection in the EU, and (3) a new data protection compact for Europe.

On January 21, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program highlighted some of the key privacy developments that companies will encounter in 2014, including cybersecurity issues in the U.S., California’s Do Not Track legislation, Safe Harbor, the EU General Data Protection Regulation and the CNIL’s new cookie guidance.

In January 2014, the Department of Commerce’s International Trade Administration (“ITA”) posted a Key Points document to provide additional information about the benefits, oversight and enforcement of the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks. The Key Points document supplements information about the Safe Harbor Frameworks already available on the Department of Commerce website. For example, in the Key Points, the ITA notes that: 

On January 16, 2014 the High Court in London rejected submissions made on behalf of Google Inc. (“Google”) that the case brought against it by three UK-based users of Apple’s Safari browser should be heard in the U.S., rather than before an English court. The decision means that the case could be heard before a court in England, although media reports suggest Google will appeal the decision.

The EU-U.S. Safe Harbor Framework is an important cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. Recently, however, the Safe Harbor’s future has been thrown into doubt. In an article published on October 30, 2013 by Practical Law, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, partner Bridget Treacy and associate Naomi McBride, examine the Safe Harbor Framework and its future ...

On December 18, 2013, the UK Information Commissioner’s Office (“ICO”) published its proposed strategy for handling complaints, stating that, beginning in April 2014, it will focus its efforts on the investigation of serious and repeat violations of data protection laws. The ICO also intends to publish regular reports highlighting the number of complaints it receives about organizations and enforcement actions it has taken. The ICO is seeking comments on the proposed strategy, which is explained in a public consultation document, before January 31, 2014.

In December 2013, the UK Information Commissioner’s Office (“ICO”) issued non-binding guidance aimed at app developers (the “Guidance”). The Guidance applies to all types of mobile devices, including smart TVs and video game consoles.

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines were published in November 2012.

On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.

On December 12, 2013, Advocate-General Cruz Villalón of the European Court of Justice (“ECJ”) issued his Opinion on the compatibility of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) with the Charter of Fundamental Rights of the European Union (the “EU Charter”).

As we previously reported, on October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Hunton & Williams has now published an analysis of these proposals.

On November 28, 2013, the UK government published a paper in response to its March 2013 consultation on cybersecurity standards (“Response Paper”), and announced that it will create a new cybersecurity standard. The original consultation concluded in October 2013.

On November 27, 2013, the European Commission published an analysis of the EU-U.S. Safe Harbor Framework, as well as other EU-U.S. data transfer agreements. The analysis includes the following documents:

On November 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the second webcast in its Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation (“Proposed Regulation”), including a discussion of the European Parliament’s recent approval of its Compromise Text for the Proposed Regulation.

The Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

On November 4, 2013, the data protection authority (“DPA”) of the German state of Rhineland-Palatinate announced two sets of recommendations for mobile payment systems, including contactless payments. The recommendations were prepared in conjunction with the state consumer protection agency, the Ministry of Justice for Rhineland-Palatinate, the mobile payment industry and research organizations.

As we reported on October 8, 2013, the Information Commissioner’s Office (“ICO”) has announced it is reviewing its Privacy Notices Code of Practice (the “Code”) to assess whether it should be updated. In anticipation of the November 30^th closing date for comments on the Code, today the ICO’s Head of Policy Delivery posted a request for feedback on the ICO’s blog.

On October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). The approval follows months of negotiations between the various parliamentary committees. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) has been in charge of working toward an agreement on the Compromise Text in the European Parliament.

On October 2, 2013, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU legal requirements (“Working Document”).

At its meeting on October 7, 2013, the Council of the European Union voiced support for the “one-stop-shop” mechanism in the draft General Data Protection Regulation (the “Regulation”). The “one-stop-shop” mechanism allocates responsibility for overseeing data processing activities in multiple EU Member States to the data protection authority of the EU Member State where the data controller or processor has its main establishment. At the Council meeting, a majority of the EU Member States indicated that the responsible data protection authority should have exclusive decision powers with regard to enforcement actions, but acknowledged that the “local” DPAs should be involved in the decisionmaking process as well. The Council emphasized the need for further exploration of the European Data Protection Board’s role in ensuring consistent application of EU data protection rules.

On October 8, 2013, a Royal Decree was published completing the transposition of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) into Belgian law. The Royal Decree was adopted on September 19, 2013.

On October 2, 2013, the 86th Conference of the German Data Protection Commissioners concluded in Bremen. This biannual conference provides a private forum for the 16 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

In its October 2013 e-newsletter, the UK Information Commissioner’s Office (“ICO”) announced that it is reviewing its Privacy Notices Code of Practice (the “Code”) to assess whether it should be updated. The Code, last updated in December 2010 and issued under Section 51 of the UK Data Protection Act 1998 (the “DPA”), is designed to assist organizations “to collect and use information appropriately by drafting clear and genuinely informative privacy notices.”

On October 4, 2013, The Centre for Information Policy Leadership’s Senior Policy Advisor Fred Cate reported on the 35th International Conference of Data Protection and Privacy Commissioners which concluded on September 24 in Warsaw, Poland. The report indicates that four main issues dominated the Conference: (1) challenges presented by technologies such as mobile apps and online profiling, (2) multinational interoperability and enforcement, (3) pending EU data protection regulation and alternatives, and (4) repercussions of NSA surveillance activities.

On September 30, 2013, Hunton & Williams LLP hosted representatives from the U.S. Department of Commerce for a timely discussion of the Safe Harbor Framework, the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules System (“CBPRs”), and the Transatlantic Trade and Investment Partnership (“TTIP”) negotiations. The panel also addressed the development of privacy codes of conduct and privacy legislation being developed by the Department of Commerce.

On September 23 and 24, 2013, a declaration and eight resolutions were adopted by the closed session of the 35th International Conference of Data Protection and Privacy Commissioners and have been published on the conference website. This blog post provides an overview of the declaration and the most significant resolutions.

On September 26, 2013, the UK Information Commissioner’s Office (“ICO”) published new breach notification guidance (the “Guidance”), applicable to telecom operators, Internet service providers (“ISPs”) and other public electronic communications service (“ECS”) providers.

On September 6, 2013, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding traveled to Berlin where she commented on the status of the negotiations on the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Commissioner Reding indicated that she was looking for Germany to become involved in the discussions about the Proposed Regulation at the highest level, and she argued in favor of stricter regulations given recent revelations about surveillance programs such as PRISM. Because the vote on the Proposed Regulation only requires a majority to pass, she also emphasized that it would not be necessary to obtain the agreement of all of the EU Member States (for example, the UK or Ireland).

On September 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the first webcast in its new Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation, recent Safe Harbor issues from both European and American perspectives, and cybersecurity developments on both sides of the Atlantic.

Hunton Global Privacy Update sessions are 30-minutes in length and are scheduled to take place every two months.

On September 9, 2013, the Organization for Economic Cooperation and Development (“OECD”) published its revised guidelines governing the protection of privacy and transborder flows of personal data (the “Revised Guidelines”), updating the OECD’s original guidelines from 1980 that became the first set of accepted international privacy principles.

On September 5, 2013, the 16 German state data protection authorities and the Federal Commissioner for Data Protection and Freedom of Information (the “DPAs”) passed a resolution concerning recent revelations about the PRISM, Tempora and XKeyscore surveillance programs.

On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published guidance for companies receiving unwanted marketing (the “Guidance”). This Guidance was published as part of a broader focus on unwanted marketing in the UK.

On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published new guidance on direct marketing (the “Guidance”). The Guidance explains the application of the two principal legislative instruments that affect direct marketing in the UK: (1) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which relates specifically to direct marketing; and (2) the Data Protection Act 1998 (the “DPA”), which governs data protection issues generally. The Guidance is not legally binding, but it reflects the ICO’s interpretation of the requirements and indicates how the ICO is likely to enforce them.

On August 28, 2013, on the UK Information Commissioner’s Office’s (“ICO’s”) blog, Simon Rice, Technology Group Manager for the ICO, discussed the importance of encryption as a data security measure. He stated that storing any personal information is “inherently risky” but encryption can be a “simple and effective means” to safeguard personal information and reduce the risk of security breaches.

As always, the privacy team at Hunton & Williams continues to closely monitor the latest global developments in data protection, privacy and cybersecurity, including progress on the proposed EU General Data Protection Regulation. To keep you informed, we will be hosting regular, 30-minute webcasts to provide brief updates on the most pressing issues. These Hunton Global Privacy Update sessions will take place every two months. Please join us on September 19, 2013, at 11:00 a.m. EDT, for the first Hunton Global Privacy Update webcast.

This week a new breach notification regulation takes effect across the EU. The Regulation on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC (the “Regulation”) specifies the technical measures of how Internet service providers, telecommunications providers and other public electronic communications service (“ECS”) providers must notify of data breaches.

On September 30, 2013, Hunton & Williams LLP will host a panel discussion with the U.S. Department of Commerce on The Latest International Data Privacy Developments. The panel will take place in Hunton & Williams’ New York office from 5:30 – 7:00 p.m. EDT, with a cocktail reception following the presentation. The Department of Commerce’s International Trade Administration (“ITA”) will brief participants on important international data privacy issues, including:

On August 9, 2013 the UK Information Commissioner’s Office (“ICO”) published a new code of practice providing guidance to organizations on how to respond to subject access requests (the “Code”). The Code follows a public consultation on a draft code during 2012 and 2013.

On August 6, 2013, the UK Information Commissioner’s Office (“ICO”) opened a new consultation on a draft code of practice on conducting privacy impact assessments (the “Code”).

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

On July 22-23, 2013, the APEC E-Commerce Business Alliance and the China International Electronic Commerce Center, a subsidiary organization of the Ministry of Commerce of the People’s Republic of China, held a seminar in Beijing entitled Workshop on the Online Data Privacy Protection in APEC Region. In addition to delegates from Mainland China, representatives from numerous other jurisdictions were in attendance, including the United States, the United Kingdom, Malaysia, Vietnam, South Korea, Hong Kong and Taiwan.

On July 24, 2013, the Conference of the German Data Protection Commissioners at both the Federal and State levels issued a press release stating that surveillance activities by foreign intelligence and security agencies threaten international data traffic between Germany and countries outside the EEA.

On July 18-19, 2013, the European Union Justice and Home Affairs Council held an informal meeting in Vilnius, Lithuania, where Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, openly criticized the U.S.-EU Safe Harbor Framework.

On June 25, 2013, the Belgian Data Protection Authority (the “Privacy Commission”) and the Belgian Ministry of Justice agreed on a Protocol establishing new rules for the approval of international data transfer agreements.

Senior Attorney Rosemary Jay reports from London:

On June 25, 2013, Advocate-General Jääskinen of the European Court of Justice (“ECJ”) delivered his Opinion in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v AEPD” or the “case”).

The case concerns Google Search results, and whether individuals have a right to erasure of search result links about them. The Opinion concludes that under current law, individuals have no such right. The European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) would introduce a right to be forgotten. However, this Opinion appears to demonstrate unease with the basic concept of such a right.

In a recording prepared for the Centre for Information Policy Leadership at Hunton & Williams LLP’s (“Centre’s”) annual retreat, former UK Information Commissioner and Centre Global Strategy Advisor Richard Thomas discussed some of the challenges facing Big Data with respect to the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC. In April 2013, the Article 29 Working Party adopted an Opinion on this topic, focusing on how to apply the purpose limitation principle in the Big Data context. Richard Thomas ...

On June 28, 2013, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) issued its 20th annual Report of Activities (the “Report”), highlighting the FDPIC’s main activities during the period from April 2012 to March 2013. The Report is available in French and in German, and the FDPIC also has prepared a summary of the Report in English.

On July 4, 2013, the European Parliament adopted new EU legislation to fight cyber crime. The Directive on attacks against information systems (the “Directive”) (see the Committee on Civil Liberties, Justice and Home Affairs’ report tabled for plenary), together with the launch of the European Cybercrime Centre and the adoption of the EU cybersecurity strategy, will strengthen the EU’s overall response to cyber crime and contribute to improving cybersecurity for all EU citizens.

The U.S. Department of Commerce’s International Trade Administration (“ITA”) will host a data privacy seminar in Providence, Rhode Island, on Thursday, July 18 from 8:30 – 11:00 a.m. EDT. Seminar participants will hear from Commerce privacy experts who will discuss the Obama Administration’s privacy blueprint and provide updates on significant international developments, including the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks and the Asia-Pacific Economic Cooperation (“APEC”) group’s work to implement the Cross-Border Privacy Rules System. These privacy developments could have a significant impact on how companies comply with laws and privacy regulations in the United States, Asia and Europe. A representative from the Safe Harbor-certified company Textron Inc. (“Textron”) also will discuss the company’s experience developing and implementing a privacy compliance program.

On July 3, 2013, the French Data Protection Authority (“CNIL”) released its decision in a case against PS Consulting, imposing a fine of €10,000 on the information systems consulting company for violations related to the operation of its CCTV system.

On July 1, 2013, the Republic of Croatia joined the European Union, increasing the number of EU Member States to 28. As of the day of its accession, Croatia must implement the acquis communautaire (the complete body of the EU legislation), which includes the EU Data Protection Directive 95/46/EC (“Data Protection Directive”).

In recent months, the Belgian media has reported on a significant increase in data breaches. In December 2012, the National Belgian Railway Company inadvertently published 1.46 million sets of customer data online. The rise in data security incidents has caught the attention of the Belgian Privacy Commission, which has the authority to make recommendations on any matter relating to the application of the fundamental data protection principles in the Belgian Data Protection Act of December 8, 1992. In a May 2013 article published in Bloomberg BNA’s World Data Protection Report

The Bavarian data protection authority recently updated its compliance initiative regarding online tracking tools to include Adobe’s online tracking product (Adobe Analytics (Omniture)). As with previous initiatives of this nature, the underlying analyses were carried out in an automated manner, using a program specifically developed by the Bavarian data protection authority to verify compliance.

On June 24, 2013, the European Commission announced new technical implementing measures that address the EU data breach notification requirement for telecom operators and internet service providers (“ISPs”). Based on a Commission Regulation, these companies must:

• notify the competent national authority of the incident (or at least provide an initial description thereof) within 24 hours after detection of the breach;
• outline which data are affected and what measures have been or will be taken by the company;
• pay attention to the type of data compromised when assessing whether to notify subscribers (i.e. evaluating whether the breach is likely to have an adverse effect on personal data or privacy); and
• use a standardized format for notifying the competent national authority (e.g. an online form which is the same for all EU Member States).

On July 1, 2013, Practising Law Institute (“PLI”) hosts its first symposium on Cybersecurity 2013: Managing the Risk in New York. Hunton & Williams partner Lisa J. Sotto is the Chair of the event. The program features timely cybersecurity topics, including the threat landscape, the legal environment (such as the Obama Administration’s Executive Order on Cybersecurity), and how companies can manage cybersecurity incidents when they occur and seek to prevent cyber attacks before they occur. Hunton & Williams partner Paul M. Tiao and Centre for Information Policy Leadership ...

On June 20, 2013, the UK Information Commissioner’s Office (“ICO”) launched its Annual Report and Financial Statements for 2012/13 (the “Report”). Introducing the Report, Information Commissioner Christopher Graham strongly emphasized that, as consumers become increasingly aware of their information rights, good privacy practices will become a commercial benefit and a business differentiator. He outlined the seven key “e”s of the ICO’s role: enforce, educate, empower, enable, engage, and to be effective and efficient.

On June 14, 2013, the European Data Protection Supervisor (the “EDPS”) issued an Opinion regarding a joint communication by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, Cyber Security Strategy of the European Union: an Open, Safe and Secure Cyberspace (the “Strategy”), as well as the European Commission’s proposed draft directive to ensure uniformly high security measures for network and information security across the EU (the “NIS Directive”). The EDPS welcomes recognizing privacy and data protection as core values of a robust cybersecurity policy, as opposed to separating out security and privacy, but draws attention to several deficiencies, stating that “the ambitions of the strategy are not reflected in how it will be implemented.”