Posts in International.

On August 8, 2014, a court in Shanghai found a foreign couple guilty of illegal collection of personal information. British national Peter Humphrey was sentenced to two and a half years of imprisonment and a fine of RMB 200,000, and his wife was sentenced to two years of imprisonment and a fine of RMB 150,000. In addition, Humphrey will be deported after serving his term.

On July 30, 2014, the European Commission announced two new EU standards to help users of Radio Frequency Identification (“RFID”) smart chips and systems comply with both EU data protection requirements and the European Commission’s 2009 Recommendation on RFID. Among other suggestions, the Recommendation discussed the development of a common European symbol or logo to indicate whether a product uses a smart chip. One of the new standards will provide companies with a framework for the design and display of such a logo. The logo will inform consumers of the presence of RFID chips (for example, when using electronic travel passes or purchasing items with RFID tags). The Commission reiterated that such smart chips should be deactivated by default immediately, and free of charge, at the point of sale.

The EU Sub-Committee on Home Affairs, Health and Education of the UK House of Lords has published its Second Report for 2013-14, entitled EU Data Protection Law: A 'Right to Be Forgotten'? (the “Report”). The Report summarizes the findings of the Sub-Committee’s investigation into the right to be forgotten, and was triggered in large part by the European Court of Justice’s (“ECJ’s”) decision in Google v. Costeja (Case C-131/12, “Costeja”). In Costeja, the ECJ held that individuals have a right to request that their personal data no longer be displayed by online search engines in the results for searches made on the basis of the individual’s name, particularly if the information is inadequate, irrelevant or excessive (commonly referred to as the “right to be forgotten”).

On July 22, 2014, the Data Security Council of India (“DSCI”) announced that it has deemed Vodafone India Limited (“Vodafone”) a “DSCI Privacy Certified” organization. The certification, which is designed to help companies “demonstrate the privacy practices to relevant stakeholders and enhance trust,” is the first for a telecommunications company in India.

On July 15, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including the recent judgment in the Costeja case, the Centre for Information Policy Leadership’s work on a risk-based approach to privacy, the new Canadian anti-spam legislation that went into effect on July 1, and other developments in the U.S. and EU.

On July 17, 2014, the Belgian government announced that it has finalized its Royal Decree on the establishment of a Cybersecurity Center (Centrum Cyber Security België or Centre Cyber Security Belgique). The Cybersecurity Center’s tasks would be to monitor the country’s cybersecurity and manage cyber incidents. It also would oversee various cybersecurity projects, formulate legislative proposals relating to cybersecurity, and issue standards and guidelines for securing public sector IT systems. The Cybersecurity Center is expected to be operational by the end of ...

On July 15, 2014, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2013/14 (the “Report”). Entitled Effective, Efficient - and Busier than Ever, the Report illustrates the rapid growth of data protection and freedom of information issues in the UK in the past year. It highlights the fact that the ICO has received increasing numbers of questions and complaints from members of the public, processed record numbers of cases, and issued its highest ever level of fines, totaling almost £1.97 million. The Report also emphasizes the fact that the ICO’s resources are stretched and, in a direct appeal to both the UK Parliament and the Ministry of Justice, calls for “stronger powers, a more sustainable funding system, and a clearer guarantee of independence.”

On July 10, 2014, the UK government announced plans to introduce emergency data retention rules, publishing the Data Retention and Investigatory Powers Bill (the “Bill”) along with explanatory notes and draft regulations. The publication of the Bill follows the European Court of Justice’s April 2014 declaration that the EU Data Retention Directive (the “Directive”) is invalid. Under the Directive, EU Member States were able to require communications service providers (e.g., ISPs) to retain communications data relating to their subscribers for up to 12 months.

On July 11, 2014, the French Data Protection Authority (the “CNIL”) announced that, starting in October 2014, it will conduct on-site and remote inspections to verify whether companies are complying with its new guidance on the use of cookies and other technologies. These inspections will take place in connection with the European “cookies sweep day” initiative, which will be launched from September 15 – 19, 2014. During that initiative, each EU data protection authority will review how users are informed of, and consent to the use of, cookies.

Hunton & Williams, in collaboration with the U.S. Chamber of Commerce, recently issued Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, a report which highlights the benefits of cross-border data transfers to businesses in the international marketplace. The report underscores the importance of developing data transfer mechanisms that protect privacy and facilitate the free-flow of data, and also explores opportunities for new data transfer regimes.

Last week, the Russian Parliament adopted a bill amending portions of Russia’s existing legislation on privacy, information technology and data protection. Among other provisions, the law would create a “data localization” obligation for companies engaged in the transmission or recording of electronic communications over the Internet. Such companies would be required to store copies of the data for a minimum of six months in databases that must be located within the Russian Federation. The new bill also would empower the Russian data protection authority to block public Internet access to any service that does not comply with this requirement.

On July 2, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) held a public meeting to finalize the release of a report concluding that the National Security Agency’s (“NSA’s”) collection of electronic communications from targets reasonably believed to be non-U.S. persons located outside the United States has operated lawfully within its statutory limitations.

On June 26, 2014, the European Commission issued guidelines on the standardization of service level agreements for cloud services providers (the “Guidelines”). In the context of the European Cloud Computing Strategy, launched by the European Commission in September 2012, the Guidelines focus on security and data protection in the cloud. They are based on the understanding that standardization will improve the clarity of service level agreements (“SLAs”) for cloud services in the European Union.

On July 1, 2014, the Federal Court of Justice of Germany ruled that website operators cannot be compelled to disclose a user’s personal data to third parties in the context of civil defamation proceedings. The case is notable as it clarifies the limits Germany’s Telemedia Act places on how and when personal data can be disclosed in an online context.

On June 18, 2014, the German state data protection authorities responsible for the private sector (the Düsseldorfer Kreis) issued guidelines concerning the data protection requirements for app developers and app publishers (the “Guidelines”). The Guidelines were prepared by the Bavarian state data protection authority and cover requirements in Germany’s Telemedia Act as well as the Federal Data Protection Act. Topics addressed in the 33-page document include:

On June 23, 2014, the Article 29 Working Party (the “Working Party”) published its Opinion 7/2014 on the protection of personal data in Québec (the “Opinion”). In this Opinion, the Working Party provides its recommendations to the European Commission on whether the relevant provisions of the Civil Code of Québec and the Québec Act on the Protection of Personal Information in the Private Sector (the “Québec Privacy Act”) ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection.

On June 19, 2014, the President’s Export Council (“PEC”) held a meeting to discuss nine key issues, including the effects of foreign laws that restrict cross-border data flows. At the meeting, the private sector members of the PEC submitted a recommendation letter to President Obama expressing their concern about the threat to American business from protectionist, cross-border data transfer restrictions imposed by foreign countries. The letter describes how certain governments are implementing “digital protectionism” in the form of laws and policies restricting the cross-border flow of data (for example, by requiring domestic processing and storage of data citing concerns for personal privacy and national security). These foreign laws may limit the ability of American businesses, particularly small- and medium-sized businesses, to expand their business operations to include countries that enact such measures.

On June 2, 2014, the U.S. Department of Justice announced a U.S.-led multinational effort to disrupt the “Gameover Zeus” botnet and the malware known as “Cryptolocker.” The DOJ also unsealed charges filed in Pittsburgh, Pennsylvania and Omaha, Nebraska against an administrator of Gameover Zeus.

In response to increasing interest in a “risk-based” approach among privacy experts, including policymakers working on the proposed EU General Data Protection Regulation, the Article 29 Working Party (the “Working Party”) published a statement on the role of a risk-based approach in data protection legal frameworks (the “Statement”).

On June 6, 2014, Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, outlined the progress that has been made with respect to the proposed EU General Data Protection Regulation (the “Proposed Regulation”) in a meeting of the Council of the European Union, acting through the Justice Council (the “Council”). In particular, the Council has agreed on two important aspects of the Proposed Regulation.

On June 3 and 4, 2014, the Article 29 Working Party held a meeting to discuss the consequences of the European Court of Justice’s May 13, 2014 judgment in Costeja, which is widely described as providing a “right to be forgotten.” Google gave effect to the Costeja decision by posting a web form that enables individuals to request the removal of URLs from the results of Google searches that include that individual’s name. The Working Party announced that it welcomed Google’s initiative, but pointed out that it is “too early to comment on whether the form is entirely satisfactory.” The Working Party also announced that it will prepare guidelines to ensure a common approach to the implementation of Costeja by the national data protection authorities. Finally, the Working Party called on search engine operators to implement user-friendly processes that enable users to exercise their right to deletion of search result links containing their personal data.

On May 30, 2014, Google posted a web form that enables individuals to request the removal of URLs from the results of searches that include that individual’s name. The web form acknowledges that this is Google’s “initial effort” to give effect to the recent and controversial decision of the Court of Justice of the European Union in Costeja, widely described as providing a “right to be forgotten.” That Google has moved quickly to offer individuals a formal removal request process will be viewed favorably, but the practicalities of creating a removals process that satisfies all interested parties will remain challenging, and not just for Google.

On May 28, 2014, Canadian Prime Minister Stephen Harper nominated Daniel Therrien as the next Privacy Commissioner of Canada. If approved, Therrien would take over from the interim Privacy Commissioner Chantal Bernier, who has been serving in this role after the previous Commissioner Jennifer Stoddart’s term ended in December 2013.

On May 14, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program provided a global overview of some of the most debated topics in data protection and privacy, including cross-border data flows, global data breach issues and the EU Cybersecurity Directive. In addition, we highlighted the latest information regarding the GPEN enforcement sweep.

On May 13, 2014, the European Court of Justice (the “CJEU”) rendered its judgment in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos (Case C-131/12, “Google v. AEPD” or the “case”). The case concerns a request made by a Spanish individual, Mr. Costeja, to the Spanish Data Protection Authority (Agencia Española de Protección de Datos or “AEPD”) to order the removal of certain links from Google’s search results. The links relate to an announcement in an online newspaper of a real estate auction for the recovery of Mr. Costeja’s social security debts. The information was lawfully published in 1998, but Mr. Costeja argued that the information had become irrelevant as the proceedings concerning him had been fully resolved for a number of years. The AEPD upheld the complaint and ordered Google Spain S.L. and Google Inc. (“Google”) to remove the links from their search results. Google appealed this decision before the Spanish High Court, which referred a series of questions to the ECJ for a preliminary ruling. The ECJ ruled as follows:

On May 19, 2014, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2013 (the “Report”) highlighting its main accomplishments in 2013 and outlining some of its priorities for the upcoming year.

On May 16, 2014, the Singapore Personal Data Protection Commission (the “Commission”) published advisory guidelines for the implementation of its Personal Data Protection Act (the “PDPA”) for two industry sectors. The guidelines were published on the same day on which the Commission held its well-attended Personal Data Protection Seminar focusing on international perspectives on data governance. The advisory guidelines generally have the following content:

Hunton & Williams LLP, in coordination with the U.S. Chamber of Commerce, recently issued a report entitled Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, highlighting the benefits of cross-border data transfers to businesses in the international marketplace. The report underscores the importance of developing data transfer mechanisms that protect privacy and facilitate the free-flow of data, and also explores opportunities for new data transfer regimes.

On May 13, 2014, the French data protection authority (“CNIL”) decided to examine 100 mobile apps most commonly used in France.

On May 12, 2014, the U.S. Chamber of Commerce released a report highlighting the benefits of cross-border data transfers across all sectors of the economy. Hunton & Williams LLP’s Global Privacy and Cybersecurity team developed the report with the Chamber of Commerce. The report, Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, presents pragmatic solutions for developing international mechanisms that both protect privacy and facilitate cross-border data flows.

On May 9, 2014, the Federal Trade Commission announced a settlement with clothing manufacturer American Apparel related to charges that the company falsely claimed to comply with the U.S.-EU Safe Harbor Framework. According to the FTC’s complaint, the company violated Section 5 of the FTC Act by deceptively representing, through statements in its privacy policy, that it held a current Safe Harbor certification even though it had allowed the certification to expire.

Hunton & Williams LLP’s Centre for Information Policy Leadership president, Bojana Bellamy, has been selected to participate in the “Privacy Bridge Project,” a new transatlantic initiative that seeks to develop practical solutions to bridge the gap between European and U.S. privacy regimes. Bellamy joins a distinguished group of approximately 20 privacy experts from the EU and U.S., convened by Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority and former Chairman of the Article 29 Working Party.

On May 6, 2014, the Office of the Privacy Commissioner of Canada announced the Global Privacy Enforcement Network’s (“GPEN’s”) second annual enforcement sweep. The sweep will focus on mobile app privacy and how mobile apps collect and use personal data.

On February 18, 2014, the Frankfurt am Main Regional Court issued a ruling addressing the use of opt-out notices for web analytics tools. The case concerned Piwik web analytics software and its “AnonymizeIP” function. The court held that website users must be informed clearly about their right to object to the creation of pseudonymized usage profiles. This information must be provided when a user first visits the website (e.g., via a pop-up or highlighted/linked wording on the first page) and must be accessible at all times (e.g., via a privacy notice).

On April 24, 2014, the Belgian Data Protection Authority (the “Privacy Commission”) published a Draft Recommendation regarding cookie usage, inviting all stakeholders to provide their input on the text. The Draft Recommendation clarifies the Belgian legal framework for the use of cookies and similar technologies, examining in detail the different purposes for which cookies and similar technologies may be used (e.g., authentication, storage of preferences) and explaining the steps to be taken to ensure compliance for each type of cookie use.

On April 30, 2014, the Asia-Pacific Economic Cooperation (“APEC”) released the Findings Report of the Joint Oversight Panel of the APEC Cross-Border Privacy Rules (“CBPR”) system, confirming that Japan has met the conditions for participation in the CBPRs. Accordingly, Japan has now joined the U.S. and Mexico as a participant in the APEC CBPRs. Canada recently expressed its intent to join the system soon, and other APEC economies are in the process of determining how and when they may join.

On April 29, 2014, the French Data Protection Authority (“CNIL”) disclosed its annual inspections program, providing an overview of its inspections in 2013 and a list of the inspections it plans to conduct in 2014. Under French data protection law, the CNIL is authorized to collect any useful information in connection with its investigations and access data controllers’ electronic data and data processing programs. Since March 2014, the CNIL also is permitted to collect such information online through remote investigations.

On April 25, 2014, a judge in the U.S. District Court for the Southern District of New York ruled that Microsoft must release user data to U.S. law enforcement when issued a search warrant, even if the data is stored outside of the U.S.

On April 16, 2014, the Article 29 Working Party (the “Working Party”) sent a letter (the “Letter”) to Lilian Mitrou, Chair of the Working Group on Information Exchange and Data Protection (the “DAPIX”) of the Council of the European Union, to support a compromise position on the one-stop-shop mechanism within the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

On April 23, 2014, Brazilian President Dilma Rousseff enacted the Marco Civil da Internet (“Marco Civil”), Brazil’s first set of Internet regulations. The Marco Civil was approved by the Brazilian Senate on April 22, 2014. President Rousseff signed the law at the NETMundial Internet Governance conference in São Paulo, a global multistakeholder event on the future of Internet governance.

On April 9, 2014, the Article 29 Working Party (the “Working Party”) issued an Opinion on using the “legitimate interests” ground listed in Article 7 of the EU Data Protection Directive 95/46/EC as the basis for lawful processing of personal data. Citing “legitimate interests” as a ground for data processing requires a balancing test, and it may be relied on only if (1) the data processing is necessary for the legitimate interests of the controller (or third parties), and (2) such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. With the Opinion, the Working Party aims to ensure a common understanding of this concept.

On April 10, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 04/2014. The Opinion analyzes the implications of electronic surveillance programs on the right to privacy and provides several recommendations for protecting EU personal data in the surveillance context.

On April 10, 2014, the Article 29 Working Party (the “Working Party”) issued a letter (the “Letter”) to Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, expressing its views on the European Commission’s ongoing revision of the EU-U.S. Safe Harbor Framework.

In March 2014, the State Postal Bureau of the People’s Republic of China (the “SPBC”) formally issued three rules (the “Rules”) establishing significant requirements regarding the protection of personal information: (1) Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Security Provisions”); (2) Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”); and (3) Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”). The Rules, each of which became effective on its date of promulgation, were issued in draft form in November 2013 along with a request for public comment.

On March 21, 2014, the Article 29 Working Party (the “Working Party”) issued a Working Document containing draft ad-hoc contractual clauses for transfers of personal data from data processors in the EU to data sub-processors outside the EU (the “Working Document”).

On April 8, 2014, the European Court of Justice ruled that the EU Data Retention Directive is invalid because it disproportionately interferes with European citizens’ rights to private life and protection of personal data. The Court’s ruling applies retroactively to the day the Directive entered into force.

On April 3, 2014, Markus Heyder published an opinion piece on global privacy interoperability in the International Association of Privacy Professionals’ Privacy Perspectives blog, entitled Getting Practical and Thinking Ahead: ‘Interoperability’ is Gaining Momentum. Heyder recently left the Federal Trade Commission to join the Centre for Information Policy Leadership at Hunton & Williams as Vice President and Senior Policy Counselor. During his tenure at the FTC, Heyder spent a significant amount of time working on EU-U.S. Safe Harbor and APEC Cross-Border Privacy Rules (“CBPRs”) issues.

On March 28, 2014, the 87th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for the 17 German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, to share their views on current issues, discuss relevant cases and adopt Resolutions aimed at harmonizing how data protection law is applied across Germany.

On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.

The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.

On March 20, 2014, Australia’s Privacy Amendment (Privacy Alerts) Bill 2014 was re-introduced in the Senate for a first reading. The bill, which was subject to a second reading debate on March 27, 2014, originally was introduced on May 29, 2013, but it lapsed on November 12, 2013 at the end of the session.

On March 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program focused on some of the recent developments in privacy, including observations from the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C., earlier this month, the National Institute of Standards and Technology final Cybersecurity Framework and the Article 29 Working Party’s recent Opinion on Binding Corporate Rules and Cross-Border Privacy Rules.

On March 18, 2014, Brazilian lawmakers announced the withdrawal of a provision in pending legislation that would have required Internet companies to store Brazilian users’ data within the country.

On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Française. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.

On March 13, 2014, the European Parliament voted to adopt the draft directive on measures to ensure a uniform level of network and information security (“NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013 as part of its cybersecurity strategy for the European Union. The NIS Directive aims to ensure a uniform level of cybersecurity across the EU. The European Parliament will next negotiate with the Council of the European Union to reach an agreement on the final text of the NIS Directive.

View the European Commission’s press release.

On March 12, 2014, the European Parliament formally adopted the compromise text of the proposed EU General Data Protection Regulation (the “Regulation”). The text now adopted by the Parliament is unchanged and had already been approved by the Parliament’s Committee on Civil Liberties, Justice and Home Affairs in October of last year. The Parliament voted with 621 votes in favor, 10 against and 22 abstentions for the Regulation.

On March 10, 2014, the German Federal Commissioner for Data Protection and Freedom of Information and all 16 German state data protection authorities responsible for the private sector issued guidelines on the use of closed-circuit television (“CCTV”) by private companies. The guidelines provide information regarding the conditions under which CCTV may be used and outline the requirements for legal compliance. The guidelines feature:

On March 6, 2014, the U.S. Federal Trade Commission (“FTC”) and UK Information Commissioner’s Office (“ICO”) signed a memorandum of understanding (“MOU”) to promote increased cooperation and information sharing between the two enforcement agencies.

On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 5-7, 2014. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

On February 25, 2014, the UK Information Commissioner’s Office (“ICO”) published an updated code of practice on conducting privacy impact assessments (“PIAs”) (the “Code”). The updated Code takes into account the ICO’s consultation and research project on the conduct of PIAs, and reflects the increased use of PIAs in practice.

On February 27, 2014, Chairwoman of the French Data Protection Authority (the “CNIL”) Isabelle Falque-Pierrotin was elected Chairwoman of the Article 29 Working Party effective immediately. Ms. Falque-Pierrotin succeeds Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, who chaired the Article 29 Working Party for four years. The Working Party also elected two new Vice-Chairs: Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, and Gérard Lommel of the Luxembourg Data Protection Authority.

On February 21, 2014, Peter Hustinx, the European Data Protection Supervisor (“EDPS”), highlighted the need to enforce existing EU data protection law and swiftly adopt EU data protection law reforms as an essential part of rebuilding trust in EU-U.S. data flows.

On January 31, 2014, the Greek Presidency of the Council of the European Union issued four notes regarding the proposed EU Data Protection Regulation. These notes, discussed below, address the following topics: (1) one-stop-shop mechanism; (2) data portability; (3) data protection impact assessments and prior checks; and (4) rules applicable to data processors.

On January 24, 2014, the Chamber Court of Berlin rejected Facebook’s appeal of an earlier judgment by the Regional Court of Berlin in cases brought by a German consumer rights organization. In particular, the court: 

In a decision published on February 11, 2014, the French Data Protection Authority (“CNIL”) adopted several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”).

Time 2 Minute Read

On February 11, 2014, Germany’s Federal Minister of Justice and Consumer Protection announced that consumer rights organizations will soon be able to sue businesses directly for breaches of German data protection law. Such additional powers had already been contemplated by the German governing coalition’s agreement and the Minister now expects to present a draft law in April of this year to implement them.

Time 2 Minute Read

On February 5, 2014, the Member States of the EU and European Free Trade Association (“EFTA”) as well as the European Network and Information Security Agency (“ENISA”) issued Standard Operational Procedures (“SOPs”) to provide guidance on how to manage cyber incidents that could escalate to a cyber crisis.

Time 2 Minute Read

On January 28, 2014, the Federal Court of Justice of Germany clarified the scope of a data subject’s right of access to personal data in the context of credit scoring. Germany’s Federal Data Protection Act contains detailed and expansive provisions on the right of access where personal data are processed and shared to determine a data subject’s future behavior.

Time 3 Minute Read

On January 28, 2014, Data Protection Day, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding gave a speech in Brussels proposing a new data protection compact for Europe. She focused on three key themes: (1) the need to rebuild trust in data processing, (2) the current state of data protection in the EU, and (3) a new data protection compact for Europe.

Time 2 Minute Read

On January 23, 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) released a report (the “Report”) concluding that the National Security Agency (“NSA”) does not have a valid legal basis for its bulk telephone records collection program. The NSA’s bulk collection of consumer telephone records has been under increased scrutiny since Edward Snowden leaked information about the program in June 2013, and recently has faced legal challenges. According to the Report, the NSA’s program exceeded its statutory parameters.

Time 2 Minute Read

On January 22, 2014, at the World Economic Forum in Davos-Klosters, Switzerland, Sweden’s Minister for Foreign Affairs Carl Bildt announced the creation of a new independent commission that will examine the future of Internet governance. The Global Commission on Internet Governance (the “Commission”) is being launched by think tanks Chatham House and The Centre for International Governance Innovation (“CIGI”). The Commission will be chaired by Bildt, Sweden’s former Prime Minister, and supported by expert members representing business, government, academia and civil society. In announcing the initiative, Bildt stated that “[n]et freedom is as fundamental as freedom of information and freedom of speech in our societies.”

Time 3 Minute Read

On January 21, 2014, the Federal Trade Commission announced settlements with twelve companies that allegedly falsely claimed that they complied with the U.S.-EU Safe Harbor Framework. The settlements stem from allegations that the companies violated Section 5 of the FTC Act by falsely representing that they held current Safe Harbor certifications despite having allowed their certifications to expire. The companies involved represent a variety of industries, ranging from technology and accounting to consumer products and National Football League teams.

Time 1 Minute Read

On January 21, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program highlighted some of the key privacy developments that companies will encounter in 2014, including cybersecurity issues in the U.S., California’s Do Not Track legislation, Safe Harbor, the EU General Data Protection Regulation and the CNIL’s new cookie guidance.

Time 3 Minute Read

In January 2014, the Department of Commerce’s International Trade Administration (“ITA”) posted a Key Points document to provide additional information about the benefits, oversight and enforcement of the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks. The Key Points document supplements information about the Safe Harbor Frameworks already available on the Department of Commerce website. For example, in the Key Points, the ITA notes that: 

Time 3 Minute Read

On January 16, 2014, the High Court in London rejected submissions made on behalf of Google Inc. (“Google”) that the case brought against it by three UK-based users of Apple’s Safari browser should be heard in the U.S., rather than before an English court. The decision means that the case could be heard before a court in England, although media reports suggest Google will appeal the decision.

Time 1 Minute Read

As reported by Bloomberg BNA, on January 13, 2014, Ukrainian Parliament Commissioner for Human Rights Valeriya Lutkovska (the “Ombudsman”) announced the adoption of new data protection regulations. The Ombudsman became the new data protection authority in Ukraine as of January 1, 2014, when amendments to abolish the previous data protection authority became effective. As we previously reported, Ukraine first passed personal data protection legislation in June 2010.

Time 1 Minute Read

The EU-U.S. Safe Harbor Framework is an important cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. Recently, however, the Safe Harbor’s future has been thrown into doubt. In an article published on October 30, 2013 by Practical Law, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, partner Bridget Treacy and associate Naomi McBride, examine the Safe Harbor Framework and its future ...

Time 3 Minute Read

On December 18, 2013, the UK Information Commissioner’s Office (“ICO”) published its proposed strategy for handling complaints, stating that, beginning in April 2014, it will focus its efforts on the investigation of serious and repeat violations of data protection laws. The ICO also intends to publish regular reports highlighting the number of complaints it receives about organizations and enforcement actions it has taken. The ICO is seeking comments on the proposed strategy, which is explained in a public consultation document, before January 31, 2014.

Time 2 Minute Read

In December 2013, the UK Information Commissioner’s Office (“ICO”) issued non-binding guidance aimed at app developers (the “Guidance”). The Guidance applies to all types of mobile devices, including smart TVs and video game consoles.

Time 1 Minute Read

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines was published in November 2012.

Time 3 Minute Read

In recent months, the Chinese government has devoted attention to the protection of personal information with, as we previously reported, the promulgation of a number of new data protection regulations. This focus is also illustrated by recent actions related to crimes involving personal information.

Time 6 Minute Read

On November 27, 2013, the State Post Bureau of the People’s Republic of China (the “SPBC”) released five draft normative rules for solicitation of public comment. Three of these rules, respectively entitled Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Draft Provisions”), Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”), and Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”) contain significant requirements regarding the protection of personal information. The deadline for submitting comments on the rules is December 27, 2013.

Time 4 Minute Read

On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.

Time 3 Minute Read

On December 12, 2013, Advocate-General Cruz Villalón of the European Court of Justice (“ECJ”) issued his Opinion on the compatibility of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) with the Charter of Fundamental Rights of the European Union (the “EU Charter”).

Time 2 Minute Read

As we previously reported, on October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Hunton & Williams has now published an analysis of these proposals.

Time 2 Minute Read

On November 15, 2013, the People’s Bank of China (the “PBOC”) issued its Administrative Measures for Credit Reference Agencies (the “Measures”) – eight months after the Administrative Regulations on the Credit Information Collection Sector (the “Regulations”) became effective on March 15, 2013. The Measures, which will take effect on December 20, 2013, were formulated to enhance the supervision and regulation of credit reference agencies and to promote positive developments in the credit information services sector.

Time 2 Minute Read

On November 21, 2013, the Supreme People’s Court of China passed the Provisions on the Online Issuance of Judgment Documents by People’s Courts (the “Provisions”), which will take effect on January 1, 2014. The Provisions replace earlier rules (of the same title) enacted by the Supreme People’s Court on November 8, 2010, and generally focus on improved implementation of the principles of standardizing the online issuance of judgment documents, promoting judicial justice and enhancing the public credibility of the judiciary.

Time 2 Minute Read

On November 28, 2013, the UK government published a paper in response to its March 2013 consultation on cybersecurity standards (“Response Paper”), and announced that it will create a new cybersecurity standard. The original consultation concluded in October 2013.

Time 2 Minute Read

On November 19, 2013, the National Health and Family Planning Commission of the People’s Republic of China published a draft of its proposed new Administrative Measures on Personal Health Information (the “Draft Measures”) and solicited public comments by December 20, 2013.

Time 5 Minute Read

On November 27, 2013, the European Commission published an analysis of the EU-U.S. Safe Harbor Framework, as well as other EU-U.S. data transfer agreements. The analysis includes the following documents:

Time 2 Minute Read

Brazilian lawmakers, including José Eduardo Cardozo, the Minister of Justice of Brazil, and Ideli Salvatti, the Secretariat of Institutional Relations, held several consensus-building meetings with party leaders over the past two weeks to reach a voting agreement on the Marco Civil da Internet (“Marco Civil”), a draft bill introduced in the Brazilian Congress in 2011. The Marco Civil would establish Brazil’s first set of Internet regulations, including requirements regarding personal data protection and net neutrality.

Time 2 Minute Read

As reported by Bloomberg BNA, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) recently issued data security guidelines that implement the security provisions of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

Time 3 Minute Read

On November 15, 2013, the Supreme Court of Canada declared the Alberta Personal Information Protection Act (“PIPA”) invalid because the legislation interfered with the right to freedom of expression in the labor context under Section 2(b) of the Canadian Charter of Rights and Freedoms (the “Canadian Charter”). The case arose in the context of a labor union representing employees of a casino in Alberta. During a lawful strike, the union recorded and photographed individuals crossing the union’s picket line near the main entrance of the casino. The union had posted a sign that the images of persons crossing the picket line might be placed on a website. A number of individuals who were recorded crossing the picket line filed complaints under PIPA with the Alberta Information and Privacy Commissioner, who appointed an adjudicator to determine whether the union had contravened PIPA by collecting and disclosing personal information about individuals without their consent. Under PIPA, organizations cannot collect, use or disclose personal information without the individual’s consent, unless an exception applies.

Time 2 Minute Read

On November 4, 2013, the China Insurance Regulatory Commission, which is the Chinese regulatory and administrative authority for the insurance sector, issued the Interim Measures for the Management of the Authenticity of Information of Life Insurance Customers (the “Measures”). The Measures require life insurance companies and their agents to ensure the authenticity of personal data of life insurance policy holders. To help achieve this objective, the Measures impose rules for the collection, recording, management and use of the personal data of policy holders.

Time 1 Minute Read

On November 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the second webcast in its Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation (“Proposed Regulation”), including a discussion of the European Parliament’s recent approval of its Compromise Text for the Proposed Regulation.

Time 3 Minute Read

The Luxembourg data protection authority (Commission nationale pour la protection des données, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).

Time 5 Minute Read

On November 14, 2013, the Minister of the Malaysian Communications and Multimedia Commission (the “Minister”) announced that Malaysia’s Personal Data Protection Act 2010 (the “Act”) would be going into effect as of November 15, marking the end of years of postponements. The following features of the law are of particular significance:

Time 1 Minute Read

On November 4, 2013, the data protection authority (“DPA”) of the German state of Rhineland-Palatinate announced two sets of recommendations for mobile payment systems, including contactless payments. The recommendations were prepared in conjunction with the state consumer protection agency, the Ministry of Justice for Rhineland-Palatinate, the mobile payment industry and research organizations.

Time 1 Minute Read

On October 27, 2013, the South Korean Ministry of Security and Public Administration indicated that the government will issue certifications to private and public organizations that meet certain requirements of the Personal Information Protection Act. According to The Korea Times, organizations will be able to apply for the certification with the National Information Society Agency (“NISA”) beginning on November 28, 2013. The number of requirements that an organization will be assessed against will depend on the size of the organization. The Korea Times reports ...
