Tag archives: data protection

Hamburg DPA’s Safe Harbor Fines Spell Further Uncertainty and Risk for Global Companies

By Christoph Ritzer (DE) on June 8, 2016 Posted in Compliance and risk management, Regulatory response

Data Protection Report - Norton Rose Fulbright

On June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica and Unilever, in the amounts of 8,000, 9,000 and 11,000 Euro, respectively.

Since the invalidation of the Safe Harbor framework by the Court of Justice of the European Union (“CJEU”) in October 2015, German DPAs have taken an active role in questioning cross-border data … Continue Reading

Big data: French and German authorities explore antitrust issues

By Jay Modrall (BE) on May 12, 2016 Posted in Compliance and risk management, Data breach, General

On May 10, 2016, the French and German antitrust authorities published a joint study on competition law and the collection and use of data, particularly so-called big data (the Big Data Study). Data protection as such is outside the scope of EU competition laws, but antitrust authorities have considered the significance of data on a number of occasions, often in the context of merger reviews such as the EU Commission’s Facebook/WhatsApp case.… Continue Reading

Germany court held that Facebook’s “Like” button violates privacy laws

By on April 24, 2016 Posted in Compliance and risk management

Our sister blog, Social Media Law Bulletin, just analyzed Germany’s latest ruling on retail web site Peek & Cloppenburg’s integration of Facebook’s “like” button into its site.

Our readers will be interested to learn how this rapidly growing social marketing tool is tracking users’ IP addresses, browser strings and more. The usually conservative German court predictably held that the “like” button violated users’ privacy rights.

Visit the Social Media Law Bulletin blog

Written by our South African colleagues, Nerushka Deosaran and Tatum Govender, read the Social Media Law Bulletin post, ”Facebook ‘like’ button violates privacy laws” to learn … Continue Reading

EU Article 29 Working Party prepares for General Data Protection Regulation and responsibilities as European Data Protection Board

By Marcus Evans (UK) and Jay Modrall (BE) on February 15, 2016 Posted in Compliance and risk management, Data breach, General, Regulatory response

On February 11, 2016, the Article 29 Working Party (WP29) issued a statement setting out its 2016 action plan for implementation of the General Data Protection Regulation (GDPR) and its work programme for 2016-2018. WP29 will have 8 working groups leading the implementation of the 2016-2018 work programme.

The statement highlights the following points:

WP29 will develop guidelines, tools and procedures for the GDPR framework to be effective for the first semester of 2018.
The GDPR will have a distributed governance model with three key pillars (i) “a higher role” for national data protection authorities (

Political agreement on EU Data protection reforms: the real count-down to compliance has started

By Marcus Evans (UK) and Jay Modrall (BE) on December 17, 2015 Posted in Data breach, Regulatory response

On December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive. Formal approval by the Council is expected shortly and by the European Parliament in early 2016, after which the legislation will be published in the Official Journal. The new provisions will apply two years later, in the first quarter of 2018.… Continue Reading

Council and European Parliament reach agreement on NIS Directive

By Jay Modrall (BE) and Marcus Evans (UK) on December 10, 2015 Posted in Cybercrime, Regulatory response

On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD).

The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union for Foreign Affairs and Security Policy published a strategy for ‘An Open, Safe and Secure Cyberspace’ and proposed a directive in 2013. Once adopted, likely in early 2016, EU Member States will have 21 months to adopt the necessary national provisions to comply with the … Continue Reading

Belgian court orders Facebook to stop tracking non-members, rejects FB’s assertion of lack of jurisdiction

By Marcus Evans (UK) and Jay Modrall (BE) on November 23, 2015 Posted in Compliance and risk management, Dispute resolution and litigation

On November 9, 2015, the President of the Brussels Court of First Instance ordered Facebook to stop tracking non-members in Belgium without their consent. The court imposed a penalty of EUR 250,000 per day for non-compliance.

The proceeding is the result of a formal recommendation that the Belgian Privacy Commission (BPC) issued in May 2015 requesting Facebook to cease the tracking of non-users. The BPC alleged that Facebook collected information about the web browsing behavior of users who were not Facebook members by using social plug-ins and cookies, which the BPC alleged Facebook placed on users’ computers when they visited … Continue Reading

Reports suggest US-EU agreement on cross-border data transfers near, but will it stick?

By on October 29, 2015 Posted in Regulatory response

It is being reported that the EU and the US have reached an agreement in principle on the revised cross-border data transfer framework, commonly referred to as Safe Harbor 2.0. Both sides expect further progress on the specifics in November of this year. Some of the thornier issues, however,regarding US surveillance activities, that are critical to addressing the concerns the ECJ raised in Schrems, are yet to be firmed up with verifiable compliance commitments.… Continue Reading

WP29 Issues Post-Safe Harbor Guidance

By Marcus Evans (UK), Jamie Nowak (DE) and Jay Modrall (BE) on October 16, 2015 Posted in General

The following is the statement of WP29 on the Schrems decision. It is a short opinion that we replicated here in full. We note that WP29 appears to suggest that model clauses and BCRs remain viable through at least January 2016, which is when WP29 would like to see the US and EU agree to a legal, political and technical solution on data transfers. The opinion suggests coordinated enforcement by DPAs after January 2016, but it is unclear whether such enforcement will focus on Safe Harbor-certified companies alone, or will also undermine model clauses and BCRs. We are continuing to … Continue Reading

A German data protection authority questions model clauses

By Christoph Ritzer (DE) on October 15, 2015 Posted in Regulatory response

The German data protection authority from the northern state Schleswig-Holstein has released guidance in connection with the ECJ’s decision on Safe Harbor.… Continue Reading

Schrems: ECJ invalidates the Commission’s Safe Harbor Decision

By Marcus Evans (UK), Jay Modrall (BE) and Jamie Nowak (DE) on October 6, 2015 Posted in Compliance and risk management

The European Court of Justice (ECJ) ruled on Case C-362/14 (the Schrems case) earlier today, 6 October 2015. In its ruling, the ECJ – among other things – held that the EU Commission’s “US Safe Harbor” decision is invalid.… Continue Reading

Schrems Counterpoint: ECJ has good reasons to reject Safe Harbor invalidation

By Jay Modrall (BE) and Marcus Evans (UK) on October 1, 2015 Posted in Regulatory response

The European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015. In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing negotiations to update the Safe Harbor framework, and raise questions about the interpretation of the proposed General Data Protection Regulation, which is currently being finalized in trialogue negotiations among the EU’s Council, Parliament and Commission. If the … Continue Reading

European Court of Justice Advocate General’s Advisory Opinion in Schrems case questions validity of personal data transfers under EU/US Safe Harbor framework

By Marcus Evans (UK) on September 24, 2015 Posted in Compliance and risk management, General

On September 22, 2015, the European Court of Justice (“ECJ”) Advocate General issued an advisory Opinion in Case C-362/14 (the “Schrems” case). A key recommendation was for the ECJ to declare the EU/US Safe Harbor Agreement invalid. It remains to be seen whether the ECJ will follow this recommendation. The controversial nature of the Safe Harbor recommendation makes predicting whether the ECJ will follow the Opinion virtually impossible. A possible mitigation of the massive impact on trans-Atlantic trade such a finding would have may be that any invalidity that the ECJ identifies in its ultimate decision is met … Continue Reading

Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law

By Floortje Nagelkerke (NL) and Nikolai de Koning (NL) on September 24, 2015 Posted in Compliance and risk management, Data breach

On the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to the affected individuals. This obligation will take effect on January 1, 2016. The guidelines define a data breach as a security incident that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data.… Continue Reading

Former Privacy Commissioner of Canada Jennifer Stoddard to headline a privacy event at Norton Rose Fulbright’s Montreal office

By on September 23, 2015 Posted in General

On September 25, 2015, Jennifer Stoddard will visit Norton Rose Fulbright in Montreal to discuss the proposed sweeping reforms to Quebec’s legislation governing access to information and protection of personal information in the public sector. These reforms include proactive publication of government information at all levels, including studies and statistics in health and education and statistics on members of professional orders. They also include proposals to publish anonymized personal information provided that re-identification risk is contained. The proposed reforms of the Quebec legislation align with calls for reform to federal legislation on the same topic. While Quebec is moving to … Continue Reading

European Union data protection regime reform: What should businesses be doing now to get ready? – web seminar

By on July 7, 2015 Posted in Regulatory response

On Wednesday, July 29, 2015, Norton Rose Fulbright partners Boris Segalis and Marcus Evans will present a web seminar on European Union (EU) General Data Protection Regulation reform.… Continue Reading

NLRB asserts employers must bargain with unions on breach response

By on April 29, 2015 Posted in Compliance and risk management, Data breach, General, Regulatory response

The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service’s unilateral decision to provide credit monitoring and fraud insurance to affected employees without engaging in collective bargaining with the union on these issues violated Sections 8(a)(1) and (5) of … Continue Reading

NAIC adopts cybersecurity guidance for insurance regulators and the insurance industry

By Alex Altman (US) on April 24, 2015 Posted in Regulatory response

The National Association of Insurance Commissioners (“NAIC”), a standards-setting organization comprised of insurance regulators from across all U.S. jurisdictions, has recently adopted twelve Principles for Effective Cybersecurity Insurance Regulatory Guidance (the “Principles”). The Principles arrive in in the wake of the prominent Anthem data breach, highlighting the importance of protecting sensitive personal data in the insurance sector. Addressing this challenge, the NAIC established the Principles to provide state insurance regulators and industry participants guidance regarding the protection of sensitive personal, financial, and healthcare data. The Principles broadly lay out the practices, guidelines, and measures that both regulators and the … Continue Reading

Dispute resolution mechanisms for SAs and individuals are key part of proposed EU regulation

By Marcus Evans (UK) on April 21, 2015 Posted in Regulatory response

This is Part 5 — the final part — of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In Part 4 we discussed the consistency … Continue Reading

EU regulation proposal seeks to encourage consistency in data protection enforcement

By Marcus Evans (UK) on April 16, 2015 Posted in Regulatory response

This is Part 4 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In this Part we consider the consistency mechanism applicable to SAs.

Consistency … Continue Reading

EU focuses on authority of SAs to enforce “One Stop Shop,” proposes a replacement for WP29

By Marcus Evans (UK) on April 16, 2015 Posted in Regulatory response

This is Part 3 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In this Part we consider the scope of authority (i.e., “competency”) of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB).

Competency of supervisory authorities

Please note that the … Continue Reading

EU’s “One Stop Shop” Proposal Focuses on “Main Establishment” as Nexus of DPA Enforcement Authority

By Marcus Evans (UK) on April 14, 2015 Posted in Regulatory response

This is Part 2 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In this Part we examine the concept of main establishment and the position of entities without an EU establishment.

Main Establishment

The operation of the One Stop Shop depends on being able to determine the ‘main establishment’ of a business. This dictates which supervisory authority (SA) will be the lead SA where the controller or processor processes … Continue Reading

UK Court of Appeal Establishes Data Protection Rights in Privacy Case

By Jane Berry (UK), Ffion Flockhart (UK) and Marcus Evans (UK) on April 9, 2015 Posted in Dispute resolution and litigation

A recent English Court of Appeal judgment could significantly broaden the circumstances in which data protection litigation can be brought – and damages can be awarded – under English law.

Background

Vidal-Hall et al v Google ([2015] EWCA Civ 311) involves claims brought by three individual users against Google. The users alleged that Google collected private information about their internet usage (“Browser-Generated Information”) via their web browser, Apple Safari, without their knowledge or consent.

The users argued that, by the automatic use of cookies in a work-around to the default privacy setting, Google was able to obtain and record Browser-Generated … Continue Reading

Ontario Court of Appeal finds patients’ common law privacy rights not preempted by statute; allows class action to proceed

By on February 25, 2015 Posted in Dispute resolution and litigation, General

In a recent case involving a breach of patients’ privacy rights — Hopkins v Kay,^[i] — the Ontario Court of Appeal ruled that a proposed class action could proceed based on allegations of violation of patients’ common law privacy rights, concluding that those rights were not preempted by the Personal Health Information Protection Act (PHIPA). Specifically, the court determined that PHIPA is not a “complete code” and therefore did not “oust” the plaintiff’s common law tort claim for breach of privacy (the tort of intrusion upon seclusion). Hopkins provides important guidance in the fields of privacy law and class … Continue Reading