On May 10, 2016, the French and German antitrust authorities published a joint study on competition law and the collection and use of data, particularly so-called big data (the Big Data Study). Data protection as such is outside the scope of EU competition laws, but antitrust authorities have considered the significance of data on a number of occasions, often in the context of merger reviews such as the EU Commission’s Facebook/WhatsApp case.… Continue Reading
On February 29, 2016, the European Commission published the documents comprising the new EU-U.S. Privacy Shield, the adoption of which we previously covered on our blog. In the Commission’s opinion, the new framework reflects the requirements set forth by the European Court of Justice in the Schrems ruling, which invalidated the U.S.-EU Safe Harbor framework. The Commission’s proposed adequacy decision holds that “the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield”.… Continue Reading
Posted in Regulatory response
On February 3, 2016, the Article 29 Working Party (WP29) released a statement on the consequences of the Schrems judgment, following an assessment of the legal framework and the practices of US intelligence services. The WP29 expressed continuing concerns about the US framework for processing personal data for intelligence purposes, in spite of recent reforms.… Continue Reading
Posted in Regulatory responseOn February 2, 2016, the European Commission and the United States reached an agreement on a new framework to permit transatlantic transfers of personal data. The new framework — named “EU-US Privacy Shield” — is slated to replace the US-EU Safe Harbor framework that was invalidated by the Court of Justice for the European Union.… Continue Reading
Posted in Regulatory response
The Russian data protection authority, Roscomnadzor, has given major U.S. technology companies extra time to comply with the Russian data localization law.
The law, which went into effect on September 1, 2015, requires companies to store and process all personal data of Russian citizens using databases located in Russia. The law imposes a variety of penalties for violations, including the authority to prevent offending companies from operating in Russia by blocking their access to local hosting and telecommunications infrastructure.
It is being reported that Russian regulators told certain U.S. companies such as Facebook, Google and Twitter that … Continue Reading
The hackers behind the Ashley Madison attack, who call themselves the “Impact Team,” have continued to release user and internal data on the dark web.… Continue Reading
In January, we commented on the release of a consultation paper by Abu Dhabi Global Market (ADGM) relating to proposed employment regulations. At the time, ADGM indicated that it would not be introducing more general legislation to regulate the handling and processing of personal data in the new free zone.
The Board of Directors of ADGM has subsequently reconsidered the issue and issued a consultation paper inviting public comment on a proposed set of standalone data protection regulations. This would be an alternative to the individual provisions currently legislating for a limited level of data protection on the … Continue Reading
Posted in Regulatory response
Russia’s data protection authority, Roscomnadzor, has held a number of meetings with business associations to respond to the wave of questions that have arisen about the interpretation and application of Russia’s personal data localization law.
The law, which enters into force on September 1, 2015, requires that an operator, while collecting personal data, ensures the recording, systematization, accumulation, storage, rectification (update, change) and extraction of Russian citizens’ personal data using databases located in Russia. The meetings sought to address at least two key concerns — whether data stored locally could also be transferred outside of Russia, and the reach … Continue Reading
Posted in Compliance and risk management
In a recent blog post, reflecting on Google’s ongoing dispute with France’s CNIL about the scope of the “right to be forgotten,” Peter Fleisher, Google’s Global Privacy Counsel, announced that Google will maintain its position that that company would not comply with the CNIL’s formal notice dated May 21, 2015 to implement individuals’ requests to exercise their “right to be forgotten” on the company’s sites worldwide.… Continue Reading
Posted in Regulatory response
On July 6, 2015, China’s top legislative body – the National People’s Congress – published a draft Cyber Security Law that, if enacted in its current form, will have far-reaching consequences for businesses operating in China.
The draft expressly provides that the law will apply equally to both Chinese and international businesses.… Continue Reading
Posted in Dispute resolution and litigation
A recent English Court of Appeal judgment could significantly broaden the circumstances in which data protection litigation can be brought – and damages can be awarded – under English law.
Background
Vidal-Hall et al v Google ([2015] EWCA Civ 311) involves claims brought by three individual users against Google. The users alleged that Google collected private information about their internet usage (“Browser-Generated Information”) via their web browser, Apple Safari, without their knowledge or consent.
The users argued that, by the automatic use of cookies in a work-around to the default privacy setting, Google was able to obtain and record Browser-Generated … Continue Reading
