International Privacy Law

Today the European Court of Justice (“ECJ”) issued its Judgment in the Schrems case, and in doing so, added another tremor to the ongoing seismic shift related to cross-border privacy law. The two major elements of today’s Judgment are: 1) that Commission Decision 2000/520/EC  of 26 July 2000 of the adequacy of the protection provided by the US Safe Harbor Framework (the “Safe Harbor Decision”) is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority to enforce data protection rights as granted by Article 28 of Directive 95/46/EC (the “DP Directive”).

Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer term consequences for the stability of US-EU commerce and privacy law.
Continue Reading

On July 21, 2014, Russia adopted Federal Law No. 242-FZ, “On Amendments to Certain Legislative Acts of the Russian Federation for Clarification of the Procedure of Personal Data Processing in Information and Telecommunication Networks” (“Federal Law No. 242-FZ”), which introduces a number of changes to existing Russian data protection laws. Specifically, it amends Federal Law No. 152-FZ, “On personal data,” by establishing a localization requirement for personal data processing.

Effective Date

What makes Federal Law No. 242-FZ important is its effective date. It was initially scheduled to come into force on September 1, 2016. However, on December 31, 2014, Federal Law No. 526-FZ was enacted, which changed the effective date of Russia’s Data Localization Law to September 1, 2015.
Continue Reading

Under section 56 of the Data Protection Act 1998 (DPA), it is now a criminal offence for any person or organisation to require an individual to submit a ‘subject access request’ (i.e. the right for an individual to access any of their personal data held by third parties on payment of a fee, provided certain requirements are met) in order to obtain and provide a copy of their criminal record. This will not prevent employers and others from obtaining access to criminal records through legitimate means (for example, seeking disclosure officially through the Disclosure and Barring Service). The offence was created over a decade and a half ago but has only been brought into force on 10 March 2015.
Continue Reading

The French Answer to Flexible Working

Ever since the first laws on the 35-hour week were enacted over fifteen years ago, monitoring working time has been a headache for employers in France. With the introduction of new technology and mobile devices, the situation has worsened. The French approach to flexible working is to reaffirm that employees have the right to privacy and in some sectors the obligation to disconnect, as recently shown by the CNIL, the French Data Privacy Watchdog and the SYNTEC Federation.
Continue Reading

The CJEU’s judgment against Google has been hailed as a “Landmark Ruling“. I agree that this judgment is a landmark ruling – however, not for the reason everyone else is making it out to be. As noted earlier, the “Right to be Forgotten” isn’t really in the holding of the judgment. Further, the “long-arm” application of EU law isn’t something new (at least to US attorneys). What is new is the reason for allowing a right of deletion against a search engine and not the underlying publisher of the original facts.
Continue Reading

The Court of Justice for the European Union (“CJEU”) issued a judgment in the case Google v. AEPD which has garnered a significant amount of attention. The two primary reasons for this attention (besides it is a case against Google – which usually is newsworthy) are 1) the seeming expansion of EU law into extra-territorial reach, and 2) the recognition of the “Right to be Forgotten”. Several authors have taken it upon themselves to spill quite a bit of ink on this judgment. And, there is some trepidation that business will be negatively impacted in a new and significant way under this judgment. A careful reading of both the Advocate General’s Opinion as well as the CJEU’s judgment in this matter does show how the EU is progressing in the matter of cross-border privacy protections. However, this judgment may not be as far reaching as some commentators have thought.
Continue Reading

To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”

Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. In each of the other criteria, if the criteria is met, the grounds for processing are considered a priori legitimate. In Article 7(f), each purpose for processing will need to have the balancing test engaged. This is going to require a bit more analysis than the other criteria. However, because of the fact that this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing).
Continue Reading

When talking about EU privacy law many businesses bemoan the lack of a “commercially reasonable” basis for collecting and using personal information. Europe is usually seen as a consumer-protective regime which focuses on prohibiting business from doing anything with data unless the consumer has affirmatively agreed to the processing before the processing begins (e.g. the “cookie directive”). However, the Article 29 Working Party (“WP”) has just released an Opinion which signals a change in the winds. The rarely used “legitimate interest of the data controller” basis for processing now has a new importance in the realm of fair and legal criteria for processing personal information.
Continue Reading

A recurring criticism of Australian privacy law has been that the Privacy Act 1988 (Cth) (the Act) lacked any real bite – the enforcement powers of the privacy watchdog, the Information Commissioner, were limited. However, recent amendments to the Act, which introduced a new set of privacy principles, have increased the Commissioner’s enforcement powers. Employers should familiarise themselves with the changes in order to ensure they are compliant with the new regime.

Background

On 12 March 2014, significant amendments to the Act came into operation. The changes affect all private sector organisations and government agencies covered by the Act, which will include most Australian employers except for “small businesses” with less than $3 million in annual turnover.

In brief, the Act deals with how organisations are to manage “personal information”. The scheme of the Act works by subjecting organisations that it covers to a series of “privacy principles” that govern how personal information is to be collected, stored, handled and used.
Continue Reading

In recognition of the need for the world’s two largest economic blocks to coordinate data protection efforts, The Article 29 Working Party of the EU released a “Referential” to map the EU requirements for Binding Corporate Rules (“BCRs”) and the APEC Cross Border Privacy Rules System (“CBPRs”). This Referential is a tool for the two systems to determine common ground. Ultimately, it will be used by the EU in the process of determining what level of cross-recognition may exist between BCRs and CBPRs, in terms of the “adequacy” necessary to move data between the EU and Asia.
Continue Reading