The U.S. Financial Crimes Enforcement Network (FinCEN) and the China Anti-Money Laundering Monitoring and Analysis Center (CAMLMAC) recently signed a Memorandum of Understanding (MOU) to create a “framework to facilitate expanded U.S.-China collaboration, communication, and cooperation” between each agency’s financial intelligence units (FIUs). News Release (December 11, 2015).
In announcing the MOU, FinCEN Director Jennifer…
Last week, the government of Australia released an “Exposure Draft” of a bill that, if passed into law, would amend Australia’s Privacy Act to require notification to the government and affected individuals in the event of a data breach. Currently, although Australian law requires government agencies and businesses subject to the Privacy Act to take reasonable steps to protect personal information, it does not mandate notification following a data breach. The proposed Australian law requires notification only in the event of a “serious data breach,” which is defined as unauthorized access to, or disclosure/loss of, personal and certain other information that results in a “real risk of serious harm” to any of the individuals to whom the information relates. …
Continue Reading Australia’s Proposed Data Breach Notification Law: What’s The Harm In A “Real Risk of Serious Harm” Standard?
The annual conference of the world’s data protection regulators is a three day exercise, with half of the conference being “closed door” for the regulators only, and the other half being a series of side meetings and presentations, which report out to interested attendees the results of the closed door meetings. This is a good meeting to gain insight in the next year’s trends in data protection regulation and enforcement across the globe. While this conference happens every year, the events in the European Court of Justice and the impending completion of the new General Data Protection Regulation (“GDPR”) made this year’s conference particularly interesting. Here are some of the insights which were developed during the conference:…
Continue Reading The 37th International Conference of Data Protection & Privacy Commissioners – Some Observations
Today the European Court of Justice (“ECJ”) issued its Judgment in the Schrems case, and in doing so, added another tremor to the ongoing seismic shift related to cross-border privacy law. The two major elements of today’s Judgment are: 1) that Commission Decision 2000/520/EC of 26 July 2000 of the adequacy of the protection provided by the US Safe Harbor Framework (the “Safe Harbor Decision”) is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority to enforce data protection rights as granted by Article 28 of Directive 95/46/EC (the “DP Directive”).
Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer term consequences for the stability of US-EU commerce and privacy law.
Continue Reading Safe Harbor – Not so Safe After Schrems
On July 21, 2014, Russia adopted Federal Law No. 242-FZ, “On Amendments to Certain Legislative Acts of the Russian Federation for Clarification of the Procedure of Personal Data Processing in Information and Telecommunication Networks” (“Federal Law No. 242-FZ”), which introduces a number of changes to existing Russian data protection laws. Specifically, it amends Federal Law No. 152-FZ, “On personal data,” by establishing a localization requirement for personal data processing.
Effective Date
What makes Federal Law No. 242-FZ important is its effective date. It was initially scheduled to come into force on September 1, 2016. However, on December 31, 2014, Federal Law No. 526-FZ was enacted, which changed the effective date of Russia’s Data Localization Law to September 1, 2015.
Continue Reading Fortress Russia – The Russian Data Localization Law
Under section 56 of the Data Protection Act 1998 (DPA), it is now a criminal offence for any person or organisation to require an individual to submit a ‘subject access request’ (i.e. the right for an individual to access any of their personal data held by third parties on payment of a fee, provided certain requirements are met) in order to obtain and provide a copy of their criminal record. This will not prevent employers and others from obtaining access to criminal records through legitimate means (for example, seeking disclosure officially through the Disclosure and Barring Service). The offence was created over a decade and a half ago but has only been brought into force on 10 March 2015.
Continue Reading Crackdown on ‘Back-door’ Criminal Record Checks
The French Answer to Flexible Working
Ever since the first laws on the 35-hour week were enacted over fifteen years ago, monitoring working time has been a headache for employers in France. With the introduction of new technology and mobile devices, the situation has worsened. The French approach to flexible working is to reaffirm that employees have the right to privacy and in some sectors the obligation to disconnect, as recently shown by the CNIL, the French Data Privacy Watchdog and the SYNTEC Federation.
Continue Reading The French Answer To Flexible Working: The Right To Privacy and To Limit Work After Business Hours
The CJEU’s judgment against Google has been hailed as a “Landmark Ruling“. I agree that this judgment is a landmark ruling – however, not for the reason everyone else is making it out to be. As noted earlier, the “Right to be Forgotten” isn’t really in the holding of the judgment. Further, the “long-arm” application of EU law isn’t something new (at least to US attorneys). What is new is the reason for allowing a right of deletion against a search engine and not the underlying publisher of the original facts.
Continue Reading The CJEU’s Judgement Against Google: What It Does Mean
The Court of Justice for the European Union (“CJEU”) issued a judgment in the case Google v. AEPD which has garnered a significant amount of attention. The two primary reasons for this attention (besides it is a case against Google – which usually is newsworthy) are 1) the seeming expansion of EU law into extra-territorial reach, and 2) the recognition of the “Right to be Forgotten”. Several authors have taken it upon themselves to spill quite a bit of ink on this judgment. And, there is some trepidation that business will be negatively impacted in a new and significant way under this judgment. A careful reading of both the Advocate General’s Opinion as well as the CJEU’s judgment in this matter does show how the EU is progressing in the matter of cross-border privacy protections. However, this judgment may not be as far reaching as some commentators have thought.
Continue Reading The CJEU’s Judgment Against Google: What It Doesn’t Mean
To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”
Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. In each of the other criteria, if the criteria is met, the grounds for processing are considered a priori legitimate. In Article 7(f), each purpose for processing will need to have the balancing test engaged. This is going to require a bit more analysis than the other criteria. However, because of the fact that this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing).
Continue Reading Legitimate Interests – Alternative to Notice & Choice?
