Sent to subscribers May 2012

I am pleased to enclose our Supplement #8 to the two-volume treatise Global Privacy and Security Law. A new chapter was added to provide an analysis of the Proposed EU Data Protection Regulation, which is intended to replace the seminal Directive 95/46/EC, also known as the EU Data Protection Directive. We are also providing updates to 12 of the existing chapters. The most significant changes are described below.

Chapter 6A—Proposed EU Data Protection Regulation. On January 25, 2012, the European Commission published important legislative documents designed to create a new data protection framework in the European Union. One of these texts, which is intended to supersede Directive 95/46/EC, is the proposed General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The new chapter focuses on the provisions of this proposed regulation.
European Union

Chapter 5—Introduction to the European Union Data Directives. This chapter is supplemented with a brief description of the Data Protection Reform package; which was issued on January 25, 2012 by the European Commission and which contains a proposed Data Protection Regulation and a proposed Directive issued on January 25, 2012 by the European Commission.


Chapter 45—Mexico. On December 21, 2011, Mexico’s Ministry of Economy published in the Official Journal of the Federation, the first set of Regulations under the Federal Law on the Protection of Personal Data Possessed by Private Persons (Regulations). The Mexico chapter has been updated to take into account any clarifications made by the Regulations. For example, the Regulations provide guidance on the specific measures required from data controllers to ensure the security and protection of personal data. The Regulations also specifically address Cloud Computing.

Chapter 65—United States of America. In the United States, despite periodic efforts of the legislators at drafting bills that would create a form of federal law of privacy, the United States continues to enjoy or suffer from its very diverse set of data protection laws. The recent attempts at reforming the current regime include a proposal by the Federal Trade Commission to revise the Regulations under the Children Online Privacy Protection Act (COPPA) and a proposal from the White House to adopt a Consumer Privacy Bill of Rights. The settlements between the Federal Trade Commission and two major Silicon Valley companies, Google and Facebook, are discussed. In these two cases, the emphasis is on the protection of privacy—as opposed to security—and both cases outline the FTC’s specific recommendations with respect to companies’ internal privacy programs.


Chapter 19—China. A new section discusses the issuance of Informatization Regulations by local governments in China. The more recent Jiangsu Regulations, published on September 23, 2011, are considered to be paving the way for more local governments to issue information protection regulations since most of the informatization regulations previously published by other local governments have been mainly related to prohibiting the abuse of information obtained from the Internet.

Chapter 38—Japan. The enforcement status section has been supplemented with new or revised guidelines issued by the competent ministers.


Chapter 28—France. The France chapter updates comments on several cases concerning the protection of personal data. One case involves the unfair collection of data by a web crawler on an online social networking site; another case involves commercial communications in which the CNIL fined a real estate company for sending unsolicited commercial messages to home owners; and the last case involves the suspension of a whistleblowing system set up by a U.S. company inside a French-based subsidiary. In addition, the CNIL provided an English version of its Guide on Security of Personal Data. The Employee Information section provides new information on the use of geo-location and biometric devices by employers.

Chapter 32—Hungary. The updates to the Hungary chapter include information on specific circumstances when transfers of personal data out of the country do not require an adequate level of protection to be guaranteed. Also, the contact information of the Data Protection and Freedom of Information Agency has been provided, as well as additional footnotes throughout the chapter.

Chapter 35—Ireland. The entire Ireland chapter has been edited and updated. The update discusses a very important case involving an Internet service provider and a management company responsible for authorizing the use by third parties of copyrighted musical works, in which the European court held granted the Internet service provider’s appeal on the grounds that IP addresses were protected personal data because they allow users to be identified. The section on whistleblowing has also been updated with recent information regarding the passing of statutes increasing whistleblower protection.

Chapter 42—Luxembourg. The Luxembourg chapter discusses a recent Court of Appeals decision involving the expectation of privacy by employees in the workplace. The court considered that under certain circumstances this right may be restricted by employers.

Chapter 44—Malta. The Malta updates include a decision of the Court of Appeals on June 14, 2011, which ruled in favor of disclosing sensitive data in a court case involving a land dispute. In addition, the Office of the Information and Data Protection Commissioner issued a note with respect to the use of biometric devices at the workplace.

Chapter 58—Spain. The updates to the Spain chapter discusses the recent amendments to the Spanish Data Protection Law, which resulted in a modification of the provisions relating to infringements and penalties.