Sent to subscribers in Sept 2013

I am pleased to announce that our Supplement #12 to the two-volume treatise Global Privacy and Security Law is now available.

Supplement 12 provides updates for twenty-nine of the existing chapters. On the European front, a number of the country chapters have been updated to illustrate how the respective countries are implementing the 2009 Directive with respect to cookies. The Netherlands chapter has been significantly updated and it contains useful comments on the notion of what constitutes “personal information” and the recent Article 29 opinion on the concept of “purpose limitation” and “use limitation”.

In the United States two major laws have been updated by the adoption of significant new regulations. The updated chapter on the United States includes analysis of the new Health Information Rules, which will come into force at the end of September 2013, and the new Children’s Online Information Protection Rule that became effective in July 2013.

The most significant updates included in Supplement 12 are outlined below.

Americas

Chapter 17 – Canada: The Federal Privacy Commissioner of Canada has been extremely active this year; she has issued several reports, for example reports requesting amendments to PIPEDA, among others. Many sections in the chapter have been updated with information relating to these reports. The chapter has also been updated with information regarding several court cases and decisions that affect data privacy and security.

Chapter 24 – Dominican Republic: A minor update has been provided for the Dominican Republic chapter regarding a recent Constitutional court decision on publishing criminal records in public access registers.

Chapter 65 – United States of America: In the United States two major laws were updated through the adoption of significant new regulations. Thus, the chapter includes an analysis of the new Health Information Rules (developed under HIPAA and the HITECH Act), which comes into force at the end of September 2013, and the new Children’s Online Information Protection Rule (developed under COPPA), which came into effect on July 1, 2013. In addition, the chapter has been significantly reorganized and supplemented to take into account the significant evolution of the American legal and regulatory landscape, the driving role played by the Federal Trade Commission, and the recent interest in the laws and regulations that defines the conditions for US government access to data.

Asia

Chapter 19 – China: In March 2012, China’s Ministry of Industry and Information Technology issued “Several Provisions” that regulate the telecommunications market, these provisions supersede the Administrative Provisions on Internet Information Services for soliciting public opinions (issued on July 2011). The chapter has been updated with information regarding definitions, rules, and regulations for ISP’s under “Several Provisions.” The section on the GP Guidance has also been updated to provide clarification regarding the principles for dealing with personal information under the GB Guidance.

Chapter 38 – Japan: We have included the Asia-Pacific Economic Cooperation in the list of International Treaties and Agreements for which Japan is a member. A status of enforcement of the Data Protection Law is also provided.

Chapter 10 – APEC: Asia continues its progress in the development of a privacy framework that is less stringent than the one currently in effect in the European Union. In the recent months, the concept of Crossborder Privacy Rules, an initiative intended to reduce barriers to information flows, has made progress. The United States has already been approved to participate in the CBPR System, and the Federal Trade Commission as its first enforcement authority. Mexico recently obtained its approval and in June 2013, Japan applied to participate.

Europe

Chapter 26 – Estonia: The Employee Information section has been updated to include information on recording telephone calls. Clarification has also been provided regarding the rules for employee consent.

Chapter 28 – France: This chapter has been updated with information regarding recent developments with respect to the CNIL, including a brief summary of its 33rd activity report for 2012. The section on video surveillance is supplemented with information about a recent case in Paris. A new section has also been added regarding Illegal Downloading, which describes the requirements for employers to monitor Internet usage of their employees.

Chapter 29 – Germany: The chapter has undergone a change in contributors. Gerald Graefe will no longer be contributing to the updates. He has been replaced by Christian Rein.

Chapter 32 – Hungary: On January 30, 2013 the Hungarian Data Protection and Freedom of Information Agency issued a recommendation on video surveillance in the workplace. The Hungary chapter has been updated with a summary of the Agency’s recommendation. The chapter has also been updated with other developments regarding the ability for data processors to subcontract work to other processors and the Agency’s new function as auditors for data controllers.

Chapter 33 – Iceland: Two new sections have been added regarding International Treaties and Agreements to which Iceland is party and about data protection guaranties found in the Constitution of the Republic of Iceland. The chapter has also been supplemented with information regarding the status of implementation of Article 5(3) of the 2009 Directive regarding the use of cookies.

Chapter 40 – Liechtenstein: The chapter has been supplemented with information regarding International Treaties and Agreements to which Liechtenstein is party and information regarding data protection in its Constitution. The chapter has also been updated with information regarding the status of implementation of Article 5(3) of the 2009 Directive.

Chapter 41 – Lithuania: Several clarifications are provided throughout the chapter. Two new subsections on the exchange of personal data for evaluation of solvency and debt management and on video surveillance have been added to the Data Protection Law section.

Chapter 42 – Luxembourg: The Luxembourg chapter is supplemented to include the most up to date URL links provided in footnotes.

Chapter 46 – Netherlands: The new version of the Netherlands chapters provides useful comments on the notion of what constitutes “personal information” and the recent Article 29 opinion on the concept of “purpose limitation” and “use limitation”. The Netherlands Data Protection Commissioner has published guidelines for the security of personal data, which provide a clear checklist of appropriate measures. The chapter also provides and update on the status of the 2009 cookie directive implementation. Netherlands appears to be leaning towards a less strict interpretation of the 2009 provisions. Finally, the chapter provides an in depth analysis of whistle blowing provisions that apply to civil servants.

Chapter 47 – Norway: The 2009 Directive has not yet been implemented but the Norwegian Parliament has submitted a plan on its implementation, which is described briefly in this update. A new section on health information has been added to the Norway chapter and the section on electronic communications has been supplemented with information regarding traffic data. Also described in this updated is the Supreme Court’s ruling on a case involving the collection of GPS location data of its employees by a waste company.

Chapter 50 – Portugal: An update on the implementation of the 2009 Directive with respect to cookies and security breach disclosure requirements is included in this supplement.

Chapter 51 – Romania: The update to the Romania chapter focuses on the implementation in Law No. 506/2004 of Article 5(3) of the 2009 amendment to the 2002 e-Privacy Directive regarding the use of cookies.

Chapter 54 – Slovakia: The chapter includes updates regarding the reports of the Office for Personal Data Protection regarding the processing of biometric data and its investigation of e-shops in Slovakia, and the requirements for giving notice to data subjects with performing video surveillance.

Chapter 55 – Slovenia: On January 15, 2013 the Electronic Communications Act came into force, implementing Article 5(3) of the 2009 Directive. The chapter is updated with some minor information regarding restrictions on the use of cookies.

Chapter 59 – Sweden: The Sweden chapter is supplemented with information regarding a case in 2012 involving surveillance cameras in a high school. An update on the ePhone case is also included in this supplement.

Miscellaneous Chapters:  In addition to the above, several chapters are slightly modified to take into account the arrival in the European Union of its 28th members state:  Croatia. The next supplement to Global Privacy and Security Law will provide a new chapter, which will address the data protection laws of Croatia in the same way as the other laws of other EU Member States have been described and analyzed.

Middle East

Chapter 56 – South Africa: The South Africa chapter is extensively updated with an in-depth analysis of the proposed POPI bill, which would create the country’s first national data protection law. The adoption of the POPI bill, still currently being evaluated by different branches of state and local government would also affect the rule that governs unsolicited commercial messages. In both cases, the changes would bring South Africa closer to the standards established in the 1995 EU Data Protection Directive.