Sent to subscribers in May 2014

This Supplement #14 is dedicated to Professor George Anastaplo who passed away on February 14, 2013, as we were completing our updates of the Global Privacy and Security Law treatise. Professor Anastaplo was my Constitutional Law Professor while I was attending Law School in Chicago. He served in the United States Army Air Corps during World War II as a navigator of B-17s and B-29s. He earned his BA, JD, and PhD from the University of Chicago. He was the author of numerous books, articles, op-eds, and hundreds of essays.

Professor Anastaplo has become famous for having conducted his own bar admission litigation after he was denied admission to the Illinois Bar. The denial of his admission became a Supreme Court case, In re Anastaplo, in which he insisted that the First Amendment of the U.S. Constitution protects the privacy of political affiliations. Specifically, in the questionnaire that is completed as part of an application to become licensed as an attorney by the State Bar of Illinois, he refused to answer questions about membership in the Communist Party. George’s stand was based on Constitutional principles and consequent rejection of McCarthyism. The Supreme Court’s majority upheld the lower courts’ ruling in favor of the Illinois Bar, although Justice Hugo Black dissented.

In the aftermath of the case, George Anastaplo was often described as the “Socrates of Chicago.” He was subsequently nominated annually for the Nobel Peace Prize between 1980 and 1992. George’s distinguished academic career included serving as a lecturer in the University of Chicago’s Basic Program of Liberal Education for Adults and as professor of political science and philosophy at Dominican University.

 

Americas

  • Chapter 15 – Brazil: Brazil is one of the few countries of South America that has not yet adopted a national data protection law. In recent months, there has been significant movement, inching slowly toward the adoption of a personal privacy regime. Bill of Law 2.126/2011 (Marco Civil da Internet), which contains important implications for the protection of the right to privacy of Internet users, has been processed under constitutional urgency since October 2013. This means that all other bills of law that are not under this urgency regime are on hold until the Marco Civil da Internet is voted on by the Brazilian Congress.
  • Chapter 17 – Canada: In 2012, a Charter challenge by a union to Alberta privacy legislation resulted in a finding that key elements of the Alberta Personal Information Protection Act, SA 2003, c P-6.5 unconstitutionally impaired the Section 2 right of freedom of expression. In November 2013, the Supreme Court of Canada upheld this decision, finding that the law impermissibly imposed restrictions on a union’s ability to communicate and persuade the public of its cause, impairing its ability to use one of its most effective bargaining strategies in the course of a lawful strike. Accordingly, it struck down the law in its entirety, but suspended the declaration of invalidity for one year to permit the Alberta government to amend the law to make it compliant with freedom of expression rights.
  • Chapter 20 – Colombia: Decree 1377/13 clarifies an aspect of the Colombia Data Protection Law and adds to the concept of “authorization” the need for the purposes for which the treatment is authorized to be “specific.” This means the consent must be limited by the purposes of the processing/treatment, prohibiting a broad purpose for data processing and requiring prior specific authorization for each one of the objectives pursued with the data processing.
  • Chapter 65 – United States: In the United States, the Federal Trade Commission continues its enforcement actions using its powers under Section 5 of the FTC Act to prosecute unfair and deceptive practices. Recent actions reported in this Supplement have included an action against a healthcare billing service that lost thousands of patient records stored on a laptop in unencrypted form, and an action against the developer of a mobile application that collected location information of its customers without prior notice and consent. In addition, the FTC conducted Safe Harbor based enforcement actions against 12 American companies that had let their Safe Harbor self-certification expire but failed to remove a statement in their privacy notice claiming that they complied with the Safe Harbor principles.

 

Asia Pacific

  • Chapter 10 – The Asia-Pacific Region: We welcome a new contributor, Jeff Rohlmeier, who has for many years followed very closely the evolution of APEC. The most recent activities at APEC revolve around the CBPR System, which is a loose equivalent of the European Binding Corporate Rules. To date, private sector participation in the CBPR System has been minimal. In June 2013, TRUSTe, a U.S.-based, for-profit company, became the first recognized Accountability Agent under the CBPR System. In 2013, TRUSTe certified the first two companies as having met the requirements under the APEC Privacy Framework – IBM and Merck & Co.
  • Chapter 19 – China: The amended Provisions Regarding Administration of Medical History Records by a Medical Organization is now effective. It requires that medical organizations keep and protect the medical history records of relevant patients. The provisions also include specific and strict requirements and procedures for reviewing, borrowing, or copying medical history records.

 

Europe

  • Chapter 6A – Proposed EU Data Protection Regulation: Two years after its publication, the proposed EU Data Protection Regulation, which would supersede the 1995 EU Data Protection Directive, has still not been voted on. In the meantime, the EU Parliament has issued a Report, prepared by its Committee on Civil Liberties, Justice and Home Affairs, which contains 196 amendments to the proposed Regulation. The Report is currently being analyzed and evaluated, but no formal action has been taken to adopt or reject the amendments suggested in the Report.
  • Chapter 28 – France: CNIL has amended its Single Authorization related to data processing in relation to whistleblowing to take account of business practices and extend the cases in which whistleblowing systems may be used. CNIL has also fined Google for breach of the French Data Protection Law in the context of the changes made by Google to its website privacy notice.
  • Chapter 29 – Germany: The Federal Data Protection Act prohibits a data controller from making the conclusion of a contract dependent upon the data subject’s consent to the use of its personal data for advertising, if access to equivalent contractual benefits without providing consent is impossible or unreasonable. This prohibition applies under the Federal Data Protection Act as a general rule according to German legal literature and court decisions, even if the consent is provided in another context than advertising. A violation of this principle may lead to invalidity of the consent.
  • Chapter 32 – Hungary: As of March 15, 2014, the data subject may claim exemplary damages, i.e., lump sum damages that can be awarded by the court as compensation for harm sustained from the infringement of personal rights by the data controller, as a result of unlawful data processing or a breach of data security requirements. Regarding the claim for exemplary damages, the data subject as a claimant does not need to provide evidence of the harm beyond the breach of data protection laws.
  • Chapter 41 – Lithuania: A new section, which provides examples of recent personal data protection cases that were brought to the attention of the Lithuanian authority, has been added.
  • Chapter 44 – Malta: A new guideline provides that the capturing and recording of images by means of a CCTV camera that leads to the identification of a natural person constitutes processing of personal data, and therefore must satisfy the requirement under the Act. The data controller is required to notify the Commissioner of the processing before installing the CCTV cameras. In addition, it must identify a clear and specific purpose to ensure proportionality with the privacy right of the individuals.
  • Chapter 47 – Norway: One of the most recent cases was related to an insurance company, Gjensidige Forsikring ASA, and how the company processes personal data, especially when it investigates circumstances regarding individuals to uncover fraud or attempted fraud. According to the Data Inspectorate, the company’s internal control was not sufficient. Gjensidige Forsikring ASA was fined NOK 600,000 in September 2013. The insurance company also submitted a complaint to the Privacy Appeals Board. The Privacy Appeals Board has not yet ruled on the complaint.
  • Chapter 50 – Portugal: In a recent opinion, the National Data Protection Commission has stated that the data protection laws apply to the private use of electronic communications means (fixed and mobile phones, e-mail and Internet) in an employment context. The National Data Protection Commission’s starting point is that, currently, it is not viable to set aside the private use of such communication means by employees and, as such, rules should be defined for the matter of personal data processing.
  • Chapter 59 – Sweden: Sweden has adopted a temporary measure, applicable between December 1, 2013 and January 1, 2016, to allow the processing of data for the purpose of creating and using registers for different research projects concerning the influence of heredity and environment on health and diseases. The law requires consent from the data subjects; however, it makes it possible to process personal data for purposes that are not detailed as required by Section 9(c) in the Personal Data Act, to the extent that such processing is conducted within the specific area stated in the law.

Middle East

 

  • Chapter 21 – Cyprus: A 2012 law has approved the addition of a new section concerning the processing of personal data for the purposes of political communication. This new section provides that political parties, electoral combinations, and candidates for election may use the names and addresses of the persons registered in electoral or telephone lists for the purposes of political communication and may send communications by post for the promotion of their political ideas or candidacy. There is an exception for persons who are registered in a list of persons who do not wish to receive such political communications.