Sent to subscribers in May 2016

Given the developments over the last number of months regarding the EU-US Privacy Shield and the EU General Data Protection Regulation, it is not surprising that the updates for this Supplement are heavily concentrated on our European chapters.

In December 2015, agreement was reached between the European Commission, the European Parliament, and the Council on a compromised text of the General Data Protection Regulation. Although this was the last major obstacle in the drafting and negotiation process, the text of the Regulation may still undergo some further changes. Consequently, we have taken the decision not to update the content of Chapter 6A Proposed EU Data Protection Regulation until the Regulation has been formally adopted. The main provisions of the General Data Protection Regulation, in addition to the formal adequacy decision that will be adopted by the EU Commission giving effect to the EU-US Privacy Shield, will be analyzed in detail in the next few supplements of Global Privacy and Security Law.

An overview of the other updates in Supplement 20 is provided below.

Americas

  • Chapter 20A—Costa Rica: References to the EU-US Safe Harbor have been amended or deleted.

Asia Pacific

  • Chapter 38—Japan: A bill to amend the Act on the Protection of Personal Information was approved by the Diet in September 2015. The update for this chapter provides an overview of the main aspects of the amending bill, such as the establishment of an independent data protection authority and restrictions on data transfers to third countries where there is an insufficient level of protection for personal data. The update also examines the Act on the Use of Numbers to Identify Specific Individuals in Administrative Procedures and the Basic Act on Cyber Security.

Europe

  • Chapter 09—Transferring Personal Data: This chapter has been updated to provide an overview of the main elements of the EU Commission’s draft “adequacy decision,” which once formally adopted will give effect to the EU-US Data Privacy Shield.
  • Chapter 13—Austria: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 14—Belgium: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 22—Czech Republic: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 26—Estonia: The Estonia chapter has been updated with information pertaining to the instructions for employers issued by the Data Protection Inspectorate.
  • Chapter 27—Finland: The Finnish update discusses a recent order to Google, by the Data Protection Ombudsman, to remove specific search results from its search facility. Both orders, concerning two separate cases, were related to the past criminal activities of the individuals concerned.
  • Chapter 29—Germany: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 35—Ireland: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 35A—Isle of Man: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 37—Italy: References to the EU-US Safe Harbor have been amended or deleted. The updated chapter also provides a brief overview of two recent cases—one considered by the Court of Milano and the other by the Italian Supreme Court—that dealt with employee’s use of Facebook while at work.
  • Chapter 41—Lithuania: The update to Lithuania examines a case considered by the Supreme Court regarding the installation and use of video surveillance in a property co-owned by two individuals where one of the owners requested the removal of the video cameras from the property. It also discusses another case examined by the Supreme Court where it found that the defendant had breached the Data Protection Law by sending an open letter by fax to the workplace of a debtor.
  • Chapter 42—Luxembourg: References to the EU-US Safe Harbor have been amended or deleted. The updated chapter also contains information on the use of contractual clauses and binding corporate rules for the international transfer of personal information.
  • Chapter 44—Malta: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 47—Norway: References to the EU-US Safe Harbor have been amended or deleted. Further information on the use of standard contractual clauses for international data transfers and on the notification of their use to the Data Inspectorate is included in the Norway update.
  • Chapter 50—Portugal: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 54—Slovakia: References to the EU-US Safe Harbor have been amended or deleted. The update also examines an inspection conducted by the Office for Personal Data Protection wherein it was noted that obtaining personal data via misuse of the right to information was against good morals and as such also a violation of the Data Protection Act.
  • Chapter 58—Spain: References to the EU-US Safe Harbor have been amended or deleted.
  • Chapter 60—Switzerland: References to the EU-US Safe Harbor have been amended or deleted.