Updates

Supplement #22

Sent to subscribers in January 2017

The first half of 2016 focused primarily on the finalization and final approval of the EU General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC. The GDPR will apply and enforcement will commence as of May 26, 2018. Now, most of the European Union and European Economic Area (EU/EEA) is focusing on the preparation of the transition to the new data protection regime. Member States are working on guidelines and on provisions supplementing the GDPR. We will hear more details in the next supplement.

The early days of July 2016 also saw the approval of the EU-US Privacy Shield, which replaces the Safe Harbor, invalidated in October 2015. U.S.-based companies doing business with EU/EEA-based entities are now recovering from the whirlwind of activities and the uncertainties of the first part of 2016. Many of them are preparing for, or may already have filed for, self-certification under the Privacy Shield, ensuring that they are better prepared for further attacks to crossborder data transfer structures.

The second half of 2016 has been much quieter than the first half. As a result, Supplement 22 does not bring as many sensational developments as did the prior ones published in 2016.

The most significant development occurred in France, as we were completing our set of updates for Supplement 22.

In early October 2016, France passed Loi No. 2016-1321 Pour Une République Numérique. The law introduces new provisions that will regulate the digital economy as a whole, such as open data, online cooperative economy, revenge porn, and access to the Internet. It also introduces key amendments to the existing 1978 Loi Informatique et Libertes (the current    national data protection law) ahead of the May 2018 enforcement date of the EU GDPR.

Among the key points of the Law 2016-1321 you should note higher fines (up to EUR 3 million), removal of data residency rules, and enhanced rights for individuals, including right to be forgotten and the right to data portability.

Best wishes for 2017. It will be a very interesting year for data privacy and cybersecurity.

Read More

Supplement #21

Sent to subscribers in September 2016

After a lengthy drafting process, the EU General Data Protection Regulation, which replaces Directive 95/46/EC, was formally approved by the EU Parliament in April 2016. It was published in the EU Official Journal in May 2016. Following a two-year transition period, the General Data Protection Regulation will apply and enforcement will commence through the European Union from late May 2018.

The General Data Protection Regulation is not just simply an update of a 20-year-old directive that was drafted at the dawn of the Internet era. The approval of the General Data Protection Regulation is a seminal development in the shaping of the data protection law throughout the EU Member States as a cohesive, homogenous whole, where one single law becomes the primary vehicle governing the activities of very diverse countries. The General Data Protection Regulation attempts in different ways to increase the consistency among the legal regimes of the EU Member States in order to reduce several of the current obstacles that companies face when they carry out business in numerous countries in the European Union.

Although the General Data Protection Regulation is intended to bring uniformity, we should not lose sight of the fact that a number of its provisions give leeway to Member States to enact additional measures beyond those stipulated in the Regulation.

Over the next two years, companies that fall under the jurisdiction of the General Data Protection Regulation are expected to modify their practices to ensure compliance. This is a significant task, not only for the companies impacted, but also for the Member State’s respective data protection regulators and governments as they seek to integrate and enforce a uniform law within their own legal frameworks. The next two years are going to be a very interesting time, requiring close collaboration between private companies and public institutions, both at the Member State and at European levels, in order to successfully implement the General Data Protection Regulation.

An overview of the other updates in Supplement 21 is provided below.

(more…)

Read More

Supplement #20

Sent to subscribers in May 2016

Given the developments over the last number of months regarding the EU-US Privacy Shield and the EU General Data Protection Regulation, it is not surprising that the updates for this Supplement are heavily concentrated on our European chapters.

In December 2015, agreement was reached between the European Commission, the European Parliament, and the Council on a compromised text of the General Data Protection Regulation. Although this was the last major obstacle in the drafting and negotiation process, the text of the Regulation may still undergo some further changes. Consequently, we have taken the decision not to update the content of Chapter 6A Proposed EU Data Protection Regulation until the Regulation has been formally adopted. The main provisions of the General Data Protection Regulation, in addition to the formal adequacy decision that will be adopted by the EU Commission giving effect to the EU-US Privacy Shield, will be analyzed in detail in the next few supplements of Global Privacy and Security Law.

An overview of the other updates in Supplement 20 is provided below.

(more…)

Read More

Supplement #19

Sent to subscribers in January 2016

What a whirlwind the last number of months has been!

On a personal note, I am delighted to announce that I have joined Greenberg Traurig LLP as a Shareholder/Partner in its Silicon Valley Office.

The invalidation of the EU-US Safe Harbor Framework by the CJEU shocked many in the privacy community. As a result of the CJEU October 6, 2015, decision and the associated fall-out, all data transfers from the EEA, Switzerland, Israel, and DIFD to companies located in the United States that have self-certified that they adhere to the Safe Harbor principles are illegal. The ruling affects approximately 4,600 US companies and their respective trading partners. It is also important to recognize that the consequences of the ruling are much broader and deeper than just the mere invalidation of the Safe Harbor program and the immediate need to identify and implement alternative means of exchanging data with foreign customers, business partners or affiliated entities.

In addition to the short-term immediate need to find quick-fix alternatives to the Safe Harbor for day-to-day exchanges, there are significant long-term issues regarding cross-border transfers. In its 35-page analysis, the CJEU repeatedly asserts that personal data when on the US territory are subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard …without limitation” the prospective rules laid down by Safe Harbor when they conflict with US national security and public interest. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights. The CJEU decision, in conjunction with some of the advice issued by data protection authorities in the aftermath of that decision, seems to undermine the entire framework of model clauses, binding corporate rules and other methods that are currently used to address the “adequate protection” requirement under EU Member State data protection laws.

However, at the time of the printing of this supplement it is not clear how many of these issues are going to be addressed. Work is currently underway on finalizing the negotiations on Safe Harbor 2.0, and it is hoped that this revised agreement will address many of the issues raised by the CJEU. In addition to developments on the Safe-Harbor issue, negotiations on the EU General Data Protection Regulation are drawing to a close and it is anticipated that the Regulation will be published toward the end of 2015. All of these developments will be covered in detail in the next few supplements of Global Privacy and Security Law.

Suffice to say that we are in for a very interesting couple of months in the data protection and privacy world. An overview of the other updates in Supplement 19 is provided below.

(more…)

Read More

Supplement #18

Sent to subscribers in September 2015

This Supplement is dedicated to the memories of Antonio Millé and Santiago Jaramillo-Caro, both of whom were contributors to Global Privacy and Security Law. Both Antonio and Santiago were highly accomplished and distinguished attorneys, and were involved with Global Privacy and Security Law from the early days of its creation.

We would like to offer our heart felt condolences to their family, friends, and colleagues. They will be missed.

An overview of the updates in Supplement 18 is provided below.

(more…)

Read More

Supplement #17

Sent to subscribers in May 2015

We are pleased to announce that Supplement 17 of Global Privacy and Security Law is now available. We would also like to welcome Rahul Matthan as our new contributor for the chapter on India privacy and security laws. The India chapter has been rewritten in its entirety for this Supplement.

In total, Supplement 17 contains updates to 18 chapters. Following on from developments detailed in recent supplements, Russia enacted legislation, in December 2014, to bring forward the effective date of the legal obligation for companies doing business in Russia to process and store the personal data of Russian citizens on servers located within the Russian Federation.

A number of European countries have introduced legislation that impacts on data protection matters. The updated Slovakia Chapter provides an overview of its new “Whistleblowing” legislation while updates to the chapter on Turkey examine the main provisions of the new E-Commerce Code, which addresses the issue of unsolicited commercial communications. A new Cybernetic Security Law came into force in Lithuania in January 2015, the main elements of this piece of legislation are addressed in the updates to the Lithuania chapter.

An overview of the other updates in Supplement 17 is provided below.

(more…)

Read More

Supplement #16

Sent to subscribers in January 2015.

In September 2014, we celebrated the fifth anniversary of Global Privacy and Security Law. In the past five years the numbers of laws, regulations, standards and guidelines, and cases regarding the protection of personal data around the world have increased dramatically. As a result, Global Privacy and Security Law has almost doubled in size, growing from about 2000 pages to more than 3500 pages.

Supplement 16 contains updates to twenty one chapters. A new chapter on Indonesia has been added. This chapter examines the unique legal data protection regime in Indonesia. The chapter on Russia has been updated to examine the interesting legislative development whereby those companies conducting business in Russia will be, once the legislation is enacted, legally obliged to process and store the data of the citizens of the Russian Federation on servers located within the Russian Federation.

The other significant updates in Supplement 16 are highlighted below.

(more…)

Read More

Supplement #15

Sent to subscribers in September 2014

We are pleased to announce that Supplement 15 to Global Privacy and Security Law is now available. Supplement 15 contains updates to seventeen chapters.

The chapter on the Dominican Republic has been completely revised, for this supplement, due to the enactment of Data Protection Law No. 172-13. This is the Dominican Republic’s first national data protection law and the updated chapter includes an overview of the objectives and main provisions of the law.

On the European front, in April 2014 the CJEU in joined cases C293/12 and C-594/12 declared that Directive 2006/24/EC on the Retention of Data Generated or Processed by Electronic Communication Service was invalid. This decision calls into question the continued validity of the national laws that have implemented the 2006 Directive. Chapter 8, on the EU Data Retention Directive, examines these issues in more detail.

The other significant updates in Supplement 15 are detailed below. (more…)

Read More

Supplement #14

Sent to subscribers in May 2014

This Supplement #14 is dedicated to Professor George Anastaplo who passed away on February 14, 2013, as we were completing our updates of the Global Privacy and Security Law treatise. Professor Anastaplo was my Constitutional Law Professor while I was attending Law School in Chicago. He served in the United States Army Air Corps during World War II as a navigator of B-17s and B-29s. He earned his BA, JD, and PhD from the University of Chicago. He was the author of numerous books, articles, op-eds, and hundreds of essays.

Professor Anastaplo has become famous for having conducted his own bar admission litigation after he was denied admission to the Illinois Bar. The denial of his admission became a Supreme Court case, In re Anastaplo, in which he insisted that the First Amendment of the U.S. Constitution protects the privacy of political affiliations. Specifically, in the questionnaire that is completed as part of an application to become licensed as an attorney by the State Bar of Illinois, he refused to answer questions about membership in the Communist Party. George’s stand was based on Constitutional principles and consequent rejection of McCarthyism. The Supreme Court’s majority upheld the lower courts’ ruling in favor of the Illinois Bar, although Justice Hugo Black dissented.

In the aftermath of the case, George Anastaplo was often described as the “Socrates of Chicago.” He was subsequently nominated annually for the Nobel Peace Prize between 1980 and 1992. George’s distinguished academic career included serving as a lecturer in the University of Chicago’s Basic Program of Liberal Education for Adults and as professor of political science and philosophy at Dominican University.

 

(more…)

Read More

Supplement #13

Sent to subscribers in Jan 2014

We are pleased to announce that Supplement #13 to the two-volume treatise Global Privacy and Security Law is now available.

Supplement 13 contains updates to twenty-two of the existing chapters. In addition a new chapter, Chapter 20B, on Croatia has been added. This new chapter examines the data protection laws of Croatia, the newest member of the European Union, and it becomes the 66th country featured in our analysis of data protection regimes throughout the world.

The number of laws on data protection throughout the world continue to grow and develop. Slovakia enacted a new data protection law in July 2013. The updates to the Slovakia chapter examine Act No. 122/2013 coll. on Protection of Personal Data. Meanwhile Australia has made some significant amendments to its Data Protection Act, which will become effective from March 2014.

The other significant updates in Supplement #13 are detailed below.

 

(more…)

Read More