
Peru Adopts New Data Protection Law

Francoise Gilbert

On July 2, 2011, Peru adopted its first “Law on the Protection of Personal Data.” The law was published in the country’s official gazette of July 3, 2011 as Law No. 29733. Inspired by the Spanish data protection law and the APEC Privacy Framework, this new law is intended to bring Peru to a level of data protection that would be satisfactory to the European Union member states and other countries that have adopted similar data protection regimes.


Israel Found to Provide Adequate Level for Data Transfers!

Alain Bensoussan

On April 4, 2011, the EU Article 29 Data Protection Working Party issued an Opinion on the level of protection of personal data in New Zealand. This is the occasion to recap the EU legal rules for transborder flows of personal data, with a focus on the latest country found to provide an adequate level: Israel.

Today, with globalization, it is common practice for businesses to transfer personal data around the globe. This of course raises issues about the security of such data. The European Union does not allow businesses to send personal data outside its boundaries unless the recipient country provides an adequate level of protection. The latest country to join the club of countries with an adequate level is Israel.


France: CNIL Concerned About the New SWIFT Agreement

Alain Bensoussan

The French data protection authority, the CNIL, expressed its concerns, in a press release on July 27, 2010, about the agreement known as the “Swift Agreement”, concluded on June 28, 2010, between the European Union and the USA to regulate the transfer of banking data between the EU and the US for the purposes of the Terrorist Finance Tracking Program (TFTP).

Despite the additional guarantees supplied, the CNIL “is in doubt as to the effectiveness of the measures taken and considers that several matters of concern remain”.


France: Proposed Legislation to Better Protect the Right to Privacy in the Digital Age

Alain Bensoussan

The European Union is planning to overhaul its data protection regime, notably because rapid technological developments (social networking sites, blogs, cloud computing, geo-location devices, biometric devices, RFID applications, video surveillance, etc.) and globalization have brought new challenges for the protection of personal data. A French bill takes up these challenges.

Know your rights & Be your own privacy watchdog!

The French data protection framework could be changed by a French bill to better protect the right to privacy in the digital age. The bill was proposed to the Senate on November 6, 2009, and filed for first reading in the National Assembly on March 24, 2010.

This proposed legislation is mainly based on an information report on “privacy in the age of digital memories” issued in May 2009, which recommended, among other things, enabling citizens to become the actors of their own protection. To meet the new challenges of the digital era, the report calls for the increased involvement of individuals in the protection of their own privacy.

How is that to be achieved? The report suggested educating citizens and raising their awareness of their right to privacy and of privacy threats from an early age, and updating the Data Protection Act of January 6, 1978 to provide stronger guarantees.

The bill thus amends the Data Protection Act to reflect the recommendations made in the report, as explained at the time by the then-current Digital Economy Secretary of State Nathalie Kosciusko-Morizet during the “Right to be forgotten” workshop in November 2009.


United Kingdom: New Rule for the Use of Cookies

Francoise Gilbert

On May 9, 2011, the United Kingdom’s Information Commissioner’s Office (ICO) published an “advice” explaining the new rule for the use of cookie technologies for websites that are subject to the UK laws. This rule results from the implementation of the 2009 Amendment to the 2002 EU ePrivacy Directive into the UK laws. It will amend Regulation 6 of the Privacy and Electronic Communication Regulations 2003 (PECR).

There are two basic requirements. Businesses and other entities are permitted to use cookie technologies only if the user of the site or application:

  • has received clear and comprehensive information about the purpose for the cookie in question; and
  • has given his or her consent to the use of the cookie.

Failure to Protect Against SQL Injection Attack Deemed an “Unfair Practice”

Francoise Gilbert

A proposed Federal Trade Commission consent order applicable to Ceridian Corporation establishes that failure to protect against potential SQL injection attacks is an “unfair practice” actionable under Section 5 of the FTC Act. Despite representations that it maintained “worry-free safety and reliability” and that it had a security program designed in accordance with the ISO 27000 standard, the company’s security system had several flaws. Among other things, Ceridian failed to use readily available defenses against SQL injection attacks. When a successful SQL injection attack caused the exposure of sensitive personal information of nearly 28,000 individuals, the FTC initiated an enforcement action. This action led to the development of the proposed FTC consent order, which was published on May 3, 2011.


More Changes in the EU Data Protection Regime – 2006 Data Retention Directive to be Amended

Francoise Gilbert

The European Commission has announced that it plans to amend the 2006 Data Retention Directive, Directive 2006/24/EC. This Directive states that the national laws of the EU Member States must require providers of publicly available electronic communications services and public communications networks to retain traffic and location data for a period between six months and two years, in order to allow for the investigation, detection and prosecution of serious crime.

According to the Report of the EU Commission, while it is clear that rules on data retention remain necessary as a tool for law enforcement, the protection of victims, and the criminal justice systems, the current regime has many flaws. The report, published in mid-April 2011, provides an initial analysis of the problems raised by the current text of the 2006 Data Retention Directive and explains that the Commission intends to develop a better legal framework that balances the needs of governments, the rights of data subjects, and the financial constraints of the operators.


Proposed Overhaul of the 2006 Data Retention Directive

Francoise Gilbert

While the Data Protection regime of the European Union is going through a facelift and amendments are expected to be published by 2012, the European Commission has announced that it is embarking on another major project that focuses on the protection of personal data and privacy rights. This time, the target is the 2006 Data Retention Directive, Directive 2006/24/EC. In its Evaluation Report on the Data Retention Directive (Directive 2006/24/EC), COM (2011) 225 (Communication 225), published in April 2011, the European Commission announced its intent to revise the 2006 Directive with a view to proposing an improved legal framework that balances the needs of governments, the rights of data subjects, and the financial constraints of the operators.

Communication 225 analyses how the 2006 Data Retention Directive has been implemented (or not) in the national laws of the Member States, with a view to determining whether the 2006 Directive should be amended, in particular with regard to its data coverage and retention periods. The report points to the lack of uniformity and the discrepancies in these implementations, identifies deficiencies, and analyses the impact of the retention requirements on economic operators and consumers. It also evaluates the implications of the Directive for the protection of fundamental rights, in view of the criticisms that have been made with respect to the retention of personal data for national security reasons. The report concludes that the provisions set forth in the 2006 Data Retention Directive need improvement and indicates how the European Commission plans to drive the preparation of an amendment.


New Draft Privacy Guidance in China

Marissa Xiao Dong

In April 2011, the Ministry of Industry and Information Technology (MIIT), jointly with the State General Administration for Quality Supervision, Inspection and Quarantine (AQSIQ), released a draft “Information Security Technology – Guide of Personal Information Protection” (the Guidance) for public comment. The Guidance is a further effort by MIIT to adopt and promote regulations for the protection of personal data, following its release of a draft Guidance for Personal Information Protection for public comment in 2010.

Compared with the previous draft, this new draft is prepared together with AQSIQ and is prepared as a GB/Z, which is a Chinese “national standard” but not a compulsory one. According to our communication with officials at MIIT, they have not yet decided how to proceed with the formal issuance of the Guidance, whether by MIIT itself, as with the 2010 draft, or together with AQSIQ as a GB/Z, as with this new draft. Nevertheless, these efforts by MIIT and AQSIQ show that personal data protection has become an increasingly important issue in China, and that different governmental authorities are using separate and joint efforts to facilitate legislation in this area.

A detailed analysis of the proposed guidelines will be published as part of Supplement #6 of the Global Privacy & Security Law treatise.
