Blog

New Draft Privacy Guidance in China

Marissa Xiao Dong 

In April 2011, the Ministry of Industry and Information Technology (MIIT), jointly with the State General Administration of Quality Supervision and Inspection and Quarantine (AQSIQ), released a draft of “Information Security Technology – Guide of Personal Information Protection (Guidance)” for public comments. The Guidance is a further effort by MIIT to adopt and promote regulations for the protection of personal data after its release of a draft Guidance for Personal Information Protection for public comments in 2010.

Unlike the previous draft, this new draft was prepared together with AQSIQ, and is prepared as a GB/Z, which denotes a Chinese “national standard” that is not a compulsory standard. According to our communication with officials at MIIT, they have not yet decided how to proceed with the formal issuance of the Guidance: whether by MIIT itself, as with the 2010 draft, or together with AQSIQ as a GB/Z, as with this new draft. Nevertheless, these efforts by MIIT and AQSIQ show that personal data protection has become a more and more important issue in China, and that different governmental authorities are attempting to use their separate and joint efforts to facilitate legislation in this area.

A detailed analysis of the proposed guidelines will be published as part of Supplement #6 of the Global Privacy & Security Law treatise.

Privacy Laws may be a Barrier to the Taking of Evidence Abroad

Francoise Gilbert

Litigation and trials are handled in the United States in a manner that is significantly different from that which prevails in other countries. While broad discovery is available here, the gathering and use of evidence is much more limited abroad. For years, there have been disputes between US litigants and the foreign parties who were requested to produce information and documents for use in US courts.  While the 1970 Hague Convention on the Taking of Evidence in Civil and Commercial Matters has provided rules for the regulated taking of evidence, there are still many barriers to the gathering of evidence from foreign parties.  One of them is the data protection laws of many countries, especially those in the European Union and the European Economic Area.  (more…)

Server Location: A Significant Factor in Cloud Computing Services

Francoise Gilbert

In a cloud computing environment, data and applications are hosted “in the cloud.” What that cloud is made of, and where its components are located, matters. However, ask a cloud service vendor where your data will be stored or processed, and the typical answers will likely range from “well… hum … in the cloud” to “we have servers everywhere, data moves around constantly” or “we cannot tell you for security reasons.”

As the custodian of confidential and valuable data — personal or company information — you need to know where data will be located at all times. In the cloud environment, location matters, especially from a legal standpoint. (more…)

How to Conquer Cloud Computing Contracts – Part 2

Francoise Gilbert

Cloud service relationships are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing into the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.

In part 1 of this article we discussed the preliminary planning and due diligence involved with choosing a cloud service provider.

In this part 2, we review critical steps for developing, maintaining and terminating cloud computing contracts. (more…)

How to Conquer Cloud Computing Contracts – Part 1

Francoise Gilbert

The characteristics of cloud computing — on-demand self-service, elasticity, metered service or ubiquitous access — make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink; just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.

(more…)

CNIL Exempts Foreign Based Companies from Filing Notifications with Respect to Certain Processing

Francoise Gilbert

A “Deliberation” of the CNIL (French Data Protection Authority) published in the February 16, 2011 Official Journal of the Republic of France as “Deliberation No. 2011-023” should ease the burden on companies that have no operations in France and engage France-based subcontractors (or cloud service providers) to process their data on French territory. This is the case, for example, for US-based companies that hire French service providers to process their payroll or manage databases of client information, where the concerned individuals (employees or customers) are located outside of France. (more…)

Israel Data Protection Law Found to Provide “Adequate Protection”

In a decision made public on February 1, 2011, the European Commission has determined that the data protection regime in Israel is adequate under the 1995 EU Data Protection Directive. The adequacy determination applies only to data in automated databases. The data protection law of Israel does not apply to data in manual databases. Thus, for these data, the data protection law of Israel will be deemed adequate only to the extent that data in manual databases are transferred to automated databases in Israel.

The Commission decision is available at (pdf download):
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:027:0039:0042:EN:PDF

Department of Commerce Publishes Green Paper on Privacy

Francoise Gilbert

On December 16, 2010, the Department of Commerce released its Internet Policy Task Force Privacy Green Paper, which details recommendations on the protection of consumer privacy online.  Titled “Commercial Data Privacy and Innovation in the Internet Economy:  A Dynamic Policy Framework”, the Report provides a set of recommendations to strengthen data privacy while protecting innovation, job creation, and economic growth.

The Report recognizes that more than self-regulation is needed.  It acknowledges the economic and social importance of preserving consumer trust in the Internet, and the need to keep pace with changes in technology, online services and Internet usage.  To do so, consumers need more transparency and control over the use of their personal information.  The new framework must help increase protection of consumers’ commercial data while supporting innovation and evolving technology. (more…)

FTC’s Proposed Privacy Framework: More Obligations for US Businesses?

Francoise Gilbert

In its long awaited report on privacy protection, which was published on December 1, 2010, the Federal Trade Commission outlines a Proposed Privacy Framework for businesses and policy makers. The Proposed Framework would focus on the collection, maintenance, sharing, or use by commercial entities of consumer personally identifiable information, online and offline. “Personally identifiable information” is defined as data that can be reasonably linked to an individual, computer, or device.

The proposed Framework does not promote the adoption of legislation, but it identifies three areas of focus:

  • Promoting privacy throughout the organization, and at every stage of the development of products and services;
  • Simplifying choices for consumers; and
  • Providing greater transparency of data practices.

The FTC staff has requested that comments on each component of the Privacy Framework and how it might apply in the real world be filed by January 31, 2011. The Commission will issue a final report in 2011. (more…)

FTC’s Privacy Framework: Similarities with EU Privacy Directives

Francoise Gilbert

On December 1, the FTC issued its long awaited report in which it outlines a Proposed Framework for businesses and policy makers for the protection of personal data. The Proposed Framework would reach a broad range of commercial entities, both online and offline, that collect, maintain, share, or use consumer data. The protection would apply not only to what has traditionally been named “personally identifiable information” that can be reasonably linked to an individual, as this has been done in the past, but also to data that can be reasonably linked to a specific computer or device. (FTC Report, p. 42).

(more…)
