personal data

Does GDPR Regulate My Research Studies in the United States?

The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data (Personal Data) about individuals in the European Union (EU) single market countries, and potentially affects the clinical and other scientific research activities of academic medical centers and other research organizations in the United States.

This On the Subject includes frequently asked questions that discuss the extent to which United States research organizations must comply with GDPR when conducting research. Future coverage will address the impact of GDPR on other aspects of the United States health care sector.





ECJ Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks because, in the Court’s view, preventing cyberattacks may be a legitimate interest of a website operator seeking to keep its website operational.

The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when he visited its websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.





The German Perspective: EU and U.S. Data Protection “Umbrella Agreement”

After more than four years of negotiations, the European Union and the United States agreed on a framework data protection agreement on 8 September 2015 (Umbrella Agreement). The Umbrella Agreement covers all personal data exchanged between the European Union and the United States for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. According to the Q&As posted on the EU Commission’s website, the Umbrella Agreement shall “provide safeguards and guarantees of lawfulness for data transfers.”

During the negotiations, the Umbrella Agreement was widely criticized throughout the EU because EU citizens could not file lawsuits in the United States to enforce their data protection rights. The U.S. Privacy Act allows only U.S. residents to obtain redress for data privacy and protection violations. As part of the Umbrella Agreement, the U.S. Congress introduced an amendment to the U.S. Privacy Act known as the “Judicial Redress Bill.” If adopted, the Judicial Redress Bill will permit an EU citizen to use U.S. courts to (for example) have his or her name deleted from U.S. blacklists if the name was mistakenly included.

In Germany, first reactions by political commentators to the agreement have been moderately optimistic, viewing it as an important step toward rebuilding trust after the National Security Agency (NSA) spying revelations. More importantly, the Umbrella Agreement includes many of the same general data privacy and protection principles followed in Germany and other EU countries, including:

  • Limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences.
  • Onward transfer – Any onward transfer to a non-U.S., non-EU country or international organisation requires the prior consent of the competent data protection authority of the country from which the personal data was originally transferred.
  • Retention periods – Personal data may not be retained for longer than necessary or appropriate. The decision on what is an acceptable duration must take into account the impact on people’s rights and interests. Retention periods must be published or otherwise made publicly available.
  • Right to access and rectification – Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and to request corrections.

While the increased data protection and proposed Judicial Redress Bill are positive developments, some commentators in Germany criticize the Umbrella Agreement’s lack of a clear and easy process for data protection enforcement in the United States for EU citizens. The critics claim that most individuals will not even know when and if their data protection rights are violated.

The U.S. Congress and the EU Parliament and Council still must ratify the Umbrella Agreement, the full text of which is not yet available, but we expect that the Umbrella Agreement will unite the European Union and the United States on an increased level of data protection. We will report on the Umbrella Agreement again once its full text is made public.




Argentina Adopts New Data Protection Regulations for the Use of Do Not Call Registry and CCTV

The Argentinian Data Protection Authority (DPA) beefs up penalties to fight robocalls and unconsented-to video surveillance by enacting Do Not Call and CCTV regulations.

Because robocalls are cheap and efficient, they have become a popular form of advertising in Argentina. In order to curb the variety of abuses that can come from robocalling, such as deceptive and abusive marketing, Argentina has added penalty-driven regulations to its regulatory regime to address the problems presented by robocalls. This preserves their beneficial use while still complying with Argentina’s privacy law requirements. Specifically, the February 2015 sanctions regulation addresses the recently adopted national Do Not Call registry that was implemented at the start of this year.

To comply with the Do Not Call regulations, companies need to register and download the database of individuals who do not want to be called. Companies that fail to do so can be subject to serious fines of up to USD 12,000. Examples of serious breaches include the processing of personal data without the DPA registration or breach of the Do Not Call regulation in marketing campaigns (even if the caller is located abroad). Any international transfer in breach of the Data Protection Act and its regulations would be considered a more serious breach. Indeed, the DPA has already issued 60 enforcement notices based on this new sanctions regulation.

In February, the DPA also enacted a law regulating the use of closed-circuit television (CCTV) cameras for video surveillance in the private and public sphere. The new CCTV regulation requires data controllers to apply, where possible, notice and consent provisions to CCTV-related data processing. It also requires that a conspicuous sign be displayed informing the data subject of the name and domicile of the data controller, as well as where to exercise data protection rights. Additionally, CCTV databases must be registered, and the personal data collected shall not be used for any purpose incompatible with the purpose for which it was collected. It is important to note that some CCTV processing is exempted from consent, such as public government databases and processing of data within private property for private purposes.

These regulations were enacted in an effort to round out and complete Argentina’s privacy legal framework.




A Simplified Norm to Represent an Expanding Power: the Right to Listen in on Employees’ Phone Calls and the Standardization of French Privacy Law

Since 2001, the French Court of Cassation has made a continuous effort to refine and, in some circumstances, narrow the scope of the right to privacy in the workplace with a view to reaching a fair and balanced approach. The January 6, 2015 declaration of the French Data Protection Authority (CNIL) further highlights this trend towards the standardization of information collection at work, and serves to clarify and expand the right of employers to listen in on employees’ phone calls at work.

Background

In the landmark 2001 “Nikon Case,” the Court of Cassation ruled that “an employee has the right to the respect of his private life – including the right to the secrecy of correspondence – on the work premises and during working hours.” The court qualified this principle, however, holding that unless marked by the employee as “private,” the documents and files created by an employee on a company computer for work purposes are presumed to be professional, which means that the company can access those documents and files without the employee’s presence. This can lead to an employer using such emails against an employee in the case of employment termination. Nonetheless, employers have an obligation under privacy and labor laws to inform employees about the collection and use of their personal data.

Building on this decision, in October 2014 the French Social Supreme Court held that evidence gathered against an employee from data that had not previously been declared to and registered with CNIL was de facto illegal.

The French Labor Code and the French Data Protection Act both stipulate rules for the use of monitoring software by employers in the event that an employer wishes to establish such mechanisms. In particular, the employer must submit information to and engage in consultation with the works council, provide information to employees impacted by the software and make a formal declaration of the proposed monitoring activities to CNIL.

CNIL Declaration: Movement Toward a Simplified Norm

Continuing this trend, the declaration issued by the CNIL on January 6, 2015, demonstrates not only how important the CNIL is, but also how the area of data protection is evolving and becoming more standardized in France.

This recent declaration established that employers wishing to record their employees’ telephone communications must first declare such processing by filling out a simplified declaration form in lieu of a normal declaration form. After making this simplified declaration, an employer will have the ability to listen to and record employee conversations for the purpose of employee training, evaluation and improvement of the quality of service.

While this declaration serves to grant employers permission to monitor employees, it also imposes upon them a number of restrictions: (i) the employee must be notified and informed of his or her right to refuse such recordings, and (ii) the employer may only keep recordings for a period of six months. The information gathered from such recordings, however, may be kept for a [...]





Article 29 Working Party Adopts Procedure on Approval of Model Clauses

On 26 November 2014, the Article 29 Working Party adopted a working document on establishing a cooperation procedure for issuing common opinions on whether contractual clauses are compliant with the European Commission’s Model Clauses (Model Clauses).

The working document establishes the procedure by which companies wishing to use identical contractual clauses in different Member States for transfers of personal data outside the European Economic Area (EEA) are able to obtain a coordinated position from the relevant Data Protection Authorities (DPAs) on the proposed contracts, without the need to approach each relevant DPA individually for approval.

Background

Model Clauses represent one of the ways that a data controller can overcome the general prohibition contained in the EU Data Protection Directive (95/46/EC) on cross-border transfers of personal data to countries outside the EEA that do not offer adequate levels of data protection. The Model Clauses are intended to be used without amendment, although some divergence, e.g., through the use of additional clauses having no impact on the overall compliance of the Model Clauses adopted, may be acceptable.

Company groups in Europe often use identical contractual clauses in different jurisdictions for the purposes of transfers out of the EEA. However, differing implementation of the Data Protection Directive between Member States has resulted in a situation whereby some jurisdictions require DPA approval of the Model Clauses used (such as Austria, Denmark, France and Spain), whether used with or without amendment, whereas other jurisdictions do not require such DPA approval where the Model Clauses are used without amendment. As a result, identical contracts using the Model Clauses with only minor amendment may be considered compliant by a DPA in one jurisdiction but not in others.

According to the Working Party, the purpose of this working document is to create a procedure allowing companies to obtain a coordinated position from the relevant DPAs when using identical contractual clauses based on the Model Clauses with minor amendment, in particular as to whether the contractual clauses are compliant with the Model Clauses.

The Process

Should a company wish to know whether its contract is compliant with the Model Clauses, under the proposed cooperation procedure, it will first need to ask the DPA it believes is entitled to act as the lead DPA to launch the EU cooperation procedure.

The company will then need to provide the lead DPA with a copy of the contract, indicating the references to the Model Clauses together with any divergences and additional clauses, as well as a list of EEA countries from which the company will be carrying out the transfers.

The Lead DPA

The Working Party has suggested that the company should choose the lead DPA from a Member State in which the transfers will take place, and it will be for the company to justify why that DPA should be considered the lead. According to the Working Party, the following criteria should be considered by the company:

  1. The location from which the contractual [...]




Is There an End in Sight for EU Data Protection Reform?

On 5 November 2014, Peter Hustinx, the European Data Protection Supervisor (EDPS), together with Germany’s Federal Data Protection Commissioner, Andrea Voßhoff, held a panel discussion on the state of play and perspectives on EU data protection reform.

Although participants identified a number of key outstanding issues to be resolved prior to the conclusion of the reform process, there was some optimism that such issues could be overcome, and the process completed, before the end of 2015.

Background

The EDPS is an independent supervisory authority whose members are elected by the European Parliament and the Council in order to protect personal information and privacy, in addition to promoting and supervising data protection in the European Union’s institutions and bodies. The role of the EDPS includes, inter alia, advising the European Commission, the European Parliament and the Council on privacy legislation and policies, and working with other data protection authorities (DPAs) to promote consistent data protection throughout Europe.

The proposed data protection regulation is intended to replace the 1995 Data Protection Directive (95/46/EC) (the Directive) and aims not only to give individuals more control over their personal data, but also to make it easier for companies to work across borders by harmonising laws between all EU Member States. The European Parliament and the Civil Liberties, Justice and Home Affairs (LIBE) Committee have driven the progress on new data protection laws, but there has been frustration aimed at the Council of Ministers for its slow progress. Following the vote by the European Parliament in March 2014 in favour of the new data protection laws, the next steps include the full Ordinary Legislative Procedure (co-decision procedure), which requires the European Parliament and the Council to reach agreement together.

The panel discussion attendees were made up of institutional representatives and key figures involved in the EU Data Protection Reform Package, including: Stefano Mura (Head of the Department for International Affairs at Italy’s Ministry of Justice); Jan Albrecht MEP (Vice-Chair and Rapporteur of the European Parliament LIBE Committee); and Isabelle Falque-Pierrotin (President of CNIL and Chair of the Article 29 Working Party). The purpose of the panel discussion was to consider the outstanding issues and next steps to finalise proposals on EU data protection reform, particularly in the context of the recent CJEU rulings on data retention and the right to be forgotten.

Key Messages

The key points raised during the panel discussion included:

  • There is optimism that the reform process will be completed in the next year subject to resolving outstanding issues, such as:
    • Whether public authority processing should be included in the proposed data protection regulation – Andrea Voßhoff commented that this issue was being considered by the Council of Ministers Committee in relation to the introduction of a clause preventing the lowering of standards by national laws. Stefano Mura added that while there is a desire for both a uniform approach between the EU Member States and a right for Member States to regulate their own public sectors, a [...]




Processing Personal Data in Russia? Consider These Changes to Russian Law and How They May Impact Your Business

Changes Impacting Businesses that Process Personal Data in Russia

On July 21, 2014, a new law, Federal Law № 242-FZ, was adopted in Russia (Database Law) introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.” The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia. At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market. This would include, for example, retailers, restaurants, cloud service providers, social networks and companies operating in the transportation, banking and health care spheres. Importantly, while the Database Law is not scheduled to come into force until September 1, 2016, a new bill was introduced on September 1, 2014 to move that date forward to January 1, 2015. The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals. If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.

Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad. However, this is not written explicitly into the law and, until such an opinion is confirmed by the competent Russian authorities, this will continue to be an open question. There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad. If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.

The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws. Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether it is registered in Russia. However, the DPA can initiate the procedure to block access only if there is a corresponding court judgment. Based on the court judgment, the DPA will then be able to require a hosting provider to undertake steps to eliminate the infringements. For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting [...]




