Hunton & Williams Tops Privacy Rankings

Hunton & Williams is pleased to announce its 2010 rankings from Chambers and Partners and The Legal 500 United States.  The firm was ranked #1 in both surveys for its Privacy and Information Management practice.

Once again, the firm was ranked in "Band 1" for Privacy and Data Security by both the Chambers USA and Chambers Global guides.  Chambers notes, "the team is particularly praised for its international expertise, especially in matters involving the European Union, such as cross-border data transfers."  Clients note that the firm "is a major competitor, especially on data breaches."  In addition, Lisa J. Sotto, partner and head of the firm's Privacy and Information Management practice, was ranked in "Band 1."  Clients note that she is "doing top-quality work and has a superb level of knowledge."  Read the full news release.

Hunton & Williams LLP Expands Global Privacy Practice Adding Counsel Wim Nauwelaerts in Brussels

Hunton & Williams LLP announces the expansion of its leading Global Privacy and Information Management practice with the addition on August 1, 2010, of Wim Nauwelaerts as Counsel in the Brussels office.  Formerly counsel in Hogan Lovells' Brussels office, Mr. Nauwelaerts brings 15 years of experience in international privacy, data protection and information security law.  He has a broad range of experience in the area of European data protection, and focuses specifically on data privacy issues for healthcare and life sciences clients.  Read the press release.

Hague Conference Adopts Paper on Privacy and Data Protection

At a meeting held April 7-9, 2010, the Council on General Affairs and Policy of the Hague Conference on Private International Law adopted a document entitled 'Cross-Border Data Flows and Protection of Privacy' that outlines the organization's possible future work in the area of privacy and data protection law.  The document contains an overview of international data protection initiatives of the last few years, and addresses various cross-border cooperation issues, including problems created by the difficulty of determining applicable law and jurisdiction in cross-border data flows.  In this regard, the Conference refers to the writings of Hunton & Williams partner Christopher Kuner, which it calls "the most relevant research conducted to date" (see page 9).

The paper concludes by identifying three areas where the Hague Conference could play a role, namely (1) identifying possible uncertainties about the law applicable to cross-border data flows necessary to the application of Hague Conventions, (2) assessing the feasibility of using tools already successfully implemented by the Hague Conference for transnational co-operation and co-ordination in other contexts as models for cross-border data flow questions, and (3) contributing to the ongoing debate on whether additional multilateral efforts are feasible and/or desirable and whether they would bring added advantages with respect to existing instruments.

The Hague Conference on Private International Law is a global inter-governmental organization working in the area of private international law.  It is based in The Hague, Netherlands and has 69 members (68 countries plus the European Union) representing a variety of legal traditions.

Christopher Kuner of Hunton & Williams Wins 2010 Burton Award for Legal Achievement

Hunton & Williams is pleased to announce that Christopher Kuner, a partner in the firm’s Brussels office, was named a recipient of the 2010 Burton Award for Legal Achievement.  He was honored for his article “Onward Transfers of Personal Data Under the U.S. Safe Harbor Framework,” originally published in the August 17, 2009, issue of BNA’s Privacy & Security Law Report.

Each year, The Burton Foundation, in association with the U.S. Library of Congress and its Law Library, recognizes excellence in legal writing.  This year, 30 individuals were selected as winners of the Burton Award from among entries submitted by the nation’s 1,000 largest and most prestigious law firms.  Mr. Kuner’s article examines the rules relating to so-called “onward transfers” of personal data under the U.S.-EU Safe Harbor Framework.  Onward transfers of personal data typically involve outsourcing and IT maintenance situations, which have become widespread and are highly relevant to companies around the world.  View Mr. Kuner’s article.

EU Approves New Standard Contractual Clauses for Transfers to Data Processors

On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU.  View the European Commission press release.  The clauses were negotiated over several years between the European Commission and a group of business associations led by Brussels-based Hunton & Williams partner Christopher Kuner, who is chair of the Task Force on Privacy and Data Protection of the International Chamber of Commerce.

Despite the growing popularity of other mechanisms that provide a legal basis for complying with the EU legal restrictions for transferring personal data outside the EU (such as binding corporate rules), the use of SCCs remains indispensable.  In many situations SCCs are the only “off the shelf” data transfer solution that can be used and implemented on short notice.  The Commission already published a set of SCCs for transfers to data processors that were approved in 2001, but companies have found that they do not always take business realities into account.  The SCCs can be burdensome to use in practice, in particular for the following reasons:

  • The existing SCCs do not contemplate the possibility that a data processor outside the EU may need to transfer personal data to another data processor, which happens very often in practice.
  • The SCCs can require the application of data security requirements from multiple EU Member States.
  • Many Member States impose bureaucratic formalities (notarization of signatures, annual updates, etc.) on use of the clauses.
  • There can be practical problems when using the clauses with multiple parties.
  • The SCCs contain a mandatory arbitration clause to which many companies have objected.

Although the Commission did not adopt many of the suggestions made by the business associations, thus diluting the value of the new clauses, the new SCCs do have some important advantages over the existing controller-to-processor clauses.  For example:

  • For the first time in EU data protection law, the new clauses provide a legal basis for processor-to-processor transfers.  Under the clauses, such transfers may be carried out when (1) the original data controller consents in writing, and (2) the same data protection obligations are imposed on the subprocessor as are imposed on the original data importer.  The original data importer remains liable for any data protection violations by the subprocessor.
  • The arbitration clause has been deleted.

There are two further important points with regard to the new clauses:

  • The new clauses must be used for new or changed transfers to data processors; i.e., the existing SCCs for controller-to-processor transfers may no longer be used for such transfers (but existing SCCs remain in effect).
  • The SCCs cover transfers from the EU to a data processor outside the EU, but not transfers from a data processor in the EU to a subprocessor outside the EU, although data protection authorities “may” allow use of the new clauses in such situations as well.

The full text of the new SCCs has been published in the Official Journal of the European Union.  Hunton & Williams has prepared a redline version showing the changes from the previous SCCs. Christopher Kuner will provide a detailed analysis in the near future. 

Hunton & Williams Prepares Study for the European Commission on the Interaction between Data Protection Law and Copyright Enforcement

On February 3, 2010, Christopher Kuner, a partner in Hunton & Williams’ Brussels office and head of the firm’s EU Privacy Practice, presented to the “Stakeholders’ Dialogue on Illegal Uploading and Downloading,” organized by DG Internal Market and Services of the European Commission.  Mr. Kuner presented a study which the Hunton & Williams Brussels team prepared for the Commission on the interaction of data protection law and copyright enforcement.  The study covers both the legal framework under EU law and the situation in six selected EU Member States (Austria, Belgium, France, Germany, Spain and Sweden).  The relationship between data protection and copyright enforcement was a point of contention in the recent amendment of the EU Directive on Privacy and Electronic Communications. 

The following are the major findings of the study:

At the European level:

At the Member State level:

  • IP addresses are generally considered by DPAs and courts to be personal data, although courts in some countries (e.g., France) have taken conflicting positions on this issue.
  • IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing and invoicing), and that consent is generally required to process them for other purposes (such as online copyright enforcement).
  • IP addresses processed in the context of online copyright enforcement may be considered to be sensitive data (judicial data), except in Spain.
  • ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to certain governmental authorities is allowed).
  • The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions.
  • The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.
  • The disclosure of P2P users’ identities by ISPs to judicial authorities in the context of criminal proceedings is generally authorized.
  • The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law.  In particular, ISPs generally may not disclose P2P users’ identities to right holders outside the context of judicial (administrative) proceedings.
  • In most Member States, it seems that little consideration was given to the interaction between data protection rules and implementation of the IP Enforcement Directive.

As the study demonstrates, the relationship between data protection law and online copyright enforcement is far from being settled.  This issue will certainly be discussed in the coming months during the ongoing debate on the review of the General Data Protection Directive at the European level, and in the context of the debate around possible graduated response mechanisms at the national level.

International Conference of Data Protection and Privacy Commissioners

On November 4, join our privacy professionals at the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, Spain.  Participate in various presentations on ways to manage the most challenging data protection issues in today’s global environment.  In addition, the International Association of Privacy Professionals (“IAPP”) will host a Data Protection and Privacy Workshop in conjunction with the conference.

Our privacy professionals will speak on the following panels:

  • Society under Surveillance? Striving for a Balance between Security and Privacy Roundtable with speakers Juan Fernando López Aguilar, President of the Committee on Civil Liberties, Justice and Home Affairs (LIBE), European Parliament; Karim Benyekhlef, Professor of Public Law of University of Montreal; Fred H. Cate, Director of the Center for Applied Cybersecurity Research, Indiana University; and Simon Davies, Director, Privacy International.
  • Companies, Privacy and International Data Flows with speakers Damon C. Greer, Department of Commerce, International Trade Administration; Jacob Kohnstamm, President of the Data Protection Authority, Netherlands; Michael Donohue, Policy Analyst, Directorate for Science, Technology and Industry, of the Organization for Economic Co-operation and Development; Christopher Kuner, Partner of Hunton & Williams and Chair of the Data Protection Task Force, International Chamber of Commerce; and Kamlesh Bajaj, CEO of the Data Security Council of India.
  • Privacy and Corporate Responsibility with speakers Bojana Bellamy, Global Data Privacy Compliance Lead of Accenture; Sandra Hughes, Global Privacy Executive of Procter & Gamble; Martin Abrams, Executive Director of the Centre for Information Policy Leadership, Hunton & Williams; Fran Maier, Executive Director and President of TRUSTe; and Willemien Bax, Deputy Director General of European Consumers’ Organization.

Draft Recommendation on Online Profiling in the Private Sector

On October 2, the Council of Europe's Consultative Committee of the Convention 108 on Data Protection ("T-PD") for the first time made publicly available its "Draft Recommendation on the Protection of Individuals with regard to Automatic Processing of Personal Data in the Framework of Profiling."  When it is finalized, the Draft Recommendation will be one of the first documents dealing with online profiling in the private sector issued by an international organization.  The International Chamber of Commerce ("ICC"), which has observer status in the T-PD, has been working to obtain increased private-sector input during drafting, via its chairman Christopher Kuner of Hunton & Williams.  The Council of Europe is now soliciting comments on the draft from the private sector, which should be submitted by the end of October.   

Comments on the Draft Recommendation should be sent to Kateryna Gayevska of the Council of Europe Secretariat at Kateryna.GAYEVSKA@coe.int.

Landmark Conference Considers Future of EU Data Protection Directive

On May 19 and 20 the European Commission held a conference which was perhaps the most important data protection event in Brussels since the Commission conference on evaluation of the EU Data Protection Directive 95/46/EC held in 2002. The conference was part of the Commission's current evaluation of the Directive, and was designed to explore both the current status of data protection in the EU and where it is headed in the coming years. Speakers included Jacques Barrot, the European Commissioner in charge of justice, freedom and security; Alex Türk, chairman of the CNIL (French Data Protection Authority) and the Article 29 Working Party; European Data Protection Supervisor Peter Hustinx; and representatives of European academia, business and non-governmental organizations. Christopher Kuner of Hunton & Williams was among the speakers. The entire event was webcast live; video coverage will shortly be available here.

Several major themes emerged from the conference:

  • While many are calling for amendment of the Directive in areas such as notifications to data protection authorities and international data transfers, there is little consensus on what those changes should be, or how far they should go. There is also apprehension that attempts to amend the Directive may lead to unforeseen changes that could worsen the current situation. These fears may act as a kind of inertia, lessening the likelihood that the Directive will be amended.
  • Several data protection authorities made the point that they are now putting much greater effort into enforcement than they were in the past, and that they are finally being given greater enforcement powers. Thus, companies need to be aware that the data protection enforcement risk in Europe is increasing.
  • There is great interest in the increased harmonization of data protection rules, including on a global basis. The Spanish Data Protection Authority is currently leading an initiative to draft global data protection standards, with the possible goal of having the UN adopt a global convention on data protection. Additional information about that initiative is available here.

The conference will be followed by an "open consultation," which will likely take the form of the European Commission requesting that interested parties submit papers on various data protection topics. The Commission is also currently preparing a legal study on Member States' implementation of the Directive, and will make proposals on possible amendments in 2010. Possible changes to the Directive will also be influenced by whether the EU's Lisbon Treaty comes into effect early next year. In any event, the next two years will be crucial to determining the EU's future legal framework for data protection.

Hunton & Williams LLP Voted Top Privacy Advisers for Third Year in Computerworld Poll

For the third year in a row, Hunton & Williams LLP has been named the top firm for privacy by Computerworld magazine. In its third annual report on top privacy advisers, the poll surveyed corporate privacy leaders in North America and Europe. The firm was ranked #1 by the respondents overall and by those in the Fortune 1000. When respondents were broken out by industry, Hunton & Williams topped the list as “providing the best privacy advice” in every industry category, including the financial, technology, consumer products and retail, healthcare, media and entertainment, and manufacturing sectors.

In addition to the practice listing, seven privacy professionals at the firm are listed as “top global experts on data privacy and protection.” Lisa Sotto, head of Hunton & Williams’ Privacy and Information Management practice, and Christopher Kuner, who heads the firm’s privacy practice in Europe, were ranked first and second, respectively, by the Fortune 1000 respondents. Sotto also received the top ranking by respondents overall. Marty Abrams of the firm’s Centre for Information Policy Leadership and Bridget Treacy of the firm’s London office are both ranked in the top 10 by overall respondents. Fred Cate, Aaron Simpson and Elizabeth Johnson are also listed among the top privacy professionals.

“Our privacy practice is known throughout the world for its deep experience, breadth of knowledge and outstanding client service,” said Wally Martinez, managing partner of Hunton & Williams. “It is particularly rewarding to see this reinforced by being recognized as a leader for three years in a row and to see so many of our attorneys listed.”

Overbrook Research, an independent public opinion consulting firm, conducted the survey this year, sending it to more than 2,000 corporate leaders around the world responsible for data protection in their organizations. The criteria used to rank firms included a firm’s experience, practical advice, global staff, timely and thorough work, and interdisciplinary perspective.

“We’ve made a clean sweep three years in a row,” said Sotto. “We rank at the top in the U.S., Europe and Asia and across most subject categories. This is due to our superb team of privacy attorneys and professionals, and it is gratifying that our clients have honored us this way.”

To view the article, please click here.