Ukraine Adopts a New Data Protection Law

On June 1, 2010, Ukraine’s parliament adopted a bill on the protection of personal data which introduces a comprehensive regulatory regime for data processing in the country.  The bill was signed by the President of Ukraine on June 24, 2010, and will come into force on January 1, 2011.

Currently, data protection in Ukraine is governed by several laws, including the Ukrainian Constitution, the Civil Code and the Law on Information.  Some highlights of the new Data Protection Law include:

  • Personal data is defined as “any information about an identified or identifiable individual or a summary of such information”
  • Processing activities involving sensitive data (which is defined as any information that reveals (i) racial or ethnic origins; (ii) political, philosophical or religious opinions; (iii) political-party or trade union membership; (iv) health; or (v) sexual life) are prohibited unless the individual’s prior consent is obtained or a legal exemption applies
  • An independent data protection authority (the “State Register of the Personal Data Databases”) must be created, and any processing of personal data will be subject to registration with this authority
  • Transfer of personal data abroad is permitted; however, the wording of the law is unclear on the conditions and seems to require further explanation

In addition, on July 6, 2010, Ukraine’s parliament ratified the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and its Additional Protocol regarding supervisory authorities and transborder data flows (ETS No. 181).

Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches.  Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities:  businesses, processors and vendors.  Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

The new law, an addition to the state’s breach notification statute, provides that if a processor or business fails to take reasonable care to guard against unauthorized access to payment card account information in its possession or control, and that failure is the cause of the breach, the processor or business is liable to the relevant financial institution for reasonable actual costs related to the reissuance of payment cards to Washington residents to mitigate “potential current or future damages” to them.  Similarly, a vendor will be liable to the financial institution for these costs to the extent the damages were caused by the vendor’s negligence.

The law contains a number of safe harbors.  For example, there is no liability if the account information was encrypted at the time of the breach.  Also, an entity is not liable if its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) was validated by an annual security assessment that took place no more than one year prior to the breach, even if that security assessment is subsequently revoked.

New UK Information Commissioner Sets His Agenda

The new UK Information Commissioner, Christopher Graham, shared his vision for data protection regulation at his first conference speech in London yesterday.  As the keynote speaker at the 8th Annual Privacy and Data Protection Conference, chaired by Hunton & Williams partner, Bridget Treacy, Christopher Graham positioned himself as a fair, but tough, regulator who will not be afraid to use his strengthened enforcement powers.

The Commissioner noted that his vision for the Information Commissioner’s Office (“ICO”) is that of a well-funded regulator working to assist organizations with their data protection compliance activities and deal with any perceived non-compliance as early as possible.  However, he made it clear that sanctions will follow for those organizations that choose not to comply with data protection laws.

Specifically, Christopher Graham noted that the recent increase in data protection registration fees in the UK will greatly improve his office’s funding and enable him to expand its focus on compliance and enforcement.  He envisions a greater number of inspections or audits of data processing activities.  Further, the Commissioner’s power to impose monetary penalties is expected to come into force in April 2010, and Christopher Graham expects that 20 or so organizations are likely to be fined within the first 12 months.

Overall, there was a sense that change is afoot at the ICO.