Mexico's Data Protection Law Now in Effect

On July 6, 2010, Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares came into force.  As we previously reported, on April 27, 2010, the Mexican Senate unanimously approved this landmark federal data protection law governing the collection, processing and disclosure of personal data by the private sector.  Pursuant to the adoption of the new law, the Mexican Federal Institute of Access to Public Information has changed its name to the Federal Institute of Access to Information and Data Protection.

As reported by the IAPP, the Institute’s oversight powers will now include regulation of the private sector in addition to having authority with respect to government entities.  The new law contemplates the rights of existing regulatory authorities to issue regulations in conjunction with the Institute, with non-compliance by a data controller being addressed first by the relevant industry regulator.

Russia Considers Improving its Data Protection Law

The Russian Federation is considering amending the country’s data protection law, according to BNA’s Privacy Law Watch.  Businesses have long complained that the law contains restrictions on data processing that are extremely difficult to meet.  For example, the law requires affirmative written consent for most types of data processing.  In the online context, this provision has been interpreted to require a consumer’s digital signature.  A check box, which is an acceptable mechanism for expressing consent in the EU, for example, is deemed unacceptable in Russia.  In practice, this and other requirements of the data protection law have been widely ignored, even by Russia’s biggest Internet businesses.  Not surprisingly, Russia’s data protection regulator – the Russian Federal Service for Oversight of Communications, Information Technology and Mass Media (“Roscomnadzor”) – has found the rate of noncompliance with the law to be high.  Roscomnadzor has reported that over 400 audits conducted in 2009 revealed 86 incidents of noncompliance.  In connection with the proposed amendments to the law, the regulator already has received over 100 recommendations from businesses and data protection professionals aimed at improving the law and implementing regulations.

Hague Conference Adopts Paper on Privacy and Data Protection

At a meeting held April 7-9, 2010, the Council on General Affairs and Policy of the Hague Conference on Private International Law adopted a document entitled 'Cross-Border Data Flows and Protection of Privacy' that outlines the organization's possible future work in the area of privacy and data protection law.  The document contains an overview of international data protection initiatives of the last few years, and addresses various cross-border cooperation issues, including problems created by the difficulty of determining applicable law and jurisdiction in cross-border data flows.  In this regard, the Conference refers to the writings of Hunton & Williams partner Christopher Kuner, which it calls "the most relevant research conducted to date" (see page 9).

The paper concludes by identifying three areas where the Hague Conference could play a role, namely (1) identifying possible uncertainties on the applicable law to cross-border data flows necessary to the application of Hague Conventions, (2) assessing the feasibility of tools already successfully implemented by the Hague Conference on transnational co-operation and co-ordination in other contexts as models for cross-border data flow questions, and (3) contributing to the ongoing debate on whether additional multilateral efforts are feasible and/or desirable and whether they would bring added advantages with respect to existing instruments.

The Hague Conference on Private International Law is a global inter-governmental organization working in the area of private international law.  It is based in The Hague, Netherlands and has 69 members (68 countries plus the European Union) representing a variety of legal traditions.

Mexican Senate Approves Data Protection Bill

The Mexican Senate has unanimously approved a landmark data protection law governing information use in the private sector, la Ley Federal de Protección de Datos Personales en posesión de los particulares (full text in Spanish).  We provided information on the bill last week when the Chamber of Deputies voted to approve it.  The legislation has been forwarded to the president for signature.  We will provide further details as this story develops. 

Mason Weisz, an associate at Hunton & Williams, provided an overview of the new legislation during the Centre for Information Policy Leadership’s First Friday Call on June 11, 2010.

Mexico on the Verge of Amending its Data Protection Law

According to Mr. M. Jorge Yanez V., a partner at the law firm of Barrera, Siqueiros y Torres Landa, S.C. in Mexico City, on April 13, 2010, the Mexican Chamber of Deputies passed a bill that, when ratified by the Senate, will become the country’s new Federal Law of Protection of Personal Information.  The Senate is expected to pass the bill shortly and without revisions.  When the bill is enacted into law, Mexico’s Federal Institute of Access to Information, the agency that currently oversees the disclosure of and access to government information, will be renamed the Federal Institute of Access to Information and Data Protection.  The agency’s jurisdiction will expand to include the protection of personal information of private individuals and entities.  We will provide additional details about the new bill as it becomes available.

French Senate Issues Amended Bill on the Right to Privacy in the Digital Age

On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”).  Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.

Among the many amendments, organizations with more than 50 employees accessing or processing personal data would be required to appoint a data protection officer (“DPO”).  This obligation also applies to organizations whose data processing activities, such as the processing of sensitive data, biometric or genetic data or judicial data, require prior authorization from the French data protection authority (the “CNIL”).  The Bill also makes the DPO the central figure in the data compliance process, thereby strengthening the DPO’s role within an organization.  Acting in an independent manner, a DPO must inform and advise any person working on behalf of the data controller on issues relating to data protection, as well as maintain and regularly update a list of all the data processing activities carried out by the data controller.

The DPO also would play a central role in the handling of data security breaches.  In the event of a data security breach, the data controller must inform the DPO without delay or, in the absence of a DPO, the CNIL must be informed.  Upon learning of a breach, the DPO must immediately take all the necessary measures to (i) restore the integrity and confidentiality of the data, and (ii) notify the CNIL of the incident.  The DPO also must maintain an inventory of all data security breaches suffered by the organization.

The Committee’s Bill will be put to a vote before the general assembly of senators on March 23, 2010.  Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who were consulted by the Senate in the course of drafting the amended Bill.

The Bill and the second Report are available (in French) on French Senate’s website.

New EU Fundamental Rights Commissioner Reveals Privacy and Data Protection Priorities in the European Union

On January 12, 2010, Ms. Viviane Reding, Commissioner-designate for Justice, Fundamental Rights and Citizenship, was questioned during a public hearing before the European Parliament.  During this hearing, Ms. Reding revealed her priorities in the field of privacy and data protection.  “Fundamental rights and data protection will be top of the line” said Ms. Reding, who explained that she intends to incorporate the EU’s data protection rules into a modern and comprehensive legal instrument.

Ms. Reding promised that all proposed EU legislation will comply with the European Charter of Fundamental Rights (which entered into force on December 1, 2009), including the right to privacy.  Ms. Reding also announced that she would work closely with the Council of Europe on fundamental rights issues and would soon be presenting a proposal for the EU’s accession to the European Convention for the Protection of Human Rights.

When asked about the protection of personal data in international agreements (with regard to issues such as banking data, air passenger name records and body scanners), Ms. Reding replied that “our need for security cannot justify any violation of privacy” and that she would not let anyone dictate “rules that go against fundamental rights on anti-terrorism grounds.”

View the EU press release

View Ms. Viviane Reding’s answers to the European Parliament’s questionnaire.

Article 29 Working Party Issues Contribution to Consultation on the EU Data Protection Framework

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  View the full text of the Contribution, which was published today.  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of the structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

The Contribution maintains that the fundamental principles of European data protection law remain valid.  However, it also notes that both improvements in implementation of the existing data protection framework and changes to it should be considered, in particular regarding the following points:

  • implementation of the legal framework for data protection in the EU Member States should be improved;
  • the system for issuing “adequacy decisions” by the European Commission regarding the level of data protection in third countries should be made more efficient;
  • a provision on binding corporate rules should be introduced;
  • the position of “privacy by design” in the legal framework should be strengthened;
  • a general security breach notification regime (i.e., one not limited to telecom service providers and ISPs as is now the case) should be introduced;
  • requirements to notify data processing with national data protection authorities should be simplified or even eliminated in some cases;
  • the responsibilities of data controllers should be increased by introducing an accountability principle into the new legal framework (in this regard, the Contribution explicitly mentions the work of the Centre for Information Policy Leadership at Hunton & Williams);
  • the use of consent as a legal basis for data processing should be made more restrictive;
  • the role of the data protection authorities should be strengthened and clarified, and cooperation between the DPAs should be reinforced, particularly through improvements to the Article 29 Working Party’s working methods.

The European Commission will now evaluate all the contributions received under the Consultation and consider whether changes to the EU legal framework should be proposed.  It should be noted that any changes to the framework would likely take a minimum of five years to be enacted.

Viviane Reding Appointed New EU Commissioner for Fundamental Rights

Commissioner Viviane Reding has been chosen as Commissioner for Justice, Fundamental Rights, and Citizenship in the new European Commission that is set to take office in early 2010 (assuming approval by the European Parliament).  Ms. Reding's responsibilities will thus include data protection, including the Commission's ongoing review of the EU framework for data protection.  She is currently EU Commissioner for Information Society & Media, where she oversaw review of the e-Privacy Directive and the EU legislative framework for telecommunications.  Commission President Barroso appointed a separate commissioner for fundamental rights as part of a commitment he made to the European Parliament to give greater profile to such issues.  Commissioner Reding will share a Directorate-General with Commissioner Cecilia Malmström, who is in charge of Home Affairs (i.e., law enforcement).  It remains to be seen how appointing a separate commissioner in charge of fundamental rights (rather than having a single commissioner in charge of both law enforcement and fundamental rights, as is the case in the current DG Justice, Liberty and Security) will affect the data protection portfolio.

Federation of German Consumer Organisations Successful against Social Networks - Providers Intend to Discontinue Use of Certain Data Protection Provisions

On November 12, 2009, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V., “vzbv”), a non-governmental organization acting as an umbrella for 41 German consumer associations, announced that the social networks Xing, MySpace, Facebook, Lokalisten, Wer-kennt-Wen and StudiVZ had signed undertakings that they would discontinue use of certain terms and conditions and data protection provisions.  The vzbv had sent warning notices to the six leading social network providers regarding a number of clauses.

The main criticism from vzbv referred to general terms and conditions and data protection provisions that disadvantaged users and gave wide-ranging rights to the providers.  The provisions regarding comprehensive use of data and data processing were a primary subject of the proceedings.  These uses and processing often took place without the user’s consent and exceeded the original purpose for which the data were collected.  These practices are supposed to be changed in the future.  The providers promised to implement amendments to the provisions by January 2010 at the latest.

The vzbv also has published a position paper that outlines what providers need to be doing from a user perspective.  This guidance includes, for example, that the providers should ensure restrictive pre-settings for user profiles to more fully protect new users.  In addition, the providers should assess implications for data protection and consumer protection in case of new technical developments.

For more information please see the press release by vzbv (in German).

French Senate Issues New Legislation to Amend Data Protection Act: Provisions Include Breach Notice Obligation and Consent for Use of Cookies

On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”).  Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.

The Draft Law requires that data controllers provide information on their data processing activities to their data subjects in a clear, specific and easily accessible manner.  The data subjects would be able to exercise their right of access more easily, including by email.  The Draft Law also distinguishes between the data subject’s right to object to the use of his/her personal data for commercial purposes and his/her right to delete his/her personal data after it has been processed.

The Draft Law also proposes an increase in the obligations of data controllers.  Organizations with more than fifty employees that either access or process the personal data are required to appoint a data protection officer.  In addition to his obligation to inform the data subjects about a data processing activity, a data controller would have to obtain a data subject’s consent to process data (including for the use of cookies), except if a legal exception applies.  Data controllers would also have to implement stronger security measures to preserve the security and confidentiality of personal data.  In particular, in case of a data security breach, a data controller would have to notify the French data protection authority (“CNIL”), which would then decide whether to inform the data subjects concerned by this breach.

Finally, passage of the law would increase the CNIL’s enforcement authority.  Fines imposed by the CNIL for violations of the law would be increased to a maximum €600,000 (instead of the current €300,000).  The CNIL’s decisions to sanction data controllers would be published more frequently.  The CNIL would further gain the right to produce written observations or to be heard in any civil, criminal or administrative court hearing.

This Draft Law will now be examined by a Committee of the Senate before it is discussed and submitted for a general vote.  Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who were consulted by the Senate in the course of drafting the new law.  View the Draft Law in French.

UK Regulator Approves Hyatt Hotels BCR - First Approval under the Mutual Recognition Procedure

On September 23, 2009, the Information Commissioner's Office (the "ICO"), the UK's data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation's binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.

Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State's DPA acts as the lead authority on a company's BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.

A total of 17 DPAs have now agreed to participate in the mutual recognition procedure. Members of the European Economic Area that participate include France, Germany, Ireland, Italy, Latvia, Luxembourg, Spain, The Netherlands, the UK, Cyprus, Iceland, Liechtenstein and Norway.

BCRs are a set of contractual arrangements and internal policies that allow an organization's personal data to be transferred legitimately to other entities within that organization's global corporate group. The approval, given on September 15, 2009 by the ICO, is the fifth BCR approval issued by the ICO. However, as mentioned above, this approval is the ICO's first under the mutual recognition procedure.

Read more on the BCR Authorization.

The Article 29 Working Party has issued various guidance to assist organizations with the BCR process, such as the BCR FAQs which were revised on April 8, 2009.

German Data Protection Authority Issues €36,000 Fine Against Lidl for Collection of Employee Health Data

On August 19, 2009, the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl €36,000 (approximately $51,000) for illegally keeping records of employee health data. 

The case was triggered by a report in the German news magazine Der Spiegel.  A Bochum resident found papers and forms containing Lidl employees' health data in a trash bin at a car wash and forwarded them to the magazine.  Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees' medical conditions, partly without their knowledge.  This activity was found to violate data protection law in many cases. 

Click here for a press release issued by the German Data Protection Authority (in German).

Deutsche Telekom Issues First Data Protection Report

As a consequence of the data protection scandals at Deutsche Telekom AG over the last few years, the company is committed to reviewing these incidents by publishing an annual data protection report.  On April 28, 2009, the first data protection report for year-end 2008 was issued and is intended to show the public that Deutsche Telekom is focused on the transparency of its data protection practice.  The first chapter of the report contains an overview of the crucial incidents relating to data protection issues in 2008.  The following chapters present the operative focal points of the company's data protection practices.  After the conclusion and outlook sections, an annex is included that describes Deutsche Telekom’s data protection organizational structure and provides a framework for data protection activities at the operational level.  The company's "Privacy Code of Conduct" also is included in the report.  The full text of the report and press release (in German) can be found here.

RAND Report Commissioned by the UK Information Commissioner's Office

The UK Information Commissioner's Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.

The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners' Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.

The RAND study concludes that the "widely applauded" principles contained in the Directive remain the touchstone for good data protection regulation. However, the implementation and enforcement of these principles require fresh thinking. Excessive bureaucracy and prescriptive criteria for data protection compliance, at the expense of a flexible, harms-based approach, are one example of how out of date local implementation of the Directive has become.

The study includes a number of recommendations for improvement, working within the framework of the existing Directive, but leading ultimately to an outcomes based regulatory model for the future.

It may be less radical than many had hoped, but there is much within RAND which will stimulate debate. It represents merely the starting point for future discussion.

To access the RAND study, please click here.  To read the summary of the study, which includes a foreword by Richard Thomas and the EU Commissioners' Declaration, please click here.

Data Breach: Identity Theft Risk Insufficient to Support Claims

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants.  Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance.  Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).

Ruiz did not experience identity theft, but he claimed that the increased risk of identity theft supported his claims.  With respect to the negligence claim, the Complaint stated, “Plaintiff and the Class have suffered damages; they have spent and will continue to spend time and/or money in the future to protect themselves as a result of Defendants' conduct,” and the contract claim was supported with nearly identical language.  Defendants moved for summary judgment.

On the issue of standing, the court held that the increased risk of identity theft indeed constituted “an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) actual or imminent, not conjectural or hypothetical” and that Ruiz met the basic threshold to bring a case in federal court.  Unfortunately for the plaintiff, merely stepping through the proverbial courthouse door is not enough to win a case, and he did not get much further than that.

Dismissing the negligence claim, the court noted that Gap had already offered one year of credit monitoring and that any potential risk not mitigated by that monitoring did not amount to the sort of “appreciable, nonspeculative, present harm [that] is an essential element of a negligence cause of action” under California law.

The contract claim suffered the same fate, as the Court explained that “a breach of contract claim requires a showing of appreciable and actual damage,” and “[b]ecause Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft … .”  Ruiz argued that the costs he independently paid for credit monitoring are compensable because they constitute his attempt to mitigate damages, but the court held that “Ruiz has no actual damages to mitigate since he has never been a victim of identity theft.”

Judgment was entered for the defendants.

Online Behavioral Advertising Attracts Attention in Europe

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. The full text of Ms. Kuneva’s address is available here.

This issue has also attracted attention at the national level and is currently being addressed in some Member States. On March 26, 2009, the French Data Protection Authority (CNIL) issued a report on online behavioral advertising stating that current business models are, in many aspects, a threat to privacy and do not comply with the French Data Protection Act. The CNIL called for more transparency, clear and user-friendly privacy notices, and more wide-spread collection of explicit consumer consent to behavioral advertising. The CNIL also encouraged businesses to adopt a code of conduct and to develop more effective tools that would allow Internet users to have control over information about them. The full report is available (in French) here.

Finally, the French Senate recently completed a study on online tracking and tracing devices and their impact on people’s privacy. The Senate organized a hearing with various stakeholders in which it addressed the question of existing and future tracking technologies and how these technologies can be better addressed in the context of the French Data Protection Act. The Senate is expected to issue a public report in the near future, which may contain legislative proposals to amend the French Data Protection Act.

US-Swiss Safe Harbor Framework in Force

On February 16, 2009, the US-Swiss Safe Harbor Framework, which is comparable to the EU-US Safe Harbor Framework, was adopted. The US-Swiss framework is intended to simplify the transfer of personal data by Swiss companies to American companies that are self-certified with the US Department of Commerce (DOC). Self-certified US companies are bound by the principles contained in the framework. They will automatically be considered as providing an adequate level of data protection under Swiss law. To read more and for more EU data protection updates, please click here.

Belgian Criminal Court Fines Yahoo for Non-Disclosure of Personal Data to Public Prosecutor

On 2 March 2009, a Belgian Criminal Court (Tribunal correctionnel de Termonde, No. DE 20.95.16/08/25) fined Yahoo! Inc. €55,000 ($71,745) for refusing to disclose to a Belgian Public Prosecutor the personal data of its e-mail users who were under criminal investigation for fraud. The Criminal Court also imposed a daily penalty of €10,000 ($13,045) in case of non-compliance with the judgment.  This decision was reached despite Yahoo!’s argument that Belgian law did not apply because the company does not maintain a legal entity in Belgium and does not store any customer data in Belgium.

In the context of a criminal investigation for fraud, the Belgian Public Prosecutor of Termonde had requested the disclosure of detailed account information to identify e-mail users using pseudonyms on their Yahoo! email accounts.  Yahoo! refused to disclose such information. The Belgian Criminal Court held that Yahoo! had violated Article 46bis of the Belgian Code of Criminal Procedure (Code d’instruction criminelle), which imposes on electronic communication service providers a duty to cooperate with a Public Prosecutor and to provide the identity of their users when requested by a Public Prosecutor in the course of a criminal investigation.

As mentioned above, Yahoo! argued that Belgian law did not apply because there is no Yahoo! legal entity in Belgium and Yahoo! does not store any customer data in Belgium. Furthermore, Yahoo! argued that the Belgian Public Prosecutor had failed to issue a formal request in accordance with the procedures established by the Treaty on Mutual Legal Assistance in Criminal Matters, signed between the United States and Belgium on 1 January 2000. Following the ruling, Yahoo! appealed the judgment of the Criminal Court on 3 March 2009.

ECHR Rules on Disclosure of Web Users' Identity

On December 2, 2008, the European Court of Human Rights (ECHR) ruled in K.U. v. Finland that Article 8 of the European Convention on Human Rights requires national laws to protect individuals from serious online privacy infringements, but also that the national legal framework must allow for the identification and prosecution of offenders. This case involved an advertisement of a sexual nature, which was placed on an Internet dating site on behalf of the applicant, who was twelve years old at the time, without his knowledge.  To read more on this and for additional EU data protection updates, please click here.

EU: Article 29 Working Party Issues Toolkit on Binding Corporate Rules

On October 1, 2008, the Article 29 Working Party issued a toolkit on Binding Corporate Rules (BCRs) aimed at promoting them as a mechanism for transferring data to countries without an adequate level of data protection. The toolkit includes: (1) a table highlighting the elements and principles to be found in BCRs (WP 153); (2) a document setting up a framework for the structure of BCRs (WP 154); and (3) a revised version of the FAQs on BCRs (WP 155). The toolkit also announced the creation of a mutual recognition procedure between nine national data protection authorities. For more EU data protection updates, please click here.