Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: International Privacy Law

Canada Moves Forward with Mandatory Federal Security Breach Notification Law

Posted in Data Breach Notification Laws, International Privacy Law
On June 18, 2015, the Canadian Minister of Industry announced that the Digital Privacy Act, which amends Canada’s foundational Personal Information Protection and Electronic Documents Act (PIPEDA), has received royal assent and is now law. Although the Act contains a number of provisions that are likely to impact organizations doing business in Canada, certain key… Continue Reading

A Deeper Dive: Risk Assessments Are a Necessary Step in Creating Layered Cyber Defenses

Posted in Cybersecurity, Incident Response, International Privacy Law
We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Tens of thousands of cyber attackers employed by the Chinese People’s Liberation Army and other employees and contractors of the Chinese Ministry of State Security work… Continue Reading

Social Media’s Not For You—It’s About You: Risks for Organizations in a New Age of Sharing

Posted in Data Breaches, Information Governance, International Privacy Law, Mobile Privacy, Privacy Litigation, Social Media, Workplace Privacy
Social media and social networking, including websites and applications that allow users to create and share content, have become ubiquitous. Joining the social networking revolution may be very easy for individuals, but establishing best practices for organizations that want or need to be actively engaged with social media is not. Initial considerations tend to focus… Continue Reading

Bring Your Own Device (Everywhere): Legal and Practical Considerations for International BYOD Programs

Posted in Information Governance, International Privacy Law, Mobile Privacy, Privacy Litigation, Workplace Privacy
The cross-use of mobile devices for personal and professional purposes, commonly referred to as “Bring Your Own Device” or “BYOD”, is a relatively recent phenomenon that has created a host of legal and practical challenges for organizations of all sizes. Implementing a BYOD program is especially complex for companies that have employees who regularly travel… Continue Reading

Privacy or Politics? – Russia Seeks More Control Over its Citizens’ Personal Data

Posted in International Privacy Law
Back in July, President Vladimir Putin signed a law (Federal Law No. 242-FZ) that compels “data operators” to store Russian citizens’ personal data only inside Russia. Previously, Russian law allowed the storage of data relating to Russian citizens to be located on servers in foreign countries. Under the new law, companies that collect personal data… Continue Reading

Privacy Law in a Nutshell

Posted in Cybersecurity, Federal Legislation, Information Security, International Privacy Law, Marketing
BakerHostetler Privacy and Data Protection Partner Erica Gann Kitaev is a co-author of the recently published Privacy Law in a Nutshell, Second Edition, through West Academic Publishing. Legal issues related to privacy are exploding in the U.S., and virtually all businesses face privacy considerations, particularly as technology and the law evolve. The Privacy Nutshell is… Continue Reading

Moving Towards a Global Harmonized Approach to Cross-Border Data Transfers?

Posted in Information Governance, Information Security, International Privacy Law, Online Privacy
Today, data can be transferred around the world instantaneously, making the global marketplace seem almost borderless.  As any multinational company knows, however, compliance with each country’s data transfer and privacy laws can be onerous.  As the U.S. contemplates data protection legislation, the FTC last week announced a joint initiative with agency officials from the European… Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Posted in Data Breaches, HIPAA/HITECH, International Privacy Law, Medical Privacy
Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to… Continue Reading

International Privacy – 2013 Year in Review – Africa

Posted in International Privacy Law
Authors: Gonzalo Zeballos, James Sherer, and Alan Pate South Africa On August 22, 2013, after four years of deliberation, the South African Parliament passed the first comprehensive data protection legislation in South Africa, the Protection of Personal Information (POPI) Bill. This Bill supports the existing right to privacy found in section 14 of the Constitution… Continue Reading

International Privacy – 2013 Year in Review – Asia

Posted in International Privacy Law
Authors: Gonzalo Zeballos, James Sherer, and Alan Pate. Asian Data Privacy Updates: 1. China. China’s Personal Information Protection Law Proposal was submitted to the State Council in 2008, which was followed by the Ministry of Industry and Information Technology’s non-binding Internet Information Services Market Order Provisions of 2011. However, little direct progress was made until… Continue Reading

International Privacy – 2013 Year in Review – Central and South America

Posted in International Privacy Law
Authors: Gonzalo Zeballos, James Sherer, and Alan Pate. Central American Data Privacy Updates: 1. Costa Rica. On March 5, 2013, Costa Rica’s data protection law, originally passed in 2011, came into force. The law, the Ley Protección de la Persona frente al tratamiento de sus datos personales, Law 8968, requires explicit data subject consent for… Continue Reading

International Privacy – 2013 Year in Review – Canada

Posted in International Privacy Law
Authors: Gonzalo Zeballos, James Sherer, and Alan Pate This fall, Canadian Parliament failed to pass proposed amendments to its federal privacy law that would impose a mandatory breach notification requirement. Bill C-12, originally introduced in 2010 and reintroduced in 2011, seeks to amend Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to include breach… Continue Reading

International Privacy – 2013 Year in Review – Ukraine

Posted in International Privacy Law
Authors: Gonzalo Zeballos, James Sherer, and Alan Pate Ukraine privacy law is undergoing a dramatic shift with its introduction of new legislation, “On Amending Certain Legislative Acts of Ukraine Regarding Improving the System of Personal Data Protection,” enacted on July 3, 2013, with an enter-into-force date of January 1, 2014. This legislation abolishes the current… Continue Reading

International Privacy – 2013 Year in Review – European Union

Posted in International Privacy Law
Authors: Gonzalo Zeballos, James Sherer, and Alan Pate Fighting the war on two fronts: External Outside of the EU, concerns continue after the former NSA contractor Edward Snowden leaks demonstrated issues related to U.S. handling of European data. Beginning in July, 2013, the ongoing Transatlantic Trade and Investment Partnership (TTIP) talks were seen as a… Continue Reading

International Privacy – 2013 Year in Review

Posted in International Privacy Law
Authors: Gonzalo Zeballos, James Sherer, and Alan Pate. 2013 was a year of contrasts within data privacy. To begin with the “normal” course, Canada sought (but failed) to pass a mandatory breach notification amendment to its federal privacy law, and Uruguay acceded to the European Convention regarding personal data processing. China introduced its Decision on… Continue Reading

Proposed Amendment to EU Privacy Regulations May Force Choice Between Violating US and EU Law

Posted in International Privacy Law
Authored by Gerald Ferguson and Alan M. Pate On Monday, October 21, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted to approve an amended version of the proposed EU General Data Protection Regulations.  Included in the compromise package is Article 43a, a provision that restricts controllers or processors of… Continue Reading

The Lessons of the “Street View” Imbroglio: Know What Data You Collect and Don’t Collect Data You Don’t Need

Posted in International Privacy Law
The unintended capture of personal data by Google Street View has resulted in a German Data Commissioner imposing a $189,000 fine on Google this Monday. As anyone who has used Google Maps at the street view level knows, Google Street View is a valuable service that captures roads, landscapes, landmarks, buildings—and other activity that happens… Continue Reading

Poland Adopts Heavy Penalties for Telcos Using Cookies without Obtaining “Opt-In” Consent

Posted in International Privacy Law
Poland’s Act amending its Telecommunications Law and Certain Other Laws of November 16, 2012, came into effect on March 22, 2013.  The law relates specifically to telecommunications companies, and therefore other sectors such as service providers and third-party advertisers are not affected by the amendment.  With respect to cookies, it implements the EU Cookie Directive… Continue Reading

South Korea Court Opens the Door for Unintentional Data Breach Collective Actions

Posted in Data Breaches, International Privacy Law, Privacy Class Actions, Privacy Litigation
Authorship Credit:  Nathan A. Schacht This is a cross blog post with BakerHostetler’s class action blog.  For the latest in class action developments, visit classactionlawsuitdefense.com.  On February 15, 2013, the Seoul Western District Court in South Korea issued a judgment in a collective consumer action against a South Korean company for a data breach involving… Continue Reading

China Adopts Privacy Legislation Strengthening Online Personal Data Protection

Posted in International Privacy Law, Online Privacy
Authorship Credit:  Tina Amin   China’s top legislature, the Standing Committee of the National People’s Congress, closed out 2012 with the approval of rules to enhance the protection of online personal information.  The “Decision of the Standing Committee of the National People’s Congress to Strengthen the Protection of Internet Data” (“Decision”), which took effect upon… Continue Reading

Recent Updates in International Data Privacy Law

Posted in International Privacy Law
EU Information Security Agency Recommends Clear and Broad Interpretation of Data Breach Requirements On August 27, 2012, the European Network and Information Security Agency (ENISA) issued a paper, “Cyber Incident Reporting in the EU,” which analyzes the current state of EU legislation covering data breaches. It observes that many breaches remain undetected and, even if… Continue Reading

Vote on Ground-Breaking Brazilian Internet Bill of Rights Postponed

Posted in International Privacy Law
Internet-rights pundits had been waiting with bated breath for the Brazilian Congress’s vote on a proposed internet bill of rights—the so-called “Marco Civil da Internet.” That vote, which was scheduled for August 8, 2012, was canceled at the last minute without explanation. The proposed bill represents a unique, collaborative effort with the public—whose input was… Continue Reading

CAUTIOUSLY, EUROPE EMBRACES GOVERNMENT & ENTERPRISE CLOUD COMPUTING

Posted in International Privacy Law
Last week the European Commission's panel on privacy, commonly known as the Article 29 Working Party, provided long-awaited clarity (in the form of an "Opinion") on whether and how European governments and private enterprise can utilize cloud computing technology in their operations, including processing personal information and other protected data. Cloud computing is a broad term that varies in context and has been subject to hype, but generally refers to technologies and service models allowing the sharing of on-demand scalable computer resources over the internet, including software programs, computer storage space and elastic computing power. Implementing IaaS systems has allowed companies and governments to significantly reduce capital expenditures by eliminating the need for purchase and maintenance of computer infrastructure equipment. Cloud services also allow for rapid remote deployment of software and network solutions. Additionally, cloud services enable organizations to decrease reliance on developing sophisticated in-house staff since major cloud providers have trained experts monitoring the computing environment. But, because cloud computing leverages the internet and computing resources in geographically disparate locations, the technologies present serious privacy and data security risks. In addressing this fundamental concern the Opinion indicates that the principal risks are a potential lack of control over data and limited transparency into its processing. A cloud provider's infrastructure can seem opaque and lacking information ensuring the "availability, integrity, confidentiality, transparency, isolation, intervenability and portability of the data". Additionally, due to the collaborative nature of cloud computing, customers may not be aware of subcontractors in the supply chain handling their data. 
With due respect to the data security risk, many observers consider this to be the great triumph of cloud computing - that is, that it simply "works" without its users having to worry about the back-end.… Continue Reading