January 31, 2017
In honor of Data Privacy Day–an international effort to raise awareness and promote privacy and data protection best practices–we offer Gibson Dunn’s annual Cybersecurity and Data Privacy Outlook and Review. This year, we offer both aU.S. Outlook and Review and this separate International Outlook and Review.
2016 saw major developments in the evolution of the data protection and cybersecurity landscape outside the United States:
We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review. As the pace and volume of international data transfers continue to increase, and the international legal privacy landscape continues to expand and evolve, these issues will be as important as ever, in 2017 and beyond.
On July 12, 2016, the European Commission formally approved the EU-U.S. Privacy Shield (“Privacy Shield”), a framework for navigating the transatlantic transfer of data from the EU to the U.S. The Privacy Shield replaces the EU-U.S. Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015 in Maximilian Schrems v. Data Protection Commissioner (the “Schrems” decision). We provided an in-depth discussion of the Schrems decision in our Outlook and Review last year.
The privacy framework of the European Union rests in part on the Charter of the Fundamental Rights of the European Union (the “Charter”), which includes such fundamental rights as the right to respect for private life and the right to protection of personal data. As a component of EU privacy and human rights law, the European Union also adopted Directive 95/46/EC (“EU Data Protection Directive”) in 1995, governing the protection of individuals with regard to the processing of their personal data within the EU. Article 28(1) of the EU Data Protection Directive requires Member States to set up one or more public authorities responsible for independent monitoring of compliance with EU rules on the protection of individuals and processing of personal data. Article 25(1) of the EU Data Protection Directive also specifies a principle that transfers of personal data from the Member States to third countries may take place only if the third country ensures an “adequate level of protection.”
To facilitate international commerce and compliance with the EU data protection laws on the transfer of personal data between EU Member States and the United States, the U.S. Department of Commerce issued the Safe Harbor Privacy Principles (“Safe Harbor”) in 2000. The Safe Harbor was intended for use by U.S. organizations receiving personal data from the EU and included a number of principles on protection of personal data to which U.S. companies could subscribe voluntarily. Companies pledged adherence to the Safe Harbor principles through a process of self-certification. Importantly, in Commission Decision 2000/520/EC in July 2000 (“Commission Decision 2000/520”), the European Commission declared that the Safe Harbor regime, as implemented in accordance with the Department of Commerce guidance, was considered to ensure “an adequate level of protection” for personal data transferred from the European Community to organizations in the United States, as required by Article 25 of the EU Data Protection Directive.
The Safe Harbor framework became increasingly attacked, however, in the aftermath of the Snowden revelations of U.S. intelligence services’ extensive collection of personal data, with EU policymakers calling for an overhaul of the system. On October 6, 2015, the CJEU’s Schrems decision addressed the fundamental right to the protection of personal data, as enshrined in the Charter of the Fundamental Rights of the European Union, and invalidated the Safe Harbor framework for failure to offer an “adequate level of protection” for the transfer of personal data. Specifically, the CJEU held that the Safe Harbor approved in Commission Decision 2000/520 did not meet the requisite “adequate level of protection” because U.S. public agencies could access personal data on the basis of a national security exception to the Safe Harbor, and the affected persons had no judicial or administrative recourse to oppose such access.
In the aftermath of the Schrems decision, EU and U.S. policymakers stepped up their negotiation efforts with respect to a more robust framework to replace the Safe Harbor. The European Commission and the U.S. Government reached a political agreement on the new Privacy Shield framework on February 2, 2016, and published the first draft provisions on February 29, 2016.
Some of the elements of the draft Privacy Shield included the following:
On April 13, 2016, however, the Article 29 Working Party (“WP29”), an independent advisory body consisting of representatives of national data privacy enforcement agencies, the EU Commission, and other EU institutions, issued an opinion identifying strong concerns with the initial version of the Privacy Shield as it was propagated by the European Commission and the U.S. authorities (the “Opinion” or “WP29 Opinion”). The WP29 Opinion generally focused on alleged deficiencies in (a) the fundamental European data protection principles, such as the data retention principle and the purpose limitation principle, (b) the limitations with respect to onward transfers, and (c) the redress mechanism offered to individuals to exercise their rights, in particular, the establishment of the ombudsperson for national intelligence activities. Though its recommendations were not binding on the European Commission, the WP29 requested amendments to the Privacy Shield to remedy its expressed concerns.
In view of the objections raised by the WP29, representatives from the European Commission returned to negotiations with their U.S. counterparts. The final draft of the Privacy Shield was submitted to the Article 31 Committee, composed of representatives of all EU Member States, and approved by that committee on July 8, 2016. On July 12, 2016, the European Commission issued an Adequacy Decision formally finalizing the Privacy Shield, and it became fully operational on August 1, 2016. While the elements of the draft Privacy Shield enumerated above remain unchanged, the European Commission drew on the opinions of the WP29 and other comments submitted on the first draft of the Privacy Shield to include a number of “additional clarifications and improvements,” including an agreement between the European Commission and the United States on additional clarifications on bulk collection of data, a strengthened commitment to creating an independent Ombudsperson mechanism, and more explicit obligations for companies with respect to limiting retention and onward transfers of data.
Specifically, with respect to the onward transfers of data, under the new arrangement, the final draft clarifies that accountability for onward transfers applies to onward transfers of data to any parties, regardless of whether they are located in the United States or elsewhere. In order for a certified Privacy Shield organization to make an onward transfer to a third party, the third party must agree to notify the certified entity if it is no longer able to meet its contractual data protection obligations. The final draft also clarifies that the accountability for onward transfers must be read in light of the purpose limitation principle, meaning that U.S. organizations should ensure that any onward transfers of EU-originated personal data to third parties are carried out within the scope of the purpose for which the data was originally collected.
With respect to redress and remedies, companies self-certifying under the Privacy Shield must still provide a response to privacy complaints made by EU individuals within a period of 45 days. However, they also have to provide EU data subjects with independent mechanisms by which complaints and disputes can be investigated and resolved free of charge. EU data subjects may file complaints directly with a U.S. self-certified company, with a free-of-charge independent dispute resolution body (as designated by the company), with European national data protection authorities, or with the Federal Trade Commission (“FTC”).
In response to the final form of the Adequacy Decision, WP29 released a statement that “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective,” during the first joint annual review of the Privacy Shield mechanism.
Companies can sign up for the Privacy Shield with the U.S. Department of Commerce, which is responsible for verifying that company standards are in compliance with the Privacy Shield. A total of 1,510 organizations have signed up thus far, including such companies as Workday, 23andMe, and Google. Notably, only U.S. organizations subject to the jurisdiction of the FTC or the U.S. Department of Transportation that have committed to enforcing the Privacy Shield in the United States may participate in the Privacy Shield framework. This excludes much of the banking, insurance, and telecommunication sectors, which are responsible for a substantial part of the transatlantic trade and data flow.
Advocacy groups have already filed challenges to the Privacy Shield. Specifically, in October 2016, Digital Rights Ireland filed a challenge with a Luxembourg-based General Court, a lower court of the CJEU, to annul the European Commission’s July 12, 2016 Adequacy Decision, which approved and adopted the Privacy Shield. A French privacy advocacy group has also challenged the Adequacy Decision in a legal action to the CJEU alleging that the U.S. Ombudsman redress mechanism is not sufficiently independent and effective and therefore that the Adequacy Decision must be annulled.
On December 15, 2015, the European Commission, the European Parliament, and the European Council agreed to an EU data protection reform to boost the EU Digital Single Market. The bill was adopted by the European Council and the European Parliament in early April 2016 and came into force on May 24, 2016 as the EU General Data Protection Regulation (the “GDPR”). However, the GDPR provides for a two-year “grace period,” and will take effect as of May 25, 2018. The GDPR replaces the EU Data Protection Directive and constitutes a set of data protection rules that are directly applicable to the processing of personal data across EU Member States.
The core substantive elements of the agreed regulation include the following:
With the adoption of the GDPR, a complex set of rules has been established to govern the enforcement of the GDPR vis-à-vis data controllers that have cross-border processing practices.
The WP29 has issued Guidelines that aim to assist controllers and processors in the identification of their lead DPA.
These requirements will be supplemented by a much more rigid regime of fines for violations. DPAs will be able to fine companies that do not comply with EU rules up to EUR 20 million or 4% of their global annual turnover, whichever is the highest amount. These fine levels exceed by far the maximum fines currently available to DPAs under their respective national laws. Given the current absence of any guidance from the European Commission and the WP29 on the setting of fines, and the complex mechanisms foreseen by the GDPR for the adoption of decisions by DPAs in cross-border situations (including cooperation among the DPAs concerned), it is unclear how fines will be calculated and set by DPAs in any given circumstance.
The GDPR also contains more detailed rules on the liability of controllers and the remedies and relief that can be sought by individuals from infringers. Remarkably, the GDPR sets out the possibility that individuals mandate non-for-profit organizations to act before the DPAs and before the courts on their behalf, including to obtain the suspension of an infringement and to claim damages. Although class actions are not as widespread and popular in Europe as they are in the U.S., this framework contributes to a wider use of class actions in data protection matters in the EU (albeit through specialized organizations and further to users’ acceptance).
In light of the extraterritorial application of the law, companies located outside the EU should take into account the additional obligations to which their data processing practices may be subject in order to avoid the imposition of significant fines.
As indicated in our client alert published earlier this year, on July 6, 2016, the European Parliament officially adopted the Network and Information Security Directive (“NIS Directive”) which is expected to be fully applicable (via national regulations) as of May 2018. The NIS Directive is the first set of cybersecurity rules to be adopted on the EU level, adding to an already complex array of laws which companies have to comply with when implementing security and breach response plans. It aims to set a minimum level of cybersecurity standards and to streamline cooperation between EU Member States at a time of growing cybersecurity breaches.
The final text sets out separate cybersecurity obligations for essential service and digital service providers:
In terms of geographic scope, the NIS Directive aims to address the potential incidents taking place “within the [European] Union“ and will apply to all entities providing the above services within the EU territory or to EU residents, regardless of their physical location. U.S. companies found in this situation are therefore likely to be subject to the NIS Directive, even if they do not have any presence in the EU. Digital service providers that are not established in the EU, but offer services covered by the NIS Directive within the EU, are required to designate an EU-based representative.
Companies covered by the NIS Directive will have to ensure that their digital infrastructure is robust enough to withstand cyber-attacks and may need to report major security incidents to the national authorities. For many organizations, the NIS Directive constitutes the first breach reporting requirement in the EU. Businesses will also be required to apply procedures that demonstrate effective use of security policies and measures.
Digital service providers will be obliged to report all incidents that have a “substantial impact” on their services (in terms of the duration, geographic spread and the number of users affected by the incident). It will be up to regulators to decide whether to inform the public about these incidents after consulting the company involved. The European Commission will have until August 2017 to clarify the EU-wide security and reporting obligations for digital service providers, including on which occasions they must notify cyber incidents to national watchdogs. Digital service providers will surely watch this space with particular interest.
As a practical matter, the NIS Directive states that jurisdiction over a digital service provider should be attributed to the Member State in which it has its main EU establishment, which in principle corresponds to the place where the provider has its head office in the EU. Digital service providers not established in the EU will be deemed to be under the primary jurisdiction of the Member State where their EU representative has been appointed.
Notably, where an incident involves personal data, there may be an additional requirement to report to DPAs under the GDPR, which will come into effect on May 25, 2018. As indicated above, the GDPR will also have a reporting provision for data breaches, although the notification obligation will focus on the protection of personal information, in contrast to the NIS Directive’s data reporting requirement which is aimed at improving computer and information technology systems overall. Thus, it is possible that a single cybersecurity breach will need to be notified to more than one authority in each EU Member State affected.
The NIS Directive itself is not directly applicable. It will first have to be transposed and implemented into national law by the Member States within 21 months from August 2016 (i.e., until May 2018). During this period, Member States will need to, e.g., designate the competent national authorities, identify operators of essential services, indicate which types of incidents they must report and establish sanctions for failure to notify. National procedural rules (for both administrative and court proceedings) will govern the application of the NIS Directive and the relevant national laws to affected entities.
In addition, each Member State is to adopt a national strategy to maintain the security of network and information systems and will designate one or more competent national authorities to monitor the application of the NIS Directive. They are also to designate one or more Computer Security Incident Response Teams (CSIRTs) responsible for monitoring and responding to incidents, and providing early warnings about risks.
The clear aim of the NIS Directive is to harmonize the EU Member State rules applicable to the security levels of network and information systems across the EU. However, given the strategic character of certain services covered by the NIS Directive, the NIS Directive gives some powers and margin of discretion to Member States with regard to this type of services. For example, the NIS Directive mandates each EU Member State to adopt a national strategy on the security of network and information systems, defining objectives, policies and measures envisaged with a view to achieving the aims of the NIS Directive. Thus, despite the ability of Member States to seek the assistance of the EU Agency for Network and Information Security (ENISA), the development of a strategy will remain a national competence. Furthermore, as far as operators of essential services are concerned, EU Member States will identify the relevant operators subject to the NIS Directive and may impose stricter requirements than those laid down in the NIS Directive (in particular with regard to matters affecting national security).
In contrast, Member States should not identify digital service providers (as the NIS Directive applies to all digital service providers within its scope) and, in principle, may not impose any further obligations on such entities. The European Commission retains powers to adopt implementing rules regarding the application of the security and notification requirements rules applicable to digital service providers. It is expected that these rules will be developed in cooperation with the ENISA and stakeholders, and will enable uniform treatment of digital service providers across the EU. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a digital service provider is not complying with its obligations under the NIS Directive.
Another tool for coordination among authorities will be the envisaged “Cooperation Group,” similar to the WP29 operating currently under the 1995 Data Privacy Directive. The Cooperation Group will bring together the regulators of all EU Member States, who have different legal cultures and hold different approaches to IT and security matters (e.g., affecting national security). It is therefore expected that the European Commission will play an active role in building trust and consensus among the Cooperation Group’s members with a view to providing meaningful and clear guidance to businesses.
The year 2016 has seen the initiation of the procedures for the reform of the EU’s main set of rules on ePrivacy, the ePrivacy Directive. In this context, further to a public consultation held by the European Commission, a draft of the future EU ePrivacy Regulation (the “draft ePrivacy Regulation”) was leaked in December 2016.
In the EU, ePrivacy rules address the right to privacy and confidentiality with respect to the processing of personal data in the field of electronic communications (e.g., relating to cookie usage, unsolicited communications, and calling line identification). The current EU rules on privacy in relation to electronic communications are set out in the ePrivacy Directive. It contains a series of provisions that are relevant to providers of public electronic communication networks, services and companies that use such networks or services (e.g., websites), such as an obligation to ensure the security of its services and the confidentiality of communications. The ePrivacy Directive was last updated in 2009 to provide clearer rules on users’ rights to privacy. In particular, new requirements were introduced, such as for “cookies” and personal data breaches.
The conception of the draft ePrivacy Regulation constitutes a milestone in a process that was initiated earlier in 2016, and which will take months to materialize into the enactment of the new Regulation. In April 2016, the European Commission announced the review of the ePrivacy Directive and held a public consultation to seek stakeholders’ views on the effectiveness of the ePrivacy Directive to face new digital challenges. The European Commission’s review and proposed reform also aims to ensure consistency with the GDPR.
On July 19, 2016, the WP29 published an Opinion which contained the joint comments and proposed revisions of the DPAs of the EU Member States to the ePrivacy Directive. Among other changes, the WP29 suggested that the new draft ePrivacy Regulation provides for specific exceptions for the consent requirement applicable to the setting and reading of cookies certain cookies by websites (e.g., aggregated and anonymized first party analytic cookies, security).
The draft ePrivacy Regulation leaked in December 2016 seeks to accommodate the reform of the ePrivacy regime to the feedback received from stakeholders and from the WP29, albeit in a “measured” and “simplified” way. In summary, the draft ePrivacy Regulation prepared by the European Commission constitutes a more comprehensive piece of legislation that aims to fix and close certain loopholes identified in the application of the ePrivacy Directive:
The recitals of the draft ePrivacy Regulation suggest that the circumstances in which consent is not required can be interpreted more broadly than under the current ePrivacy Directive. For example, first-party analytics cookies, cookies used to give effect to users’ website preferences and cookies required to fill out online forms could be understood to be exempt from the consent requirement.
The ePrivacy Regulation contains a new set of seemingly more stringent rules applicable to the “collection of data emitted by terminal equipment to enable it to connect to another device and/or network equipment.” Under the current draft, this collection may only occur “if it is done exclusively in order and for the time necessary to establish a possible connection,” and is subject to significant information and consent requirements. It remains to be seen the extent to which these provisions will be reformed by the European Parliament and the Council during the legislative process, as well as the interpretation that the supervisory authorities will make of these provisions.
The year 2016 has also witnessed the delivery of several important rulings by the CJEU, touching upon important issues regarding the application of the EU Data Protection Directive.
On July 28, 2016, the CJEU delivered a preliminary ruling requested by the Supreme Court of Austria in relation to, among other issues, the question of which Member State law is applicable to data processing carried out by a company engaged in electronic commerce.
The national proceedings in front of the Supreme Court of Austria concerned an injunction to prohibit a leading international online retail store from using certain clauses in its general terms and conditions, including clauses relating to the processing of personal customer data. As the defendant was located in Luxembourg and did not have an establishment within Austria, the question arose whether the data protection laws of Austria or Luxembourg applied.
Under the EU Data Protection Directive, the applicability of the data protection laws of a Member State relies primarily on existence of a relevant “establishment” in that Member State. In its ruling, the CJEU repeated its findings in its Weltimmo judgment of October 1, 2015 where it defined broadly the concept of “establishment” contained in Article 4(1)(a) of the EU Data Protection Directive. While the CJEU indicated that the absence of “a branch or subsidiary in a Member State does not preclude [the controller] from having an establishment there within the meaning of Article 4(1)(a)” (e.g., through the existence of other stable arrangements, like an office), such an establishment cannot be presumed to exist “merely […] because the undertaking’s website is accessible there.”
In 2017, it is expected that the CJEU will deliver important rulings that will cast more light into the interpretation of Article 4(1)(a) of the EU Data Protection Directive.
On October 19, 2016, the CJEU delivered an important preliminary ruling concerning the characterization of dynamic IP addresses as personal data of internet users under the EU Data Protection Directive.
The German Federal Court of Justice had referred two questions to the CJEU which arose in a national dispute between Mr. Breyer and Germany.
Mr. Breyer had brought an action before the German courts seeking a cease-and-desist order against the Federal Republic of Germany not to store, or arrange for third parties to store, the IP address of his host system after the user session on publicly available German federal institutions’ websites had ended, except where this was necessary to provide the service.
In its preliminary ruling the CJEU found that dynamic IP addresses may constitute personal data within the meaning of the EU Data Protection Directive. Although IP addresses do not constitute information relating to an “identified natural person” (they do not directly reveal the person’s identity), it is sufficient that the person may be identified indirectly (i.e., is “identifiable”). Thus, in order for information to be qualified as personal data, it is not necessary that this information alone allows natural persons to be identified, or that all the data necessary to identify the data subject lies in the hands of one person.
Against this backdrop, the CJEU concluded that dynamic IP addresses may constitute personal data if its combination with the access service provider’s additional information is a means likely reasonably to be used to identify the data subject. According to the CJEU, this is the case when a data controller has the legal means (e.g., assistance of competent national authorities, filing for court orders) to enable it to receive additional data in order to identify the data subject.
The CJEU’s interpretation of dynamic IP addresses as personal data thus supports an intermediate view between the two academic opinions regarding the term “identifiable.” It is insufficient that someone would be able to identify the data subject through any means (i.e., unreasonable means). On the other hand, it is not necessary that the data controller is by itself able to identify the data subject. It is also not necessary that the data subject is actually identified by the data controller – it is sufficient that he has the ability (legal means) to do so.
Although the Breyer ruling seems to limit the characterization of dynamic IP addresses to specific situations, the legal framework against which the question was assessed by the CJEU (Germany) is similar to that found in other EU Member States. Therefore, in practice, the CJEU has backed the long-standing position of the WP29 with regard to those Member States whose legal framework enables the identification of individuals through dynamic IP addresses. In these circumstances, the processing of dynamic IP addresses is considered personal data that should be subject to the data processing grounds and principles laid down in the EU Data Protection Directive and in the GDPR.
On December 21, 2016 the CJEU delivered a preliminary ruling on questions arising out of a Swedish and a British dispute in relation to the ePrivacy Directive.
The case concerned the compatibility of national legislation with Article 15(1) of the ePrivacy Directive, which enables Member States to adopt intrusive measures that are necessary, appropriate and proportionate within a democratic society to safeguard, inter alia, national security, defense, public security, and the prevention, investigation, detection and prosecution of criminal offences.
In its judgment, the CJEU concluded that the ePrivacy Directive precludes national legislation which allows the general and indiscriminate retention of all traffic and location data of all subscribers and registered users in relation to all means of communication for the purpose of fighting crime, and which grants general and unlimited access to such data (e.g., without the prior review of a court or an independent administrative authority).
With the repeal of the EU Data Protection Directive, the Tele2 Sverige judgment will provide capital for the interpretation and application of Directive 2016/680.
As an outlook to the mid-term future, it is widely expected that the CJEU will also have to rule on the lawfulness of international data transfers under the newly established EU-US Privacy Shield and/or under the European Commission’s existing standard contractual clauses.
As indicated above, the WP29 has issued opinions and statements related to the adoption of the EU-U.S. Privacy Shield and to the review of the ePrivacy Directive. The WP29 has also issued three Guidelines and FQA documents concerning the application of the GDPR with regard to the right to data portability, the appointment and duties of DPOs, and the identification of lead DPAs, as explained above.
In addition to the abovementioned topics, on December 16, 2015 the WP29 issued an update on its 2010 opinion on applicable law. The update was made in light of the CJEU judgment in Google Spain in May 2014, and concludes that an additional element of “inextricable link” has to be included to the criteria set forth in its 2010 opinion on applicable law for the interpretation of Article 4(1)(a) of the EU Data Protection Directive. As a result, the current position of the WP29 is that (multiple) national laws may apply to the same data processing activity where the company’s activities in a given Member State are inextricably linked to the data processing at issue. Notwithstanding this, the question on the interpretation of Article 4(1)(a) of the EU Data Protection Directive is being litigated at national and at EU level, as indicated above.
The UK Information Commissioner’s Office (“ICO”) has been particularly active in enforcing the UK Data Protection Act against multiple companies and organizations. In October 2016, the recently appointed Commissioner, Elizabeth Denham, issued a record fine of GBP 400,000 (the highest monetary penalty to date for UK data protection breaches) against TalkTalk for failing to prevent a cybersecurity attack. Other noteworthy investigations closed by the ICO in 2016 include the fining of the UK National Health System (NHS) for (i) revealing the addressees of its HIV newsletter (considered as a data breach, sanctioned with a GBP 180,000 fine); and (ii) publishing online the details of thousands of its staff members (sanctioned with a GBP 185,000 fine). The ICO also issued substantial fines of over GBP 1 million in total against cold call companies for making nuisance calls.
The announcement of the “Brexit” referendum has raised a myriad of questions regarding the interpretation of the UK’s current legal framework and the path that will be followed by the UK legislature and policymakers going forward. The Secretary of State for Culture, Media and Sport, Karen Bradley MP, has confirmed that the UK will be implementing the GDPR in May 2018. However, it remains unclear what amendments will be made to data protection laws once the UK has left the EU. For example, it is unclear how data transfers will be regulated in the future. Once the UK exits the EU, it would cease to belong to the EU “safe data” zone and may need to apply for an “Adequacy Decision” from the European Commission confirming that the UK provides “adequate protection.” If the UK chooses to liberalize UK national data protection law with respect to data exports, this would make it more difficult to meet the requirements necessary to obtain an Adequacy Decision. On April 19, 2016 the UK ICO sought to alleviate Brexit-related concerns through a statement where it clarified that “[t]he UK has a history of providing legal protection to consumers around their personal data,” that “[the UK’s] data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU,” and that “[t]he UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”
On May 31, 2016, the Irish Data Protection Commissioner (“Irish DPC”) commenced proceedings in the Irish High Court in order to obtain declaratory relief regarding the validity of standard contract clauses (“SCCs”) adopted by the European Commission. The ultimate purpose of the proceedings is to seek a reference to the CJEU in relation to the SCCs under which personal data may be transferred from the EU to the U.S.
The case stems from a complaint filed by Austrian national Maximilian Schrems (who was at the origin of the case that led to the annulment of the U.S. Safe Harbor) against a U.S. corporation for the transfer of EU resident data to the U.S. using SCCs. The High Court proceedings follow the preliminary findings made by the Irish DPC on May 24, 2016, where it was indicated that Mr. Schrems complaint seemed well founded. Further to the anticipated referral of the legal questions to the CJEU, the EU’s supreme court will determine whether or not Mr. Schrems and the Irish DPC’s concerns stand and the SCCs should be repealed.
The proceedings initiated by the Irish DPC put in jeopardy SCCs specifically, and worldwide data transfers more generally. Indeed, the request for declaratory relief from the Irish High Court comes at a point in time where SCCs have been adopted on a widespread basis by businesses worldwide (following recommendations of, inter alia, the European Commission), and while the EU-U.S. Privacy Shield is in the midst of its implementation. Thus, while any ultimate decision of the CJEU might only be adopted in 2019, a ruling of the CJEU against the SCCs would again cast doubt on the EU legal framework regarding data transfers, hampering the global operations of companies.
While companies may still resort to alternatives to cover their data flows outside the EU (e.g., the newly adopted EU-U.S. Privacy Shield), the Irish High Court proceedings also anticipate the close scrutiny that the EU-U.S. Privacy Shield will have to face from advocates in the EU.
As the DPA acting in the jurisdiction where multiple international corporations have their main European headquarters, the Irish DPC is often the first DPA to be informed of identified violations of national regulations. Throughout 2016, international corporations have continued to cooperate with the Irish DPC in matters that concerned data subjects residing in Ireland specifically, and in the EU more generally.
In the course of 2016, the French DPA (Commission nationale de l’informatique et des libertés, the “CNIL”) has been particularly active with regard to the substantive application of the French Data Protection Act. For example, on January 26, 2016, the CNIL urged a social network service to conform its cookie practices with the requirements of the IT and Freedoms Act. On March 10, 2016, the CNIL imposed a EUR 100,000 fine on a search engine operator for its failure to respect the right to be forgotten (or right to “oblivion”) of individuals regarding information available on a search engine. On June 30, 2016, the CNIL urged a renowned software provider to prevent the excessive collection of data (including browsing data) from users of its operating system without their consent, as well as to fix other aspects of its operating systems related to the personal identification number offered to users.
During 2016, the CNIL also closed a number of investigations that it had opened in 2015 into eight different online dating websites for their failure to offer and manage appropriate data protection and privacy settings and options. This step was adopted further to additional safeguards undertaken by the investigated companies to ensure the privacy of its users. Eventually, only two companies were imposed fines of EUR 10,000 and EUR 20,000 for their failure to adopt “opt-in” consent mechanisms for the processing of users’ personal data.
On October 7, 2016, the French President enacted the Law for a Digital Republic, which grants additional and extended powers to the CNIL, including the following:
The French Law for a Digital Republic also foresees the creation of a specific “right to be forgotten” opposable by minors, and buttresses the right of users to manage the use of their respective personal data by companies. Data controllers are also required to complete information notices to data subjects with (i) the data retention limitation period, and (ii) data subjects’ rights to give instructions regarding the further processing of their personal data after their deaths.
On October 18, 2016, the French President also signed the new Law for the Modernization of Justice in the 21st Century. Among its modifications of the French legal framework, Article 91 introduces the possibility of class actions for violations of data protection rules. Data protection associations, consumer associations and trade unions will therefore be entitled to act before French courts against data controllers and processors, but only in order to bring their infringements to an end.
In May 2018, the GDPR will come into force. Although European regulations have direct effect in EU Member States, the GDPR provides for an unusually high number of open provisions granting Member States the liberty to address certain data protection issues which the GDPR does not explicitly regulate.
The German legislature is currently preparing a comprehensive reform of the German Federal Data Protection Act (“FDPA”), in which it will make use of several of the abovementioned open clauses and which aims to ensure that the FDPA complies with the GDPR and the new Directive 2016/680. Insofar as there is a discrepancy between the provisions of the Draft FDPA and the GDPR, the former will apply where a data processing activity does not fall under the scope of the GDPR (i.e., data processing activities carried out in Germany and without an EU cross-border component).
The government submitted a first draft of the FDPA on September 5, 2016, but it was eventually withdrawn due to extensive criticism. A new draft was subsequently submitted by the Federal Ministry of the Interior and published by the German Association for Data Protection and Data Security on November 11, 2016 (the “Draft FDPA”).
Section 24 of the Draft FDPA concerns the processing of employee data and basically corresponds to the current Section 32 of the FDPA. However, Section 24 of the Draft FDPA concerns the admissibility of processing employee data, and it seems to go beyond Article 88(2) of the GDPR, which stipulates that national rules shall include specific measures to safeguard certain employee interests.
Further, Sections 30 to 35 of the Draft FDPA reduce the information obligations of the data controller provided by Article 13 and 14 of the GDPR. These provisions also limit the data subject’s rights as laid down in Article 14 et seq. of the GDPR. Some of these restrictions have not been foreseen by the EU legislator.
Finally, although Article 83(1) GDPR requires that fines be “effective, proportionate and dissuasive,” Section 40 of the Draft FDPA sets an upper limit of EUR 300,000 for administrative fines imposed on natural persons exercising their duties for the data processor or controller. These amounts contrast with the much larger fines available under Articles 83(4) and (5) of the GDPR, which establish fines of up to EUR 10,000,000 / EUR 20,000,000 or, in case of an undertaking, 2% / 4% of the undertaking’s total worldwide annual turnover in the preceding financial year, depending on the type of infringement.
In 2016, the DPA in Hamburg imposed fines of EUR 8,000 (approximately USD 8,500) on a U.S. software company, EUR 9,000 (approximately USD 9,500) on a beverage producer and of EUR 11,000 (approximately USD 11,700) on the world’s largest producer of consumer goods, for the continuing transfer of personal data based on the invalidated Safe Harbor framework instead of reverting to available legal alternatives.
Although these fines are modest, they were the first of their kind and are intended to send a signal to other companies that German DPAs will pursue investigations and sanction data transfers based on the Safe Harbor regime with fines and – more importantly – prohibition orders.
The German legislature has adopted an act amending the German Act Governing Collective Actions for Injunctions (Unterlassungsklagengesetz, or UKlaG) which entered into force in February 2016. The main achievement of this amendment is that, in addition to the federal and state DPAs, consumer organizations and the chamber of commerce and competition now have legal standing to bring collective injunction proceedings for infringements of data protection law on behalf of consumers.
China is the world’s largest Internet market, with 721 million Internet users as of September 2016. It is no wonder that the Chinese government has increasingly focused on both developing and controlling the Internet and telecommunications sector. The dual focus is reflected in the country’s current five-year plan, released on March 16, 2016, which includes chapters on “developing a modern Internet industry system” as well as “strengthening information security protections.” Where the development of a robust and open Internet conflicts with the government’s interest in maintaining control over cyberspace, however, Beijing tends to favor control. For example, in its recently released National Cyberspace Security Strategy, Cyberspace Administration of China emphasized “cyberspace sovereignty,” and proclaimed that cyberspace development shall proceed under the guidance of “an overall view of national security.”
This control-centric perspective is reflected in China’s sweeping Network Security Law (“NSL,” a/k/a “Cybersecurity Law”), promulgated by the National People’s Congress on November 7, 2016, and set to take effect on June 1, 2017, which cites “maintaining cyberspace sovereignty and national security” among its purposes. The NSL applies to the development, operation, maintenance and use of “networks” in China. “Network” is broadly defined to include any system consisting of “computers or other information terminals and related equipment,” that collects, stores, transmits, exchanges, or processes information. This means that the NSL’s applicability may cover not only Internet and mobile telecommunication networks, but also Internet of Things or even company intranets or local networks not connected to the Internet.
The NSL contains both cybersecurity and personal data privacy provisions and subjects network operators to liability for violating these provisions. On the cybersecurity end, the law sets forth a “tiered” cybersecurity framework, subjecting the operators of “key information infrastructure equipment” (“KIIE”) to more onerous requirements and regulatory control than ordinary network operators. Under the NSL, all network operators are required to establish internal network security management policies and procedures, designate persons responsible for network security, back up and encrypt important data, monitor and document network operations, establish network security incident emergency plans, and take immediate remedial action and notify the authorities in the event of a cybersecurity incident. Network operators are also required to provide support and assistance to the authorities in criminal investigations or activities concerning national security. KIIE operators are additionally required to store personal information and important data collected and created from its China operations onshore unless cross-border transmission is truly necessary and passes a security assessment by government regulators. KIIE operators must establish dedicated security management departments and personnel, enter into security and confidentiality agreements with IT vendors, and submit to security reviews by Chinese authorities when procuring products and services that “may affect national security.” Further, KIIE operators must conduct network security and risk assessments at least annually and are subject to random security risk inspections by the government. The NSL defines KIIE generally as equipment used in important industries and areas, such as communications, utilities, transportation and finance, the compromise, disabling, or breach of which may “seriously damage” national security, government operations, civilian life, or public interest. What exactly qualifies as KIIE and which network operators will be subject to heightened cybersecurity requirements remain to be clarified in forthcoming regulations.
On the data privacy end, the NSL codifies, and broadens the applicability of, many personal information protection principles and requirements that already exist in various laws, industry-specific regulations, and non-compulsory national standards. “Personal information” (“PI”) is defined as information, recorded electronically or through other means, that can be used on its own or in combination with other information to identify the individual identity of natural persons. Network operators are required to keep PI confidential, limit the scope of PI collection, give notice and obtain consent for PI collection, and obtain consent before providing PI to third parties. The NSL requires network operators to take remedial measures and timely notify users and authorities in the event of a PI breach, marking the first time China imposed universal breach notification requirements. But the NSL also goes beyond protecting personal data privacy and requires network operators to monitor user activities and censor content transmitted on their networks, or face penalties for failing to do so.
The NSL’s data privacy provisions are meant to dovetail with other laws, regulations, and standards, which continue to be developed and refined. On December 20, 2016, China released a draft amendment to Information Security Technology: Guidelines for Personal Information Protection (“MIIT Guidelines”) for public comment. Promulgated in 2013, the MIIT Guidelines is a set of non-compulsory national standards that, until now, represented the most detailed set of data privacy guidelines endorsed by the Chinese government. The draft amendment provides more detailed guidelines on topics such as the definition of PI versus sensitive PI, the timing and format required for notice and consent, data privacy risk assessments and audits, and breach notification procedures. The draft also includes useful appendices, such as a sample privacy notice/policy document. Given the clear trend toward more robust government regulations in these areas, companies operating in China would be well-advised to establish and implement cybersecurity and data privacy policies and procedures in accordance with the NSL, the draft MIIT Guidelines, and similar laws, regulations, and standards.
In India, data protection is principally governed by provisions of the Information Technology Act, 2000 (“Indian IT Act”) read in conjunction with subsidiary legislation to the Indian IT Act. Pursuant to Section 43A of the Indian IT Act, entities are liable to pay compensation in the event of any negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data. The Indian IT Act also contains sanctions for unauthorized disclosure of personal information by any person receiving such information pursuant to a lawful contract.
The recent roll-out of unique identification numbers (“UID”) for Indian citizens has heightened privacy concerns in India. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”), specifies that all biometric information collected for the purposes of UID is to be treated as sensitive personal data or information and is subject to the protections specified under the Indian IT Act. The Aadhaar Act also contains restrictions on the use and disclosure of UID information by entities (including private organizations) that gain access to such information. While it has been reported that the Government of India is in the process of drafting a comprehensive data privacy law, it is unclear when the law will be enacted.
Data protection has received renewed attention in India as a result of recent high profile news stories involving personal data. For example, a large-scale data breach involving an estimated 3.2 million debit cards issued by Indian banks was brought to light in September 2016. At this juncture, it is not clear if banks and other intermediaries involved will be subject to enforcement actions by Indian regulators.
The Japanese data privacy framework continues to evolve, with several updates to important events reported in our previous reviews. In September 2015, following a data privacy breach caused by hackers that compromised the Japan Pension Service, Japan passed amendments to its Act on the Protection of Personal Information (“APPI“). These amendments are scheduled to come into effect no later than September 2017. In addition, in October 2015, Japanese residents received a personal identification number, widely known as “My Number.” Japanese officials implemented this system in an effort to simplify the administration of tax, pension, health care, and other official services. Prior to the implementation of “My Number,” critics of the system expressed data privacy concerns. Their fears seem to have been realized, as there have already been reports of numerous leaks of personal information under the My Number system.
Despite these legislative efforts, Japan continued to experience large-scale data security breaches. In June 2016, the Japan Tourism Agency, a major travel agency in Japan, announced that it feared personal information was compromised as a result of unauthorized access to its server. The information leaked included personal information of nearly eight million people, including customers’ names, addresses, email addresses, and passport numbers.
South Korea had another eventful year on the data privacy front. According to the South Korean police, North Korean intelligence agencies stole the personal data of more than 10 million customers of a South Korean online shopping mall. The stolen data included shoppers’ names, email addresses, and telephone numbers. The data breach is said to have occurred in May 2016, but the online mall did not uncover it for nearly two months. According to the South Korean government, this development is the latest in a string of online attacks on banks, government websites, and media companies attributable to North Korea. South Korea is reportedly pushing back against these attacks by training its own “cyber army” to combat future attacks from the North.
South Korea also took additional steps to strengthen the country’s privacy-related laws and regulations during the past year. On March 29, 2016, the Personal Information Protection Act (“PIPA”), already among the most stringent data privacy laws in Asia, underwent additional amendments that became effective on September 30, 2016. The main PIPA amendments include: (1) circumstances where the subject of the personal information should be notified and/or their consent obtained when their personal information is processed; (2) imposing an obligation on the person handling any personal information to take necessary measures to safeguard such information; (3) applying a general restriction on the ability to share resident registration numbers (limited exceptions apply); and (4) increased statutory and punitive damages for data breach and unauthorized transfer of personal information.
South Korea’s Act on the Promotion of Information Communication Network Utilization and Information Protection, which regulates and protects the personal information of individuals that is collected and used by communications providers, also underwent further amendments. The amended Act became effective on September 23, 2016 though certain provisions will not come into effect until early 2017. The main amendments include: (1) reinforced consent from, and notification requirements, to the data subject regarding their user information; (2) improved governance of personal information entrustment relationships between the service provider and data subject; (3) increased responsibilities of chief privacy officers or trustees of user information; (4) requirement to provide the data subject with easier access to their user information that is being processed, including a more transparent data processing policy; (5) introduction of ability of the court to award up to three times the value of the damages where the service provider was intentionally or materially negligent; (6) enhanced restrictions on type of information that can be distributed by a service provider; (7) those who commit certain crimes relating to personal information may have their monetary assets or other profits confiscated and/or have to forfeit their financial gains; and (8) administrative fines for non-compliance with corrective orders.
Enforcement of Singapore’s Personal Data Protection Act (“PDPA“) is implemented by the Personal Data Protection Commission (“PDPC“). Since the PDPA took effect in 2014, the PDPC has received 667 complaints, however, the vast majority of the complaints were resolved between the companies and the consumers involved. Beginning in 2016, for the first time since the PDPA was implemented, the PDPC began publishing it enforcement decisions. Twenty-four decisions have been published to date on the PDPC‘s website. Ten of the actions resulted in warnings, one instance resulted in directions being issued to the company, but no financial penalty was imposed, and financial penalties were issued on twelve occasions. The financial penalties ranged from SGD 500 (~USD 357) up to SGD 50,000 (~USD 35,726). The case involving the highest fine concerned a data security breach that involved the unauthorized disclosure of the personal data of 317,000 individuals. The PDPC chairman indicated that the fines are meant to encourage companies to use personal data responsibly. In one of the twenty-four published decisions, the PDPC found that there was no violation.
Additionally, on April 21, 2016, the PDPC issued “Advisory Guidelines on Enforcement of the Data Protection Provisions.” The Guidelines are not binding, but are meant to provide additional insight as to how the PDPC handles the review, investigation, and resolution of complaints relating to data protection under the PDPA. The Guidelines outline the two main objectives of the PDPC which are first to resolve complaints and second to ensure compliance with the PDPA. The Guidelines also outlined certain aggravating and mitigating factors that the Commission may consider when deciding whether to impose financial penalties, however, the list is not exhaustive. The PDPC has also announced that it will revise the anonymization chapter of its advisory guidelines to provide clarity on the definition of anonymized data and the responsibilities of organizations in using such data.
Singapore is also working on a new Cyber Security Bill. The bill is expected to go before Parliament in 2017 and is intended to “ensure that operators take proactive steps to secure critical information infrastructure, as well as report incidents.” The proposed Cyber Security Bill will complement the existing Computer Misuse and Cybersecurity Act which grants powers for law enforcement agencies to investigate and apprehend individuals or entities behind cybercrime. In line with enhancing cybersecurity in Singapore, Prime Minister Lee Hsien Loong also unveiled Singapore’s Cybersecurity Strategy which seeks, among other things, to create a safer cyberspace, strengthen international partnerships, and develop a more resilient infrastructure in Singapore.
In 2016, Canada tried to balance individual privacy protection against competing interests of facilitating government investigations and protecting businesses. Bill C-13, the “Protecting Canadians from Online Crime Act,” reduced requirements for police to obtain electronic surveillance warrants for metadata under the assumption that it contains “less sensitive” information than original content. The police have used these warrants to collect metadata from journalists not personally suspected of criminal activity. This has led to government inquiries into the protection of freedom of the press; however, the federal government has suggested loosening warrant restrictions for obtaining metadata even further in the future.
Additionally, on November 17, 2016 the Canadian Supreme Court in Royal Bank of Canada v. Trang held that the Personal Information Protection and Electronic Documents Act’s (“PIPEDA”) protection of consumers must be balanced to allow businesses to collect, use, and disclose personal information. In this case, the Royal Bank of Canada sought a mortgage discharge statement in order to move forward with a sheriff’s sale of the debtor defendants’ property. The Court of Appeal dismissed a motion to compel the Bank of Nova Scotia to compel the mortgage discharge statement. However, the Supreme Court ordered Scotiabank to produce the document. The Supreme Court explained that PIPEDA “acknowledges that consent to disclosure for the purposes of the statute can be implied when the information is ‘less sensitive,'” and the question of sensitivity “must be assessed in the context of the related financial information already in the public domain.” The Court went on to find that the mortgage discharge statement is not “merely a private matter between the mortgagee and mortgagor,” and the Royal Bank of Canada had a legitimate business interest as a creditor to obtain this information which informed the “reasonable expectations of the mortgagor.”
Finally, although Bill S-4, the “Digital Privacy Act,” passed into law in 2015, anticipated legally requiring private companies to report any breach in information security that posed a “real risk of significant harm,” additional regulations specifying these requirements and placing them in force were not adopted in 2016. Earlier in the year, the Trudeau government had planned on passing these regulations. However, there does not seem to be a current timeline for when these regulations will actually be passed.
In March 2016, the Inter-American Development Bank (IDB) and the Organization of American States (OAS), with the help of Oxford University, released a new report that shows that the Latin American region is highly vulnerable to cyber-attacks. Four in five countries in the region do not have plans to protect critical infrastructure against cyber-threats. And a majority of countries have neither a command and control center for cybersecurity, nor prosecutorial capacity to punish cybercrimes. The IDB and OAS urged countries in the region to step up their efforts, especially with regard to strategies for protecting critical infrastructure. While the region may lag behind much of the world in its cyber sophistication and capabilities, in 2016, a number of countries made efforts to close the gap.
Argentina’s data protection authority is the National Directorate of Personal Data Protection (DNPDP), an arm of the Ministry of Justice and Human Rights. The country is currently in the process of articulating a cybersecurity strategy, led by the National Program for Critical Information and Cybersecurity, in conjunction with agencies, academic institutions, and the private sector. Until its new cybersecurity strategy is implemented, enforcement is primarily through Personal Data Protection Law 25.326, which imposes a number of requirements, including obtaining consent to collect personal data, to register databases before collecting data, and to obtain consent before transferring data internationally, among others.
In 2016, the DNPDP issued a new regulation on international transfers of personal data–bringing it more into line with EU standards. The new regulation should aid multinational companies by simplifying legal compliance to transfer data out of the country. For example, Argentina’s privacy office has issued contractual provisions that companies may use to be in compliance with the country’s privacy law when collecting and processing data.
The government also began inspections of databases inside the country to ensure compliance with data protection laws, such as the requirements imposed by Law 25.326. The DNPDP stated that the inspections were important not just to enforce compliance, but to make databases aware of their responsibilities and the possibility of sanctions for non-compliance.
Brazil lacks a specific law on personal data protection, but has been moving a bill through the lawmaking pipeline for years that “is aimed at creating general rules and guidelines for what public, government and private entities can and cannot do with any citizen’s personal data.” The bill sets rules for collecting and processing data, and tries to balance the right to privacy against needs of companies to store personal data. Although the bill has been subject to legislative action since its filing, it has yet to be enacted.
With regard to enforcement, then-President of Brazil Dilma Rousseff signed an executive order on May 11, 2016, which states that a provider shall inform authorities if it does not collect user enrollment information, and by doing so, it will be released from the obligation to provide such information in response to a government request.
Colombia’s substantive law is largely in line with the Convention on Cybercrime (the Budapest Convention), which requires, for example, the criminalization of illegal access, illegal interception, data interference, and computer-related fraud. Two governmental authorities are designated as data protection authorities–the Superintendency of Finance (SFC), which oversees data administrators that perform financial or credit activities, and the Superintendency of Industry and Commerce (SIC), which serves as the data protection authority for all other companies.
In 2015, the SIC required Colombian data controllers (generally, government-related or Colombia-incorporated databases processing personal data) to register their databases by November 8, 2016. Registration requires the databases to report their names and purposes, locations, types of information stored, and security measures, among other requirements, and failing to register could result in administrative sanctions, including fines up to COP 1,288,000,000 (approximately USD 450,000). The deadline for companies to register their databases with the Colombian Government was subsequently extended from November 8, 2016 to June 30, 2017.
Mexico is developing a strategy for information security, which “considers cyber defense to be under the Armed Forces.” Currently, data protection is enforced by the Federal Institute for Access of Information and Data Protection and the Ministry of Economy, although it remains to be seen whether Mexico’s evolving cybersecurity strategy will change that. At a forum for Latin American data protection authorities in June 2016, Mexico proposed the creation of a Regional Agreement and a Case Law Platform, which would set minimum cybersecurity standards and increase cooperation between Andorra, Argentina, Chile, Colombia, Costa Rica, Spain, Mexico, Peru, Portugal, and Uruguay in the fight against cyber-threats.
Early in 2016, staffers of a Mexican political party accidentally uploaded roughly 87 million Mexican voters’ registration data to an unsecured database, making it publicly available. Shortly after the breach was discovered and the database secured, Mexico’s election authority launched a criminal probe.
A number of other countries enacted or took significant steps toward enacting more modern data protection laws this year.
Bermuda passed the Personal Information Protection Act, which “outlines the requirements for organisations that use personal information, as well as the rights that individuals have regarding the use of their personal information by organisations[,]” and “follows international best practice, applies to all organisations, businesses and the government . . . .” However, implementation is expected to be delayed two years to give organizations time to come into compliance.
Chile has faced international pressure to bring its data protection laws into line with global standards, and its legislature has begun discussing improvements to the country’s inadequate scheme. International complaints include that the current Chilean law does not establish a data protection authority to oversee compliance, enforce security standards, and impose sanctions, among others. Unless the new law provides adequate protection, “Chile will be unable to effectively compete for Spanish language services outsourced from the EU, such as customer call centers for Spanish banks.”
Costa Rica amended its data protection laws to simplify database registration, introduce new conditions for data transfers, and suppress the “super user” requirement, which required databases to provide the country’s data protection authority with an unrestricted access profile.
On January 13, 2016, the Russian Data Protection Authority (Roscommandzor) released its 2016 audit plan to assess compliance with Russia’s Data Localization Law (Federal Law No. 242-FZ). The law, which went into effect on September 1, 2015, requires that data operators collect, store, and process Russian citizens’ personal data using databases located within Russian territory. The audit plan indicated that the Roscommandzor would audit large, multinational companies doing business in numerous jurisdictions. On November 10, 2016, in a landmark ruling on a case brought by the Roscommandzor, the Moscow court upheld a lower court’s decision to ban a professional networking website in Russia for violating the Data Localization Law. The lower court held in August that the website had violated the law on two counts: by not storing information about Russians on servers inside the country, and by processing information about third parties who are not registered with the website and have not signed its user agreement. The Moscow court decision meant that, starting on November 18, the website is blocked from operating across the country.
On June 25, 2016, Russia’s parliament passed the “Yarovaya law,” an anti-terrorism measure that criminalizes the failure to provide authorities with reliable information about planned terrorist attacks and certain other crimes. The legislation requires internet and telephone providers to store all communication records for six months and all metadata for three years, as well as to assist intelligence agencies decode encrypted messaging services. Telecom companies have complained that users rather than providers typically possess the encryption keys, and that storing such huge amounts of information would require expensive new infrastructure. Russia has turned to China to obtain the technology necessary to handle the vast amounts of data that must be stored under this law. In April 2016, top Russian and Chinese officials gathered in Moscow for their first cybersecurity forum. Delegates included Lu Wei, the head of China’s state internet information office, Fang Binxing, the so-called father of the Great Firewall and Igor Shchyogolev, Russian President Vladimir Putin’s assistant on internet issues and former minister of communications. In August 2016, the Russian telecoms equipment manufacturer Bulat conducted negotiations with Huawei, a Chinese telecom company, to buy technologies for data storage and build servers to implement Yarovaya’s law.
Later in the year, Russian representatives reacted to Vice President Joe Biden’s remarks that the United States would respond to Russian hacking attacks aimed at interfering in U.S. elections. On November 5, 2016, after reports that U.S. military hackers had penetrated Russia’s electric grid, Kremlin spokesman Dmitry Peskov said that “[m]easures for ensuring cybersecurity and information security are being taken corresponding to the current moment as well as to the threats made toward [Russia] by other states on the official level.” On December 6, 2016, President Putin signed a decree approving Russia’s new information security doctrine, replacing the one he issued during his first year in power in 2000. The doctrine represents a system of official views on ensuring Russia’s security in the information sphere. One of its main directives is to ensure strategic deterrence and prevent military conflicts that may arise during the use of information technologies. The doctrine also notes a growth in cybercrimes in Russia, particularly in the credit and financial sphere.
On December 29, President Barak Obama took retaliatory measures against Russia for hacking senior Democratic officials with the intention of influencing U.S. elections. The administration ordered the expulsion of 35 Russian diplomatic personnel, who it said were spies posing as diplomats and other officials, as well as the closure of Russian estates in Maryland and New York that were used for Russian intelligence activities. The announcement also included sanctions on Russian intelligence agencies, top Russian intelligence officials, and three companies and organizations allegedly involved in the hacking. We discuss the sanctions in more detail in a client alert published shortly after their announcement.
The following day, President Putin announced that he would not retaliate against Obama’s decision, and instead proceed from the policies of the Trump administration. This was in direct contravention to Russia’s foreign minister Sergey V. Lavrov’s recommendation that Russia impose punitive measures mirroring the ones imposed by the Obama administration. Further Russian breaches of U.S. cyber security were discovered on December 31, when U.S. officials said a computer code linked to Russian-sponsored hackers had been detected in a computer at a Vermont electric utility. Although no information released publicly shows that the Russians actively used the code to disrupt operations, U.S. officials said the discovery underscores the vulnerability of the electric grid. The DHS and FBI stated that this “is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens.”
In 2016, the U.S. government publicly blamed Russia for a July cyberattack on the Democratic National Committee. The DNC hack resulted in thousands of internal emails being publicly posted online, including through the website WikiLeaks. In October, emails from Hillary Clinton’s campaign chairman John Podesta began appearing online, and a private security firm attributed the hack to Russian foreign intelligence. Subsequently, the FBI concluded that government-sponsored Russian hackers were responsible for the Podesta hack. U.S. intelligence agencies also concluded that the Russian government additionally attempted to hack the Republican National Committee.
Switzerland’s Federal Council proposed in December 2016 a revision to the Swiss Federal Data Protection Act, with particular focus on individual data protection and an increase in the investigative powers of the Federal Data Protection and Information Commissioner. The revision will require companies that process data to provide comprehensive information to the Commissioner’s office about their data processing, and increases Swiss citizens’ rights to review that information. It will also raise sanctions for privacy violations to a new maximum of CHF 500,000 Swiss francs (€465,773/$493,096), from its current maximum of CHF 10,000 (€9,315/$9,862). Of equal importance, the revision would bring Switzerland in line with the Automatic Processing of Personal Data of the Council of Europe (Convention 108), making Swiss data privacy regulations more in sync with the EU, while maintaining Switzerland’s generally more-protective position regarding an individual’s data. The revision, if enacted, would not be binding until 2018.
In 2016, Australia’s Parliament continued to try to pass a law regarding mandatory data breach reporting. The most recent legislation, proposed in 2015, was left on the table at the conclusion of Parliament’s term in 2016. This is now the third attempt to pass the legislation in the past five years. The reporting regime would have applied to entities subject to the Australian Privacy Principles (which affects mostly businesses bringing in more than $3MM Australian (€2.1MM/$2.2MM) in revenue a year). If it had passed, the entity would have been required to comply with specific notification obligations as soon as it is practical upon knowledge of the breach of personal information.
The Australian federal government is considering whether to reverse course on a currently proposed prohibition on allowing metadata collected by telecommunication providers pursuant to its data retention laws to be used in civil suits. This metadata is collected by ISPs under a scheme introduced in 2015 requiring the storage of such data for all customers for up to two years. The proposed prohibition would prevent civil litigants from subpoenaing this metadata, and, absent any changes, will go into effect on April 13, 2017. Those opposed to the prohibition believe that access to the data will be useful in violence and international child abduction cases, but those who are happy with the prohibition believe rescinding it would open up individuals to piracy litigation by copyright holders. If it were to go into effect, the prohibition would improve Australian’s privacy over their browsing habits, and also lower subpoena compliance burdens for the ISPs.
Finally, in a widely-publicized incident, a Medicare database available on a federal government website and containing a database of anonymized personal information, was de-anonymized. In response, the federal government proposed a bill with criminal and civil penalties for re-identifying personal information in such databases. The provision, which would cover government agencies, individuals, and businesses of all sizes, includes criminal penalties for the intentional re-identification of such information, among other penalties.
New Zealand’s proposed data privacy bill, which has been in the works since 2011, remains a “work in progress,” according to the New Zealand Privacy Commissioner. The proposed bill would bring New Zealand’s bill, last updated more than five years ago, closer in line to privacy laws across OECD countries. Like Australia, it would include a mandatory breach notification provision. It would also give greater powers to the Privacy Commissioner’s office to issue compliance notices and compel agencies to give people access to their own information. The bill is currently sitting with the Australian Senate.
The year 2016 saw slow but steady developments in the Middle East in privacy and cybersecurity laws and regulations.
The Israeli parliament, the Knesset, recommended the creation of a national cyber-authority to consolidate all of its cybersecurity matters under a central regulator. Such a change was hoped to bring focus, among others, to small and medium enterprises. This attempt by Israel was generally well-received although some commentators were unimpressed with the idea of bringing all cybersecurity organs under one roof. In other news, Israeli courts rejected challenges to Israel’s compliance with U.S. tax data sharing pacts under the Foreign Account Tax Compliance Act (FATCA), brought, in part, as violation of Israeli citizens’ rights to privacy. An attorney for the challengers suggested that the result was politically motivated; however, a detailed statement of the court’s reasoning and basis for its holding is forthcoming. Also the Justice Minister of Israel, Ayelet Shaked, weighed in on the proper punishment for web content, indicating that websites must be held accountable for criminal content, and stating that legislation was being drafted to curb illegal online activities like incitement and child pornography. In particular, Shaked’s spokeswoman mentioned that the legislation would focus on anti-terrorism, with emphasis on cooperation between content providers.
The Dubai International Finance Center (DIFC) passed a new electronic transactions law (“DIFC Law No. 2”) to ease barriers to electronic transactions and, in part, “to help to establish uniformity of rules, regulations and standards in DIFC regarding the authentication and integrity of electronic records.” For example, DIFC Law No. 2 provided that electronic signatures are enforceable to the same extent as physical signatures, with no distinction drawn between secure and non-secure electronic signatures.
The Communications and Information Technology Commission (CITC), Saudi Arabia’s telecommunications regulator, announced the solicitation of comments on its proposed regulation of cloud computing, suggesting forthcoming regulations in the area.
A new data protection law, that included provisions on international transfer of data, came into effect in Turkey on April 7, 2016 at least partly in response to a data breach that led to information on the private details of 50 million Turkish citizens being leaked. The law will be implemented in a two-year transitional period and includes regulations regarding processing of personal data and transfer of such data to third parties and internationally. Barring some exceptions, personal data may be processed only with the consent of the subject. Failure to comply with the law may result in fines and/or imprisonment.
There have been very few major developments in data privacy and cybersecurity law and regulation since the adoption of the African Union Convention on Cybersecurity and Personal Data Protection in June 2014. The Convention aimed to establish regional and national frameworks for cybersecurity, data privacy, and electronic transactions, but its entry into force depends on the independent ratification of the laws in the 54 Member States–none of which have yet adopted the model laws.
In a regional effort, the Central African Economic Community (“ECCAS”) member states, with support from the Economic Commission of Africa (ECA) and the International Telecommunications Union (ITU), agreed in December 2016 to the adoption of model laws on telecommunications, cybersecurity, and a regulatory framework to govern cross-border interactions. This effort started in 2010 when the ECCAS Secretary General was asked to draft model laws and regulations relating to electronic transactions, protection of personal data, and cybersecurity. In 2011, a framework was drafted and in 2012, 2013, and 2014, meetings were held to refine the model laws. The laws, agreed upon in December 2016, are meant to increase consumer’s confidence in using telecommunications while attracting investors and capital to grow the economy of member states. Whether or not the member states will adopt and enforce the model laws is yet to be seen. In the same declaration setting forth the model rules, the Secretary General was tasked with creating a mechanism to monitor and evaluate countries’ participation.
In South Africa, Pansy Tlakula was nominated and confirmed to serve as the country’s first chief privacy regulator in the role of chairwoman of the Information Regulator. The National Assembly voted in September 2016 in favor of the nomination of Pansy Tlakula, and in October 2016, the President confirmed her appointment. The Protection of Personal Information Act 2013 (POPI), was enacted “to promote the protection of personal information processed by public and private bodies” and the law created the post of Information Regulator to enforce the act. Specifically, the Information Regulator will monitor and enforce compliance with the law as well as handle complaints and facilitate cross-border cooperation.
 Gibson Dunn Client Alert: U.S. Cybersecurity and Data Privacy Outlook and Review: 2017 (Jan. 27, 2017), available at https://www.gibsondunn.com/publications/Pages/US-Cybersecurity-and-Data-Privacy-Outlook-and-Review–2017.aspx.
 For a detailed analysis of the Schrems decision, please see Gibson Dunn Client Alert: Cybersecurity and Data Privacy Outlook and Review: 2016 (Jan. 28, 2016), available at https://www.gibsondunn.com/publications/Pages/Cybersecurity-and-Data-Privacy-Outlook-and-Review–2016.aspx.
 See Charter of Fundamental Rights of the European Union, 2000/C 364/01, 2000 O.J. (C 364), 1-22, available at http://www.europarl.europa.eu/charter/pdf/text_en.pdf.
 See Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data, 1995 O.J. (L281) 31-50, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=EN.
 See Schrems, 2015 E.C.R. I-11.
 See European Commission Press Release IP/16/216, EU Commission and United States Agree on New Framework for Transatlantic Data Flows: EU-US Privacy Shield (Feb. 2, 2016), available at http://europa.eu/rapid/press-release_IP-16-216_en.htm.
 See European Commission Press Release IP/16/433, Restoring Trust in Transatlantic Data Flows Through Strong Safeguards: European Commission Presents EU-U.S. Privacy Shield (Feb. 29. 2016), available at http://europa.eu/rapid/press-release_IP-16-433_en.htm.
 See Statement of the Article 29 Working Party on the Opinion on the EU-U.S. Privacy Shield (Apr. 13, 2016), available at http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf.
 See European Commission Press Release IP/16/2461, European Commission Launches EU-U.S. Privacy Shield: Stronger Protection for Transatlantic Data Flows (July 12, 2016), available at http://europa.eu/rapid/press-release_IP-16-2461_en.htm.
 See Statement of the Article 29 Working On the Decision of the European Commission on the EU-U.S. Privacy Shield (July 26, 2016), available at http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf.
 U.S. Dep’t of Commerce, Privacy Shield Program Overview, https://www.privacyshield.gov/Program-Overview (last visited Jan. 25, 2017).
 See U.S. Dep’t of Commerce, How to Join Privacy Shield, https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-1 (last visited Jan. 25, 2017).
 Application, Digital Rights Ireland Ltd v. Commission, Case T-670/16, 2016 O.J. (C 410) (Sept. 16, 2016), available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=185146&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=510210.
 Application, La Quadrature du Net and Others v. Commission, Case T-738/16, 2017 O.J. (C 6) (Oct. 25, 2016), available at http://curia.europa.eu/juris/fiche.jsf?id=T%3B738%3B16%3BRD%3B1%3BP%3B1%3BT2016%2F0738%2FP.
 See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, pp. 1-88, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
 See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, pp. 31-50.
 See WP29, Guidelines on the right to data portability (WP 242; December 13, 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf.
 See WP29, Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244; December 13, 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf.
 See WP29, Guidelines on Data Protection Officers (‘DPOs’) (WP 243; December 13, 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf.
 See Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, pp. 1-30, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC. See European Commission Press Release, July 6, 2016, available at http://europa.eu/rapid/press-release_STATEMENT-16-2424_en.htm.
 With regard to essential services, the NIS Directive will apply to all entities identified by the respective national authorities as “essential” providers of such services in that Member State, see NIS Directive, at Article 5(2).
 Member States will have an additional 6 months after the transposition into national law to identify operators of essential services (i.e., a total of 27 months). See NIS Directive, at Article 5(1).
 See Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and personal data in electronic communications and repealing Directive 2002/58/EC (‘Privacy and Electronic Communications Regulation’), available at http://www.politico.eu/wp-content/uploads/2016/12/POLITICO-e-privacy-directive-review-draft-december.pdf.
 See Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201 31.7.2002, pp. 37-42, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML.
 See Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, OJ L 337, 18.12.2009, pp. 11-36.
 See Opinion 03/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC) (WP 240), adopted on July 19, 2016, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp240_en.pdf. Since the adoption of the ePrivacy Directive, some of its provisions had been subject to constructive criticism from the WP29, e.g., in the Opinion 04/2012 on Cookie Consent Exemption (WP 194; June 7, 2012), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf.
 See draft ePrivacy Regulation, available at http://www.politico.eu/wp-content/uploads/2016/12/POLITICO-e-privacy-directive-review-draft-december.pdf.
 See, e.g., Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast), COM/2016/0590, available at http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=comnat:COM_2016_0590_FIN.
 However, in practice, the WP29 had already expressed the possibility that operators do not obtain consent for the setting and receipt of cookies in some of the circumstances now covered in the draft ePrivacy Regulation, provided that certain conditions are met. See WP29, Opinion 04/2012 on Cookie Consent Exemption (WP 194; June 7, 2012), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf.
 See WP29, Opinion 1/2008 on data protection issues related to search engines (WP 148; April 4, 2008), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2008/wp148_en.pdf.
 See Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, pp. 89-131, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0680.
 See Irish DPC, Update On Litigation Involving Facebook and Maximilian Schrems – Explanatory Memo (September 28, 2016), available at https://www.dataprotection.ie/docs/28-9-2016-Explanatory-memo-on-litigation-involving-Facebook-and-Maximilian-Schrems/1598.htm.
 See WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain (WP 179 update; December 16, 2015), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp179_en_update.pdf.
 See UK ICO, TalkTalk gets record £400,000 fine for failing to prevent October 2015 attack (October 5, 2016), available at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack.
 See UK ICO, London NHS trust fined for HIV newsletter data breach (May 9, 2016), available at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/05/london-nhs-trust-fined-for-hiv-newsletter-data-breach/.
 See UK ICO, ICO fines NHS trust £185,000 for publishing details of thousands of staff online (May 4, 2016), available at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/05/ico-fines-nhs-trust-185-000-for-publishing-details-of-thousands-of-staff-online/.
 See UK ICO, Statement on the implications of Brexit for data protection (April 19, 2016), available at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/04/statement-on-the-implications-of-brexit-for-data-protection/.
 See Irish DPC, Update on Litigation Involving Facebook and Maximilian Schrems – Explanatory Memo (September 28, 2016), available at https://www.dataprotection.ie/docs/28-9-2016-Explanatory-memo-on-litigation-involving-Facebook-and-Maximilian-Schrems/1598.htm.
 See Communication from the Commission to the European Parliament and the Council on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems), COM(2015)566 final (November 6, 2015), available at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/files/eu-us_data_flows_communication_final.pdf.
 See Press Release, European Commission, European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows (July 12, 2016), available at http://europa.eu/rapid/press-release_IP-16-2461_en.htm.
 See Press Release, CNIL, La CNIL met publiquement en demeure FACEBOOK de se conformer, dans un délai de trois mois, à la loi Informatique et Libertés (February 9, 2016), available (only in French) at https://www.cnil.fr/fr/la-cnil-met-publiquement-en-demeure-facebook-de-se-conformer-dans-un-delai-de-trois-mois-la-loi.
 See Press Release, CNIL, Droit au déréférencement : la formation restreinte de la CNIL prononce une sanction de 100.000 € à l’encontre de Google (March 24, 2016), available (only in French) at https://www.cnil.fr/fr/droit-au-dereferencement-la-formation-restreinte-de-la-cnil-prononce-une-sanction-de-100000-eu.
 See Press Release, CNIL, Windows 10 : la CNIL met publiquement en demeure MICROSOFT CORPORATION de se conformer, dans un délai de trois mois, à la loi Informatique et Libertés (July 20, 2016), available (only in French) at https://www.cnil.fr/fr/windows-10-la-cnil-met-publiquement-en-demeure-microsoft-corporation-de-se-conformer-dans-un-delai.
 See, e.g., Press Release, CNIL, Sites de rencontres : clôture de la mise en demeure à l’encontre de la société NESS INTERACTIVE (April 18, 2016), available (only in French) at https://www.cnil.fr/fr/sites-de-rencontres-cloture-de-la-mise-en-demeure-lencontre-de-la-societe-ness-interactive.
 See Press Release, CNIL, Sites de rencontre : deux sociétés sanctionnées pour défaut de consentement exprès (December 29, 2016), available (only in French) at https://www.cnil.fr/fr/sites-de-rencontre-deux-societes-sanctionnees-pour-defaut-de-consentement-expres.
 See Reuters, German privacy regulator fines three firms over U.S. data transfers (June 6, 2016), available at http://www.reuters.com/article/us-germany-dataprotection-usa-idUSKCN0YS23H.
 Press Release, International Telecommunication Union, China, India Now World’s Largest Internet Markets (Sept. 15, 2016), available at http://www.itu.int/en/mediacentre/Pages/2016-PR35.aspx.
 Zhonghua Renmin Gongheguo Guomin Jingji He Shehui Fazhan Di Shisan Ge Wunian Guihua Gangyao (中华人民共和国国民经济和社会发展第十三个五年规划纲要) [PRC 13th Give-Year Plan on National Economic and Social Development] (promulgated by the Nat’l Prople’s Cong., Mar. 16, 2016), chaps. 26, 28, available at http://www.gov.cn/xinwen/2016-03/17/content_5054992.htm
 See Guojia Wangluo Kongjian Anquan Zhanlue (国家网络空间安全战略) [National Cyberspace Security Strategy] (promulgated by the Cyberspace Administration of China Dec. 27, 2016), available at http://www.cac.gov.cn/2016-12/27/c_1120195926.htm; see also Paul Mozur, China’s Cybersecurity Efforts Could Pose New Challenge for Foreign Firms, N.Y. Times, Dec. 27, 2016, available at https://www.nytimes.com/2016/12/27/business/china-technology-security-review.html?_r=0.
 Zhonghua Renmin Gongheguo Wangluo Anquan Fa (中华人民共和国网络安全法) [PRC Network Security Law] (promulgated by the Standing Comm. Nat’l People’s Cong., Nov. 7, 2016). Art. 1, available at http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm.
 Xinxi Anquan Jishu Geren Xinxi Anquan Guifan Zhengqiu Yijian Gao (《信息安全技术 个人信息安全规范》征求意见稿) [Information Security Technology: Guidelines for Personal Information Security Draft for Public Comment] (released for public comment by Nat’l Info. Sec. Standardization Tech. Comm., Dec. 20, 2016), available at http://www.tc260.org.cn/file/20161215130459745639.doc.
 The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, available at https://uidai.gov.in/images/targeted_delivery_of_financial_and_other_subsidies_benefits_and_services
 Vishwanath Nair & Gopika Gopakumar, India’s largest data breach involving debit cards went undetected for 3 months, Livemint, (October 21, 2016), http://www.livemint.com/Industry/Ope7B0jpjoLkemwz6QXirN/SBI-Yes-Bank-MasterCard-deny-data-breach-of-own-systems.html.
 Jiji, 83 leaks, other My Number ID-related problems logged since system’s launch, The Japan Times, (May 25, 2016), http://www.japantimes.co.jp/news/2016/05/25/national/83-leaks-number-id-related-problems-logged-since-systems-launch/#.WCIMzOQVAfs.
 Kyodo, Japan travel agency ordered to probe data hack affecting 7.93 million people, The Japan Times, (June 15, 2016), http://www.japantimes.co.jp/news/2016/06/15/business/corporate-business/personal-info-7-93-million-people-may-leaked-japans-biggest-travel-agency/#.WCICg-QVAfs.
 Choe Sang-Hun, North Korea Stole Data of Millions of Online Consumers, South Says, The New York Times, (July 28, 2016), http://www.nytimes.com/2016/07/29/world/asia/north-korea-hacking-interpark.html?_r=0.
 Andrew Blake, North Korea blamed for massive data breach affecting 10 million internet shoppers, The Washington Times, (July 28, 2016), http://www.washingtontimes.com/news/2016/jul/28/north-korean-spies-accused-massive-data-breach-aff/.
 Jurica Dujmovic, This is South Korea’s elite cyber army that fights North Korea, MarketWatch, (June 30, 2016), http://www.marketwatch.com/story/this-is-south-koreas-elite-cyber-army-that-fights-north-korea-2016-06-30.
 Personal Information Protection Act, as amended on March 29, 2016 and effective on September 30, 2016, available at www.law.go.kr.
 Irene Tham & Tiffany Fumiko Tay, Singapore privacy watchdog fines and warns 11 organisations for data breaches, The Straits Times, (April 21, 2016), http://www.straitstimes.com/singapore/singapore-privacy-watchdog-fines-and-warns-11-organisations-for-data-breaches.
 Decision of the Personal Data Protection Commission (April 20, 2016), available at https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—k-box-entertainment-(210416).pdf?sfvrsn=4.
 Decision of the Personal Data Protection Commission (September 23, 2016), available at https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decisions—comfort-and-citycab—230916.pdf?sfvrsn=0.
 Personal Data Protection Commission, Advisory Guidelines on enforcement of the Data Protection Provisions (April 21, 2016), available at https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines-on-enforcement/advisory-guidelines-on-enforcement-of-dp-provisions-(210416).pdf?sfvrsn=2.
 Zafar Anjum, New cyber security law in the offing for Singapore, ComputerWeekly.com, (June 23, 2016), http://www.computerweekly.com/news/450298922/New-cyber-security-law-in-the-offing-for-Singapore.
 Daniel Therrien, Media surveillance highlights privacy risk to all Canadians, Office of the Privacy Commissioner of Canada (Nov. 9, 2016), available at https://www.priv.gc.ca/en/opc-news/news-and-announcements/2016/oped_161109/.
 Royal Bank of Canada v. Trang, 2016 SCC 50.
 See Greg Meckbach, Mandatory Breach Notification in Canada has ‘Potential to Effectively Cause’ Class-Action Lawsuits: PCUC speaker, Canadian Underwriter (Nov. 25, 2016), available at http://www.canadianunderwriter.ca/insurance/mandatory-breach-notification-canada-potential-effectively-cause-class-action-lawsuits-pcuc-speaker-1004104574/.
 See Jim Bronskill, Companies Must Directly Notify Customers of Privacy Breaches that Risk ‘Significant Harm’: Watchdog, National Post (July 12, 2016), available at http://news.nationalpost.com/news/canada/companies-must-directly-notify-customers-of-privacy-breaches-that-risk-significant-harm-watchdog.
 Meckbach, supra note 146.
 Press Release, Inter-American Development Bank, IDB and OAS urge Latin America and the Caribbean to strengthen cybersecurity (Mar. 14, 2016), http://www.iadb.org/en/news/news-releases/2016-03-14/cybersecurity-in-latin-america-and-the-caribbean,11420.html.
 See Argentina, EDRM (Mar. 2013), http://www.edrm.net/resources/data-privacy-protection/bakerhostetler-data-privacy-laws/argentina#note-15675-1.
 Argentina issues new regulation on data transfers, Daily Dashboard (Nov. 21, 2016), https://iapp.org/news/a/argentina-issues-new-regulation-on-data-transfers/.
 David Haskel, Argentina Privacy Changes Should Aid Multinationals, Bloomberg BNA (Dec. 27, 2016), https://www.bna.com/argentina-privacy-changes-n73014449080/.
 Press Release, Ministerio de Justicia y Derechos Humanos, Control a Bases de Datos en Todo el País (Dec. 16, 2016), http://www.jus.gob.ar/datos-personales/comunicados/2016/12/16/control-a-bases-de-datos-en-todo-el-pais.aspx (indicating Argentina’s data protection authority, La Direccion Nacional de Proteccion de Datos Personales (DNPDP) has begun inspections in three cities).
 Pedro Ozores, Personal data protection bill starts moving in Brazilian congress http://www.bnamericas.com/en/news/technology/personal-data-protection-bill-starts-moving-in-brazilian-congress.
 Pablo Palazzi, Data Protection Bill in Brazil is now in Congress, Data Privacy Laws (May 16, 2016), http://www.dataprivacylaws.com.ar/2016/05/16/data-protection-bill-in-brazil-is-now-in-congress/; see PL 5276/2016, Camara Dos Deputados, http://www.camara.gov.br/proposicoesWeb/fichadetramitacao?idProposicao=2084378 (last visited Jan. 3, 2017).
 Brazil Internet Decree Aimed at Clarifying 2014 Law, Bloomberg BNA (May 17, 2016), https://www.bna.com/brazil-internet-decree-n57982072502/.
 Organization of American States & Inter-American Development Bank, Cybersecurity: Are We Prepared in Latin America and the Caribbean: 2016 Cybersecurity Report, at 21.
 See Colombia, EDRM (Mar. 2013), http://www.edrm.net/resources/data-privacy-protection/data-protection-laws-2013/colombia.
 Press Release, Industria y Comercio Superintendencia, Gobierno Amplía Hasta el 30 de Junio de 2017 el Plazo para que las Empresas Registren Sus Bases de Datos (Nov. 16, 2016), http://www.sic.gov.co/noticias/gobierno-amplia-hasta-el-30-de-junio-de-2017-el-plazo-para-que-las-empresas-registren-sus-bases-de-datos.
 Mexico, EDRM (Mar. 2012), http://www.edrm.net/resources/data-privacy-protection/data-protection-laws/mexico.
 Press Release, Instituto Nacional de Transparencia, Acceso a la Informacion y Proteccion de Datos Personales, INAI Propone Acuerdo Regional Iberoamericano en Proteccion de Datos Personales http://inicio.ifai.org.mx/Comunicados/Comunicado%20INAI-162-16.pdf (Mexican data protection authority press release, in Spanish, title translated to “INAI Proposes Ibero-American Regional Agreement in Personal Data Protection”).
 Dell Cameron, Mexico launches criminal probe into theft of 87 million voter records, Daily Dot (Apr. 23, 2016, 2:15 PM), http://www.dailydot.com/layer8/mexico-voter-database-theft-investigation-chris-vickery/.
 Privacy – Personal Information Protection Act (PIPA), Government of Bermuda, https://www.gov.bm/privacy (last visited Jan. 5, 2017).
 Chile Should Amend Privacy Law to Meet EU Standards, Bloomberg BNA (June 3, 2016), https://www.bna.com/chile-amend-privacy-n57982074211/.
 Costa Rica: Data protection amendments reflect country’s “digital maturity”, DataGuidance (Dec. 15, 2016), https://www.dataguidance.com/1947-2/.
 See Pablo Palazzi, Ecuador is debating a data protection Bill, Data Privacy Laws (July 30, 2016), http://www.dataprivacylaws.com.ar/2016/07/30/ecuador-is-debating-a-data-protection-bill/.
 See Pedro Ozores, Personal data protection bill starts moving in Brazilian congress http://www.bnamericas.com/en/news/technology/personal-data-protection-bill-starts-moving-in-brazilian-congress (“In Latin America, Panama’s national innovation authority (AIG) held a public consultation from July to August to discuss a personal data protection law.”).
 Sergei Blagov, Russia’s 2016 Data Localization Audit Plan Released, Bloomberg Law: Privacy & Data Security (Jan. 15, 2016), available at https://www.bna.com/russias-2016-data-n57982066291.
 Olga Razumovskaya and Laura Mills, Russia to Block LinkedIn Over Data Privacy Dispute, The Wall Street Journal (Nov. 10, 2016), available at http://www.wsj.com/articles/russia-may-block-linkedin-if-company-loses-court-case-on-personal-data-law-1478775414.
 Reuters, The U.S. Is ‘Deeply Concerned’ with Russia’s Decision to Block LinkedIn, Fortune (Nov. 18, 2015), available at http://fortune.com/2016/11/18/linkedin-russia-us-government/.
 Alec Luhn, Russia Passes ‘Big Brother’ Anti-Terror Laws, The Guardian (June 26, 2016), available at https://www.theguardian.com/world/2016/jun/26/russia-passes-big-brother-anti-terror-laws.
 Andrei Soldatov and Irina Borogan, Putin Brings China’s Great Firewall to Russia in Cybersecurity Pact, The Guardian (Nov. 29 2016), available at https://www.theguardian.com/world/2016/nov/29/putin-china-internet-great-firewall-russia-cybersecurity-pact.
 Russia Takes Measures on Cybersecurity to Deter Current Threats, Sputnik News (Nov. 5, 2016), available at https://sputniknews.com/russia/201611051047093586-russia-cybersecurity-peskov-threat/.
 Danila Galperovich, Putin Signs New Information Security Doctrine, VOA News (Dec. 8, 2016), available at http://www.voanews.com/a/russia-new-information-security-doctrine/3628197.html.
 Putin Approves Russia’s Information Security Doctrine, Russia Beyond the Headlines (Dec. 6, 2016), available at http://rbth.com/news/2016/12/06/putin-approves-russias-information-security-doctrine_653955.
 David Sanger, Obama Strikes Back at Russia for Election Hacking, The New York Times (Dec. 29, 2016), available at http://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html.
 Gibson Dunn Client Alert: President Obama Announces New Russian Sanctions in Response to Election-Related Hacking (Dec. 30, 2016), available at https://www.gibsondunn.com/publications/Pages/President-Obama-Announces-New-Russian-Sanctions-in-Response-to-Election-Related-Hacking.aspx.
 Neil McFarquhar, Vladimir Putin Won’t Expel U.S. Diplomats as Russian Foreign Minister Urged, The New York Times (Dec. 30, 2016), available at http://www.nytimes.com/2016/12/30/world/europe/russia-diplomats-us-hacking.html.
 David Sanger and Scott Shane, Russian hackers Acted to Aid Trump in Election, U.S. Says, The New York Times (Dec. 9, 2016), available at https://www.nytimes.com/2016/12/09/us/obama-russia-election-hack.html?_r=0.
 Luke Harding, Top Democrat’s Emails Hacked by Russia After Aide Made Typo, Investigation Finds, The Guardian (Dec. 14, 2016), available at https://www.theguardian.com/us-news/2016/dec/14/dnc-hillary-clinton-emails-hacked-russia-aide-typo-investigation-finds.
 Sanger and Shane, supra note 208.
 Press Release, Swiss Federal Council, More Transparency and Greater Control over Your Own Data (Dec. 21, 2016), translated from German and available at https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.ejpd.admin.ch%2Fejpd%2Fde%2Fhome%2Faktuell%2Fnews%2F2016%2F2016-12-21.html&edit-text=&act=url; see also PwC, New Swiss Federal Data Protection Act (Dec. 2016), available at http://news.pwc.ch/wp-content/uploads/2016/12/Legal-Communication-Data-Protection_en.pdf.
 PwC, supra note 213.
 See id.
 Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth), available at https://www.ag.gov.au/Consultations/Documents/data-breach-notification/Privacy-Amendment-Notification-of-Serious-Data-Breaches-Bill-2015-December-2015-exposure-draft.pdf (last visited Jan. 25, 2017).
 See Chris Duckett, Another Australian Parliamentary Year Ends without Data Breach Notification Laws, ZDNet (Dec. 2, 2016), available at http://www.zdnet.com/article/another-australian-parliamentary-year-ends-without-data-breach-notification-laws/.
 Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth), available at https://www.ag.gov.au/Consultations/Documents/data-breach-notification/Privacy-Amendment-Notification-of-Serious-Data-Breaches-Bill-2015-December-2015-exposure-draft.pdf (last visited Jan. 25, 2017).
 Attorney-General’s Department, Access to Telecommunications Data in Civil Proceedings, Australian Government, available at https://www.ag.gov.au/Consultations/Pages/Access-to-telecommunications-data-in-civil-proceedings.aspx(last visited Jan. 25, 2017).
 A. Coyne, “The Govt is Considering Opening up Metadata to Civil Lawsuits,” ITNews (Dec. 20, 2016), available at http://www.itnews.com.au/news/the-govt-is-considering-opening-up-metadata-to-civil-lawsuits-445476
 See Stephanie Anderson, Medicare Dataset Pulled after Academics Find Breach of Doctor Details Possible, Australian Broadcast Company (Sept. 29, 2016, 9:51 PM), available at http://www.abc.net.au/news/2016-09-29/medicare-pbs-dataset-pulled-over-encryption-concerns/7888686.
 Privacy Amendment (Re-Identification Offence) Bill 2016 (Cth), available at http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=s1047.
 John Edwards, Presentation to the International Association of Privacy Professionals (Nov. 14, 2016), available at https://www.privacy.org.nz/assets/Uploads/2016-11-14-iappANZ-speech-notes.pdf.
 Israeli parliament recommends creation of national cyberauthority, Lexology (October 31, 2016), available at http://www.lexology.com/library/detail.aspx?g=5dd13489-999d-4757-98a9-70be8702dd75
 Israeli Court Rejects Challenge Of US Tax DataSharing Pact, Law360 (September 14, 2016), available at http://www.law360.com/articles/839893/israeli-court-rejects-challenge-of-us-tax-data-sharing-pact
 Google, Facebook must be held accountable for criminal content, The Times of Israel (June 20, 2016), available at http://www.timesofisrael.com/hold-google-facebook-accountable-for-content-justice-minister/
 Dubai International Finance Center Electronic Transactions Law, DIFC Law No. 2 of 2016, available at https://www.difc.ae/files/5214/6814/7862/Legislative_Proposal_-_DIFC_Electronic_Transactions_Law.pdf
 Saudi Arabia’s Telecom Regulator Proposes Regulating Cloud Computing, CITC Press Release (July 24, 2016), available at http://www.citc.gov.sa/en/mediacenter/pressreleases/Pages/20160724001.aspx
 How the data protection law will affect companies, Hurriyet Daily News (April 14, 2016), available at http://www.hurriyetdailynews.com/how-the-data-protection-law-will-affect-companies.aspx?pageID=238&nid=97770. See also, Turkey passes long-awaited data protection law, Yahoo Tech ( April 7, 2016), available at https://www.yahoo.com/tech/turkey-passes-long-awaited-data-protection-law-171736298.html
 Turkey’s First Comprehensive Data Protection Law Comes Into Force, Inside Privacy (April 8, 2016), available at https://www.insideprivacy.com/data-security/turkeys-first-comprehensive-data-protection-law-comes-into-force/
 U.N. Conference on Trade and Development, Data protection regulations and international data flows: Implications for trade and development, U.N. Doc. UNCTAD/DTL/STRICT/2016/1, at 35 (2016).
 Cyber Security – Central African States Adopt Model Cross-Border Laws, allAfrica (Dec. 6, 2016), http://allafrica.com/stories/201612070962.html; Cyber security: Central African States adopt model cross-border laws, African Business Mag. (Dec. 5, 2016), http://africanbusinessmagazine.com/latest/cyber-security-central-african-states-adopt-model-cross-border-laws/.
 Cyber Security – Central African States Adopt Model Cross-Border Laws, allAfrica (Dec. 6, 2016), http://allafrica.com/stories/201612070962.html.
 Edwin Naidu, South Africa Privacy Chief Nominee Sets Sights on Text Spam, Bloomberg BNA (Sept. 26, 2016), https://www.bna.com/south-africa-privacy-n57982077539/.
 Genevieve Quintal, Top information watchdog post for former IEC chairwoman Pansy Tlakula, Business Live (Oct. 24, 2016), https://www.businesslive.co.za/news/latest-news/2016-10-26-top-information-watchdog-post-for-former-iec-chairwoman-pansy-tlakula/.
 Protection of Personal Information Act No. 4 of 2013 s. 39.
 Id. at s. 40.
The following Gibson Dunn lawyers assisted in the preparation of this client alert: Alexander Southwell, Ahmed Baladi, Patrick Doris, Michael Walther, Eric Vandevelde, Kai Gesing, Ryan Bergsieker, Jeana Bisnar Maute, Emmanuelle Bartoli and Alejandro Guerrero Perez, with additional contributions from Abbey Barrera, Reid Rector, Kamola Kobildjanova, Chelsea Thomas, Christian Hudson, Eric Cohen, Sheli Chabon, Arjun Rangarajan, Sarah Wazen, Oliver Welch, Tzung-Lin Fu, Julia Langer, Renee Lizarraga, Karthik Thiagarajan, Grace Chow, and Xiang Li.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection Group. In addition, Gibson Dunn is pleased to announce that our EU expertise has been substantially augmented with the arrival of four technology lawyers, anchored by partner Ahmed Baladi, to our Paris Office. Mr. Baladi and his team bring additional expertise with EU data privacy and cybersecurity, information technology and digital transactions, and outsourcing.
Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0)20 7071 4250, [email protected])
Patrick Doris – London (+44 (0)20 7071 4276, [email protected])
Andrés Font Galarza – Brussels (+32 2 554 7230, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Sarah Wazen – London (+44 (0)20 7071 4203, [email protected])
Emmanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, [email protected])
Eryk L. Dziadykiewicz – Brussels (+32 2 554 72 03, [email protected])
Alejandro Guerrero Perez – Brussels (+32 2 554 7218, [email protected])
Alexander H. Southwell – Chair, New York (+1 212-351-3981, [email protected])
M. Sean Royall – Dallas (+1 214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Shaalu Mehra – Palo Alto (+1 650-849-5282, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Richard H. Cunningham – Denver (+1 303-298-5752, [email protected])
Jeana Bisnar Maute – Palo Alto (+1 650-849-5348, [email protected])
© 2017 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.