UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit.

By Gail E. Crawford, Fiona Maclean, and Amy Smyth

Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and online marketplaces — that provide services into the UK to nominate a UK representative following Brexit. The representative will also have to be registered with the UK Information Commissioner’s Office (ICO).

Non-UK-based digital services providers will remain liable for breaches, notwithstanding the appointment of a representative. A representative will be required to act on behalf of a provider, but it is not currently clear whether a representative may be liable for a provider’s breach; whether the updated UK NIS Regulations will address this point explicitly remains to be seen.

This week the Court of Justice of the European Union (‘CJEU’) heard a case that could destabilise data flows between the US and EU under the EU-US Safe Harbor Decision. In Schrems v Data Protection Commissioner (C-362/14), the same court that last year approved the “right to be forgotten” online heard evidence about the adequacy of US data protection regulations for EU citizens’ data and considered whether recent revelations about the NSA and PRISM programmes should affect determinations

A Stored Communications Act (SCA) search warrant case arising out of a New York federal narcotics trafficking investigation is being closely watched by EU data protection authorities, privacy advocates, multinational internet service providers, and law enforcement, among others, as the parties pursue an expedited appeal to the Second Circuit Court of Appeals. Captioned In re Search Warrant, No. 13 Mag. 2814, M9-150, the case involves a U.S. law enforcement request for the contents of an Outlook.com email box,

By Gail Crawford and Amy Taylor

It seems somewhat fitting to blog about the USA Patriot Act on this Fourth of July. On the second day of the annual Privacy Laws & Business conference in Cambridge, Peter McLaughlin, senior counsel at Foley & Lardner, took to the floor with the aim of “distinguishing fact and fiction about the scope of the law and its impact on companies outside the United States” for a predominantly European audience.

In the last slot of the

The French Data Protection Authority (CNIL) has issued a working document setting out its recommendations to companies contemplating the use of cloud computing services. This is in part the result of a public consultation carried out by the CNIL from October to December 2011. The guidance includes a checklist applicable to both private and public clouds with seven key steps, summarized below, to be followed by cloud customers:

1. Identify the types of data and the data processing that could

Spokeo Consent Decree Serves as Important Caution to Buyers and Sellers of Social Media Reports on Consumers to Understand and Comply with FCRA

By Jennifer Archie, Kevin Boyle and Kelsey McPherson

As part of a settlement announced Monday, the FTC sends a reminder that the requirements of the Fair Credit Reporting Act (“FCRA”) apply to a service that aggregates data made publicly available on social media sites and then markets the data to businesses for use in hiring decisions. Web

In a decision published on February 16, 2011 (Deliberation No. 2011-023), the French data protection authority (CNIL) exempted non-EU-based companies from any prior notification obligation with regard to their payroll, customer and prospects data processed in France. This exemption will be of particular interest for non-EU companies engaging cloud service providers with processing facilities in France.

Under the French Data Protection Act (Act No. 78-17), data controllers not established in the EU are nevertheless subject to

The processing of personal data in the context of evolving technology and globalisation of commerce has prompted the Article 29 Working Party to take a hard look at the applicable law provisions under the European Data Protection Directive and its implementation by the Member States in its most recent Opinion.

The Working Party believes that the increase in the number of multi-jurisdictional businesses and changes in technology, together with the current inconsistency in approach to the applicable law provisions seen across the Member States, make this a pressing area for review.

Whilst the guidance provides some helpful clarification on the current rules that apply national laws to controllers either (i) “established” in a European country or (ii) that use equipment located in a European country where the controller is not established in any EU territory, what is more interesting is some of the more fundamental changes which are being considered as part of the proposed overhaul of the Data Protection Directive (and how the approach has changed since the views of the Working Party issued in 2002).

There is a suggestion that Europe should return to a country of origin principle, where all establishments of a controller within Europe will apply the law of the territory of the controller’s headquarters or “main” establishment (as opposed to different national laws applying to each establishment that carries out processing depending on the territory in which it is situated). Given the marked differences in implementation of the Directive, enforcement activity and imposition of penalties throughout Europe, without a major harmonisation exercise such an approach could only result in forum shopping and confusion for individuals as to what rights apply.