The pressure on companies to adapt to stronger privacy regulation and enforcement in the EU increased this week, following the release of a letter to Google on behalf of 30 European data-protection commissioners.

On October 16, 2012, the Article 29 Data Protection Working Party publicly disclosed the correspondence it sent simultaneously to Google following the investigation into Google’s new privacy policy that started in February this year. In the correspondence (letter and appendix), the European data protection

Do we need to regulate generally accepted, low risk forms of data processing that individuals are now comfortable with as part of daily life (e.g. on-line orders, payroll processing and employment contract administration) to the same standard as types of processing that intrude more clearly on an individual’s privacy (e.g. tracking user preferences, monitoring communications etc.)? Should the draft European Data Protection Regulation impose differing standards depending on the risk to the individual from the processing in question, rather than

An August 2 webcast on Compliance and Enforcement in the Hospitality Industry  looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.)

Some of the key points covered in the discussion include:

  • While attackers can be persistent and use sophisticated tools, most breaches result from the failure

ICO_Image1.JPGWith data breaches and the new cookies rules never far from the press or industry agendas, and with a new European framework on the horizon, the past year has been a busy one for the Information Commissioner’s Office (ICO). Its Annual Report for 2011/12, along with a companion webcast, reflect this changing privacy landscape. Both offer useful insights into the ICO’s priorities for the coming year.

In terms of enforcement action (perhaps one of the most

By Gail Crawford and Amy Taylor

It seems somewhat fitting to blog about the USA Patriot Act on this Fourth of July. On the second day of the annual Privacy Laws & Business conference in Cambridge, Peter McLaughlin, senior counsel at Foley & Lardner, took to the floor with the aim of “distinguishing fact and fiction about the scope of the law and its impact on companies outside the United States” for a predominantly European audience.

In the last slot of the

The French Data Protection Authority (CNIL) has issued a working document setting out its recommendations to companies contemplating the use of cloud computing services. This is in part the result of a public consultation carried out by the CNIL from October to December 2011. The guidance includes a checklist applicable to both private and public clouds with seven key steps, summarized below, to be followed by cloud customers:

1. Identify the types of data and the data processing that could

By Gail Crawford, Amy Taylor, and Ben Wright

The UK Information Commissioner’s Office (ICO) 12-month grace period for enforcing compliance with the new cookie consent rules has now expired. If you are not yet compliant, you need to take action.

Over the course of the 12-month grace period, we have seen guidance released from, amongst others, the ICO, setting out its interpretation of the new rules; the International Chamber of Commerce (ICC), working with industry to publish a

The European Commission adopted a proposal to reform European privacy law on 25 January 2012. According to the Commission the reform will “strengthen online privacy rights and boost Europe’s digital economy.” Time will tell whether the former is compatible with the latter.

The proposal now moves to the European Parliament and to the Council representing the member state Governments for discussion. Since the first draft leaked in November, a number of amendments have been made to make the proposal less

The Directorate General for Justice of the European Commission has in recent weeks worked to overcome criticism from other Directorates on its draft proposal to reform Europe’s privacy law. It now appears possible that the proposal for the reform is back on track for adoption at the Commissioner’s Meeting scheduled for 25 January 2012. From there, the proposal would move into the legislative process, requiring approval by the European Parliament and the national Governments via their representatives in the

Viviane Reding, the European Commission Vice President in charge of the reform of the European privacy law, has received negative opinions from a handful of Directorates-General in the European Commission on an internal draft of the General Data Protection Regulation. As a consequence, the draft will not be ready for the official publication that was originally scheduled for the end of January 2012. Instead, Commissioner Reding is said to be working on a communication outlining reconsidered objectives for the