The 2014 Year End Newsletter looks at:
I. Article 29 Working Party publishes Opinion on "Internet of Things"
II. Data protection and competition law - statement by the Federal and State Commissioners for Data Protection
III. Are IP-addresses personal data? - German Federal Court of Justice asks ECJ
IV. Data processing for marketing: new guidelines
V. Outlook on current draft laws and recommended reading

A brief summary of each point is below - to read the full newsletter, please click here.

I. Article 29 Working Party publishes Opinion on "Internet of Things"
The WP29 considers IoT as generally permitted, but clearly states that any stakeholder is responsible for data protection. Despite consent requirements and transparency obligations, personal data should be aggregated to the greatest extent possible and the principles of privacy by default and privacy by design shall be applied by the stakeholders.

II. Data protection and competition law - statement by the Federal and State Commissioners for Data Protection
While …
Just what IS the state of play on the draft Regulation? This was the hot topic at the recent IAPP conference in Brussels. The Datonomy Team has been taking stock of progress and has produced a guide to the Top 12 issues and their practical impact for business.

Two weeks ago, members of the Datonomy Team attended the IAPP conference in Brussels. Despite the fact that the draft Regulation didn’t feature heavily on the draft agenda, it was the main topic of conversation between in-house privacy counsel, regulators and private practice lawyers during the networking breaks. As Datonomy readers will be aware, the new Commission President has tasked the new EU Commissioners who now share responsibility for the data protection portfolio with steering inter-institutional negotiations on the text to agreement by May 2015. That would mean the Regulation would take direct effect in Member States by 2017. Over recent weeks, various sources …
Datonomy takes a look at the recent recommendations in the Article 29 Working Party Opinion on the Internet of Things, and what these mean for players in the value chain.

Consumers’ fear of potentially intrusive new technologies is often cited as one of the main barriers to the adoption of the Internet of Things. Regulators in the US and Europe are starting to get to grips with the issue. As Datonomy readers will be aware, the Article 29 Working Party recently issued an Opinion on the topic, with recommendations on how to embed privacy compliance at every stage of the IoT value chain. In this paper on the Olswang website here I consider the key privacy and security challenges posed by a connected world, and analyse the latest best practice for suppliers – from device manufacturers, through to app developers and providers of operating systems. Stakeholders who can demonstrate privacy compliance and …
As Datonomy readers may know, October is Cybersecurity Month - a good time to read the second edition of Olswang's Cyber Alert. There is no doubt that cyber security is rising up the international as well as the business agenda. NATO recently adopted an amendment to its charter to put cyber attacks on the same footing as armed attacks – see paragraph 72 of NATO’s Declaration. In this edition:
A small selection of the cyber threats and statistics that have made recent headlines.
  • Sources including censorship watchdog GreatFire have alleged that the Chinese authorities are staging a “man-in-the-middle” attack on Apple’s iCloud, just days after the iPhone went on sale in China. The attack is designed to intercept users’ iCloud account usernames and passwords, using a fake login site that looks exactly like the Apple iCloud login site. Read more from The WHIR and ITProPortal.
  • A new bug, which could be affecting hundreds of millions of computers, servers and devices using Linux and Apple’s Mac operating system, has been discovered. System administrators have been urged to apply patches to combat the bug, which has been dubbed “Shellshock”. Read more from the BBC.
  • US companies Home Depot, Supervalu and JPMorgan Chase & Co have all been hit by high-profile cyber attacks.
  • Mark …
As reported in our first edition, there are two proposals making their way through the Brussels legislature which will change the legal landscape for the reporting of cyber attacks. These are the draft Network and Information Security Directive, which will impose reporting obligations on providers of critical infrastructure, and the draft General Data Protection Regulation which will impose data breach reporting requirements on all data controllers. The summer has seen much institutional change in the EU, first with the European Parliament elections in May, the start of Italy’s Council Presidency in July and now with the reorganisation of the European Commission and appointment of a new Commission President and Commissioners with effect from 1 November. The summer has seen little procedural progress, although trilogue negotiations on the NISD have now begun, and on the GDPR the Council (representing the Member States) has, according to this Council press release, …
With the text of the draft Network and Information Security Directive (“NISD”) still being negotiated between EU institutions, and the national transposition deadline for the Directive likely to be 18 – 24 months from the date of EU adoption, some Member States are pre-empting the new regime with national legislation of their own. France has already implemented the principles enshrined in the draft Directive via its Military Programming Act, which was published at the end of 2013.

Overview

France has already implemented many of the principles enshrined in the Draft NISD into national law. The French Government published its strategy on Information systems and defence in February 2011. This included reviewing and where necessary strengthening cyber laws. As a result, the government passed Article 22 of Act n°2013-1168 dated 18 December 2013 (the “Military Programming Act”) which sets out several obligations applicable to vitally important operators (“VIOs”) which are …