You Are Viewing International

NIS Directive Adopted in August 2016 – What’s Next

Posted by fgilbert on August 12th, 2016

Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016, Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union Network and Information (“NIS Directive” or “Directive”), entered into force in August 2016, outlines plans for establishing a base level of network and information security that is coherent across the European Union (EU) and European Economic Area (EEA). It defines a framework for enabling networks and information systems to be better prepared to respond to actions that compromise the availability, authenticity, integrity, or confidentiality of the data that they process, store, or transmit. In addition, each Member State will be required to adopt a Network Information Security strategy defining its objectives and policy and regulatory measures regarding cybersecurity.

Scope and Affected Entities

The Directive will primarily affect “operators of essential services” and “digital Service providers”. Under the Directive, an entity provides an essential service if the entity provides a service that is essential for the maintenance of critical societal and/or economic activities; the provision of that service depends on network and information systems; and an incident to the network and information systems of that service would have significant disruptive effects on the provision of that service. Examples of such operators of essential services include entities in the following industries: Energy; Transportation; Banking; Financial Markets Infrastructures; Health care; Drinking water supply and distribution; and Digital infrastructure. The second group of companies impacted by the NIS Directive is digital services providers located in the Member States, which includes online market places, such as e-commerce platforms; cloud computing services; and online search engines.

Obligations of Operators of Essential Services

The Directive outlines specific obligations on operators of essential services. For example, they will have to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems that they use in their operation and to prevent and minimize the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, to facilitate the continuation of those services.

They will be required to notify the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications must include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.

They will also have to provide information necessary to assess the security of their network and information systems including documented security policies.; and provide evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor, and, in the latter case, to make the results thereof, including underlying evidence, available to the competent authority.

Obligations of Digital Service Providers

Digital service providers will also be required to identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems use to offer services and to prevent and minimize the impact of security incidents. These measures will have to ensure a level of security and take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.

Digital service providers will have to notify the competent authorities without undue delay of any incident having a substantial impact on the provision of a service that they offer in the EU. Such notification will have to include information to enable the competent authorities to determine the significance of any cross-border impact.

Cooperation Among Member States

The Directive puts in place several structures for ensuring efficient activities within each Member State and cooperation among the Member States. For example, Member States will have to designate a competent national authority responsible for implementation and enforcement of the NIS Directive.  They will also be required to establish Computer Security Incident Response Teams (CSIRTs) which will be responsible for handling cybersecurity incidents and risks.

A network of Computer Security Incident Response Teams (CSIRTs Network), also established by the Directive, will help promote swift and effective operational cooperation on cybersecurity incidents and for sharing information about security risks among Member States. The CSIRTs Network will consist of representatives of the CSIRTs established in the Member States and the Computer Emergency Response Team (CERT-EU).

A “Cooperation Group”, composed of representatives of the EU Member States, representative of ENISA (EU Agency for Network and Information Security) and the European Commission will facilitate strategic cooperation and information exchanges among Member States. It will prepare strategic guidelines for the activities of the CSIRTs Network and discuss the capabilities and preparedness of Member States.

Between Now and May 2018

The NIS Directive entered into force in August 2016. The EU/EEA Member States now have until May 2018 to implement its principles into their national laws. Companies that do business in the EU/EEA and fall within the scope of the NIS Directive should monitor the implementation process in the Member States where they operate, and the further guidance that the competent authorities will issue. They also should be aware that the EU Commission has the power to adopt implementing acts regarding the required formats and procedures to be used for notification and incident assessment.

EU-U.S. Privacy Shield Approved and Signed

Posted by fgilbert on July 14th, 2016

Since October 2015, when the Court of Justice of the European Union invalidated the Safe Harbor Agreement, numerous US and EU companies have struggled to provide a legal basis to the transfer of personal information across the Atlantic. On July 12, representatives of the European Commission and the U.S. Department of Commerce signed the “EU-US Privacy Shield” agreement, which replaces the Safe Harbor agreement. The new EU US Privacy Shield become effective as of August 1, 2016.

The documents that form the executed Privacy Shield agreement are an updated version of those that were published in late February 2016. The signed Shield documents clarify numerous issues that were of concern to Europeans and introduces several new requirements.

The primary changes are found in the Draft Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield (“Decision”). The Decision clarifies that the Principles will apply solely to the processing of personal data by a U.S. organization insofar as the processing by such organization does not fall within the scope of EU legislation.


Shield Certified companies will have to require their subcontractors and service providers to delete or de-identify personal data when no longer needed for the identified processing or compatible purposes. This will also have to require recipients of personal data to notify them if the recipient can no longer provide the same level of protection as required by the Privacy Shield Principles (Principles).

Data Quality and Data Uses

The Decision stresses that organizations will have to ensure that personal data is reliable for its intended use, accurate, complete, and current. Special rules will apply to the use of personal data for direct marketing purposes, to allow individuals to opt-out at any time.

Crossborder Transfers

Regarding cross-border transfers, the Decision stresses that the obligation to provide the same level of protection must apply to all parties involved in the processing of the data, irrespective of their location, when the original recipient itself transfers that data to a third party, for example a subprocessor.

Recourse, Enforcement, and Liability

The Decision clarifies that organizations that have failed to deal appropriately with complaints will be subject to oversight and enforcement actions by the Federal Trade Commission, the Department of Transportation or another U.S. authorized statutory body. It provides a lengthy analysis and details the eight levels of redress and the escalation procedure that will be available to EU residents.

Transparency and Oversight

Part of the new measures to ensure transparency and allow for oversight will include the monitoring by the U.S. Department of Commerce whether the self-certified organizations on the Privacy Shield list are current in their obligations.  If an organization is not current in its obligations, the Department of Commerce will enforce the return or deletion of the personal data that the entity received on the basis of the Privacy Shield.

Access by U.S. Public Authorities

The Decision clarifies that the EU Commission has determined that U.S. law contains a number of limitations on the access to, and use of, personal data transferred to the United States for national security purposes, and that sovereign and redress mechanisms provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse.

It also confirms that bulk collection will only be authorized exceptionally where targeted collection is not feasible, and will be accompanied by additional safeguards to minimize the amount of data collected and subsequent access (which will have to be targeted and only be allowed for specific purposes).


For a detailed analysis of the updated Shield Documents see article co-authored by Francoise Gilbert and Marie Jose van der Heijden, “Privacy Shiel 2.0 Sighned, Sealed and Delivered, published in the Bloomberg BNA Privacy and Data Security Law Report on July 11, 2016.




Israel Revokes is Acceptance of Safe Harbor

Posted by fgilbert on October 20th, 2015

In early October 2015, the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case, declared the EU-US Safe Harbor invalid. The CJEU ruling stunned many businesses and organizations throughout the world. For the past 15 years, the Safe Harbor Program had made it easy for businesses established in the United States and the European Economic Area (EEA) to exchange personal data in the ordinary course of business. It was the simplest and most business friendly method for addressing the prohibition against cross-border data transfers to countries that do not offer adequate protection of privacy rights and personal data, a prohibition that is common to all data protection laws of EEA member states.

Since the issuance of the ruling, a flurry of activity has occurred. Numerous reactions and comments have been published. Two of the most notable statements issued by the Article 29 Working Party and by the Israeli Law, Information and Technology Authority require that US companies involved in international exchanges of personal data with the EMEA Region react promptly to the invalidation of the Safe Harbor Program, so that they establish alternative measures to address the void left by this invalidation.

On October 15, 2015 the Article 29 Working Party (A29) – the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The A29 confirmed that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warned that if, by January 2016, the United States and the European Union have not reached a satisfactory agreement that incorporates certain elements identified in the A29 statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross border data transfers.

Israel Revokes its Acceptance of the Us EU Safe Harbor

Now, on October 19 2015 the Israeli Law, Information and Technology Authority (ILITA), the country’s data protection authority, announced that, in view of the CJEU ruling invalidating the EU-US Safe Harbor, it would cease treating a US company’s self-certification under the EU–US Safe Harbor as a ground for granting derogations to its own prohibition against crossborder data transfers out of Israel. In other words, Israeli companies that relied on the fact that a US company was listed on the Safe Harbor List of the US Department of Commerce can no longer do so to justify the legality of their transfer of data to the United States.

In a long statement analyzing the CJEU case, the ILITA announced that it revoked its prior authorization permitting the transfer of personal data from Israel to those organizations in the United States that certified under the EU-US Safe Harbor. In keeping with the data protection legislation enacted throughout the EEA, the Israel Privacy Protection Regulations (Transfer of Data to Databases Abroad) 2001 restricts the transfer of personal data outside the country unless the recipient country ensures a level of data protection that is no lesser than that provided under Israeli law, or one of the derogations in Section 2 of the 2001 Regulations applies.

Up until very recently, the ILITA had found that those US organizations certified under the EU-US Safe Harbor provided an adequate level of protection for personal data and, as such, fell under the derogation, provided under Section 2(8)(2) of Israel’s 2001 Privacy Protection Regulations, authorizing data transfers from Israel. However, with the recent CJEU decision in the Schrems case, the position of the ILITA has changed. It has stated that organizations can no longer rely on the aforementioned derogation as the basis for the transfer of personal data between Israel and the United States. The ILITA has advised organizations to assess whether they can legitimize the transfer of personal data between Israel and the United States under one of the other derogations provided in Section 2 of the 2001 Regulations. The ILITA has also advised that it continues to assess the implications of the Schrems decision and that it will publish information and additional clarifications if necessary.

Israel is one of the few counties whose data protection law has been deemed to meet the stringent criteria required under the EU Data Protection Directive 95/46/EC. Under Commission Decision 2011/61/EU, Israel is considered as providing, an adequate level of protection for personal data transferred from the European Union. This adequacy finding ensures that personal data can be transferred from the European Union to Israel, without companies having to rely on other legal methods, such as contractual clauses, to effect the data transfer. It is likely that Israel’s decision to follow the determination in the CJEU ruling invalidating the Safe Harbor Program was prompted by its concern to keep its privileged status vis-à-vis European entities in good standing.

While Israel’s reaction is understandable under the circumstances, it may be a sign that other countries throughout the world that also have the privilege of having been deemed by the European Commission to offer “adequate protection”, countries such as Argentina, Uruguay, Canada or Switzerland, might soon adopt the same approach as Israel. This would isolate further the United States, and create additional pressure for the United States government to modify its course of action and its strategies regarding international commerce

What to do Next?

The activities of US law enforcement agencies remain of great concern to the rest of the world. In its statement, the A29 points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and that existing transfer tools are not the solution to this issue.

It is becoming clear that the repeated assertions of the CJEU in its ruling, that personal data when on the US territory is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the prospective rules laid down by the Safe Harbor when they conflict with US national security and public interest are affecting the reasoning of the EEA Data Protection Commissioners and may also be getting traction outside the European Economic Area. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve these fundamental issues. It is hard to see how data transferred from the EEA to the United States under BCRs or Standard Contractual clauses would not suffer the same fate. The next few months will be very busy and will see extensive activities in the United States, throughout Europe, and probably in other parts of the world. Hopefully the wake-up call provided by the CJEU ruling will pave the way to effective and productive negotiations that find a solution that help revive commerce and exchanges between the affected countries.

In the meantime, US companies must urgently evaluate their situation and take appropriate remedial measures to meet the data protection standards in the countries in which they currently do business. The January 2016 deadline, set by the A29 Working Party, is a very important deadline. US companies should take the time, this Fall, to reshape their crossborder data transfer solutions to address the significant challenges created by the invalidation of the EU-US Safe Harbor, and the associated ramifications such as the Israeli decision.

Safe Harbor Invalidation – Article 29 Working Party Sets January 2016 Deadline

Posted by fgilbert on October 16th, 2015

The long awaited reaction of the Working party to the ruling of the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case in now public. Late on October 15, the Article 29 Working Party published a statement outlining its first response to the landmark ruling. The Working Party’s statement summarizes the group’s evaluation of the first consequences to be drawn at European and national level.

The Working Party point out that the data protection authorities, EU institutions, Member States, and businesses are collectively responsible for finding sustainable solutions to implement the Court’s judgment. It stresses that businesses, in particular, should reflect on the eventual risks they take when transferring data to the United States, and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection principles.

Transfers under Safe Harbor Unlawful

Regarding the practical consequences of the CJEU judgment, the Working Party states that it is clear that transfers from the European Union to the United States can no longer be framed based on Safe Harbor mechanism and “transfers that are still taking place under the Safe Harbor after the CJEU judgment are unlawful.”

Standard Clauses and Binding Corporate Rules

Until the Working Party has completed its analysis of the impact of the CJEU judgment on other transfer tools, data protection authorities will consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, during this transition period, the Working Party warns that data protection authorities will continue to exercise their right to investigate particular cases, and to exercise their powers in order to protect individuals.

January 2016 Deadline

The Working Party’s press release sets a January 2016 deadline. If, by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.

Massive Surveillance an issue

The activities of US law enforcement agencies remain of great concern to the Working Party. The Working Party points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and existing transfer tools are not the solution to this issue.

Intergovernmental Agreement Suggested

While progress has been made with the recent signature of the Umbrella Agreement and the ongoing negotiations regarding Safe Harbor 2.0, the Working Party believes that more needs to be done. A new Safe Harbor agreement would only a part of the solution; more is necessary.

The Working Party urges Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling cross Atlantic data transfers that respect fundamental rights. In particular, it suggests that such solutions could be found through the negotiation of an intergovernmental agreement providing stronger guarantees to EU data subjects.

The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on:

  • Oversight of access by public authorities;
  • Transparency;
  • Proportionality;
  • Redress mechanisms; and
  • Data protection rights.

Shared Responsibility

The Working Party views it as a shared responsibility between data protection authorities, EU institutions, Member States, and businesses to find sustainable solutions to implement the Court’s judgment. It states that, in the context of the CJEU judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection laws and principles.

Safe Harbor Invalidation – What Consequences?

Posted by fgilbert on October 16th, 2015


In a 35-page ruling, published on October 6, 2015, the Court of Justice of the European Union has declared the EU-US Safe Harbor invalid. This means that the data transfers between European companies and the 4500+ US companies that have self-certified to their adherence to the EU-US Safe Harbor principles no longer have a legal basis and are exposed to the scrutiny of 31 Data Protection Authorities of the European Economic Area (EEA) Member states.

The CJEU ruling comes after lengthy proceedings initiated by an Austrian law student against Facebook, arguing that the transfer of his personal information from Austria to Facebook’s California servers under the protection of the Safe Harbor violates his rights. The original complaint argued that, based on the information provided by Edward Snowden regarding the mass surveillance powers of US National Security Agency, the United States offers no legal protection against data surveillance, and the powers of the US law enforcement agencies supersede the promises made in a company’s Safe Harbor self-certification.

The CJEU went beyond the specific question that had been raised in the Facebook case. It held that Article 3 of Decision 2000/520 (which allowed for the creation of the Safe Harbor) is invalid. And, because Article 3 of Decision 2000/520 is inseparable from the other provisions of Decision 2000/520, the invalidity of Article 3 invalidates Decision 2000/520 in its entirety.

As put simply and very concisely in the last line of the CJEU 35-page ruling: “Decision 2000/520 is invalid.”

What does this mean for US companies and their subsidiaries and trading partners located in the 31 Members States of the European Economic Area?

It means great uncertainty. There are long term and short term issues:

  • What to do immediately;
  • Whether this means a future with a series of data localization restrictions resulting in countries or regions adopting a silo approach to data storage.

Immediate Consequences

First, the legal basis of the EU-US Safe Harbor on which EEA companies had relied to transfer data to the United States has been declared invalid. However, the decision does not affect the Switzerland-US Safe Harbor. Thus transfers between Switzerland and the United States can continue under the existing Swiss-US Safe Harbor regime.

In the meantime, EEA data protection laws continue to prohibit the transfer of personal data outside the EEA territory unless there is a legal basis to show that the data, when on the US territory will benefit from the same protection as in the EEA.

There may be temporary work around. There are other approved methods to achieve the “adequate protection” required by the EEA data protection laws. For example, EU and EEA companies may decide to enter into contracts based on Standard Contractual Clauses approved by the European Commmission. This might be the fastest and most efficient way to react in the short term. But before this solution may be implemented, significant due diligence must be performed, and many parties must agree to the applicable terms. The terms of the Standard clauses crease stringent restrictions and significant liabilities for which US companies may need additional insurance coverage. Multi-national entities may attempt to obtain approval of BCRs (“Binding Corporate Rules”) for their internal transfers. But there are significant hurdles. For example, currently, only 21 out of the 31 EEA countries recognize Binding Corporate Rules.  Further, the process for approval of a set of BRCs may take one to two years from beginning to end..

Long Term Issues

A much more fundamental question remains. What happens to EEA data when they are stored on US territory? And will the NSA surveillance activities continue to create heartburn for EEA citizens and institutions?

The argument initially raised in the Facebook case was that the Snowden revelations raised concern about whether, in spite of a series of laws regulating government access to data and communicants, the US legal framework offers no actual protection against excessive surveillance by US law enforcement agencies.

In its 35-page analysis, the CJEU repeatedly asserts that personal data when on the US territory is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the prospective rules laid down by the Safe Harbor when they conflict with US national security and public interest. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve this issue. Data transferred from the EEA to the United States under BCR or Standard Contractual clauses would suffer the same fate.

A world of silos?

The CJEU Decision in the Facebook case raises a much more fundamental question regarding cross border data transfers. It is not just the Safe Harbor program that is at stake.  It is the entire framework of model clauses, binding corporate rules and other methods that are currently used to address the “adequate protection” requirement under EU Member State data protection laws that is at stake.

Will the special powers granted to – or used by – law enforcement agencies in the US create such an obstacle to crossborder data transfers between the EEA and the US that US companies will have no choice but setting up data centers in the EEA, in order to store their EEA customers’ data within the EEA territory in an attempt to reduce the risk of being within the reach of the long arm of US law enforcement agencies?

And will this trend, combined with other data localization laws, such as the one in Russia, create a world of data silos? Will localization laws become the norm?

Is it already too late?

Russia Data Localization Law: an Enigma

Posted by fgilbert on April 6th, 2015

Companies that do business in Russia or with Russia residents have been struggling to understand the Federal Law No. 242-FZ (“Data Localization Law”).  The law, passed in July 2014, contains a series of amendments to Russian laws to “Specify the Procedure for Personal Data Processing by Information and Telecommunications Networks.” The need to understand the requirements of this new Data Localization Law has become even more urgent since its effective date has been advanced to September 1, 2015. While the original draft of the law planned to take effect as September 1, 2016, the Russian President signed an amendment to the law on December 31, 2014 , which advanced its effective date to September 1, 2015.  To date, there is still significant uncertainty regarding the meaning and interpretation of Federal Law 242-FZ


Among other things, the Data Localization Law 242-FZ amends several provisions of the current Russia Data Protection Law. In particular, it amends Article 18 of the Data Protection Law to require all companies holding personal data (with some exceptions) to host their servers on Russian soil. The new Article 18(5) provides:

When collecting personal data, including collection via Internet information and telecommunication network, an operator shall provide a record that the organization, accumulation, storage, update and retrieval of personal data of citizens of the Russian Federation is held on databases located within the Russian Federation.

At the highest level, the direction is simple. Data about Russian residents must be stored in Russia. The affected entities are data operators – i.e. entities performing the functions of data controller or data processor -. These include subsidiaries and representative offices of foreign companies that collect and process personal data of Russian nationals residing on the Russian territory.

Exceptions to this requirement include, for example: the processing of personal data for implementing an international agreement, administration of justice, enforcement of court rulings, and provision of public and municipal service, mass media, or creative work.

The law requires these data operators, to record, organize, store, update or retrieve personal data on servers that are physically located in the Russian Federation. However it is not clear which specific entities are concerned. For example, does a company that does not have operations or a physical presence in Russia but collects data, emails or content from Russia resident have to comply with the law?

There are other significant interpretation questions.  For example, does the fact that a copy of the data is stored in Russia prohibit any form of processing outside Russia? Can data stored in Russia be transferred out of Russia, for further processing outside of Russia? The literal wording of the law does not explicitly require data operators to perform data processing only within the Russian territory. It just requires that a copy of the data be stored in Russia. However, the provision might be interpreted differently when clarifying regulations are issued.


Notification of Server Location

Like most data protection laws throughout Europe, Russia’s current law on the protection of personal data, in its Article 22, requires covered entities to notify Roskomnadzor, the Russian agency in charge of personal data, before proceeding to the processing of personal data. With the enactment of the Data Localization Law, covered entities will have to indicate, in addition, the location of the databases that contain the personal data of Russian citizens in their notification form that are filed with Roskomnadzor.


Violation of the Data Localization Law

The Data Localization Law grants Roskomnadzor significant new powers: the power to block access from the Russian territory to the websites that violate the Data Localization law, and the power to organize a register of infringers. Banned domain names, network addresses, and other details will be recorded in that special state register of law infringers.

In addition to this blocking and black listing, the current sanctions under the Russian Data Protection Law will apply. The current fines are between RUB 5,000 to RUB 10,000. In addition, a responsible data officer may be fined personally, up to RUB 1,000. It is not clear whether the fines will be computed on a per incident basis or according to the number of data record affected.


Interpretation of the Data Localization Law

The provisions of the Data Localization Law are vague and can be construed in different ways. To date, there is little tangible and precise information on the proposed interpretation of the law. Subordinate legislation, for example in the form of regulations or guidelines, is expected to the adopted in 2015 before the new Data Localization Law comes into force.

In the meantime, during first months of 2015, Roskomnadzor held a series of conferences with industry groups to discuss the specifics of data storage in Russia and ways and mechanisms for controlling the physical location of data. These discussions were conducted on an informal basis, and are not intended to provide an official position. The information provided during these meetings is not legally binding. It is only an incomplete preview of the potential interpretation of the law by the Russian regulator.

Key points discussed during these meetings include:

  • The Data Localization Law would only apply to personal data of Russian citizens who are located in Russia at the time of the collection of these data.
  • All data operators would be affected, whether they are Russian or foreign. The key factor would be the collection of personal data from the Russian territory.
  • The law would apply only to the collection the personal data directly from the individual.
  • Any structured set of personal data would be subject to the law, irrespective of the format and means of processing. Thus, electronic databases, archives, and card files would be subject to the law.
  • Organizations would be required to store their primary database in Russia, where all processing should be performed.
  • It would not be sufficient to store a copy of the database that is primarily stored elsewhere.
  • Data stored in Russia would be transferable outside Russia if the transfer complies with the Russian cross-border transfer rules.

It is expected that more specific guidance will be provided in the near future, hopefully before the September 1, 2015 date. We will keep following these developments.

Privacy v. Data Protection. What is the Difference?

Posted by fgilbert on October 1st, 2014

I recently participated in a discussion about the difference between “privacy” and “data protection.” My response was “it depends.” It depends on the country. It may also depend on other factors.

When some countries use the term “privacy,” they may mean the same thing or refer to the same principles as what other countries identify as “data protection.” In other countries, “data protection” may be used to mean “information security” and to overlap only slightly with “privacy.” In this case, the term “data protection” may encompass more than just the protection of personal information (but only through security measures). It may cover as well the protection of confidential or valuable information, trade secrets, know-how, or similar information assets.

In the extensive research I conducted when writing my two-volume treatise, Global Privacy and Security Law, which provides an in-depth analysis of the laws of about 70 countries on all continents, I noticed that the use of the terms “privacy” and “data protection” varies from country to country. It may depend on the language spoken in that particular country. It may depend on the region where the country is located.

While in the United States the term “privacy” seems to prevail when identifying the rules and practices regarding the collection, use and processing of personal information, outside the United States, the term “data protection” tends to be more widely used than “privacy.” Among other things, this might be due to the idiosyncrasies of the languages spoken in the respective countries, as explained below.

— “Data Protection” Outside the United States

Throughout the world, “data protection” is frequently used to designate what American privacy professionals call “privacy”, i.e., the rules and practices regarding the handling of personal information or personal data, such as the concepts of notice, consent, choice, purpose, security, etc.


In Europe, “data protection” is a key term used, among other things, to designate the agencies or individuals supervising the handling of personal information. The 1995 EU Data Protection Directive identifies these agencies as “Data Protection Supervisory Authority.” See, e.g. 1995 EU Data Protection Directive, Article 28 defining the “Data Protection Supervisory Authority,” the agency that regulates and oversees the handling of personal data in an EU Member State. The individuals responsible for the handling of personal information within a company – a role similar to, but different from, that of the American Chief Privacy Officer – are designated as “Data Protection Official.” See, e.g. 1995 EU Data Protection Directive, Article 18(2) and Article 19.


Outside Europe, the term “data protection” is also frequently used to designate activities that Americans would designate as “privacy” centric. In Asia, for example, the laws of Malaysia, Singapore, and Taiwan are named “Personal Data Protection Act.” The law of Japan is called “Act on the Protection of Personal Information.” South Korea’s laws, APICNU and the recent Personal information Protection Act also use the term “data protection.”


African countries also use the concept of “data protection” rather than “privacy.” South Africa named its new law “Protection of Personal Information Act.” Tunisia and Morocco, also named their privacy laws “law relating to the protection of individuals with respect to the processing of personal data.”


In the Americas, Canada’s PIPEDA stands for Personal Information Protection and Electronic Documents Act. The new Mexican law is called “Ley Federal de Protección de Datos Personales.”

—  “Privacy” in Foreign Laws

On the other hand, the term “privacy” is seldom used to identify foreign laws or regimes dealing with the protection of personal information. There are, however, a few example of the use of the term “privacy” outside the United States. APEC used the term “privacy” for its 2004 “APEC Privacy Framework.” The law of the Philippines is called “Data Privacy Act.”

— Translations of “Privacy”

When analyzing which term is used to address the protection of personal data throughout the world, it is also important to keep in mind that the word “privacy” (as understood in the United States) does not exist in some languages.


It is very difficult to translate “privacy” into French. There is no such word in French, even though the French are highly private and very much concerned about the protection of their personal information. If you look for a translation, you will find that “privacy” is translated into French as “intimité,” which is inaccurate, or very narrow. The French “intimité” is actually equivalent to “intimacy” in English and has little to do with the US concept of “privacy” or “information privacy.” Indeed, the French law of 2004 does not refer to “intimacy” but is titled “Act relating to the protection of individuals with regard to the processing of personal data.”


There is a similar disconnect with the translation of “privacy” into Spanish where “privacy” is translated into “privacidad,” which has a meaning closer to intimacy, remoteness, or isolation. Unsurprisingly, the Spanish law regarding data privacy is named “Organic Law data protection law on the Protection of Personal Data.” The term “privacidad” is not used.


 — Data Protection as “Security”

On the other hand, in the US, the term “privacy” seems to prevail. We commonly refer to HIPAA or COPPA as “privacy laws.”

What about “data protection”? I have noticed that, many US information security professional tend to use the term “data protection” to mean protecting the security of information, i.e. the protection of the integrity and accessibility of data. In this case, they do not distinguish the protection of personal data from the protection of company data because from a security standpoint, the same tools may apply to both types of data. In other circles, the terms “information security”, “data security”, “cybersecurity” are frequently used as well.

 — Online Searches

Finally, if you are based in the US, and you run an online search for “data protection”, you will see that the search results either provide links to “security” products (e.g. in my case, a link to McAfee Data Protection product that prevents data loss and leakage) or links to foreign laws dealing with what Americans call “privacy”, (e.g. in my case, a link to Guide to Data Protection from the UK Information Commissioner’s Office).

Review of the Safe Harbor soon?

Posted by fgilbert on March 27th, 2014

In a short statement following the EU-US summit held in Brussels earlier this week, Herman Van Rompuy, President of the European Council, announced on March 27, 2014, that the United States and the European Union have agreed to take steps to address concerns caused by last year’s revelations on the USA NSA surveillance programs, and restore trust.

He indicated that, with respect to commercial use of personal data, the United States “have agreed to a review of the so-called Safe Harbour framework” to ensure transparency and legal certainty. In addition, with respect to government access to personal data, the parties will “negotiate an umbrella agreement on data protection by this summer, based on equal treatment of EU and US citizens.”

The full text of Mr. Van Rampuy’s statement is available at


Draft EU Privacy Regulation Amendments Approved

Posted by fgilbert on October 22nd, 2013


The European Union Committee on Civil Liberties, Justice, and Home Affairs, also known as the “LIBE Committee” approved amendments to the draft of the EU Data Protection Regulation on October 21, 2013.

The good news is that the “right to be forgotten” has been replaced with a “right of erasure” which is more narrowly phrased.

The bad news is … most of the other amendments. The revised draft would define a stronger and more stringent data protection regime, which is likely to create additional hurdles for US companies doing business in the European Union, or in need of transferring data out of the EU/EEA to the United States or to subsidiaries worldwide.

In particular, the revised draft increases significantly the maximum fine that might result from violation of the new law. The 2012 draft regulation set a maximum fine of 1,000,000 Euros or 2% of a company’s worldwide income and adopted a tiered approach. With the revised draft, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater.  This is a significant jump.

The next step is the review and approval of the amended text by the European Union Council and the European Commission. After that, the final text of the proposed Regulation would be submitted to the European Parliament for a final discussion and vote. This vote is not likely to take place before May 2014. If an agreement is not reached before the Parliament closes down for the election of new MPs, the negotiation over the Regulation could continue in the next session of the EU Parliament. In this case, more delay might be likely if there were a change in the composition of the Parliament.

The text of the approved amendment is available here.

Global Privacy and Security Law treatise, Supplement #12

Posted by fgilbert on October 4th, 2013

Supplement #12 to our two-volume treatise Global Privacy and Security Law has been shipped to our subscribers!!

29 chapters have been updated. The most significant changes are described below.


  • Chapter 17 – Canada: The Federal Privacy Commissioner of Canada has issued several reports, including reports requesting amendments to PIPEDAs. The update also provides information regarding several court cases and decisions that affect data privacy and security.
  • Chapter 24 – Dominican Republic: In the Dominican Republic, the Constitutional Court has issued a decision on the publication of criminal records in public access registers.
  • Chapter 65 – United States of America: The United States chapter has been significantly reorganized and supplemented to take into account the evolution of the American legal and regulatory landscape since the first publication of the Global Privacy and Security Law treatise in 2009, the driving role played by the Federal Trade Commission, and the recent interest in the laws that regulate US government access to data. In addition, the chapter includes an analysis of the new Health Information Rules (developed under HIPAA and the HITECH Act), which came into force at the end of September 2013, and the new Children’s Online Information Protection Rule (developed under COPPA), which came into effect on July 1, 2013.


  • Chapter 19 – China: In March 2012, China’s Ministry of Industry and Information Technology issued “Several Provisions” that regulate the telecommunications market, these provisions supersede the Administrative Provisions on Internet Information Services for soliciting public opinions (issued on July 2011). The chapter has been updated with information regarding definitions, rules, and regulations for ISP’s under “Several Provisions.”
  • Chapter 38 – Japan: The update provides a status of the enforcement of the Data Protection Law.
  • Chapter 10 – APEC: Asia continues its progress in the development of a privacy framework that is less stringent than the one currently in effect in the European Union. In the recent months, the Crossborder Privacy Rules, an initiative intended to reduce barriers to information flows, has made progress. The United States has already been approved to participate in the CBPR System, and the Federal Trade Commission as its first enforcement authority. Mexico recently obtained its approval and in June 2013, Japan applied to participate.


  • Chapter 26 – Estonia: In Estonia, the Employee Information section has been updated to include information on recording telephone calls. Clarification has also been provided regarding the rules for employee consent.
  • Chapter 28 – France: This update provides a brief summary of the CNIL 33rd activity report for 2012. The section on video surveillance is supplemented with information about a recent case in Paris. A new section has also been added regarding Illegal Downloading, which describes the requirements for employers to monitor Internet usage of their employees.
  • Chapter 32 – Hungary: The update describes the recent recommendation by the Hungarian Data Protection and Freedom of Information Agency on video surveillance in the workplace and other developments regarding data processors ability to subcontract work to other processors.  The Agency has also been vested with a new function, that of auditor for data controllers.
  • Chapter 33 – Iceland: Two new sections have been added regarding International Treaties and Agreements to which Iceland is party and about data protection guaranties found in the Constitution of the Republic of Iceland. The chapter has also been supplemented with information regarding the status of implementation of Article 5(3) of the 2009 Directive regarding the use of cookies.
  • Chapter 40 – Liechtenstein: The update includes information regarding International Treaties and Agreements to which Liechtenstein is party and information regarding data protection in the country’s Constitution. The update also provides information regarding the status of implementation of Article 5(3) of the 2009 Directive.
  • Chapter 41 – Lithuania: Two new subsections on the exchange of personal data for evaluation of solvency and debt management and on video surveillance have been added to the Data Protection Law section.
  • Chapter 46 – Netherlands: The update to the Netherlands chapter provides an overview of the Article 29 opinion on the definition of “personal information,” “purpose limitation” and “use limitation.” The chapter also describes the status of the 2009 cookie directive implementation. Netherlands appears to be leaning towards a less strict interpretation of the 2009 provisions. The Netherlands Data Protection Commissioner has published guidelines for the security of personal data, which provides a checklist of appropriate measures. Finally, the chapter provides an in depth analysis of the whistle blowing provisions that apply to civil servants.
  • Chapter 47 – Norway: The 2009 Directive has not yet been implemented but the Norwegian Parliament has submitted a plan on its implementation. A new section on health information has been added, and the section on electronic communications has been supplemented with information regarding traffic data. Also described in this updated is the Supreme Court’s ruling on a case involving the collection of employee GPS location data by a waste company.
  • Chapter 50 – Portugal: An update on the implementation of the 2009 Directive with respect to cookies and security breach disclosure requirements is included in this supplement.
  • Chapter 51 – Romania: The update to the Romania chapter focuses on the implementation of the 2009 amendment to the 2002 e-Privacy Directive into the Data Protection Law regarding the use of cookies.
  • Chapter 54 – Slovakia: The chapter describes recent reports of the Office for Personal Data Protection regarding the processing of biometric data, its investigation of e-shops, and the requirements to notify data subjects when performing video surveillance.
  • Chapter 55 – Slovenia: The Electronic Communications Act came into force, implementing Article 5(3) of the 2009 amendment to the 2002 ePrivacy Directive.
  • Chapter 59 – Sweden: The update to the Sweden chapter describes a 2012 case involving surveillance cameras in a high school. An update on the ePhone case is also included.
  • Croatia: In addition to the above, to take into account the arrival of Croatia in the European Union as its 28th member state, several chapters have been slightly modified.  Supplement # 13 to the Global Privacy and Security Law treatise will contain a new chapter, which will analyze Croatia’s data protection laws in the same way as the other laws of other countries have been described and analyzed.

Middle East – Africa

If you are a subscriber, and you have not yet received your copy please let me know.