In mid-January, the territorial divisions of Russia’s Data Protection Authority, Roskomnadzor, uploaded their 2016 plans for conducting inspections of local companies’ compliance with Russia’s data localization requirements, and there are a number of prominent multi-national companies on the list.
For instance, the inspection plan of Roskomnadzor’s territorial division for the Russian Central Region (in Russian) contains a number of organizations with an online presence directed to Russia, including Microsoft, Samsung, Hewlett-Packard, VKontakte (Russian social network), HeadHunter.ru (online job search service), Ostrovok.Ru (online booking service), Cronwell Hotels, Chrysler, Volkswagen, Amway, Oriflame, UniCredit Bank, and LaModa.ru (online shop). The full list of data operators included in the inspection plan of Roskomnadzor’s territorial division for the Russian Central Region is available here (in Russian).
To what extent are the personal communications sent by an employee from their employer’s computer private? In Europe it has been accepted for some years that employees do not lose their right to privacy in the workplace. However, a recent decision from the European Court of Human Rights (ECHR) confirms the rights of the employer to restrict employees from any personal use of the employer’s computer equipment and, consequently, to rely on a contravention of the restriction (which is revealed through monitoring) as grounds for dismissal.
What were the facts?
The claimant in Barbulescu v Romania worked for a private company in Romania as a sales engineer. At his employer’s request, he set up a Yahoo Messenger account so that he could respond to clients’ enquiries. Company rules made it clear that using company computers for personal purposes was not permitted – effectively personal use was forbidden.
About three years later, and following another incident involving another employee using the Internet at work for private purposes, the employer asked the claimant whether he used the Yahoo Messenger account for only professional purposes (i.e. in line with the company rules). The claimant confirmed that he only used the account for professional purposes. A few days later, the employer told him that his Yahoo Messenger account had been monitored for a period of just over a week and that the records showed that he had used it for personal purposes on the company’s computer during working hours in direct contradiction to what the claimant had confirmed. When the claimant challenged this, he was presented with a 45 page transcript of messages he had exchanged with his fiancée and brother (some of which were very personal). Accordingly, he was dismissed for breach of the company’s regulations.
Following the announcement by the European Commission of the newly agreed EU-US Privacy Shield, the missing piece of the jigsaw was the Article 29 Working Party’s stance on the adequacy of the existing mechanisms in place—in particular, standard contractual clauses and binding corporate rules (BCR). So after two days of intense discussions, the Working Party has issued a statement with its latest position, which is the follow up to their original reaction to the invalidation of Safe Harbor last October. The bottom line: the Working Party still does not view US government surveillance laws as sufficiently protective of privacy—a position which calls all transfers of personal data to the US in question, regardless of the methods used to legitimise the transfer—but they will reconsider this position in light of the Privacy Shield in the coming months.
The statement starts on a positive note by saying that the Working Party welcomes the conclusion of the negotiations between the EU and the US on the introduction of a new Privacy Shield—although it acknowledges that it has not seen its content.
The Working Party then goes on to say that over the past weeks, it has analysed the robustness of the other existing transfer tools by reference to the criteria laid out by the Court of Justice of the European Union (CJEU), namely:
Last week the Commission released a summary of the responses received in two of the three public consultations launched in September 2015, in what was the opening salvo of concrete policy initiatives under the Commission’s Digital Single Market strategy.
The geo-blocking consultation sought evidence on the effect of technical barriers and other unjustified restrictions imposed by websites and online service providers on cross border access to goods and services made available over the internet. It ended on 28 December 2015. The focus of the platforms consultation was to gather evidence on the regulatory environment for online platforms, the liability of intermediaries and cloud and data driven services. It closed on 6 January 2016.
Anyone reading this blog already knows that cybersecurity is a team sport. No longer does the IT security department bear sole responsibility for protecting a company’s data and systems. Today companies are setting up enterprise-wide councils to oversee cybersecurity that include lawyers, risk managers, technical professionals, and other leaders. And if a breach occurs, that team gets even more diverse, adding, for example, highly-specialized forensics professionals and public relations specialists to help manage remediation, investigations, and potentially notification efforts.
That’s why we have formed Hogan Lovells Cyber Risk Services, a dedicated team of cyber technical and risk management professionals. Working side by side with our lawyers, our expanded team enables us to provide more of what our Cybersecurity Solutions practice is already known for: a unique blend of technical knowledge, operational experience, and of course legal and regulatory skills that can help clients manage the increasing variety of cybersecurity issues and situations with which they need help.
More information is available below.
As the second of a series of five, this blog post focuses on the first legislative proposal for European copyright reform: the proposal for a regulation on ensuring the cross-border portability of online content services in the internal market.
The Digital Single Market (DSM) strategy – presented in May 2015 – contains 16 initiatives in a variety of fields such as telecommunication, consumer rights and Big Data, each of which is intended to bring us one step closer to the European digital single market. Our DSM Watch team is a multi-jurisdiction, cross-practice group working together to keep you informed as the initiatives under the DSM strategy roll out.
One of the 16 initiatives focuses on copyright reform. On 9th December 2015, the European Commission presented its action plan “Towards a modern, more European copyright framework” which touches upon four different topics. Additionally, the Commission provided a draft Regulation on cross-border portability of online content services.
Last month we presented the first topic “Widening access to content across the EU” in our blog. Posts on the other three main themes (Exceptions to copyright, Creating a fairer marketplace and Fighting Piracy) will follow over the coming weeks, but this blog focuses on the draft portability Regulation.
EDITOR’S NOTE: We are excited to present this entry in our new TMT2020 series, which reflects the key technology, media, and telecoms legal issues that are expected to impact today’s organizations and tomorrow’s marketplace. It also provides an opportunity to highlight contributions by TMT associates across our global offices and practice areas.
Real-time payments have become an increasingly common way of life in Singapore. Their proliferation has significantly enhanced the ease and efficiency with which banks, businesses and individual consumers alike make payments and manage their everyday affairs. More efficient payment systems have also changed consumer and business expectations on payments, inspiring further evolution of the global payments ecosystem and compelling banks, retailers and credit card companies to innovate.
Modelled after the UK’s Faster Payments Service initiative and backed by Singapore’s central bank (the Monetary Authority of Singapore) and 14 major banks, Singapore’s innovative real-time “FAST” (Fast and Secure Transfers) payments platform was introduced in March 2014. This new platform has propelled Southeast Asia’s leading financial centre to the forefront of cutting-edge “Fintech” real-time technology. The availability of real-time payments is also driving the development of a wider range of services in Singapore, including mobile, digital and other instant person to person (P2P) payments, in line with other developed countries such as the UK, Australia and the Nordic countries with similar nationwide real-time payments infrastructure.
Last Friday, the Federal Communications Commission (the “FCC”) adopted an Order making it easier for telecommunications providers to provide facilities-based services, such as undersea submarine cables and satellite services, between the United States and Cuba.
As previously noted, in December 2014 the Obama Administration took executive action to ease trade sanctions and export controls against Cuba, which included efforts to authorize exports of telecommunications products and services to Cuba.
In October 2015, the State Department asked the FCC to remove Cuba from its “Exclusion List for International 214 Authorizations” (the “Exclusion List”). (An International 214 Authorization is required to provide telecommunications services between the U.S. and another country.) Under the FCC’s rules, carriers can generally apply for and receive authority to provide international service using any U.S.-licensed facilities without filing separate applications for each new facility or country. The FCC streamlined this process to promote entry into new markets and increase global investment in telecommunications services. But for countries on the Exclusion List, carriers’ applications are processed on a non-streamlined basis, and require coordination with the U.S. Department of State.
In its latest plenary session, the European Parliament (EP) adopted the resolution “Towards a Digital Single Market Act” (see press release). The resolution of 19 January 2016 forms the response to the Commission Digital Single Market Strategy (DSM) as announced last May and pursued ever since.
When the EU Commission published its DSM Strategy in May 2015, it quite rightly received much attention throughout the European Union. The steps that have been proposed towards a truly functioning digital market across all Member States will change the landscape recognisably. This is why we have been monitoring the development from the first day on. Our DSM Watch team is a multi-jurisdiction, cross-practice group working together to keep you informed as the initiatives under the DSM strategy roll out.
In its resolution, the Parliament not only welcomes the Commission’s DSM Strategy; the parliamentarians also express their concerns with respect to the so far restrained handling of digital development within the European Union. Remarkably, the resolution received the approval of 551 of the 678 Members of the Parliament. The 128 paragraphs in total entail detailed comments on several of the Commission’s initiatives – to name only a few, topics such as geoblocking, consumer rights, Big Data and online platforms are touched upon.
The EU General Data Protection Regulation (“GDPR”) has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.
Goodbye to the Directive
First things first: the GDPR is a regulation under EU law. This means that it will have direct effect in all 28 Member States of the EU. Consequently, there will be no need for EU governments to implement the GDPR locally and existing national data protection law will ultimately need to be repealed to make way for the GDPR. Additionally, the Data Protection Directive 95/46/EC (Directive) will be repealed on the day the GDPR becomes law. However, the GDPR provides a limited ability for Member States to legislate locally on certain discrete matters, including the use of health data.