News Archives

Wednesday, March 14, 2018

CNIL Shows Pragmatic Flexibility on GDPR Enforcement

With the EU General Data Protection Regulation coming into full force and effect on May 25, 2018, the French data protection authority has announced its plans for enforcement activity once that date arrives. Even though the adopted text of the GDPR was released nearly three years ago, in principle giving companies ample time to come into compliance, the CNIL has recognized the reality that many companies are still struggling to understand and execute the many new measures that will be required. Demonstrating flexibility, the CNIL says that it will distinguish between two types of obligations: the fundamental principles of data protection found in the current Data Protection Directive, and the new obligations or rights found in the GDPR, such as the right to data portability and privacy impact assessments.

According to the CNIL, it will continue to “vigorously enforce” the fundamental principles, while focusing on helping companies understand and implement the new rights and obligations. Where companies are making “good faith” efforts to comply with the new rights and obligations, the CNIL states that sanction procedures will normally not be instituted “in the first months.”  The very concept of a “transitional period” during which the potential for significant sanctions will be held in abeyance, while vaguely defined, is both pragmatic and generous.  The February 19 guidance also waives the need for the immediate completion of a privacy impact assessment by companies whose processing was previously approved by the CNIL and addresses issues faced by companies awaiting CNIL response to their registrations. 

Tuesday, March 13, 2018

Update on Data Protection Enforcement in Russia

English-language information on data protection in Russia is hard to come by, thanks to the latest iteration of the Cold War, so an update by Hogan Lovells is worth highlighting. The Russian DPA, Roskomnadzor, held a recent open house to publicize its 2017 enforcement activities. If there was ever any doubt that Russian entities were paying attention to DP law, Roskomnadzor reported that over 400,000 data operators had registered with the authority through the end of 2017. The majority of data subject complaints received by the DPA were directed against banks, housing services providers and debt collection agencies, with general website operators also a significant focus of complaints. In a uniquely Russian approach to the latter, Roskomnadzor maintains a register of websites that violate data subjects' rights. In 2017, 453 websites were added to the register, with 176 blocked because of the seriousness of their violations, an increase in enforcement activity consistent with Roskomnadzor’s shift to systemic monitoring of entities as opposed to individual inspections.

Of particular note to US-based companies operating in Russia, Roskomnadzor clarified that data operators should obtain separate written consent for each purpose of processing. Such guidance is consistent with the GDPR’s requirements around granular consent, although compelling it to be in writing is not. Finally, in contrast with the weaker protections provided by US law, Roskomnadzor stated that personal data posted by social media users should not be treated as publicly available data and should only be processed on the basis of a lawful ground.

Thursday, March 1, 2018

US Supreme Court Hears Arguments in Microsoft-Ireland Case

On February 27, the US Supreme Court heard oral arguments in United States v. Microsoft Corp., where the issue, as described by the Court, is “whether a United States provider of email services must comply with a probable-cause-based warrant…by making disclosure in the United States of electronic communications within that provider's control, even if the provider has decided to store that material abroad.” Legal proceedings began in 2013 when Microsoft challenged a warrant by law enforcement issued under the 1986 Stored Communications Act to turn over email of a target account that was stored in Ireland, a position that was upheld by the US Court of Appeals for the Second Circuit in 2016. Dozens of amicus briefs in the case were filed by tech companies, industry associations, advocacy groups, scholars, legislators on both sides of the Atlantic, EU member states, the European Commission and attorneys general in 35 US states.

According to a report by Reuters, Supreme Court justices appeared to be divided during the hearing, with some, like Roberts and Alito, expressing sympathy for the government’s position and others, like Ginsburg and Sotomayor, questioning whether the court should act given that Congress is considering bipartisan legislation to resolve the issue.  A more extended analysis in the Lawfare blog suggests that a decision is unlikely to be made along ideological lines, that current Congressional deliberation on the CLOUD Act may be very influential, and that issues relating to sovereignty of foreign nations and global responses to any definitive ruling were only partially addressed.  A ruling in the case is expected in June.