Worldwide: 环球隐私及网络安全更新,第十期(英文版)


The complicated fabric of privacy and data security regulations in Asia continues to challenge multinational clients. The last few months have seen significant regulatory changes within Asia—strengthened enforcement measures in many countries, a more robust Japanese Personal Information Protection Act, the creation of a Personal Information Protection Commission in Japan, and others. These changes, coupled with developments in Europe and the Americas, compel businesses with a global footprint to constantly monitor and update their compliance practices.

Michiru Takahashi, a partner based in Tokyo, Japan, assists clients on various privacy issues, including cross-border transfers of personal data, internal compliance programs, and data breach response. She regularly advises Japan-based multinational clients on global data protection issues as well as cross-border data transfers from Europe to the Americas to Asian Pacific nations. Her experience in these areas makes her a valuable asset for Jones Day's global Cybersecurity, Privacy & Data Protection team as well for clients situated throughout the world.


Policy, Best Practices, and Standards

FTC Urges FCC to Protect Privacy in New Television Set-Top Box Rulemaking

On April 22, the Federal Trade Commission ("FTC") Bureau of Consumer Protection issued a comment urging the Federal Communications Commission ("FCC"), in its rules expanding commercial availability of television set-top boxes, to require third-party set-top box manufacturers to certify that their products comply with the same privacy regulations applicable to cable and satellite providers. The Director also emphasized the need for third-party set-top box makers to issue consumer-facing statements regarding compliance that would be enforceable by the FTC.

FTC Scrutinizes App Developers' Audio Monitoring Software

On March 17, the FTC issued warning letters to 12 app developers using audio beacon technologies in their apps. The technologies are designed to monitor consumers' television and other video viewing habits for the purpose of facilitating targeted advertising and analytics. The FTC warned companies that obtaining permission to access a device's microphone is not sufficient; apps using these technologies should disclose that audio will be recorded in the background and that viewing habits may be logged.

Critical Infrastructure

NIST Analyzes Feedback from Critical-Infrastructure Leaders

On March 24, the National Institute of Standards and Technology ("NIST") published an analysis of feedback on the voluntary, federally led Cybersecurity Framework received from critical-infrastructure leaders and others. NIST's analysis of the feedback affirms the framework's current uses, recommends refinements, and suggests future directions.

NIST Announces Updates to Guidance on Strengthening Remote-Access Data Security

On March 14, NIST announced upcoming updates to guidance on telework to include the latest technology available to strengthen an organization's remote-access data security. As part of the update, NIST sought comments on two draft publications through April 15.

Financial Services Roundtable Commends NIST Cybersecurity Framework

On February 25, the Financial Services Roundtable ("FSR") issued a press release praising the NIST Cybersecurity Framework as "the 'Rosetta Stone' of Cross-Sector Cyber Defense for U.S. Companies." The FSR stated that the NIST framework allows a diverse set of industries to easily apply common approaches to assess and prevent cyber attacks. The press release warned against regulation schemes that are not aligned with the NIST framework, which can require organizations to comply with multiple regimes that potentially conflict.


District Court Finds Online Retailer Not Authorized to Charge for Kids' In-App Purchases

On April 26, the FTC prevailed on summary judgment against an online retailer in the U.S. District Court for the Western District of Washington, alleging that the retailer billed consumers for unauthorized in-app purchases made by children. The court found the retailer's disclosure about the possibility of in-app purchases within otherwise free apps was insufficient to inform consumers about the charges children could incur within the app. The court order seeks further information from the parties regarding out-of-pocket costs to consumers for the unauthorized purchases.

Defense, National Security, Economic Espionage, and Other Criminal Matters

Presidential Telecommunications Group Suggests "Good Samaritan" Framework to Promote Data Sharing

On May 11, the President's National Security Telecommunications Advisory Committee met in Silicon Valley and suggested a "Good Samaritan" framework to allow both companies and individuals to provide data to the government following a cyber or terrorist attack or natural disaster without fear of subsequent privacy lawsuits. The framework is part of the Advisory Committee's Report on "Big Data Analytics" and was supported by numerous high-ranking defense officials.

FBI Names New Associate Executive Assistant Director for Criminal, Cyber, Response and Services Branch

On April 27, the Federal Bureau of Investigations ("FBI") announced a new associate executive assistant director of the Criminal, Cyber, Response and Services Branch. His responsibilities will include overseeing the development of the FBI's cyber policy and strategy.

SpyEye Malware Hackers Receive Prison Sentences Totaling More Than 24 Years

On April 20, the Department of Justice ("DOJ") announced that the two international hackers who created the SpyEye Trojan malware were sentenced to 15 years and nine-and-a-half years, respectively, in federal prison. From 2010 through 2012, SpyEye was the preeminent banking Trojan that allowed the theft of login information for bank accounts, PINs, and credit card information.

U.S. District Court Sentences Former NRC Employee to 18 Months in Prison for Spear-Phishing Attack

On April 11, the U.S. District Court for the District of Columbia sentenced a former employee of the U.S. Nuclear Regulatory Commission ("NRC") to 18 months in prison after he pleaded guilty to accessing a protected computer without authorization and intentionally damaging it by sending emails to particular Department of Energy employees that would install a virus on their computers upon opening it.

DOJ Announces Indictment of Seven Iranians Accused of Computer Hacking

On March 24, seven Iranian hackers were indicted on computer hacking charges relating to distributed denial of service ("DDoS") attacks directed at 46 U.S. financial sector businesses from 2011 through 2013. The hacks caused tens of millions of dollars in remediation damages and left hundreds of thousands of Americans without access to their online banking accounts.

U.S. Attorney General Addresses RSA Conference on Cybersecurity

On March 1, the U.S. Attorney General addressed the RSA Conference on Cybersecurity and described law enforcement's various efforts to combat cybercrime. Among other things, she touted the recent successful international operation that led to the shuttering of multiple "dark market" websites and discussed ongoing negotiations with the United Kingdom to allow UK authorities to investigate corporate accounts used by non-U.S. citizens or residents.

Financial Services

Credit Union National Association and National Association of State Credit Union Supervisors to Co-Host Cybersecurity Symposium

On August 1–2, the Credit Union National Association and National Association of State Credit Union Supervisors will host a third annual cybersecurity symposium. The event will focus on best practices and procedures that protect credit unions from the latest cyber threats.

Financial Services Sector Coordinating Council Releases Cyber Insurance Purchaser's Guide

On April 14, the Financial Services Sector Coordinating Council published a guide for organizations looking to mitigate the risks of a cybersecurity incident through the purchase of an insurance product. The guide provides an overview of the cyber insurance market and identifies key questions that a potential cyber insurance policyholder should consider.

SEC Brings Enforcement against Broker-Dealer for Failure to Adopt Policies and to Ensure Security of Customer Information

On April 12, the SEC instituted cease-and-desist proceedings against a broker-dealer and two of its principals based on the broker-dealer's "failure to adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer records and information" and "to make and keep certain communications relating to its business." The SEC alleged, in part, that the broker-dealer violated securities laws by using email addresses other than those with its domain name to receive faxes containing sensitive customer information.

SEC Director Acknowledges SEC's Efforts to Bolster Cybersecurity

On March 14, at the Investment Company Institute's 2016 Mutual Funds and Investment Management Conference, the SEC Director for the Division of Investment Management responded to concerns that enhancing the reporting framework for investment companies and advisers would make the SEC a target for cyber criminals. He noted that the SEC was addressing cybersecurity in order to protect the information that it collects. He specifically recounted that the SEC chair had requested "funds from Congress to maintain and enhance the Commission's cyber capabilities" and that the Commission was "implementing certain cybersecurity protocols that are consistent with" recommended standards.


Department of Homeland Security Notes Continued Deficiencies in TSA's Security Technology Integrated Program

On May 9, the Department of Homeland Security Office of the Inspector General issued the results of an audit into the Transportation Security Administration's ("TSA") Security Technology Integrated Program ("STIP"). The audit assessed the current extent of TSA deficiencies and corrective actions, and provided recommendations to TSA to improve control, security, and functionality of STIP IT assets.

Health Care/HIPAA

FTC Launches New Mobile Health App Interactive Tool

In April, mobile health app developers began using the FTC's newMobile Health App Interactive Tool to obtain legal guidance regarding issues facing their app. The tool asks developers high-level questions about the health app's function, the data it collects, and the services it provides. The tool then points developers to information about federal laws the app might trigger, including the FTC Act, the FTC's Health Breach Notification Rule, the Health Insurance Portability and Accountability Act ("HIPAA"), and the Federal Food, Drug and Cosmetics Act. The FTC also issued its own Best Practices Guide for Mobile Health App Developers.

OCR Launches Phase 2 of HIPAA Audit Program

On March 21, the Department of Health and Human Services' Office for Civil Rights ("OCR"), the body responsible for enforcing HIPAA, announced that it would begin planning its second phase of audits of covered entities and their business associates. In this phase of audits, the OCR will review policies and procedures that are required by HIPAA to be adopted and followed with respect to HIPAA's Privacy, Security, and Breach Notification Rules.

Litigation, Judicial Rulings, and Agency Enforcements

Seventh Circuit Overturns Data Breach Dismissal

On April 14, the Seventh Circuit overturned a district court's dismissal of a case against a large national food chain on the grounds that plaintiffs did in fact have standing to bring claims. The case stemmed from a security breach involving restaurant patrons' credit card information. The court found that claims for future injuries, namely, "the increased risk of fraudulent charges and identity theft," constituted injuries for the purpose of Article III standing.

California District Court Consolidates Claims Against TV Manufacturer for Improper Data Sharing

On April 11, the U.S. District Court for the Central District of California consolidated cases brought against a smart-TV manufacturer for improperly sharing users' information. Plaintiffs alleged that the TV manufacturer collected data regarding "the date, time, channel of programs and whether users watch them live or recorded," and shared this information with third parties. This information allowed the third parties to engage in advertising targeted at the specific consumer.

Court Prohibits Defendant from Accessing Private Computer Systems

On April 8, in a claim that arose out of the leakage of patients' private health information, a California district court prevented a national health care organization from accessing plaintiffs' computer systems as part of the discovery process. The health care organization sought this information to negate causation, intending to show that some plaintiffs' identities may have been compromised prior to the breach. However, the court disagreed and found "that the burden of providing access to each plaintiff's computer system greatly outweigh[ed] its likely benefit."

Payment Processor Files Motion to Dismiss Proposed Class Action

On April 8, a payment processor filed a motion to dismiss a class action resulting from a security breach of consumers' email addresses and bank account information in the Northern District of California. The defendants compared the breached bank account information to written checks, arguing that "checks containing names, email addresses, and account information are exchanged in the open amongst people and businesses all the time." They claimed that the court would set an "unparalleled precedent" in permitting the plaintiffs' claims to proceed.

Class Actions Filed Against Cancer Center for Data Breach

In early April, following a security breach of patients' medical records, several class action suits were filed against a large cancer treatment center, alleging financial harm and other injuries.

FTC Settles with Oracle Regarding Java Security

On March 29, the FTC approved a final consent order with a cloud applications provider related to allegations that the company misrepresented the safety and security of installing a new version of Java software, which left an insecure version of the software intact. Under the terms of the order, Oracle must notify consumers of the risk and give them the option of uninstalling the outdated software, in addition to providing website and social media notification about the issue.

California State Court Approves $39M Settlement in Medical Center Data Breach

In March, a California state court approved a $39M settlement against a medical center in southern California. The case stemmed from a security breach of patients' personal health information, which was made publicly accessible. The medical center notified the approximately 31,000 affected patients, who in turn filed consolidated class actions, alleging negligence and violations of the California Unfair Competition Law and the California Business and Professions Code, among other claims.


House Unanimously Passes Email Privacy Reform Bill

On April 27, the House of Representatives voted 419–0 to pass a bill to amend the 1986 Electronic Communications Privacy Act with regard to emails and documents stored in the cloud. The Email Privacy Act would require the government to obtain probable cause warrants to access digital consumer records maintained by service providers, which are currently obtainable after 180 days via subpoena or court order.

Senate FAA Reauthorization Bill Mandates Cybersecurity Framework for Aviation

On April 19, the Senate passed a Federal Aviation Administration ("FAA") reauthorization bill that makes changes to a number of aviation policies, including a mandate to the FAA to develop a comprehensive cybersecurity framework for U.S. aviation. The bill also: (i) directs the FAA Administrator to develop a threat model and a plan to respond to cyber attacks; (ii) establishes a working group on aircraft systems information security to monitor the rulemaking and make recommendations; and (iii) suggests that cybersecurity for avionics systems be added as a new component of airworthiness certification.

Trade Secrets Bill Creates Private Civil Right of Action for Businesses

On April 4, the Senate passed the Defend Trade Secrets Act, establishing a new federal private right of action under which businesses can sue for trade secret theft in federal court and potentially seize property used to facilitate the theft in "extraordinary circumstances."


Nebraska Amends Data Breach Notification Statute

On April 13, the Nebraska governor signed into law LB 835, which broadens the definition of "personal information" in the state's data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804, and adds a regulator notification requirement. The amendments take effect on July 20.

Tennessee Amends Data Breach Notification Statute

On March 24, the Tennessee governor signed S.B. 2005, which requires businesses and government agencies in Tennessee to notify state citizens affected by data breaches within 45 days of discovering a breach. The bill also expands state breach notification requirements to cover breaches of personal information regardless of whether the information was encrypted. The bill goes into effect on July 1.

Oregon Enacts Model Digital Assets Law

On March 3, 2016, Oregon enacted legislation providing personal representatives of deceased individuals access to the email and social media accounts of the deceased person. The bill was based on the Uniform Fiduciary Access to Digital Assets Act and will be effective on January 1, 2017.

Executive Branch—States

New Jersey Governor Establishes Cybersecurity and Communications Integration Cell

On May 20, the New Jersey governor signed Executive Order 178 establishing the New Jersey Cybersecurity and Communications Integration Cell ("NJCCIC") within the Office of Homeland Security and Preparedness, seeking to bridge the information and intelligence divide between New Jersey's public and private sectors. The NJCCIC's efforts, which will involve the New Jersey Attorney General's office and the Office of Information Technology and the State Police, will facilitate information sharing related to cybersecurity risks and provide guidance for both public and private entities.

New York AG Announces 40 Percent Increase in Data Breach Notifications and Unveils New Electronic Submission Form

On May 4, the New York attorney general announced that his office received a more than 40 percent increase in data breach notifications over the previous year. The attorney general also unveiled a new electronic submission form to allow companies to file notice via a web submission. This new reporting is designed to expedite and streamline the reporting process, leading to faster notification and resolution for New York consumers.


Canadian Prime Minister Announces Canada Will Co-Lead Initiatives to Increase Nuclear Facilities' Cybersecurity

On April 1, Prime Minister Justin Trudeau announced that Canada will jointly lead two Nuclear Security Summit ("NSS") "gift baskets." Gift baskets are mechanisms by which NSS participants take action in specific areas. One of these gift baskets, co-led with the United Kingdom, will focus on increasing cybersecurity of industrial control and plant systems at nuclear facilities.

The following Jones Day attorneys contributed to the United States and Canada sections: Jeremy Close, Steven Gersten, Jay Johnson, Colin Leary, Tyson Lies, Alexandra McDonald, Kelly Ozurovich, Nicole Perry, Scott Poteet, Jessi Sawyer, Alexa Sendukas, John Sullivan, and Anand Varadarajan.



Argentina's Data Protection Authority Investigates Uber

On April 22, a Buenos Aires judge ordered the preventive blockage of Uber's webpage (source document in Spanish), digital platforms, and applications offered by the company. Likewise, Argentina's data protection agency (Dirección Nacional de Protección de Datos Personales), in order to verify its compliance with the data protection regulation, requested that Uber disclose the data that it collects, the protection and confidentiality measures in place, and the data's destination.


Final Report of Cyber Crimes Congressional Hearing Issued

On March 31, a Congressional Hearing (Comissio Parlamentar de Inquérito) investigating cyber crimes drafted its Final Report (source document in Portuguese). The report proposed several amendments to the Brazilian Civil Rights Framework for the Internet and Brazilian Cyber Crimes Statute (source documents in Portuguese). These amendments would, among other things, increase liability for internet service providers broadcasting offensive materials, grant IP address permissions to law enforcement personnel, broaden criminal liability for those who unlawfully access computers, and grant cyber crime investigative jurisdiction to the Brazilian Federal Police.


Court of Santiago Issues Ruling Regarding CCTV

On March 4, the Court of Appeals of Santiago issued a ruling (source document in Spanish) ordering the removal of surveillance aerostatic balloons with a closed-circuit television ("CCTV") system installed by the municipalities of Las Condes and Lo Barnechea after determining that their use violated the privacy right of local citizens. The aerostatic balloons were equipped with high-resolution cameras floating over these communities, even recording inside homes that were under the capture range of the devices.


Mexican Voters Registration List Leaks through Online Retailer

On April 22, Mexico's National Electoral Institute ("INE") issued a press release (source document in Spanish) stating that voter registration lists were uploaded to an online retailer's data storage site and subsequently made public. Information on the lists included the names and addresses of approximately 90 million Mexican citizens enrolled in the voter registry. INE filed a criminal complaint with the Special Prosecutor's Office for Electoral Crimes against the person responsible, although there is currently no indication that security systems were breached.

New Mexican General Data Protection Law Moves Forward in Senate

On April 21, the United Commissions of Government and Legislative Studies of the Mexican Senate approved theGeneral Data Protection Law Held by Regulated Subjects (source document in Spanish). The law will regulate the processing of personal data by all agencies of the executive, legislative, and judicial branches of the government that previously did not have a regulatory framework on the processing of personal data. The right to the protection of personal data will be limited only for reasons of national security, public order provisions, public health and safety, or to protect third-party rights.

Mexican Supreme Court Limits Access to Mobile Data

On April 13, Mexico's National Supreme Court declared the constitutionality (source document in Spanish) of article 190 of the Telecommunications and Broadcasting Federal Law, which orders telecommunications service companies to cooperate with authorities in locating mobile communication equipment and to allow authorities to access communication records. Although the law was ruled constitutional, the Supreme Court stated that authorization of a federal court is required for telecommunications companies to deliver the information requested by the authorities.

The following Jones Day attorneys contributed to this section: Daniel D'Agostini, Guillermo Larrea, Monica Pe?a Islas, and Elie Sherique.


European Union

Commission and European Parliament Announce Final Adoption of General Data Protection Regulation

On April 14, the Commission announced the EU Parliament's adoption of the final text of the new General Data Protection Regulation. Together with the Council's vote on April 8, this concluded the legislative procedure and formalized the political agreement reached on December 15, 2015. The Regulation is expected to be published in the Official Journal in June 2016.

Commission Seeks Stakeholders' Input on ePrivacy Directive

On April 11, the Commission launched a public consultation on the ePrivacy Directive (Directive 2002/58) to align it with the General Data Protection Regulation and ensure the security of digital services, confidentiality and privacy of sensitive data, and consistent regulatory enforcement. The consultation will remain open until July 5.

European Data Protection Supervisor Publishes Guidance Relating to Personal Data Processing Security

On March 21, the European Data Protection Supervisor ("EDPS") released guidance on information security risk management, which issues recommendations on how European institutions can enforce and enhance a secure digital environment. The guidance accounts for the General Data Protection Regulation recently approved by the EU and includes a multidisciplinary assessment that covers several functions within an organization, such as Data Protection Officer and Information Technology.

Article 29 Working Party

Article 29 WP Issues Opinion on EU-U.S. Privacy Shield Draft Adequacy Decision

On April 13, the Article 29 Working Party ("WP") adopted an opinion on the new EU-U.S. Privacy Shield framework for transatlantic exchanges of personal data for commercial purposes. As summarized in its press release, the Article 29 WP welcomes the improvements over the invalidated Safe Harbor framework but expresses concerns over the commercial aspects and access by public authorities.

Article 29 WP Publishes Working Document on Justified Surveillance Measures When Transferring Personal Data

On April 13, the Article 29 WP issued a Working Document assessing how the invalidation of the Safe Harbor framework affected data transfers to the United States. Specifically, the document analyzes the Court of Justice case law related to Articles 7, 8, and 47 of the Charter of Fundamental Rights and the jurisprudence of the European Court of Human Rights related to Article 8 of the European Convention on Human Rights.

Article 29 WP Issues Statement on 2016 Action Plan for Implementation

On February 2, the Article 29 WP released a statement on the guidelines, tools, and procedures to implement the General Data Protection Regulation by the first quarter of 2018. The action plan is structured around four pillars: administration structure, consistency mechanisms, guidance for processors and controllers, and strengthened communication.

European Network and Information Security Agency

ENISA Publishes Report on Common Practices of EU-Level Crisis Management and Applicability to Cyber Crises

On April 4, the European Network and Information Security Agency ("ENISA") issued a report providing a series of key recommendations regarding EU-level priorities to alter the outcome of the next cyber crisis. The report discusses legal framework strategies, training coordination, and information sharing.

ENISA Releases Report Relating to Big Data Security

On March 8, ENISA published a study that identifies the key security challenges facing companies implementing big data solutions, from infrastructures to analytics applications, and how those challenges may be mitigated.


CNIL 2015 Report Shows Record Number of Complaints

On April 8, the Commission Nationale de l'Informatique et des Libertés ("CNIL") issued its annual report for 2015 (source document in French). CNIL recorded 7,908 complaints relating to the protection of e-reputation and 5,980 requests for indirect access to the judicial registers following the issuance of search warrants, security measures, and permit withdrawals. CNIL also carried out 501 online controls, issued 93 formal notices, and levied 10 sanctions, including three pecuniary sanctions.

CNIL Audits Wireless Network Devices

In April, CNIL announced (source document in French) that, together with the Article 29 WP, it will carry out an online audit in May to assess the impact of wireless network devices on users' private lives. The audit will target home automation devices and health-related devices, assessing the quality of information delivered, the security levels implemented, and data subject control over personal data. The audit results will be published this fall.

CNIL Launches Compliance Package for Connected Vehicles

On March 23, CNIL launched (source document in French) the process to define the sixth compliance package relating to connected vehicles. This process will involve automotive operators, insurance and telecoms innovative companies, and public authorities. The compliance package is aimed at establishing guidelines to ensure personal data protection and encourage innovation in the automotive sector.

CNIL Imposes €100,000 Fine on Internet Search Engine for Failure to Comply with Right To Be Forgotten

On March 10, CNIL summoned an internet search engine to comply with the requests to delist internet links from the web search results within a certain frame. The internet search engine proposed to delist within a specific geography and to implement a region filter, but CNIL still levied a €100,000 fine because the company failed to comply within the required time frame. According to CNIL's opinion, the right to privacy is a universal right requiring full delisting regardless of the user's geographic region.

ANSSI Issues New Security Guidelines for Integration and Maintenance Providers of Industrial Systems

On March 9, the working group on the cybersecurity of the industrial systems ("CT CSI"), led by the French National Agency for Information Systems Security ("ANSSI"), identified integration and maintenance providers as key cybersecurity actors because of their constant role in the system's life cycle. The working group issued new guidelines (source document in French) relating to the security requirements to be taken by both the providers and the beneficiaries.


Conference of German Data Protection Authorities Views Privacy Shield as Insufficient

On April 20, the Conference of the Independent German Federal and State Data Protection Authorities (Konferenz der unabh?ngigen Datenschutzbeh?rden des Bundes und der L?nder) ("Conference") issued a resolution (source document in German) holding the current version of the EU-U.S. Privacy Shield as insufficient to ensure adequate protection for data transfers to the United States. In the resolution, the Conference also requested the legislature provide for an independent right of action enabling data protection authorities to challenge adequacy decisions of the EU Commission before national courts.

German Federal Constitutional Court Declares Federal Criminal Police Office Act Partly Unconstitutional

On April 20, the German Federal Constitutional ruled (source document in German) that the Federal Criminal Police Office Act (Bundeskriminalamtgesetz) is partly unconstitutional as a disproportionate intervention into private life. The court criticized the provisions on secret surveillance measures, such as the surveillance of telecommunication and online searches and the rules for disclosing data to foreign security authorities and domestic intelligence services.


Italian DPA Adopts a Vademecum for Setting Guidelines for Credit Collection

On April 18, the Italian Data Protection Authority published the vademecum for credit collection (source document in Italian), summarizing general principles to be applied when creditors carry out activities aimed at collecting amounts due from debtors. The handbook does not introduce material changes to the existing regime but pinpoints the rights of debtors in the case of direct contacts from credit collectors.


SDPA Publishes Identity Theft Guidelines

On March 14, the Spanish Data Protection Agency ("SDPA") and the Council of Consumers and Users released basic guidelines (source document in Spanish) on protecting against identity theft in telecommunications services. Through these guidelines, citizens can learn about their legal rights relating to privacy and data protection in Spain.

Spanish Constitutional Court Allows Employers to Record Employees Without Disclosure

On March 3, the Spanish Constitutional Court issued a decision (source document in Italian) allowing employers to use video surveillance systems to record their employees without prior disclosure. In this case, the video surveillance system was introduced after a suspected employee was taking money from the cash register.

The Netherlands

DDPA Finds Web Forms Need More Secure Connections

On March 15, the Dutch Data Protection Agency ("DDPA") wrote a letter to the Royal Dutch Society for Physiotherapy (source document in Dutch) regarding earlier questions concerning the security of patient contact forms. The DDPA responded that sensitive personal data submitted through web applications needs to be presented through a secure, https connection.

DDPA Approves Processing of Personal Data by BREIN Foundation on BitTorrent Users

On March 14, the DDPA published a decision (source document in Dutch) approving BREIN's intention to process the personal data of BitTorrent users. The BREIN foundation, a joint antipiracy program of authors and artists, seeks to track users who infringe on the copyright of BREIN's affiliated parties. The personal data to be processed includes IP addresses and user names, and the scope of the investigation is limited to productions of parties affiliated with the BREIN foundation and to Dutch users of the BitTorrent network.

DDPA Declares Processing of Personal Health Data of Employees Unlawful

On March 8, the DDPA issued a press release (source document in Dutch) on two companies that provided activity trackers to their employees to monitor their physical exercise. One of the employers also monitored the sleep patterns of its employees. Although the employees gave their consent to the monitoring, and participation was voluntary, the DDPA found that the data gathered was "sensitive personal data" regarding personal health, which employers are not allowed to process.

United Kingdom

ICO States that Data Protection Rules Required Regardless of Brexit Vote

On April 19, the ICO issued a statement that the UK will continue to need clear and effective data protection laws, whether or not it remains in the EU. The statement emphasizes the increased need for effective practices in light of the growing digital economy.

ICO Brings Prosecution Against Former Employee for Attempt to Obtain Personal Data

On April 8, the ICO prosecuted a former employee for attempting to obtain personal data. The ICO has stressed that stealing personal information is a crime in the UK. The prosecution stemmed from a recent initiative for stricter penalties for data thieves.

ICO Issues Updated Guidance on Direct Marketing

On March 24, the ICO updated its guidance on online marketing. There is now a greater emphasis on the application of the marketing rules to the not-for-profit sector and direction regarding third-party consent.

ICO Publishes Guidance on the Use of Encryption

On March 3, the ICO issued guidance on the use of encryption to protect personal data. The guidance stressed key areas such as the use of USB memory sticks and the risk of sending personal data to the wrong recipient.

The following Jones Day attorneys contributed to this section: Paloma Bru, Laurent De Muyter, Olivier Haas, Jorg Hladjk, Bastiaan Kout, Jonathon Little, Guiseppe Mezzapesa, and Undine von Diemar.


People's Republic of China

Ministry of Commerce Publishes Draft Specifications for Mobile and Cross-Border Commodity e-Commence

On March 22, the Ministry of Commerce of the People's Republic of China published drafts of the Business Services Specification for Mobile Commodity E-commerce and Business Services Specification for Cross-border Commodity E-commerce (source documents in Chinese), which contain provisions that require e-commerce service providers to take measures to ensure the security of operational data and service platforms. Under the draft specifications, any collection and processing of personal or transaction information requires the authorization of the data subject or parties to the transaction, and such information may not be directly used for commercial purposes unless it has been desensitized.

Hong Kong

PCPD Sanctions Insurance Agent for Using Personal Data without Consent

On April 25, the Privacy Commissioner for Personal Data ("PCPD") released a media statement revealing that an insurance agent was convicted of two offenses under the Personal Data (Privacy) Ordinance for using personal data in direct marketing without taking specified actions and obtaining the data subject's consent, and for failing to inform the data subject of his opt-out right when using his personal data in direct marketing. A Community Service Order of 80 hours was imposed by the court on the convicted insurance agent.

PCPD Joins Global Sweep Exercise

On April 15, PCPD announced that it had joined the Global Privacy Enforcement Network to conduct a privacy sweep from April 11, examining data privacy issues relating to Internet of Things devices such as smart electricity meters and internet-connected thermostats. PCPD had chosen to examine fitness bands produced in Hong Kong for the sweep exercise as well. The results of the sweep will be published in the third quarter of 2016.


Diet Passes Amending Bill to Set New Rules to Utilize Personal Information Held by Administrative Organs

On March 8, the Cabinet submitted a bill (source document in Japanese) to the Diet to amend the law protecting personal information held by administrative institutions. These amendments mirror recent amendments affecting personal information held by the private sector under the Personal Information Protection Act and set new rules for private entities to utilize personal information held by administrative institutions through an anonymization process. The bill passed the Diet on May 20 and will take effect before September 2017.


PDPC Issues Enforcement Guidelines

On April 21, the Personal Data Protection Commission ("PDPC") issued Advisory Guidelines on Enforcement for Data Protection Provisions. These guidelines outline the agency's enforcement procedures as they relate to alternative dispute resolutions, investigations, appellate rights, and rights of private action.

PDPC Releases List of Enforcement Actions

On April 21, PDPC released a list of enforcement actions brought by the agency over the past year. The list details the facts and circumstances surrounding 10 data breach-related actions in which organizations were breached or disclosed consumer data without consent. The list also discusses the penalties levied against these organizations.


The Executive Yuan Announces Effective Date of Amendments to Personal Information Protection Act

On February 25, the Executive Yuan announced (source document in Chinese) that the December 30, 2015 amendments to the Personal Information Protection Act will take effect on March 15. After the amendments take effect, personal data collection no longer requires consent unless the information relates to sensitive data, such as medical records, medical treatment, genetic information, health examinations, and criminal records.

The following Jones Day attorneys contributed to this section: Chiang Ling Li, Michiru Takahashi, and Richard Zeng.


Australian Privacy Awareness Week Held

Beginning May 15, the Office of the Australian Information Commissioner held its Privacy Awareness Week. The week's events were highlighted by a visit from the United Nations Special Rapporteur on the Right to Privacy, who hosted a Business Breakfast in Sydney and a public lecture on privacy in Canberra.

Australian Prime Minister Announces Cyber Security Strategy

On April 21, the Prime Minister of Australia announced the Australian Cyber Security Strategy for the next four years. Under the Strategy, the federal government proposes to spend A$230 million for initiatives to: (i) strengthen defenses to cybersecurity threats, including increasing the capacity of Australia's Computer Emergency Response Team and the Australian Cyber Security Center; (ii) appoint a Cyber Ambassador to represent Australia in international cyber issues; (iii) establish a Cyber Security Growth Center for cybersecurity research and development; and (iv) establish a fund for cybersecurity education.

The following Jones Day attorneys contributed to the Australia section: Adam Salter, Peter Brabant, and Nicola Walker.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions