Data Localization

Subscribe to Data Localization

On the second episode of our Inside Privacy Audiocast, we are aiming our looking glass at Russia, and are joined for our discussion by Partner Maria Ostashenko and Senior Associate Anastasia Petrova of the Data Protection and Cybersecurity practice at the Alrud law firm in Moscow.

The pair discuss Russia’s data protection framework, zooming in

On July 27, 2018, the Government of India’s Committee of Experts released a draft Protection of Personal Data Bill. Together with an accompanying report, the draft bill moves India one step closer towards enacting a comprehensive data protection regime.

Last year, the Supreme Court of India issued a landmark decision holding that privacy is a fundamental right under India’s Constitution. In that opinion, the Court invited the Government of India to formulate “a regime for data protection.” As a result, the Government established the Committee of Experts “to study various issues relating to data protection in India, make specific suggestions on principles underlying a data protection bill and draft such a bill.”

In November 2017, that Committee released a White Paper that outlined its views on data protection and solicited public comments. The draft bill incorporates those comments as well as the Committee’s own analysis.
Continue Reading India’s Committee of Experts Releases Draft Personal Data Protection Bill

On December 21, 2016 the Court of Justice of European Union (“CJEU”) issued its judgment in Joined Cases C-203/15 and C-698/15, Tele2 /Watson.

The decision considered the legality of UK and Swedish laws permitting the generalized retention of communications metadata (for 6-12 months) for the purposes of prevention, detection or prosecution of crime (not

On November 11, 2016, a Russian court in Moscow upheld the decision of an earlier court to block online access to the website LinkedIn throughout Russia.  This decision, which affirms a decision to penalize LinkedIn by the Russian data protection regulator, the Roskomnadzor, was based on the court’s view that LinkedIn had breached the new

On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here).

That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11).  Once translated and published in the Official Journal of the EU, the adequacy decision will then enter into force.

However, there may need to be an implementation period during which the EU and U.S. put in place relevant structures; it is expected that Commissioner Věra Jourová will provide more details to the European Parliament on Monday, and in a joint press conference on Tuesday with U.S. Secretary of Commerce Penny Pritzker.

Once that implementation phase is complete, U.S.-based companies will be able to self-certify under the Privacy Shield.  Doing so provides a legal basis which entities in the European Economic Area can rely on to transfer personal data to those Privacy Shield-certified companies in the US.
Continue Reading Privacy Shield Deal Passes Major EU Hurdle

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany).  The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give shape to these concerns.
Continue Reading Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

 

  1. The CJEU “Right to be Forgotten” Ruling.  In May 2014, the Court of Justice of the European Union (CJEU) delivered an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12).  The CJEU’s decision re-interpreted European data protection law to include a so-called “right to be forgotten” that enabled individuals to request search engines to block links that appear on searches of their names if the links go to information that is incomplete, inaccurate, irrelevant, or otherwise damaging to an individual’s privacy.  (This right is limited in the case of public figures, however.)  The decision also found that Google was subject to European data protection law because it operated subsidiaries in Europe whose business was to raise advertising revenues in relation to the search engine’s data processing activities.  The decision triggered an immediate tidal wave of tens of thousands of requests to Google and other search engines that continues to raise controversies to this day.
  1. CJEU strikes down the Data Retention Directive as invalid. In April 2014, the CJEU took the rare step of annulling the controversial Data Retention Directive, which mandated the systematic (“bulk”) retention of communications metadata by telecommunications companies in the EU, for potential access by law enforcement authorities (see our blog post here).  The Court criticised the Directive’s indiscriminate targeting of suspects and non-suspects alike, and the law’s general lack of safeguards, finding that it amounted to an “interference with the fundamental rights of practically the entire European population” contrary to Articles 7 and 8 of the Charter of Fundamental Rights of the EU.  The Directive’s invalidation raised questions about the continuing validity of the national laws that had implemented the Directive throughout the EU.  In the UK, this lead to the accelerated adoption of substitute legislation, the Data Retention and Investigatory Powers Act 2014 (“DRIPA”), and its implementing regulations.
    Continue Reading Top 10 International Privacy Developments of 2014

By Philippe Bradley and Dan Cooper

On April 23rd, 2014 Brazil’s president signed into law a wide-ranging civil rights bill for Internet users and service providers (the “Marco Civil da Internet”, or “Marco Civil”).  The law had been in the works since 2009; it was made a priority by the Brazilian government in the wake of Edward Snowden’s revelations about NSA espionage activities targeting Brazilian communications data.  This short article discusses the main provisions of the new law.

Continue Reading Brazil Enacts “Marco Civil” Internet Civil Rights Bill