On Thursday, the Court of Justice of the EU ordered Sweden to pay a lump sum of €3 million for failure to transpose the EU’s Data Retention Directive (the “Directive”) into national law within the prescribed period.  The Directive obliges electronic communications service providers to store information about communications for a period of 6 – 24 months in case they are needed by law enforcement authorities.  The deadline for EU Member States to transpose the Directive had expired on September 15, 2007.  In 2010, following an initial action brought by the European Commission, the Court held that Sweden had exceeded the time limit for adopting the laws, regulations and administrative provisions necessary to comply with the Directive.

In 2011, the Commission brought a subsequent action, asking the Court to order Sweden to pay a daily penalty for each day that Sweden delays in complying with that judgment.  In March 2012, however, the Swedish Parliament adopted measures transposing the Directive into Swedish legislation.  As a result, the Commission withdrew the request for a daily penalty payment, but maintained its claim regarding the payment of a lump sum.

In Thursday’s judgment, the Court held that it was necessary to order Sweden to make a lump sum payment as it had failed to fulfill its obligations under EU law.  In particular, the Court considered the impact of Sweden’s failure on both public and private interests, especially in view of the Directive’s aim to ensure that electronic communications data are available for the purpose of the investigation, detection and prosecution of serious crime. In calculating the amount, the Court also considered the fact that the infringement had continued for over two years and that Sweden was a first-time “offender.”


By Mark Young and Oliver Grazebrook

The Irish Presidency of the Council of the EU has published a progress report on negotiations at Member State level on the EU Cybersecurity Strategy and the proposed EU Directive on Network and Information Security (“NIS Directive”).  As we summarised in this post, if enacted in its current form, the NIS Directive will require companies in the energy, transport, financial services and health sectors, as well as a broad range of online companies, to implement mandatory security measures and report significant security incidents to national authorities.

Member States clearly have concerns with some fundamental aspects of the proposals.  The Presidency has highlighted the following issues:

Commission’s Impact Assessment (IA)

  • Several Member States have pointed out that the impact assessment does not sufficiently justify why specific sectors have been included in the proposal, such as “enablers of information society services”, and others have not, such as hardware/software manufacturers.
  • Most Member States have also raised the issue of the perceived significant costs involved in implementing the Directive and regretted that the IA fails to sufficiently assess the possible benefits. 
  • At a more fundamental level, Member States have requested further justification from the Commission as to why a legislative, rather than a voluntary, approach would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks and threats.



On Friday, an Italian appeals court in Milan overturned the 2010 criminal conviction of three Google Inc. executives for violating the privacy of a disabled boy by allowing a video of students bullying him to appear on Google Video. In February 2010, a court handed down six-month prison sentences to three senior Google executives—Senior Vice

By Alex Berengaut

On Monday, October 29, the Supreme Court heard oral argument in Clapper v. Amnesty International (No. 11-1025), a challenge brought by the American Civil Liberties Union (ACLU) against the FISA Amendments Act (FAA) of 2008.  The FAA amended the Foreign Intelligence Surveillance Act (FISA) of 1978 by authorizing new procedures for electronic

On 4 September, 2012, the Cayman Islands’ Data Protection Working Group (DPWG) released a consultation paper, inviting comments from the public on the draft Cayman Islands Data Protection Bill 2012. The Bill, which is modelled on the European Framework Data Protection Directive 95/46/EC, aims to protect individuals’ rights regarding the collection and use of personal

On 21 August 2012, the European Commission issued an Implementing Decision (the “Decision”) confirming that the Eastern Republic of Uruguay provides an adequate level of protection for personal data transferred from the European Union.  The effect of the Decision is to allow organizations established in European Member States to transfer personal data to organizations in Uruguay without additional protective measures being necessary.  It comes nearly four years after the country enacted its data protection statute, Act no. 18.331 on the Protection of Personal Data and Habeas Data Action of 11 August 2008 (the “Act”).


On March 20, 2012, the Philippines Senate unanimously passed the Data Privacy Act of 2011 (“the Act”) on its third and final reading. According to one of its sponsors, Senator Edgardo Angara, the Act is heavily based on the current EU Data Protection Directive (Directive 95/46/EC) and meets the standards of the Asia Pacific Economic Cooperation Privacy Framework. Legislators stated that the Act was necessary due to the importance of the IT industry to the Philippine economy and the need for the Philippines to adhere to international standards.

A key provision of the legislation is the creation of a data protection authority, the National Privacy Commission, whose role it will be to implement and enforce the Act’s provisions. The Act also sets out a range of penalties for offences such as the unauthorized processing or unauthorized disclosure of personal information. These include prison terms of up to six years and fines of up to PHP 5,000,000. The power to prosecute and impose these penalties, however, will rest with the Department of Justice, not the National Privacy Commission.


Last week, the American Bar Association adopted a rule calling on U.S. courts to “consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign . . . with regard to data sought in discovery in civil litigation.”  In an extensive report accompanying the new rule, the ABA detailed the tensions that exist between the liberal discovery standards under the Federal Rules of Civil Procedure and the strict data protection regimes in many foreign countries. 
