International

By Eric Carlson and Scott Livingston

On Friday, August 8, 2014, a Chinese court convicted British fraud investigator Peter Humphrey and his wife, Yu Yingzeng, a naturalized US citizen, of illegally obtaining personal information.  Mr. Humphrey was sentenced to two and a half years in prison and fined RMB 200,000 (about US $32,000); Ms. Yu was sentenced to two years in prison and fined RMB 150,000 (US $24,000).  For more information on the original arrests and Mr. Humphrey’s subsequent confession on state-owned TV, please see our earlier blog post here.

The husband and wife team ran a China-based consulting firm, ChinaWhys Co., that specialized in providing risk advisory services to multinational companies doing business in China.  Under China’s Criminal Law, companies and individuals are subject to criminal penalties for illegally selling or obtaining the personal information of others where such violation is “serious.”  Prosecutors alleged that the couple violated the law’s prohibition on illegal obtainment by collecting 256 personal information records, including hukou (city residential permit) information, family information, and travel and phone records.  According to prosecutors, ChinaWhys purchased this information for RMB 800 to RMB 2000 (about US $130 to $325) per record and used it in background investigation reports prepared for ChinaWhys’ clients.

On Thursday, the Court of Justice of the EU ordered Sweden to pay a lump sum of €3 million for failure to transpose the EU’s Data Retention Directive (the “Directive”) into national law within the prescribed period.  The Directive obliges electronic communications service providers to store information about communications for a period of 6 – 24 months in case they are needed by law enforcement authorities.  The deadline for EU Member States to transpose the Directive had expired on September 15, 2007.  In 2010, following an initial action brought by the European Commission, the Court held that Sweden had exceeded the time limit for adopting the laws, regulations and administrative provisions necessary to comply with the Directive.

In 2011, the Commission brought a subsequent action, asking the Court to order Sweden to pay a daily penalty for each day that Sweden delays in complying with that judgment.  In March 2012, however, the Swedish Parliament adopted measures transposing the Directive into Swedish legislation.  As a result, the Commission withdrew the request for a daily penalty payment, but maintained its claim regarding the payment of a lump sum.

In Thursday’s judgment, the Court held that it was necessary to order Sweden to make a lump sum payment as it had failed to fulfill its obligations under EU law.  In particular, the Court considered the impact of Sweden’s failure on both public and private interests, especially in view of the Directive’s aim to ensure that electronic communications data are available for the purpose of the investigation, detection and prosecution of serious crime. In calculating the amount, the Court also considered the duration of the infringement, which continued for over two years, and the fact that Sweden was a first-time “offender.”

By Mark Young and Oliver Grazebrook

The Irish Presidency of the Council of the EU has published a progress report on negotiations at Member State level on the EU CyberSecurity Strategy and proposed EU Directive on Network and Information Security (“NIS Directive”).  As we summarised in this post, if enacted in its current form, the NIS Directive will require companies in the energy, transport, financial services and health sectors, as well as a broad range of online companies, to implement mandatory security measures and report significant security incidents to national authorities.

Member States clearly have concerns with some fundamental aspects of the proposals.  The Presidency has highlighted the following issues:

Commission’s Impact Assessment (IA)

  • Several Member States have pointed out that the impact assessment does not sufficiently justify why specific sectors have been included in the proposal, such as “enablers of information society services”, and others have not, such as hardware/software manufacturers.
  • Most Member States have also raised the issue of the perceived significant costs involved in implementing the Directive and regretted that the IA fails to sufficiently assess the possible benefits. 
  • At a more fundamental level, Member States have requested further justification from the Commission as to why a legislative, rather than a voluntary, approach would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks and threats.


On Friday, an Italian appeals court in Milan overturned the 2010 criminal conviction of three Google Inc. executives for violating the privacy of a disabled boy by allowing a video of students bullying him to appear on Google Video. In February 2010, a court handed down six-month prison sentences to three senior Google executives—Senior Vice

By Alex Berengaut

On Monday, October 29, the Supreme Court heard oral argument in Clapper v. Amnesty International (No. 11-1025), a challenge brought by the American Civil Liberties Union (ACLU) against the FISA Amendments Act (FAA) of 2008.  The FAA amended the Foreign Intelligence Surveillance Act (FISA) of 1978 by authorizing new procedures for electronic

On 4 September, 2012, the Cayman Islands’ Data Protection Working Group (DPWG) released a consultation paper, inviting comments from the public on the draft Cayman Islands Data Protection Bill 2012. The Bill, which is modelled on the European Framework Data Protection Directive 95/46/EC, aims to protect individuals’ rights regarding the collection and use of personal

On 21 August 2012, the European Commission issued an Implementing Decision (the “Decision”) confirming that the Eastern Republic of Uruguay provides an adequate level of protection for personal data transferred from the European Union.  The effect of the Decision is to allow organizations established in European Member States to transfer personal data to organizations in Uruguay without additional protective measures being necessary.  It comes nearly four years after the country enacted its data protection statute, Act no. 18.331 on the Protection of Personal Data and Habeas Data Action of 11 August 2008 (the “Act”).

On March 20, 2012, the Philippines Senate unanimously passed the Data Privacy Act of 2011 (“the Act”) on its third and final reading. According to one of its sponsors, Senator Edgardo Angara, the Act is heavily based on the current EU Data Protection Directive (Directive 95/46/EC) and meets the standards of the Asia Pacific Economic Cooperation Privacy Framework. Legislators stated that the Act was necessary due to the importance of the IT industry to the Philippine economy and the need for the Philippines to adhere to international standards.

A key provision of the legislation is the creation of a data protection authority, the National Privacy Commission, whose role it will be to implement and enforce the Act’s provisions. The Act also sets out a range of penalties for offences such as the unauthorized processing or unauthorized disclosure of personal information. These include prison terms of up to six years and fines of up to PHP 5,000,000. The power to prosecute and impose these penalties, however, will rest with the Department of Justice, not the National Privacy Commission.