Worldwide: Global Privacy & Cybersecurity Update, Issue 10 (English Version)


The complicated fabric of privacy and data security regulations in Asia continues to challenge multinational clients. The last few months have seen significant regulatory changes within Asia—strengthened enforcement measures in many countries, a more robust Japanese Personal Information Protection Act, the creation of a Personal Information Protection Commission in Japan, and others. These changes, coupled with developments in Europe and the Americas, compel businesses with a global footprint to constantly monitor and update their compliance practices.

Michiru Takahashi, a partner based in Tokyo, Japan, assists clients on various privacy issues, including cross-border transfers of personal data, internal compliance programs, and data breach response. She regularly advises Japan-based multinational clients on global data protection issues as well as cross-border data transfers from Europe to the Americas to Asian Pacific nations. Her experience in these areas makes her a valuable asset for Jones Day's global Cybersecurity, Privacy & Data Protection team as well as for clients situated throughout the world.


Policy, Best Practices, and Standards

FTC Urges FCC to Protect Privacy in New Television Set-Top Box Rulemaking

On April 22, the Federal Trade Commission ("FTC") Bureau of Consumer Protection issued a comment urging the Federal Communications Commission ("FCC"), in its rules expanding commercial availability of television set-top boxes, to require third-party set-top box manufacturers to certify that their products comply with the same privacy regulations applicable to cable and satellite providers. The Director also emphasized the need for third-party set-top box makers to issue consumer-facing statements regarding compliance that would be enforceable by the FTC.

FTC Scrutinizes App Developers' Audio Monitoring Software

On March 17, the FTC issued warning letters to 12 app developers using audio beacon technologies in their apps. The technologies are designed to monitor consumers' television and other video viewing habits for the purpose of facilitating targeted advertising and analytics. The FTC warned companies that obtaining permission to access a device's microphone is not sufficient; apps using these technologies should disclose that audio will be recorded in the background and that viewing habits may be logged.

Critical Infrastructure

NIST Analyzes Feedback from Critical-Infrastructure Leaders

On March 24, the National Institute of Standards and Technology ("NIST") published an analysis of feedback on the voluntary, federally led Cybersecurity Framework received from critical-infrastructure leaders and others. NIST's analysis of the feedback affirms the framework's current uses, recommends refinements, and suggests future directions.

NIST Announces Updates to Guidance on Strengthening Remote-Access Data Security

On March 14, NIST announced upcoming updates to guidance on telework to include the latest technology available to strengthen an organization's remote-access data security. As part of the update, NIST sought comments on two draft publications through April 15.

Financial Services Roundtable Commends NIST Cybersecurity Framework

On February 25, the Financial Services Roundtable ("FSR") issued a press release praising the NIST Cybersecurity Framework as "the 'Rosetta Stone' of Cross-Sector Cyber Defense for U.S. Companies." The FSR stated that the NIST framework allows a diverse set of industries to easily apply common approaches to assess and prevent cyber attacks. The press release warned against regulation schemes that are not aligned with the NIST framework, which can require organizations to comply with multiple regimes that potentially conflict.


District Court Finds Online Retailer Not Authorized to Charge for Kids' In-App Purchases

On April 26, the FTC prevailed on summary judgment against an online retailer in the U.S. District Court for the Western District of Washington, alleging that the retailer billed consumers for unauthorized in-app purchases made by children. The court found the retailer's disclosure about the possibility of in-app purchases within otherwise free apps was insufficient to inform consumers about the charges children could incur within the app. The court order seeks further information from the parties regarding out-of-pocket costs to consumers for the unauthorized purchases.

Defense, National Security, Economic Espionage, and Other Criminal Matters

Presidential Telecommunications Group Suggests "Good Samaritan" Framework to Promote Data Sharing

On May 11, the President's National Security Telecommunications Advisory Committee met in Silicon Valley and suggested a "Good Samaritan" framework to allow both companies and individuals to provide data to the government following a cyber or terrorist attack or natural disaster without fear of subsequent privacy lawsuits. The framework is part of the Advisory Committee's Report on "Big Data Analytics" and was supported by numerous high-ranking defense officials.

FBI Names New Associate Executive Assistant Director for Criminal, Cyber, Response and Services Branch

On April 27, the Federal Bureau of Investigation ("FBI") announced a new associate executive assistant director of the Criminal, Cyber, Response and Services Branch. His responsibilities will include overseeing the development of the FBI's cyber policy and strategy.

SpyEye Malware Hackers Receive Prison Sentences Totaling More Than 24 Years

On April 20, the Department of Justice ("DOJ") announced that the two international hackers who created the SpyEye Trojan malware were sentenced to 15 years and nine-and-a-half years, respectively, in federal prison. From 2010 through 2012, SpyEye was the preeminent banking Trojan that allowed the theft of login information for bank accounts, PINs, and credit card information.

U.S. District Court Sentences Former NRC Employee to 18 Months in Prison for Spear-Phishing Attack

On April 11, the U.S. District Court for the District of Columbia sentenced a former employee of the U.S. Nuclear Regulatory Commission ("NRC") to 18 months in prison after he pleaded guilty to accessing a protected computer without authorization and intentionally damaging it by sending emails to particular Department of Energy employees that would install a virus on their computers upon being opened.

DOJ Announces Indictment of Seven Iranians Accused of Computer Hacking

On March 24, seven Iranian hackers were indicted on computer hacking charges relating to distributed denial of service ("DDoS") attacks directed at 46 U.S. financial sector businesses from 2011 through 2013. The hacks caused tens of millions of dollars in remediation damages and left hundreds of thousands of Americans without access to their online banking accounts.

U.S. Attorney General Addresses RSA Conference on Cybersecurity

On March 1, the U.S. Attorney General addressed the RSA Conference on Cybersecurity and described law enforcement's various efforts to combat cybercrime. Among other things, she touted the recent successful international operation that led to the shuttering of multiple "dark market" websites and discussed ongoing negotiations with the United Kingdom to allow UK authorities to investigate corporate accounts used by non-U.S. citizens or residents.

Financial Services

Credit Union National Association and National Association of State Credit Union Supervisors to Co-Host Cybersecurity Symposium

On August 1–2, the Credit Union National Association and National Association of State Credit Union Supervisors will host a third annual cybersecurity symposium. The event will focus on best practices and procedures that protect credit unions from the latest cyber threats.

Financial Services Sector Coordinating Council Releases Cyber Insurance Purchaser's Guide

On April 14, the Financial Services Sector Coordinating Council published a guide for organizations looking to mitigate the risks of a cybersecurity incident through the purchase of an insurance product. The guide provides an overview of the cyber insurance market and identifies key questions that a potential cyber insurance policyholder should consider.

SEC Brings Enforcement against Broker-Dealer for Failure to Adopt Policies and to Ensure Security of Customer Information

On April 12, the SEC instituted cease-and-desist proceedings against a broker-dealer and two of its principals based on the broker-dealer's "failure to adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer records and information" and "to make and keep certain communications relating to its business." The SEC alleged, in part, that the broker-dealer violated securities laws by using email addresses other than those with its domain name to receive faxes containing sensitive customer information.

SEC Director Acknowledges SEC's Efforts to Bolster Cybersecurity

On March 14, at the Investment Company Institute's 2016 Mutual Funds and Investment Management Conference, the SEC Director for the Division of Investment Management responded to concerns that enhancing the reporting framework for investment companies and advisers would make the SEC a target for cyber criminals. He noted that the SEC was addressing cybersecurity in order to protect the information that it collects. He specifically recounted that the SEC chair had requested "funds from Congress to maintain and enhance the Commission's cyber capabilities" and that the Commission was "implementing certain cybersecurity protocols that are consistent with" recommended standards.


Department of Homeland Security Notes Continued Deficiencies in TSA's Security Technology Integrated Program

On May 9, the Department of Homeland Security Office of the Inspector General issued the results of an audit into the Transportation Security Administration's ("TSA") Security Technology Integrated Program ("STIP"). The audit assessed the current extent of TSA deficiencies and corrective actions, and provided recommendations to TSA to improve control, security, and functionality of STIP IT assets.

Health Care/HIPAA

FTC Launches New Mobile Health App Interactive Tool

In April, mobile health app developers began using the FTC's new Mobile Health App Interactive Tool to obtain legal guidance regarding issues facing their app. The tool asks developers high-level questions about the health app's function, the data it collects, and the services it provides. The tool then points developers to information about federal laws the app might trigger, including the FTC Act, the FTC's Health Breach Notification Rule, the Health Insurance Portability and Accountability Act ("HIPAA"), and the Federal Food, Drug and Cosmetics Act. The FTC also issued its own Best Practices Guide for Mobile Health App Developers.

OCR Launches Phase 2 of HIPAA Audit Program

On March 21, the Department of Health and Human Services' Office for Civil Rights ("OCR"), the body responsible for enforcing HIPAA, announced that it would begin planning its second phase of audits of covered entities and their business associates. In this phase of audits, the OCR will review policies and procedures that are required by HIPAA to be adopted and followed with respect to HIPAA's Privacy, Security, and Breach Notification Rules.

Litigation, Judicial Rulings, and Agency Enforcements

Seventh Circuit Overturns Data Breach Dismissal

On April 14, the Seventh Circuit overturned a district court's dismissal of a case against a large national food chain on the grounds that plaintiffs did in fact have standing to bring claims. The case stemmed from a security breach involving restaurant patrons' credit card information. The court found that claims for future injuries, namely, "the increased risk of fraudulent charges and identity theft," constituted injuries for the purpose of Article III standing.

California District Court Consolidates Claims Against TV Manufacturer for Improper Data Sharing

On April 11, the U.S. District Court for the Central District of California consolidated cases brought against a smart-TV manufacturer for improperly sharing users' information. Plaintiffs alleged that the TV manufacturer collected data regarding "the date, time, channel of programs and whether users watch them live or recorded," and shared this information with third parties. This information allowed the third parties to engage in advertising targeted at the specific consumer.

Court Prohibits Defendant from Accessing Private Computer Systems

On April 8, in a claim that arose out of the leakage of patients' private health information, a California district court prevented a national health care organization from accessing plaintiffs' computer systems as part of the discovery process. The health care organization sought this information to negate causation, intending to show that some plaintiffs' identities may have been compromised prior to the breach. However, the court disagreed and found "that the burden of providing access to each plaintiff's computer system greatly outweigh[ed] its likely benefit."

Payment Processor Files Motion to Dismiss Proposed Class Action

On April 8, a payment processor filed a motion to dismiss a class action resulting from a security breach of consumers' email addresses and bank account information in the Northern District of California. The defendants compared the breached bank account information to written checks, arguing that "checks containing names, email addresses, and account information are exchanged in the open amongst people and businesses all the time." They claimed that the court would set an "unparalleled precedent" in permitting the plaintiffs' claims to proceed.

Class Actions Filed Against Cancer Center for Data Breach

In early April, following a security breach of patients' medical records, several class action suits were filed against a large cancer treatment center, alleging financial harm and other injuries.

FTC Settles with Oracle Regarding Java Security

On March 29, the FTC approved a final consent order with a cloud applications provider related to allegations that the company misrepresented the safety and security of installing a new version of Java software, which left an insecure version of the software intact. Under the terms of the order, Oracle must notify consumers of the risk and give them the option of uninstalling the outdated software, in addition to providing website and social media notification about the issue.

California State Court Approves $39M Settlement in Medical Center Data Breach

In March, a California state court approved a $39M settlement against a medical center in southern California. The case stemmed from a security breach of patients' personal health information, which was made publicly accessible. The medical center notified the approximately 31,000 affected patients, who in turn filed consolidated class actions, alleging negligence and violations of the California Unfair Competition Law and the California Business and Professions Code, among other claims.


House Unanimously Passes Email Privacy Reform Bill

On April 27, the House of Representatives voted 419–0 to pass a bill to amend the 1986 Electronic Communications Privacy Act with regard to emails and documents stored in the cloud. The Email Privacy Act would require the government to obtain probable cause warrants to access digital consumer records maintained by service providers, which are currently obtainable after 180 days via subpoena or court order.

Senate FAA Reauthorization Bill Mandates Cybersecurity Framework for Aviation

On April 19, the Senate passed a Federal Aviation Administration ("FAA") reauthorization bill that makes changes to a number of aviation policies, including a mandate to the FAA to develop a comprehensive cybersecurity framework for U.S. aviation. The bill also: (i) directs the FAA Administrator to develop a threat model and a plan to respond to cyber attacks; (ii) establishes a working group on aircraft systems information security to monitor the rulemaking and make recommendations; and (iii) suggests that cybersecurity for avionics systems be added as a new component of airworthiness certification.

Trade Secrets Bill Creates Private Civil Right of Action for Businesses

On April 4, the Senate passed the Defend Trade Secrets Act, establishing a new federal private right of action under which businesses can sue for trade secret theft in federal court and potentially seize property used to facilitate the theft in "extraordinary circumstances."


Nebraska Amends Data Breach Notification Statute

On April 13, the Nebraska governor signed into law LB 835, which broadens the definition of "personal information" in the state's data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804, and adds a regulator notification requirement. The amendments take effect on July 20.

Tennessee Amends Data Breach Notification Statute

On March 24, the Tennessee governor signed S.B. 2005, which requires businesses and government agencies in Tennessee to notify state citizens affected by data breaches within 45 days of discovering a breach. The bill also expands state breach notification requirements to cover breaches of personal information regardless of whether the information was encrypted. The bill goes into effect on July 1.

Oregon Enacts Model Digital Assets Law

On March 3, 2016, Oregon enacted legislation providing personal representatives of deceased individuals access to the email and social media accounts of the deceased person. The bill was based on the Uniform Fiduciary Access to Digital Assets Act and will be effective on January 1, 2017.

Executive Branch—States

New Jersey Governor Establishes Cybersecurity and Communications Integration Cell

On May 20, the New Jersey governor signed Executive Order 178 establishing the New Jersey Cybersecurity and Communications Integration Cell ("NJCCIC") within the Office of Homeland Security and Preparedness, seeking to bridge the information and intelligence divide between New Jersey's public and private sectors. The NJCCIC's efforts, which will involve the New Jersey Attorney General's office, the Office of Information Technology, and the State Police, will facilitate information sharing related to cybersecurity risks and provide guidance for both public and private entities.

New York AG Announces 40 Percent Increase in Data Breach Notifications and Unveils New Electronic Submission Form

On May 4, the New York attorney general announced that his office received a more than 40 percent increase in data breach notifications over the previous year. The attorney general also unveiled a new electronic submission form to allow companies to file notice via a web submission. This new reporting is designed to expedite and streamline the reporting process, leading to faster notification and resolution for New York consumers.


Canadian Prime Minister Announces Canada Will Co-Lead Initiatives to Increase Nuclear Facilities' Cybersecurity

On April 1, Prime Minister Justin Trudeau announced that Canada will jointly lead two Nuclear Security Summit ("NSS") "gift baskets." Gift baskets are mechanisms by which NSS participants take action in specific areas. One of these gift baskets, co-led with the United Kingdom, will focus on increasing cybersecurity of industrial control and plant systems at nuclear facilities.

The following Jones Day attorneys contributed to the United States and Canada sections: Jeremy Close, Steven Gersten, Jay Johnson, Colin Leary, Tyson Lies, Alexandra McDonald, Kelly Ozurovich, Nicole Perry, Scott Poteet, Jessi Sawyer, Alexa Sendukas, John Sullivan, and Anand Varadarajan.



Argentina's Data Protection Authority Investigates Uber

On April 22, a Buenos Aires judge ordered the preventive blockage of Uber's webpage (source document in Spanish), digital platforms, and applications offered by the company. Likewise, Argentina's data protection agency (Dirección Nacional de Protección de Datos Personales), in order to verify its compliance with the data protection regulation, requested that Uber disclose the data that it collects, the protection and confidentiality measures in place, and the data's destination.


Final Report of Cyber Crimes Congressional Hearing Issued

On March 31, a Congressional Hearing (Comissão Parlamentar de Inquérito) investigating cyber crimes drafted its Final Report (source document in Portuguese). The report proposed several amendments to the Brazilian Civil Rights Framework for the Internet and Brazilian Cyber Crimes Statute (source documents in Portuguese). These amendments would, among other things, increase liability for internet service providers broadcasting offensive materials, grant IP address permissions to law enforcement personnel, broaden criminal liability for those who unlawfully access computers, and grant cyber crime investigative jurisdiction to the Brazilian Federal Police.


Court of Santiago Issues Ruling Regarding CCTV

On March 4, the Court of Appeals of Santiago issued a ruling (source document in Spanish) ordering the removal of surveillance aerostatic balloons with a closed-circuit television ("CCTV") system installed by the municipalities of Las Condes and Lo Barnechea after determining that their use violated the privacy right of local citizens. The aerostatic balloons were equipped with high-resolution cameras floating over these communities, even recording inside homes that were under the capture range of the devices.


Mexican Voters Registration List Leaks through Online Retailer

On April 22, Mexico's National Electoral Institute ("INE") issued a press release (source document in Spanish) stating that voter registration lists were uploaded to an online retailer's data storage site and subsequently made public. Information on the lists included the names and addresses of approximately 90 million Mexican citizens enrolled in the voter registry. INE filed a criminal complaint with the Special Prosecutor's Office for Electoral Crimes against the person responsible, although there is currently no indication that security systems were breached.

New Mexican General Data Protection Law Moves Forward in Senate

On April 21, the United Commissions of Government and Legislative Studies of the Mexican Senate approved the General Data Protection Law Held by Regulated Subjects (source document in Spanish). The law will regulate the processing of personal data by all agencies of the executive, legislative, and judicial branches of the government that previously did not have a regulatory framework on the processing of personal data. The right to the protection of personal data will be limited only for reasons of national security, public order provisions, public health and safety, or to protect third-party rights.

Mexican Supreme Court Limits Access to Mobile Data

On April 13, Mexico's National Supreme Court declared the constitutionality (source document in Spanish) of article 190 of the Telecommunications and Broadcasting Federal Law, which orders telecommunications service companies to cooperate with authorities in locating mobile communication equipment and to allow authorities to access communication records. Although the law was ruled constitutional, the Supreme Court stated that authorization of a federal court is required for telecommunications companies to deliver the information requested by the authorities.

The following Jones Day attorneys contributed to this section: Daniel D'Agostini, Guillermo Larrea, Monica Peña Islas, and Elie Sherique.


European Union

Commission and European Parliament Announce Final Adoption of General Data Protection Regulation

On April 14, the Commission announced the EU Parliament's adoption of the final text of the new General Data Protection Regulation. Together with the Council's vote on April 8, this concluded the legislative procedure and formalized the political agreement reached on December 15, 2015. The Regulation is expected to be published in the Official Journal in June 2016.

Commission Seeks Stakeholders' Input on ePrivacy Directive

On April 11, the Commission launched a public consultation on the ePrivacy Directive (Directive 2002/58) to align it with the General Data Protection Regulation and ensure the security of digital services, confidentiality and privacy of sensitive data, and consistent regulatory enforcement. The consultation will remain open until July 5.

European Data Protection Supervisor Publishes Guidance Relating to Personal Data Processing Security

On March 21, the European Data Protection Supervisor ("EDPS") released guidance on information security risk management, which issues recommendations on how European institutions can enforce and enhance a secure digital environment. The guidance accounts for the General Data Protection Regulation recently approved by the EU and includes a multidisciplinary assessment that covers several functions within an organization, such as Data Protection Officer and Information Technology.

Article 29 Working Party

Article 29 WP Issues Opinion on EU-U.S. Privacy Shield Draft Adequacy Decision

On April 13, the Article 29 Working Party ("WP") adopted an opinion on the new EU-U.S. Privacy Shield framework for transatlantic exchanges of personal data for commercial purposes. As summarized in its press release, the Article 29 WP welcomes the improvements over the invalidated Safe Harbor framework but expresses concerns over the commercial aspects and access by public authorities.

Article 29 WP Publishes Working Document on Justified Surveillance Measures When Transferring Personal Data

On April 13, the Article 29 WP issued a Working Document assessing how the invalidation of the Safe Harbor framework affected data transfers to the United States. Specifically, the document analyzes the Court of Justice case law related to Articles 7, 8, and 47 of the Charter of Fundamental Rights and the jurisprudence of the European Court of Human Rights related to Article 8 of the European Convention on Human Rights.

Article 29 WP Issues Statement on 2016 Action Plan for Implementation

On February 2, the Article 29 WP released a statement on the guidelines, tools, and procedures to implement the General Data Protection Regulation by the first quarter of 2018. The action plan is structured around four pillars: administration structure, consistency mechanisms, guidance for processors and controllers, and strengthened communication.

European Network and Information Security Agency

ENISA Publishes Report on Common Practices of EU-Level Crisis Management and Applicability to Cyber Crises

On April 4, the European Network and Information Security Agency ("ENISA") issued a report providing a series of key recommendations regarding EU-level priorities to alter the outcome of the next cyber crisis. The report discusses legal framework strategies, training coordination, and information sharing.

ENISA Releases Report Relating to Big Data Security

On March 8, ENISA published a study that identifies the key security challenges facing companies implementing big data solutions, from infrastructures to analytics applications, and how those challenges may be mitigated.


CNIL 2015 Report Shows Record Number of Complaints

On April 8, the Commission Nationale de l'Informatique et des Libertés ("CNIL") issued its annual report for 2015 (source document in French). CNIL recorded 7,908 complaints relating to the protection of e-reputation and 5,980 requests for indirect access to the judicial registers following the issuance of search warrants, security measures, and permit withdrawals. CNIL also carried out 501 online controls, issued 93 formal notices, and levied 10 sanctions, including three pecuniary sanctions.

CNIL Audits Wireless Network Devices

In April, CNIL announced (source document in French) that, together with the Article 29 WP, it will carry out an online audit in May to assess the impact of wireless network devices on users' private lives. The audit will target home automation devices and health-related devices, assessing the quality of information delivered, the security levels implemented, and data subject control over personal data. The audit results will be published this fall.

CNIL Launches Compliance Package for Connected Vehicles

On March 23, CNIL launched (source document in French) the process to define the sixth compliance package relating to connected vehicles. This process will involve automotive operators, insurance and telecoms innovative companies, and public authorities. The compliance package is aimed at establishing guidelines to ensure personal data protection and encourage innovation in the automotive sector.

CNIL Imposes €100,000 Fine on Internet Search Engine for Failure to Comply with Right To Be Forgotten

On March 10, CNIL summoned an internet search engine to comply with requests to delist internet links from its web search results within a certain time frame. The internet search engine proposed to delist within a specific geography and to implement a region filter, but CNIL still levied a €100,000 fine because the company failed to comply within the required time frame. In CNIL's opinion, the right to privacy is a universal right requiring full delisting regardless of the user's geographic region.

ANSSI Issues New Security Guidelines for Integration and Maintenance Providers of Industrial Systems

On March 9, the working group on the cybersecurity of the industrial systems ("CT CSI"), led by the French National Agency for Information Systems Security ("ANSSI"), identified integration and maintenance providers as key cybersecurity actors because of their constant role in the system's life cycle. The working group issued new guidelines (source document in French) relating to the security requirements to be taken by both the providers and the beneficiaries.


Conference of German Data Protection Authorities Views Privacy Shield as Insufficient

On April 20, the Conference of the Independent German Federal and State Data Protection Authorities (Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) ("Conference") issued a resolution (source document in German) holding the current version of the EU-U.S. Privacy Shield as insufficient to ensure adequate protection for data transfers to the United States. In the resolution, the Conference also requested the legislature provide for an independent right of action enabling data protection authorities to challenge adequacy decisions of the EU Commission before national courts.

German Federal Constitutional Court Declares Federal Criminal Police Office Act Partly Unconstitutional

On April 20, the German Federal Constitutional Court ruled (source document in German) that the Federal Criminal Police Office Act (Bundeskriminalamtgesetz) is partly unconstitutional as a disproportionate intervention into private life. The court criticized the provisions on secret surveillance measures, such as the surveillance of telecommunication and online searches, and the rules for disclosing data to foreign security authorities and domestic intelligence services.


Italian DPA Adopts a Vademecum for Setting Guidelines for Credit Collection

On April 18, the Italian Data Protection Authority published the vademecum for credit collection (source document in Italian), summarizing general principles to be applied when creditors carry out activities aimed at collecting amounts due from debtors. The handbook does not introduce material changes to the existing regime but pinpoints the rights of debtors in the case of direct contacts from credit collectors.


SDPA Publishes Identity Theft Guidelines

On March 14, the Spanish Data Protection Agency ("SDPA") and the Council of Consumers and Users released basic guidelines (source document in Spanish) on protecting against identity theft in telecommunications services. Through these guidelines, citizens can learn about their legal rights relating to privacy and data protection in Spain.

Spanish Constitutional Court Allows Employers to Record Employees Without Disclosure

On March 3, the Spanish Constitutional Court issued a decision (source document in Italian) allowing employers to use video surveillance systems to record their employees without prior disclosure. In this case, the video surveillance system was introduced after an employee was suspected of taking money from the cash register.

The Netherlands

DDPA Finds Web Forms Need More Secure Connections

On March 15, the Dutch Data Protection Agency ("DDPA") wrote a letter to the Royal Dutch Society for Physiotherapy (source document in Dutch) regarding earlier questions concerning the security of patient contact forms. The DDPA responded that sensitive personal data submitted through web applications needs to be transmitted over a secure HTTPS connection.
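The DDPA finding above is a requirement, not a how-to. The following added example (not from the DDPA letter or this newsletter) shows one check a site owner can run offline over a fetched page: it parses every form, resolves its action URL against the page URL, and reports forms that would send data over plaintext HTTP. The sample page URL, the HTML, and the list of field-name hints used to mark fields as sensitive are all constructed for illustration and are assumptions, not values from the page.

```python
"""Find HTML forms that would submit personal data over plaintext HTTP.

Added example, not code from the DDPA or the newsletter. Runs offline on
HTML you have already fetched; no network access is needed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed heuristic: substrings that suggest a field carries personal
# or patient data. Tune this list to the application under review.
SENSITIVE_HINTS = ("name", "email", "phone", "birth", "complaint", "diagnosis")


class _FormCollector(HTMLParser):
    """Collects each <form>'s action, method and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return a list of findings, one per form that is not protected by HTTPS.

    A form is flagged when its resolved submission target is not https, or
    when the page hosting it was itself served over plain HTTP (an attacker
    who can modify the page can also rewrite the form's action).
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        # An empty action means "submit to the current page".
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        target_scheme = urlsplit(target).scheme.lower()
        reasons = []
        if target_scheme != "https":
            reasons.append("submits over %s" % (target_scheme or "unknown scheme"))
        if page_scheme != "https":
            reasons.append("page itself served over %s" % page_scheme)
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_HINTS)]
        if reasons:
            findings.append({
                "target": target,
                "method": form["method"],
                "sensitive_fields": sensitive,
                "reasons": reasons,
            })
    return findings


# Constructed sample: a contact page served over HTTPS with three forms.
SAMPLE_PAGE_URL = "https://physio.example/contact"
SAMPLE_HTML = """
<form action="http://forms.example/submit" method="post">
  <input name="patient_name"><input name="email">
  <textarea name="complaint"></textarea>
</form>
<form action="/search" method="get"><input name="q"></form>
<form method="post"><input name="phone"></form>
"""

if __name__ == "__main__":
    for finding in insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Only the first sample form is reported when the page is served over HTTPS: its action points at an http:// host, and it carries three fields matching the sensitive hints. Running the same HTML with an http:// page URL flags all three forms, because a plaintext page cannot vouch for any of its forms.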

DDPA Approves Processing of Personal Data by BREIN Foundation on BitTorrent Users

On March 14, the DDPA published a decision (source document in Dutch) approving BREIN's intention to process the personal data of BitTorrent users. The BREIN foundation, a joint antipiracy program of authors and artists, seeks to track users who infringe on the copyright of BREIN's affiliated parties. The personal data to be processed includes IP addresses and user names, and the scope of the investigation is limited to productions of parties affiliated with the BREIN foundation and to Dutch users of the BitTorrent network.

DDPA Declares Processing of Personal Health Data of Employees Unlawful

On March 8, the DDPA issued a press release (source document in Dutch) on two companies that provided activity trackers to their employees to monitor their physical exercise. One of the employers also monitored the sleep patterns of its employees. Although the employees gave their consent to the monitoring, and participation was voluntary, the DDPA found that the data gathered was "sensitive personal data" regarding personal health, which employers are not allowed to process.

United Kingdom

ICO States That Data Protection Rules Are Required Regardless of Brexit Vote

On April 19, the ICO issued a statement that the UK will continue to need clear and effective data protection laws, whether or not it remains in the EU. The statement emphasizes the increased need for effective practices in light of the growing digital economy.

ICO Brings Prosecution Against Former Employee for Attempt to Obtain Personal Data

On April 8, the ICO prosecuted a former employee for attempting to obtain personal data. The ICO has stressed that stealing personal information is a crime in the UK. The prosecution stemmed from a recent initiative for stricter penalties for data thieves.

ICO Issues Updated Guidance on Direct Marketing

On March 24, the ICO updated its guidance on online marketing. There is now a greater emphasis on the application of the marketing rules to the not-for-profit sector and direction regarding third-party consent.

ICO Publishes Guidance on the Use of Encryption

On March 3, the ICO issued guidance on the use of encryption to protect personal data. The guidance stressed key areas such as the use of USB memory sticks and the risk of sending personal data to the wrong recipient.

The following Jones Day attorneys contributed to this section: Paloma Bru, Laurent De Muyter, Olivier Haas, Jorg Hladjk, Bastiaan Kout, Jonathon Little, Giuseppe Mezzapesa, and Undine von Diemar.


People's Republic of China

Ministry of Commerce Publishes Draft Specifications for Mobile and Cross-Border Commodity E-commerce

On March 22, the Ministry of Commerce of the People's Republic of China published drafts of the Business Services Specification for Mobile Commodity E-commerce and Business Services Specification for Cross-border Commodity E-commerce (source documents in Chinese), which contain provisions that require e-commerce service providers to take measures to ensure the security of operational data and service platforms. Under the draft specifications, any collection and processing of personal or transaction information requires the authorization of the data subject or parties to the transaction, and such information may not be directly used for commercial purposes unless it has been desensitized.

Hong Kong

PCPD Sanctions Insurance Agent for Using Personal Data without Consent

On April 25, the Privacy Commissioner for Personal Data ("PCPD") released a media statement revealing that an insurance agent was convicted of two offenses under the Personal Data (Privacy) Ordinance for using personal data in direct marketing without taking specified actions and obtaining the data subject's consent, and for failing to inform the data subject of his opt-out right when using his personal data in direct marketing. A Community Service Order of 80 hours was imposed by the court on the convicted insurance agent.

PCPD Joins Global Sweep Exercise

On April 15, PCPD announced that it had joined the Global Privacy Enforcement Network to conduct a privacy sweep from April 11, examining data privacy issues relating to Internet of Things devices such as smart electricity meters and internet-connected thermostats. PCPD had chosen to examine fitness bands produced in Hong Kong for the sweep exercise as well. The results of the sweep will be published in the third quarter of 2016.

Japan
Diet Passes Amending Bill to Set New Rules to Utilize Personal Information Held by Administrative Organs

On March 8, the Cabinet submitted a bill (source document in Japanese) to the Diet to amend the law protecting personal information held by administrative institutions. These amendments mirror recent amendments affecting personal information held by the private sector under the Personal Information Protection Act and set new rules for private entities to utilize personal information held by administrative institutions through an anonymization process. The bill passed the Diet on May 20 and will take effect before September 2017.

Singapore
PDPC Issues Enforcement Guidelines

On April 21, the Personal Data Protection Commission ("PDPC") issued Advisory Guidelines on Enforcement for Data Protection Provisions. These guidelines outline the agency's enforcement procedures as they relate to alternative dispute resolutions, investigations, appellate rights, and rights of private action.

PDPC Releases List of Enforcement Actions

On April 21, PDPC released a list of enforcement actions brought by the agency over the past year. The list details the facts and circumstances surrounding 10 data breach-related actions in which organizations were breached or disclosed consumer data without consent. The list also discusses the penalties levied against these organizations.

Taiwan
The Executive Yuan Announces Effective Date of Amendments to Personal Information Protection Act

On February 25, the Executive Yuan announced (source document in Chinese) that the December 30, 2015 amendments to the Personal Information Protection Act will take effect on March 15. After the amendments take effect, personal data collection no longer requires consent unless the information relates to sensitive data, such as medical records, medical treatment, genetic information, health examinations, and criminal records.

The following Jones Day attorneys contributed to this section: Chiang Ling Li, Michiru Takahashi, and Richard Zeng.

Australia
Australian Privacy Awareness Week Held

Beginning May 15, the Office of the Australian Information Commissioner held its Privacy Awareness Week. The week's events were highlighted by a visit from the United Nations Special Rapporteur on the Right to Privacy, who hosted a Business Breakfast in Sydney and a public lecture on privacy in Canberra.

Australian Prime Minister Announces Cyber Security Strategy

On April 21, the Prime Minister of Australia announced the Australian Cyber Security Strategy for the next four years. Under the Strategy, the federal government proposes to spend A$230 million for initiatives to: (i) strengthen defenses to cybersecurity threats, including increasing the capacity of Australia's Computer Emergency Response Team and the Australian Cyber Security Center; (ii) appoint a Cyber Ambassador to represent Australia in international cyber issues; (iii) establish a Cyber Security Growth Center for cybersecurity research and development; and (iv) establish a fund for cybersecurity education.

The following Jones Day attorneys contributed to the Australia section: Adam Salter, Peter Brabant, and Nicola Walker.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
