
Data Protection Leader

Volume: 12 Issue: 12
(December 2015)


The European Parliament, the European Commission, and the Council of the European Union reached, on 15 December 2015, an agreement on the draft General Data Protection Regulation (‘GDPR’) and the draft Data Protection Directive with respect to police and justice sectors, during their final trilogue meeting. Following the agreement, the Civil Liberties, Justice and Home Affairs Committee confirmed, on 17 December 2015, the agreed texts.

The Federal Trade Commission (‘FTC’) announced, on 9 December 2015, that Wyndham Worldwide Corp. agreed to settle FTC charges over failure to properly safeguard thousands of consumers’ payment card information (‘the Settlement’). According to the FTC, Wyndham engaged in a number of practices that ‘unreasonably and unnecessarily exposed consumers’ personal data to unauthorised access and theft.’ As a result, three data breaches caused the compromise of more than 619,000 consumers’ payment card account numbers.

The Luxembourg Presidency of the EU Council of Ministers announced, on 7 December 2015, that it had reached an informal agreement with the European Parliament on the text of the proposed Directive on Network and Information Security (‘the NIS Directive’). Once adopted, companies doing business in critical infrastructures, such as energy, transport, health and banking, will have to implement security measures and notify public authorities in cases of serious cyber incidents.


A legal tsunami of overwhelming proportions. A groundbreaking piece of legislation. A sweeping digital-privacy regime. A strict new legal framework that will have ripple effects globally. These are all hyperbolic expressions used to describe the impact of the newly agreed EU General Data Protection Regulation (‘GDPR’). Anyone who has read and digested the GDPR will appreciate the truth of these comments, but hyperbole should always be filtered through a process of calm and objective reflection to ascertain the reality of the situation. Otherwise, our cynical human nature is likely to dismiss all of that as baseless exaggerations and choose to largely ignore this development - at least until it becomes enforceable in more than two years from now.

On 14 December 2014, the German Minister of Justice, Heiko Maas, tweeted that he opposed a German or European Data Retention Act as it violated the right to privacy and also violated data protection. However, he quickly changed his mind. Less than one year later, Heiko Maas reintroduced new data retention legislation which recently passed the German Bundestag and Bundesrat. In this article, Christian Leuthner and Sven Schonhofen, Associate and Research Assistant respectively at Olswang Germany LLP, critically analyse the new German data retention legislation.

Currently Australian data protection law and, in particular, the Australian Privacy Principle (‘APP’) 11 requires entities that fall under its scope to protect personal information they hold, but does not include a data breach notification obligation. The Attorney-General for Australia has recently released a Draft Breach Notification Bill, which follows the drafting of the previous 2013 draft bill. In this article, Alec Christie, Partner in EY’s IP/IT Data Privacy Group, provides an in-depth analysis of the new data breach notification obligation and advises organisations on how to prepare for when it becomes law.

The Dutch Data Protection Authority (College bescherming persoonsgegevens, hereinafter ‘CBP’) published a report on 11 November following an investigation into Nike’s fitness app, the Nike+ Running app. The CBP found several violations of data protection law, according to its nearly hundred-page report. The report is interesting in that it provides detailed insight into how the Dutch Data Protection Authority views personal data concerning health and the thought processes behind the concept of health data, as Sofie van der Meulen and Erik Vollebregt of Axon Lawyers explain.

Approximately one year has passed since the Court of Justice of the European Union (‘CJEU’) recognised the right to be forgotten (‘RTBF’) in its ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (Case C-131/12) (‘the Ruling’). Heledd Lloyd-Jones, Associate at Bird & Bird, analyses the practical difficulties in implementing the RTBF and the further challenges posed by the General Data Protection Regulation (‘GDPR’).

Peru is currently facing one of its main challenges since the defeat of terrorism in the mid-nineties: organised crime and common delinquency. Due to the lack of consistent public policies in former governments, organised crime and common delinquency have been growing steadily in the main cities of the country; these are mainly groups of criminals and gangs involved in illicit activities including extortion, theft and robbery. The Government has addressed this issue by developing and amending the legal framework in order to increase the penalties for such illegal endeavours. This enforcement approach takes as a premise that high sanctions and penalties will be a strong disincentive to criminals and delinquents.

The recent decision of the Court of Justice of the European Union (‘CJEU’) in the Schrems case has stirred up the discussion and concerns with respect to the safety of international data transfers to non-EU countries. João Alfredo Afonso and Leonor Bettencourt Nunes, Partner and Trainee Lawyer respectively at Morais Leitão, Galvão Teles, Soares da Silva & Associados, examine the safety concerns regarding international data transfers that are particularly relevant in the context of cloud computing, and the increasing use of remote servers for the storage and processing of data.

As regulators become more sophisticated about dealing with data breaches, they gradually recognise that punishing organisations for simply having breaches is both naïve and counterproductive; naïve because it ignores the ubiquity of breaches, and counterproductive because it chills breach reporting. The better approach is to punish organisations for not doing what they can to prevent breaches and for failing to respond to breaches in ways that prevent harm. The LabMD decision against the Federal Trade Commission (‘FTC’), by its own Chief Administrative Law Judge (‘ALJ’), forces the FTC to reconsider its longstanding position that poor security safeguards inherently cause harm.

About Data Protection Leader:

The monthly law publication which covers all aspects of data protection and data privacy. Topics covered include data transfers and outsourcing, data localisation and retention, the EU General Data Protection Regulation (GDPR), the e-Privacy Directive, data security, marketing and behavioural advertising, consent, employee monitoring, privacy compliance, risk management, DPO responsibilities, accountability, Privacy by Design, acquisition and mergers, the Internet of Things, cloud computing and Big Data.

Search Publication Archives

Our publication archives contain all of our articles, dating back to 2004.