This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy

Data Protection Leader

Volume: 12 Issue: 5
(May 2015)


Data Protection Law and Policy confirmed, on 18 May 2015, with Joan Antokol, Partner at Park Legal LLC, that Phase 2 of the Health Insurance Portability and Accountability Act (HIPAA) Audit Programme is on its way. The US Department of Health and Human Services Office for Civil Rights (OCR), which will carry out the audits, is in the process of contacting around to 800 covered entities and, for the first time, 400 business associates (BAs) to complete a pre-audit questionnaire. The OCR will select the organisations to be audited from this pool. / read more

The Italian Data Protection Authority (Garante) announced, on 6 May 2015, that new guidelines regarding online profiling by online service providers (‘the Guidelines’) had been brought into force. The Guidelines mandate that any processing of personal data for profiling purposes, which is not required for supplying the service, will need the previous informed consent of the user. The Guidelines will be binding on all Italian-based businesses providing online services. / read more

The Personal Data Protection Commission of Singapore (PDPC) issued, on 8 May 2015, a set of advisory guidelines, including guidelines relating to consent for marketing purposes (‘the Guidelines’). The Guidelines show how sections 14(2)(a) and 46(1) of the Personal Data Protection Act 2012 (PDPA) will be interpreted by the PDPC through sample scenarios. / read more


It’s been said before but the Court of Justice of the European Union’s (CJEU) decision in the Google Spain v. AEPD case was a real game changer. Every law student on the planet learns that there are a number of sources that contribute to the legal system of a given jurisdiction. First and foremost are the statutes adopted by - in the best of cases - democratically elected parliaments. Then there are a myriad of legal obligations that arise from various sources ranging from regulatory guidance to market practices. Ultimately, the most authoritative source is the case law that is constantly emerging from courts’ decisions. Data protection law is no exception and the CJEU has emerged as the ultimate interpreter of the legislator’s will. Arguably, the most influential element of the entire Google Spain decision is the novel interpretation of the 20 year old criteria to determine the applicability of EU data protection law. The CJEU took the view that a non-EU based data controller is subject to European data protection law if a local EU establishment of that controller is involved in some way in the activities of the controller, even if that establishment is not actually dealing with the data at issue. The aim behind this reasoning is simply to bring within the scope of application of European law any organisation that may not have physical data operations in the EU, but has some kind of presence connected to its use of personal data. / read more

The Australian Parliament recently enacted requirements for communications providers to collect and retain information about communications carried by their services. The new law is controversial, but may well provide a lead for other countries considering mandatory retention requirements. In this two-part series, Peter Leonard, Partner at Gilbert +Tobin, describes the general operation of the laws (Part I), before delving deeper into their implications for communications service providers doing business in Australia (Part II). / read more

On 4 May 2015, the Office of the Australian Information Commissioner (OAIC) issued its Privacy Management Framework to assist both public and private sector organisations to meet their Australian privacy compliance obligations. In doing so, it joined the growing list of privacy regulators across the globe that have issued accountability guides or privacy governance frameworks. Having looked at the ongoing evolution of the accountability principle in international data protection instruments in Part I of this series, Anna von Dietze now examines the private sector accountability guides issued by national privacy regulators to date. / read more

Ghana’s Data Protection Commission (DPC) has been operational since November 2012 and began registration of data controllers and data processors on 1 May 2015. Data Protection Law and Policy spoke to the DPC’s Executive Director, Teki Akuetteh Falconer, about this period of transition for the Commission and the challenges faced by a privacy regulator operating in a developing African nation. / read more

South Korea’s wireless communications and internet environment is already widely acknowledged as being highly developed; and in moving toward the era of ‘Big Data 2.0,’ South Korea is focusing on creating practical value from the growth of Big Data. Kyoung Yeon Kim and Yong Yun, Partner and Director, respectively at Yulchon LLC, assess the latest regulatory guidelines issued on the subject of Big Data. / read more

In March 2015, Google experienced yet another setback in European courts. This time the English Court of Appeal found against it on three key issues arising out of Google’s so-called Safari cookie ‘workaround,’ in Google v Vidal-Hall [2015] EWCA Civ 311. The first finding was that the claimants were entitled to serve proceedings on Google in the United States for the misuse of their private information. The second is that there is an arguable case that browser-generated information (‘BGI’), such as cookies, constitutes personal data. Finally, the Court found that the claimants can claim for distress without having to prove pecuniary loss. Greg Palmer, Associate at Linklaters, considers the decision before considering its wider implications and the barriers that remain for compensation claims for breach of UK data protection law. / read more

Latin America, despite a shared history and a common language, has profound differences with respect to the protection of personal data. Nicolás Yuraszeck Peñaranda, Attorney at García Magliona y Cía. Abogados, outlines these contrasting legal provisions focusing specifically on consent requirements. / read more

About Data Protection Leader:

The monthly law publication which covers all aspects of data protection and data privacy. Topics covered include data transfers and outsourcing, data localisation and retention, the EU General Data Protection Regulation (GDPR), the e-Privacy Directive, data security, marketing and behavioural advertising, consent, employee monitoring, privacy compliance, risk management, DPO responsibilities, accountability, Privacy by Design, acquisition and mergers, the Internet of Things, cloud computing and Big Data / read more

Search Publication Archives

Our publication archives contain all of our articles, dating back to 2004.
Can’t find what you are looking for?
Try an Advanced Search

Log in to data protection leader
Subscribe to data protection leader
Register for a Free Trial to data protection leader
data protection leader Pricing

Social Media

Follow data protection leader on TwitterView data protection leader LinkedIn Profiledata protection leader RSS Feed