
Data Protection Leader

Volume: 12 Issue: 7
(July 2015)


The French data protection authority (‘CNIL’) published, on 2 July 2015, two Privacy Impact Assessment (‘PIA’) guides (‘the Guides’); one regarding the method to be adopted by data controllers in conducting a PIA (‘the Method Guide’), and the other providing templates and samples of the same (‘the Tool Guide’). The Guides are aimed at helping data controllers comply with Section 34 of the French Law on Information Technology, Data Files and Civil Liberties No. 78-17 of 6 January 1978 (as amended), which requires them to ‘take all necessary precautions […] to preserve data security.’

The Personal Data Protection Commission (PDPC) published, on 7 July 2015, its ‘Public Consultation Paper No.1/2015,’ which seeks feedback on three draft standards relating to data security, data retention and data integrity (‘the Draft Standards’). This represents the first time that the PDPC has opted to use its power under the Data Protection Regulations 2013 to produce standards, which data users are legally obliged to comply with.

The UK High Court of Justice (‘the High Court’) ruled, on 17 July 2015, that Sections 1 and 2 of the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’) were unlawful, as they were found incompatible with Articles 7 and 8 of the European Charter of Fundamental Rights, which protect the right to privacy and the right to data protection respectively. The case was brought before the High Court by two Members of Parliament, David Davis and Tom Watson, who were also represented by Liberty, a UK civil liberties organisation. The ruling comes exactly one year after DRIPA received Royal Assent, on 17 July 2014.


Achieving the right balance between the protection of our privacy and the potential to exploit the data we generate is equally critical for human freedom and mankind’s future prosperity. Ignore privacy as a human value and we risk losing a big chunk of our ability to make choices. Restrict the opportunities presented by what our data says about us and we will have killed the next stage of our development as a species. As grand and sensationalist as those points may sound, much evidence and a lot of clever academic thinking show them to be true. So, it is extremely important that we are able to find that right balance. That balance will hardly ever be an unmovable, straight line that separates right and wrong. That balance is a movable target that will need recalibrating as we go along. What is necessary is an understanding of the factors that affect most directly the issues at stake so that policy makers, legislators, regulators, privacy professionals, lawyers and decision makers can address them.

Helen Dixon was appointed, on 10 September 2014, as the new Irish Data Protection Commissioner (‘DPC’). The role has become increasingly important from a European and international perspective and in light of the proposed ‘One Stop Shop’ mechanism that has been included in the draft General Data Protection Regulation (‘GDPR’). Data Protection Law & Policy spoke to Helen regarding her experiences so far as DPC, the One Stop Shop, and the GDPR.

It is well known that digital video capture and the recording of images of persons may constitute processing of personal data under the Data Protection Directive (95/46/EC). On the whole, commercial management of such images complies with personal data and other privacy-related regulations. The use of images of persons by private individuals typically falls under the personal or household exemption from personal data regulation. Technological development continues, however, to present new challenges in applying privacy regulations. The increasing use of cameras mounted on Unmanned Aircraft Systems, commonly known as drones, and of dashcams, are topical examples of this. Henrik Nilsson, Partner at Gärde Wesslau advokatbyrå in Stockholm, discusses three cases which the Swedish Data Inspection Board (‘DIB’) is currently pursuing, where courts of the first instance have ruled that CCTV monitoring regulations do not apply to cameras on drones or to dashcams.

The advertising ecosystem is changing radically, driven by our increasingly hyper-connected relationship with digital devices and a new generation of internet-enabled ‘things.’ As smart profiling, cross-platform (and cross-device) targeting and customer relation management on-boarding develop at pace, the ‘programmatic’ approach to media buying is becoming widespread. With this backdrop, David Lewis, Antonis Patrikios and Stuart Taylor, Director, Partner and Solicitor respectively at Fieldfisher, look ahead to consider how organisations and their advisors can equip themselves for marketing in the Internet of Things (‘IoT’) era.

The US Office for Civil Rights (‘OCR’) recently began sending out pre-audit surveys as part of its Phase 2 Health Insurance Portability and Accountability Act (‘HIPAA’) - Health Information Technology for Economic and Clinical Health Act (‘HITECH’) audit program. Phase 1 of the audit program, which was launched in 2011, was designed as a pilot to help OCR put together a comprehensive, flexible audit approach. The Phase 2 audits will build on the knowledge gained through Phase 1, with an expanded scope that includes covered entities as well as business associates. They will encompass the HIPAA-HITECH Privacy, Security and Breach Notification Rules, with a particular focus on the areas of insufficient compliance identified during Phase 1. As such, the Phase 2 audits will provide another opportunity for OCR to examine different mechanisms for compliance with HIPAA-HITECH, identify best practices, and address existing risks and vulnerabilities that impact the privacy and security of Protected Health Information (‘PHI’). Joan Antokol, Partner at Park Legal LLC, provides an overview of the Phase 1 and 2 audit programs, and sets out her recommendations for organisations.

The Commission for the Protection of Personal Data of Senegal (‘CDP’) hosted, on 19-20 May 2015, the African Forum on the Protection of Personal Data (‘the Forum’) in Dakar. This was the first gathering of data protection authorities on the African continent and was themed: ‘Understanding the issues and know-how to protect personal data in Africa.’ Delegations from 12 countries across the continent attended the Forum, as well as the Council of Europe (‘CoE’), and data protection authorities (‘DPAs’) from France, Belgium and Quebec. Denise Fouche, Director at EndCode Legal Advisory, provides an overview of the key takeaways from the Forum’s sessions and assesses how the Forum can develop in the future.

The Danish Data Protection Agency (‘Datatilsynet’) published, on 3 July 2015, its decision regarding a case from August 2013 in relation to the Danish power company, Natur-Energi A/S, where information regarding the personal support cases of customers was made available via the internet, and it was discovered that Natur-Energi had recorded phone conversations without notifying its customers. A number of unintentional e-mails with a link to a database of customer support cases displayed further breaches of data security that granted additional access to personal data. The Datatilsynet criticised Natur-Energi for a number of issues, including the power company’s unsatisfactory technical and organisational security measures which it had adopted, and which revealed several violations of the Danish Act on Processing of Personal Data no. 429/2000, as amended (‘the Act’).

About Data Protection Leader:

The monthly law publication which covers all aspects of data protection and data privacy. Topics covered include data transfers and outsourcing, data localisation and retention, the EU General Data Protection Regulation (GDPR), the e-Privacy Directive, data security, marketing and behavioural advertising, consent, employee monitoring, privacy compliance, risk management, DPO responsibilities, accountability, Privacy by Design, acquisition and mergers, the Internet of Things, cloud computing and Big Data.
