Data Protection Leader

Volume: 13 Issue: 1
(January 2016)


The Article 29 Working Party (‘WP29’) updated, on 16 December 2015, its Opinion 8/2010 on applicable law in light of the Court of Justice of the European Union (‘CJEU’) judgement in Case C-131/12 Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (‘Google Spain case’). In particular, the update examines which law applies when a company has multiple establishments in several EU Member States and a designated ‘EU headquarters’ establishment in one Member State, which is the only one that carries out the functions of the controller in relation to processing operations. As a result, the WP29 introduced a new ‘inextricable link’ test to interpret the criteria of ‘the context of the activities of an establishment.’

The Personal Information Protection Commission (‘PPC’) was established, on 1 January 2016, and replaced the Specific Personal Information Commission (‘SPPC’), an independent data protection authority created to supervise the application of ‘the My-Number Act.’ In addition to the responsibilities related to the My-Number Act, the PPC is required to issue guidelines for the implementation of the Amendments to the Act on the Protection of Personal Information 2003 (‘the APPI Amendments’).

The European Court of Human Rights (‘ECtHR’) issued, on 12 January 2016, its decision in Barbulescu v. Romania (Application no. 61496/08), in which it found that there had been no violation of Article 8 of the European Convention on Human Rights (‘ECHR’) and that a fair balance between employees’ rights and employers’ interests had been struck by Romanian law.


It’s close to 7pm on a Friday evening and my team are trying their best to manage our clients’ stress and frantic desperation. Jokes about how much they love Max Schrems are shared by email. In the meantime, we are diligently working our way through endless charts of dataflows and attempting to cover every single one of them with intra-group agreements, model clauses and the like. It’s been like this since October and the pace is anything but slowing down. Sorting out international data transfers has always been a difficult compliance challenge for multinationals but the current levels of anxiety are simply unprecedented.

Now that the General Data Protection Regulation (‘GDPR’) has finally been agreed, how should businesses start to prepare? Olswang’s Data Protection Team outline the top 10 things your board needs to know.

Political agreement has been reached on a new EU regime imposing cyber security requirements and incident notification obligations on operators of essential services together with digital service providers. Rob Sumroy and Natalie Donovan of Slaughter and May discuss the requirements set out in the Network and Information Security Directive (the ‘Directive’).

On 23 December 2015, the Data Security, Retention and Integrity Standards came into effect. In this article, Adlin Abdul Majid, Partner at Lee Hishammuddin Allen & Gledhill, analyses the new requirements and their potential impact.

The localisation requirement for personal data storage came into effect in the Republic of Kazakhstan on 1 January 2016. The new requirement will materially affect companies working transnationally with large amounts of personal data. Local IT businesses will also be in demand for their data storage and encryption services. Nataliya Shapovalova, Senior Associate at Dentons, answers questions regarding the implementation of the requirement and possible implications for business in the country.

The US is often criticised for having insufficient data privacy laws and enforcement practices. Joan Antokol, Partner at Park Legal LLC, puts this criticism under the spotlight in relation to enforcement of the Health Insurance Portability and Accountability Act (‘HIPAA’)-Health Information Technology for Economic and Clinical Health (‘HITECH’) Act Rules, and the perceptions that, from a healthcare industry perspective, it appears as though major HIPAA-HITECH settlements with US healthcare organisations are announced on a regular basis.

About Data Protection Leader:

The monthly law publication which covers all aspects of data protection and data privacy. Topics covered include data transfers and outsourcing, data localisation and retention, the EU General Data Protection Regulation (GDPR), the e-Privacy Directive, data security, marketing and behavioural advertising, consent, employee monitoring, privacy compliance, risk management, DPO responsibilities, accountability, Privacy by Design, acquisition and mergers, the Internet of Things, cloud computing and Big Data.
