This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy

Data Protection Leader

Volume: 13 Issue: 4
(April 2016)


The European Parliament (‘the Parliament’) adopted, on 14 April 2016, the draft General Data Protection Regulation (‘GDPR’) and the draft Data Protection Directive with respect to law enforcement (‘the Directive’), during its plenary sitting. The adoption ends more than four years of work since the GDPR and the Directive were first proposed by the European Commission in January 2012. The GDPR will enter into force 20 days after it is published in the Official Journal of the European Union (‘OJEU’), at which point businesses will then have two years to comply. / read more

Turkey’s new Law on Personal Data Protection (‘the Law’) was published, on 7 April 2016, in the Official Gazette, after over nine years of efforts to pass privacy and data protection-related legislation. The adoption follows Turkey’s recent ratification of Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, on 18 February 2016, 35 years after Turkey first signed it. / read more

The European Commission (‘the Commission’) launched, on 11 April 2016, a public consultation on Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘the ePrivacy Directive’). The consultation represents the first step in the ePrivacy Directive review process, which aims to evaluate whether its provisions related to confidentiality of information, processing of location and traffic data, unsolicited communications and tracking technologies are ‘fit for the digital age.’ / read more

The Italian data protection authority (Garante) announced, on 27 April 2016, that it had authorised the use of surveillance cameras equipped with an 'intelligent video software' in a production plant, further to a prior checking carried out in accordance with the video surveillance guidelines issued by the Garante in 2010 ('the Guidelines') and Article 17 of the Personal Data Protection Code, Legislative Decree no. 196 of 30 June 2003. The software enables the recognition of abnormal behavioural patterns, such as a man lying on the floor, and uses thermal measurement to detect human presence in restricted zones. / read more

The Swedish data protection authority ('Datainspektionen') released, on 4 May 2016, a checklist to assist organisations in the assessment of the measures required to comply with the General Data Protection Regulation ('GDPR') and 20 frequently asked questions ('FAQs') focusing on data processors, data protection officers ('DPOs') and breach notification. The FAQs clarify that any conflict of national laws and regulations with the GDPR, such as the Patient Data Act 2008, will be the subject of further review at the legislative level. / read more

The Court of Justice of the European Union's ('CJEU') Advocate General ('AG'), Campos Sánchez-Bordona, delivered, on 12 May 2016, his opinion ('the Opinion') in Patrick Breyer v. Federal Republic of Germany (C-582/14). The case concerns the German Government's storage of IP addresses belonging to users visiting the Government's websites. In his Opinion, the AG affirmed that dynamic IP addresses constitute 'personal data' in specific cases as well as confirmed that Member States' laws, which restrict the ability to store personal data beyond what is permitted under the Data Protection Directive (95/46/EC) ('the Directive'), are in violation of European law. / read more


This title is as sensationalist as this piece is going to get. I say this, because the announcement by the Article 29 Working Party (‘WP29’) on their stance on the EU-US Privacy Shield has been surrounded by much drama and somewhat exaggerated headlines. When it comes to transatlantic data flows between the EU and the US, we don’t need drama, we need a legal mechanism to overcome a slightly draconian prohibition and, more importantly, a way to extend the protection of personal data beyond the EU’s borders. The concerns raised by the WP29 may have been disappointing to those involved in crafting the Privacy Shield, but they were foreseeable given the huge sensitivities around surveillance and the feeling amongst privacy regulators that preventing a ‘1984’-type dystopia - as remote as it may seem in our democratic cultures - is their number one priority. / read more

The United Arab Emirates (‘UAE’) is quickly embracing new technologies, and drones are no exception. However, as drones with video and audio recording capabilities become increasingly available and affordable, there has naturally been a corresponding increase in privacy concerns associated with the use of such devices. Whether it be for surveillance, monitoring or simply recreational recording, the challenges associated with drones have been recognised by the UAE authorities, including the UAE General Civil Aviation Authority (‘GCAA’). Drone-specific regulations have also been put into place in 2015 and 2016, to support the existing and more general privacy rights that exist under UAE law. Eamon Holley, Mohamed Moussallati and Hannah O’Donovan, Legal Director, Consultant and Trainee Solicitor at DLA Piper’s Middle East Intellectual Property and Technology team, explore these issues. / read more

In Venezuela, the access to regulated and priority products is restricted by a limited quota. In order to keep track of this restriction, the Government has implemented a biometric system where citizens must provide personal information to the Government. Fernando Peláez-Pier and Alejandro Galotti, Founding and Junior Partners respectively at Hoet Peláez Castillo & Duque, explain the legal framework behind the system and the concerns it generates. / read more

In March 2016, the US Consumer Financial Protection Bureau (‘CFPB’) brought its very first enforcement action related to data security against online payment system operator Dwolla, Inc. David A. Stein and Caleb Skeath, Of Counsel and Associate at Covington & Burling assess the impact of the action and its significance regarding the CFPB’s enforcement remit. / read more

2016 marks ten years since the adoption of the Russian Federal Law on Personal Data (‘the Law’) dated 27 July 2006. The Russian Data Protection Authority ('Roskomnadzor') marked this anniversary by releasing, on 31 March 2016, their 2016-2020 strategic report ('the Report') which provides an overview of enforcement trends and their plans for tackling current problems in the area of data protection. Maria Ostashenko and Marina Yufa, Partner and Attorney respectively at Alrud, analyse the strategic goals set out in the Report. / read more

On 14 March 2016, the Information Commissioner’s Office (‘ICO’) held their annual Data Protection Practitioners Conference (‘DPPC’) in Manchester. Approximately 800 practitioners descended on Manchester’s Central Conference Centre for a day packed with data protection-related subjects. Scott Sammons, Information Governance & Risk Practitioner at the Medical Defence Union, provides insight into the some of the key discussions and lessons learnt from the Conference. / read more

In late December 2015, the Romanian Data Protection Authority (‘DPA’) unfastened the safety belt of notifications on processing of personal data by reducing the number of situations where such notifications of processing are necessary. Roxana Negutu and Diana Condurache, Partner and Managing Associate respectively at Voicu & Filipescu, provide a breakdown of the decision and discuss its legal implications. / read more

The Spanish Constitutional Court (‘the Court’) issued, on 3 March 2016, a ruling dismissing an appeal filed by an employee, who was fired after she was caught on CCTV, stealing money from the store’s counter. The employee was seeking invalidation of her dismissal, claiming that such CCTV surveillance amounted to a violation of her constitutional rights to privacy and image, set out in Articles 18 (1) and (4) of the Spanish Constitution. This was because she had not expressly consented to being monitored nor was she personally informed about the fact that CCTV cameras had been installed. / read more

About Data Protection Leader:

The monthly law publication which covers all aspects of data protection and data privacy. Topics covered include data transfers and outsourcing, data localisation and retention, the EU General Data Protection Regulation (GDPR), the e-Privacy Directive, data security, marketing and behavioural advertising, consent, employee monitoring, privacy compliance, risk management, DPO responsibilities, accountability, Privacy by Design, acquisition and mergers, the Internet of Things, cloud computing and Big Data / read more

Search Publication Archives

Our publication archives contain all of our articles, dating back to 2004.
Can’t find what you are looking for?
Try an Advanced Search

Log in to data protection leader
Subscribe to data protection leader
Register for a Free Trial to data protection leader
data protection leader Pricing

Social Media

Follow data protection leader on TwitterView data protection leader LinkedIn Profiledata protection leader RSS Feed