This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy

Data Protection Leader

Volume: 13 Issue: 5
(May 2016)


The Court of Justice of the European Union’s (‘CJEU’) Advocate General (‘AG’), Campos Sánchez-Bordona, delivered, on 12 May 2016, his opinion (‘the Opinion’) in Patrick Breyer v. Federal Republic of Germany (C-582/14). The case concerns the German Government’s storage of IP addresses belonging to users visiting the Government’s websites. The AG affirmed that dynamic IP addresses constitute ‘personal data’ in specific cases and confirmed that Member States’ laws, which restrict the ability to store personal data beyond what is permitted under the Data Protection Directive (95/46/EC) (‘the Directive’), are in violation of European law. / read more

The Swedish data protection authority (‘Datainspektionen’) released, on 4 May 2016, a checklist to assist organisations in the assessment of the measures required to comply with the General Data Protection Regulation (‘GDPR’), as well as 20 frequently asked questions (‘FAQs’), which focus on data processors, data protection officers (‘DPOs’) and breach notification. The FAQs clarify that any conflict of national laws and regulations with the GDPR, such as the Patient Data Act 2008, will be the subject of further review at the legislative level. / read more

The Argentinian National Directorate for Personal Data Protection (‘NDPDP’) announced, on 27 and 29 April 2016, that it had launched investigations into Uber, Inc. and Club Atletico Tigre respectively, to determine whether their data processing practices comply with the Argentinian Personal Data Protection Act 2000. These are the first investigations announced by the NDPDP this year. / read more

The German Federation of Consumer Organisations announced, on 17 May 2016, that the Berlin Superior Court of Justice ('the Court') ruled that WhatsApp, Inc. must provide its terms and conditions ('T&Cs') in German. The Court explained that WhatsApp's practice of providing its terms of use and privacy policy in English only, on its German website, places an unreasonable burden on German consumers, and that all clauses would therefore lack transparency and be considered legally void in the absence of a German translation. / read more

The European Data Protection Supervisor ('EDPS'), Giovanni Buttarelli, issued, on 30 May 2016, his opinion on the EU-US Privacy Shield draft adequacy decision ('the Opinion'), in which he called for "significant improvements" to be made, should the European Commission ('the Commission') wish to adopt such a decision. / read more

The Court of Justice of the European Union's ('CJEU') Advocate General ('AG'), Henrik Saugmandsgaard Øe, issued, on 2 June 2016, his opinion in Verein für Konsumenteninformation v. Amazon EU Sàrl (Case C-191/15) ('the Opinion'). The Opinion affirms that Article 4(1)(a) of the Data Protection Directive (95/46/EC) ('the Directive') must be interpreted as meaning that the law of one single Member State ('MS') applies to data processing operations, and the MS's applicable law should be determined looking at the controller's establishment, in the sense clarified by the CJEU in Weltimmo s. r. o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság (C-230/14), i.e. any 'real and effective activity' exercised 'through stable arrangements.' / read more

The Personal Data Protection Commission ('PDPC') published, on 9 June 2016, its Guide to Handling Access Requests, which aims to assist organisations in complying with their legal obligations under the Personal Data Protection Act 2012 ('PDPA') when processing, rejecting and recording access requests ('the Guide'). In particular, it addresses how organisations should determine the response timeframe, ascertain the identity of the individual submitting the request, preserve personal data, as well as the circumstances in which they are not required to provide the data subject with access to their personal data. / read more


The thing about referendums, is that the consequences of one outcome or another are likely to be rather disparate. If Brexit turns out to be rejected by the majority of the UK electorate, we will simply carry on as normal - quietly enjoying the benefits of the European Union whilst moaning about the threat that the EU poses to our peculiar way of life. It is a tried and tested state of affairs, all too familiar within the UK and on the Continent. If on the other hand, Brexit wins, it will surely be a jump into the unknown. An unknown seen as a black hole by some, and a prosperous new world by others, but an entirely unfamiliar situation nonetheless. The point is that whatever happens in the UK on 23 June 2016, the future will be very different depending on which side wins. / read more

2016 marks a turning point in data protection legislation for Turkey. Convention 108, and its Additional Protocol, were ratified earlier this year, 35 years after the signing thereof. In addition, Turkey’s first comprehensive data protection legislation, the Personal Data Protection Act (‘the Act’), was adopted on 24 March 2016. Dr. Elif Küzeci, Assistant Professor at Bahcesehir University Faculty of Law, provides an overview of the legislative data protection regime prior to the adoption of the Act, and an analysis of Turkey’s major step in addressing the shortcomings in its regulation of data protection. / read more

Shortly after the European Commission’s publication of the EU-US Privacy Shield documents at the end of February 2016, the Article 29 Working Party (‘WP29’) issued a statement stressing that it would analyse them with ‘great attention as regards the need for restoring trust in transatlantic data flows.’ On 13 April 2016, the WP29 provided its position. Julie Brill and Winston Maxwell, Partners at Hogan Lovells LLP, provide a trans-Atlantic analysis of the WP29’s concerns. / read more

On 15 March 2016, the Personal Data Protection (Compounding of Offences) Regulations 2016 (‘the Compounding Regulations’) came into force, introducing the possibility to compound offences under the Personal Data Protection Act 2010 (‘PDPA’). The Compounding Regulations follow a survey conducted by the Malaysian Personal Data Protection Commissioner (‘the Commissioner’), which asked businesses whether they supported the intention to enforce compounding regulations and whether such regulations would increase their compliance with the PDPA. Jane Tan, Associate at Donovan & Ho, explores this new enforcement regime. / read more

In March 2016, a draft criminal reform bill (‘the Bill’) was first discussed in France, which includes provisions that would require tech companies to allow decryption of data during terrorist investigations. The provisions were later redrafted, expunging the obligation to build backdoors, however, the Bill is currently being discussed by a joint committee in an effort to draft a compromise text. Ariane Mole, Partner at Bird & Bird, retraces the debate and highlights the related privacy and security issues. / read more

The Parliamentary Commission of Inquiry on Cybercrime (‘CPI’) adopted, on 4 May 2016, its final cyber crime report (‘the Report’), which included a number of bills seeking to amend the Marco Civil da Internet (‘Marco Civil’), and impose a number of measures which would impact internet service providers (‘ISPs’) in particular. Renato Leite Monteiro, Privacy and Data Protection Specialist at Cetip and Bruno Ricardo Bioni, Attorney at the Brazilian Network Information Center, provide insight into the key provisions of the Report, particularly in relation to blockages of internet services, and its wider implications. / read more

On 4 April 2016, the US Federal Trade Commission (‘FTC’) released an interactive web-based tool for mobile health app developers, to help them understand which federal laws and regulations might apply to their app (‘the Tool’). In addition, the FTC also released its Mobile Health App Developers: FTC Best Practices guidance, which provides advice on how to incorporate privacy and security into apps (‘the Guidance’). Elizabeth G. Litten, Partner and HIPAA Privacy Officer at Fox Rothschild LLP, provides insight on the usefulness of the Tool and the Guidance for app developers, and highlights the gaps that remain. / read more

On 29 March 2016, the National Telecommunication and Information Administration (‘NTIA’) presented a draft of a voluntary code of conduct, Privacy Best Practice Recommendations for Commercial Facial Recognition Use, for private companies that use facial recognition technology (‘the Draft Code’). / read more

About Data Protection Leader:

The monthly law publication which covers all aspects of data protection and data privacy. Topics covered include data transfers and outsourcing, data localisation and retention, the EU General Data Protection Regulation (GDPR), the e-Privacy Directive, data security, marketing and behavioural advertising, consent, employee monitoring, privacy compliance, risk management, DPO responsibilities, accountability, Privacy by Design, acquisition and mergers, the Internet of Things, cloud computing and Big Data / read more

Search Publication Archives

Our publication archives contain all of our articles, dating back to 2004.
Can’t find what you are looking for?
Try an Advanced Search

Log in to data protection leader
Subscribe to data protection leader
Register for a Free Trial to data protection leader
data protection leader Pricing

Social Media

Follow data protection leader on TwitterView data protection leader LinkedIn Profiledata protection leader RSS Feed