International

Data Privacy in the Transatlantic Trade Agreement? US-EU Ponder the Way Forward

The United States and the European Union announced in February their intent to launch negotiations this year on a far-reaching trade and investment partnership agreement. Negotiations on the treaty, known as “TTIP”, should commence in June following a Congressional and public consultation period in the United States, and a parallel process in the EU whereby the European Commission will obtain a formal mandate from the 27 EU member states. Differences in data privacy and protection between the US and EU have already arisen as an issue of contention as governments labor to construct a bilateral negotiating agenda.

Senior U.S. officials, including outgoing U.S. Trade Representative Ron Kirk and Deputy National Security Adviser Michael Froman, have both commented publicly that rules on cross-border data flows should be up for negotiation in the TTIP, responding to interest from US industry in liberalizing data flows not only across the Atlantic Ocean, but also between various EU member state markets.

Article 29 Working Party Advises App Developers and Others Distributing Mobile Apps On Consent

The European Community’s Article 29 Working Party has just published an opinion on smartphone apps that discusses the obligations of app developers and all other parties involved in the development and distribution of apps under European data protection law. Among the Working Party’s recommendations is that free and informed consent of end users is essential for compliance with such law.

Singapore Amends Computer Misuse Act to Counter Cybersecurity Threat

On January 14, 2013, Singapore passed an amendment to the Computer Misuse Act (now renamed the Computer Misuse and Cybersecurity Act), which provided the government with additional authorities to prevent, detect and counter cyber attacks on critical infrastructure. Key aspects of this law include the ability of the government to direct a person or organization to take specific steps – including exercising certain powers under the criminal procedure code – with respect to preventing, detecting, or countering a cyber threat where the threat relates to certain types of critical infrastructure. Such broad authority could encompass directing companies to conduct “pre-emptive” strikes or other measures prior to the onset of an imminent cyber attack. Importantly, the law confers immunity from any civil or criminal liability resulting from fulfilling an obligation under the law, but also provides for criminal penalties for failing to comply.

Fourth Circuit Keeps Government Investigation Into WikiLeaks Sealed

Last week the United States Court of Appeals for the Fourth Circuit halted an attempt by three individuals involved in the ongoing WikiLeaks investigation to make information about the investigation public. Specifically, the three users sought to unseal the prosecution’s request for a court order requiring Twitter to disclose certain user account information, including the three users’ personal identifying information and account information, as well as all messages they sent and received using the service. The prosecution’s request would have included its reasoning behind why the government suspected the three users’ involvement, and may have included information regarding how the investigation has been operating. The users also moved to unseal any other orders that were issued to other companies demanding similar information be turned over to the government.

Cyber Alert: Legal Issues with Emerging Active Defense Security Technologies

January 22, 2013 | Posted by Maki DePalo | Topic(s): Advisories, International, Security Breach, Data Security, Cybersecurity

There is an adage that “the best defense is a good offense.” Many companies are taking this to heart as they become increasingly frustrated with the limitations of today’s commonly deployed passive countermeasures and other defensive technologies. Emerging offensive technologies, generally called “active defense technologies,” offer considerable promise in being able to identify and take meaningful action against sophisticated assailants. There are, however, considerable issues about the legality of these solutions that, in certain instances, could render users of these technologies criminally liable. Active defense technologies that employ “hack backs” are of particular concern.

The Personal Data Act 2012 Comes Into Effect in Singapore

On October 15, 2012, the Singapore Parliament passed the Bill for the Personal Data Protection Act 2012. The enactment of this Act is a fundamental shift in Singapore's approach to data protection, away from the current sectoral approach to a more European-like general data protection approach. The Act aims to establish a framework for personal data protection, by including recognized data protection concepts such as consent, withdrawal, notification of purpose, and access to and correction of personal data.

Article 29 Working Party Releases Second Round of Input Regarding Proposed EU Data Protection Regulation Revisions

October 5, 2012 | Posted by Bruce Sarkisian | Topic(s): Online Privacy, European Union (EU), International, Privacy

Today the European Commission’s Article 29 Working Party released Opinion 08/2012 providing further input on the EU’s revised Data Protection Regulation. The purpose of the Opinion is to provide “further guidance, notably on certain key data protection concepts and by analysing the need for and the effect of the proposed delegated acts and where necessary suggesting more suitable alternatives.”

FTC Is First Privacy Enforcement Authority in APEC Cross-Border Privacy Rules System

August 1, 2012 | Posted by Bruce Sarkisian | Topic(s): Federal Trade Commission (FTC), International, Privacy

The Department of Commerce announced the approval of the United States’ participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system (CBPR). The CBPR promotes “a baseline set of data privacy practices for companies doing business in participating APEC economies. The goal of the system is to enhance electronic commerce, facilitate trade and economic growth, and strengthen consumer privacy protections across the Asia Pacific region.” The CBPR is a voluntary but enforceable code of conduct implemented by participating businesses. In the U.S., the Federal Trade Commission (FTC) will be the Privacy Enforcement Authority (PE Authority).

India Clarifies Privacy Rules

India has clarified the applicability of its recently released privacy rules, causing a collective sigh of relief for outsourcing suppliers and customers around the globe. As detailed in our prior client alert on the topic, India released a set of rules earlier this year that would have radically impacted the manner in which outsourcing suppliers and customers dealt with personal data collected and processed in India. Indeed, the rules were nearly as expansive as the EU Data Directive and would have had a similar fundamental and profound impact on data practices for virtually every outsourcing relationship in which services were provided from India. On August 24, 2011, however, the Ministry of Communications & Information Technology clarified that the rules relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to Rules 4 and 5, which included many of the more controversial aspects of the previous guidance. This type of clarification had been anticipated by much of the industry since mid-July or so and has been uniformly well received.

India Issues Comprehensive Privacy Rules

India issues extensive Privacy Rules with potentially significant impact on Outsourcing Services

On April 11, 2011, India’s Central Government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”). Although positioned as an effort to provide clarification to terms left undefined in the Information Technology Act, 2000, the Privacy Rules put in place a significant new data privacy regime covering collection, use, disclosure or transfer of personal information in India. The Privacy Rules also impose new security standards and security obligations on a company’s data-related operations in India, and require the implementation of a privacy policy. Information qualifying as “sensitive personal data or information” (e.g., passwords, financial information, and medical records) is subject to tighter regulation, requiring, among other things, the written consent of the data subject before such information can be collected. 

Working Party Opinion on Geolocation Technologies and Mobile Devices

The Article 29 Working Party has issued an opinion (WP185) on the data protection standards applicable to geolocation services on mobile devices. The opinion is consistent with the continuing focus of EU policymakers on the application of traditional privacy and security concepts to emerging technologies. The Working Party, an advisory body to the European Commission established pursuant to Directive 95/EC/46, recommends mobile device manufacturers and mobile app providers secure affirmative, opt-in consent before the collection of geolocation data. Consent standards in the EU are strict. The WP states that consent must be clear and specific, and may not be obtained through mandatory acceptance of terms and conditions required to use the device itself. The Working Party further recommends that mobile devices be configured “continuously [to] warn” of the collection of geolocation data, such as through a permanent screen icon.

Mobile app developers, device manufacturers and businesses that provide services over the mobile Web should take heed of these emerging standards as they design products and services for the European market. A copy of WP185 is available at the following link: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf