On February 16, 2010, the EU Article 29 Working Party published Opinion 1/2010, in which it clarified the definitions of “data controller” and “data processor” as those designations are used within the European Data Protection Directive. The Working Party’s opinion is welcome guidance, as such designations are often difficult to apply in practice, especially given the increasing complexity of globalization, organizational differentiation, and information and communication technologies.
European Union
European Commission Seeks to Balance Data Protection and Business Globalization with Updated Standard Contractual Clauses
The European Commission has updated its Standard Contractual Clauses which govern the transfer of personal data from data exporters within the European Union to data processors outside of the European Union.
…
EU Article 29 Working Party Elevates Israel to Rank of Select Few Countries That Are Deemed to Possess “Adequate” Data Protection Laws
On January 5, 2010, the EU Article 29 Data Protection Working Party published an opinion finding that Israel provides an "adequate" level of data protection under the EU Data Protection Directive. Should the European Commission ("EC") adopt the Article 29 Working Party’s recommendation (and there is no reason to think that it would not), Israel will join the ranks of the select few countries that the EU has deemed to have an "adequate" level of data protection, such as Argentina, Canada, and Switzerland (notably, the United States is not on this list).
FTC Continues Safe Harbor Enforcement Streak With Six New Proposed Settlements
On October 6, 2009, in one fell swoop, the Federal Trade Commission (“FTC”) announced proposed settlements of charges against six companies for violations under the US/EU Safe Harbor Program. Specifically, these companies (World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC) were alleged to have continued to represent in their online privacy policies that they were self-certified under the Safe Harbor Program when in fact they had allowed their certifications to lapse, and thus had engaged in deceptive practices.
First Subsidiary of a U.S. Based Multinational Company Fined for Data Protection Violations in France
Last month the French subsidiary of the U.S. based company, Tyco Healthcare, became the first local branch of a U.S. company to be fined for data protection violations. France’s data protection agency, La Commission Nationale de L’informatique et des Libertes (CNIL) levied a fine of 30,000 euro (or about $40,350) against the company after it both ignored CNIL’s requests for clarification about one of its human resource databases and then made misrepresentations concerning the database to the regulatory agency.
Dubai Becomes First Arab Nation to Enact Data Protection Law
Dubai recently became the first Arab nation to enact a substantial Data Protection Law (DIFC Law No. 1 of 2007) that aims to protect the personal information of its citizens. In a statement announcing the new law, Dubai called the enactment “pioneering in the region” and an examination of the law reveals that the description is rightly deserved. The new law will have immediate implications for companies operating in Dubai (and especially those companies that transfer data from one office to another), such as Halliburton, the giant energy company, which recently announced that it is moving its global headquarters from Texas to Dubai.