Archive for the ‘Privacy’ category

Long arm of EU privacy law: CJEU judgment in Weltimmo v Hatóság

October 15th, 2015

The territorial reach and enforcement jurisdiction of European Union’s data protection law has become a lot more important these days following the decision of the Court of Justice in the Schrems case. In a case decided just a few days before Schrems, the same court gave Directive 95/46/EC a broad reading holding that the laws of a Member State apply to data controllers in another Member State who operate a website that processes data of residents of the first Member State. The Court, however, construed the enforcement jurisdiction of supervisory authorities narrowly ruling they do not have the ability to impose penalties on controllers not established in the Member State. The judgment of the Court in Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C‑230/14, October 1, 2015 has significant repercussions for EU and non-EU businesses that operate websites that target residents of a Member State and potentially for the territorial reach of the “right to be forgotten”.

Schrems, what the CJEU decided and why it is a problem for Canadian and other non-EU businesses (updated)

October 12th, 2015

On October 6, 2015 the Court of Justice of the European Union (CJEU) released a bombshell, but not completely unexpected judgment, invalidating a decision of the European Commission that underpinned the EU-US privacy safe harbor. In Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14 (06 October 2015), the CJEU held that supervisory data authorities in Member States have the joint right with the EU Commission to review whether non-EU countries provide adequate protection to personal data transferred to them from the EU despite a decision by the EU Commission that such protection is provided. It also invalided Commission Decision 2000/520 which had found that transfers of personal data to the US from the EU provided adequate protection where the recipient complied with the EU-US Safe Harbour Principles.

Schrems brings down EU-US safe harbour

October 6th, 2015

EU’s highest court struck a major blow to the EU-US safe harbour earlier today in the closely watched case, Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14 (06 October 2015). The decision of the CJEU, which followed the earlier opinion of the Advocate General, is the worst privacy nightmare that could have been imagined by the thousands of US and EU based companies that rely on the safe harbour to transfer personal data to the US for processing. It affects giant social networks like Facebook, search engines like Google, cloud hosting providers, and thousands of other companies that do business in the EU and that transfer personal data to the US.

Digital Privacy Act (Bill S-4) now law

June 18th, 2015

The Digital Privacy Act was given a quick third reading in the House yesterday and was speedily given royal assent to become law earlier today. This law, which has been in the making since 2007, updates Canada’s comprehensive federal privacy legislation PIPEDA in quite significant ways. I previously summarized salient aspects of the law in my blog posts, Digital Privacy Act: Important work still to be done by the INDU Committee and Cyber threats, information sharing and The Digital Privacy Act.

The year in review: developments in computer, internet and e-commerce law (2014-2015)

June 10th, 2015

I gave my annual presentation today to the Toronto computer Lawyers’ Group on “The year in review in Computer, Internet and E-Commerce Law”. It covered the period from June 2014 to June 2015. The developments included cases from Canada, the U.S. the U.K. and other Commonwealth countries.

The developments were organized into the broad topics of: Online Agreements, Licensing/Technology Contracting, Privacy, Online Liability, Cyber-security and Copyright.

The cases referred to are listed below. My slides can be viewed after the case listing.

Online Agreements

Nguyen v. Barnes & Noble, Inc., 763 F. 3d 1171 (9th.Cir. 2014)

Privacy by Design certification framework launched by Ryerson and Deloitte

May 25th, 2015

This morning, Ryerson University and Deloitte announced a new certification framework based on Privacy by Design principles. Privacy by Design is a set of principles that builds privacy into the design, operation and management of a given system, business process or design specification. It is based on 7 Foundational Principles developed by Dr Ann Cavoukian, Executive Director of Ryerson’s Privacy and Big Data Institute and the former Information and Privacy Commissioner of Ontario.

Under the Privacy by Design framework, Ryerson will be responsible for certifying organizations that meet the necessary privacy criteria. Organizations must first undergo an assessment by Deloitte, Ryerson’s exclusive assessment arm for the certification framework, against the 7 Foundational Principles.

Safari workaround claimants to get their day in UK court against Google: Google Inc v Vidal-Hall

March 30th, 2015

The ‘Safari workaround’ has cost Google millions. In 2012, it paid a civil penalty of US$22.5 million to settle charges brought by the US FTC that Google misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. In 2013 it paid US$17 million to settle US state consumer-based actions brought by State AGs.

Cyber threats, information sharing and The Digital Privacy Act

February 16th, 2015

Cyber security is top of mind these days in corporate boardrooms, governments, and with consumers. Last week was exemplary with more reports of hacks and governments moving forward with measures attempting to address the growing threats.

The New York Times reported that bank hackers stole millions using malware in a scam that allegedly involved an attack on more than 100 banks and other FIs in 30 nations. This followed a series of seemingly unending reports of attacks against other organizations.

Internet justice: Mosley v Google

February 2nd, 2015

In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process and have the obligation, in appropriate cases, to de-list links to personal information in their search results. A recent decision in  Mosley v Google Inc & Anor [2015] EWHC 59 (QB) (15 January 2015) has recognized that a right to get a blocking order against a search engine might also exist in the United Kingdom under the UK Data Protection Act 1998. The case also illustrates the challenges individuals have in vindicating their privacy interests in the Internet context.

Cell phone searches legal say SCOC: R v Fearon

December 11th, 2014

A divided Supreme Court ruled that individuals cannot be secure that their most personal information will be protected from warrantless searches when arrested. In a 4 to 3 ruling, in R v Fearon, the Court held that if a person is lawfully arrested, a search is conducted that is incidental to the arrest, the search is tailored to its purpose, and the police take detailed notes, police may search the person’s cell phone.