Data & IT Law Monthly: December 2014

The overview of interesting Data & IT Law articles and news in December 2014!

EU Article 29 Working Party interpreting “Right to be forgotten” outside of EU

The Article 29 Working Party had issued guidance on an implementation of the Court of Justice of the European Union’s Google Spain case.

Among other things, the Working Party noted that “search engines should not limit de-listing to EU domains only”. However, this is very likely to set up a jurisdictional conflict with data protection legislation of other countries.

Secondly, the Working Party suggested that “search engines should stop contacting third party publishers to let them know that an individual has requested that content on such publishers’ sites be de-listed.”

Finally, the guidance had specified criteria that search engines should use to decide the legitimacy of a request. Some of them are: public life, accuracy, journalism, prejudice, sensitivity.

Predictions for e-discovery for 2015

The article gives an overview of predictions for e-discovery for 2015. The article is mainly focused on the situation in USA, but it is possible to generalize some of these predictions for other jurisdictions too.

Among other things, it deals with these topics: “Predictive coding case law will remain inconsistent. Destruction/preserving of big data databases. The Internet of Things won’t become the next big thing in e-discovery. Anonymous social media apps will complicate e-discovery. Courts will Increasingly employ cost shifting. Companies will continue struggling with preservation and production from clouds and mobile devices. Organizations will Increasingly engage legal process outsourcing of e-discovery.”

Domestic surveillance and its legality

The Court of Justice of European Union had analysed the issue of domestic use of CCTV surveillance. It ruled that it “should be strictly limited, and that the exemption in article 3(2) of the Data Protection Directive 95/46/EC for “personal or household activity” does not permit the use of domestic CCTV that also records any public space.”

The crucial point is an interpretation of household exemption. The Court noted that it “must be narrowly construed; that the narrow interpretation has its basis in the wording of the provision, which applies to processing carried out for a “purely” personal or household activity and that CCTV surveillance which covers a public space and which is accordingly directed outwards from the private setting of the person processing the data cannot be regarded as an activity which is a “purely personal or household activity”. 

The series “Cloud computing and privacy”

The firm Bird & Bird published a 6-article series of various legal aspects of cloud computing. The articles give an overview of basic theoretical, as well as practical issues associated with using cloud computing for business.

The series include these topics: the description of a general legal framework, data protection legal framework, security requirements and guidance, data anonymisation, health (sensitive) data and security and data breach requirements.

For more information, read the first article of the series.

Guidance on big data from various countries

More and more countries are publishing guidance on the use of big data. Recently, it was United Kingdom and South Korea.

UK Government defines big data and addresses its impact on internet of things. “The key principles are data minimisation, data anonymisation and consent (…) Companies should carry out privacy impact assessments to better understand the extent to which their existing services could infringe on privacy.” Moreover, the report describes, how big data might be used for citizen’s benefit: “Government could use ‘big data’ to pre-fill forms that the public need to complete when engaging with government services online, tailor those services to “individuals and population cohorts” and better monitor how policies are being delivered at local level”.

South Korean Communication Commission released Big Data Guidelines for Data Protection. “they are designed to prevent the misuse of “publicly available information” to create and exploit new information.” When personal information are a part of data, they must be “de-identified before it may be collected, retained, combined, analysed or sold”. Moreover, it includes “a duty to disclose their big data processing activities and policies to users, and to inform users of their rights to opt out.”