Practice tips for new Californian Law

Companies that handle personal information about Californian residents should take measures now to ensure compliance with the amended sections of the California Civil Code relating to personal information privacy. The amendments, signed into law on 30 September, will be coming into effect on 1 January 2015. Although there is no comprehensive guidance yet on what constitutes “reasonable” security procedures and practices, businesses should analyse their current procedures to ensure they are appropriate to the nature of the information handled.

Sony Pictures attack is first of its kind in the US

Experts investigating the cyber-attack that crippled email and other systems at Sony Pictures Entertainment for much of last week, believe that the hackers used malicious software to launch a destructive cyber-attack, thought to be the first waged against a company in the US. According to an FBI report, the malware is said to override all data on the hard drives of computers, including the master boot record, preventing them from booting up and making it extremely difficult and costly to recover data. Sony Pictures have confirmed that the hackers accessed a “large amount” of confidential information, including personnel files and movies.

New criminal offence under the Data Protection Act 1998

Section 56 of the Data Protection Act 1998 (DPA) is expected to be implemented shortly, having been dormant since the DPA came into force. The implementation of this section will make it a criminal offence for employers to require staff to use their subject access rights under the DPA to obtain and then provide certain records, as a condition of employment, a practice commonly referred to as ‘enforced subject access requests’.

EU regulators call for ‘right to be forgotten’ ruling to apply worldwide

The Article 29 Working Party (WP29), the European data protection advisory body, agreed a set of guidelines last week for the implementation of the so-called ‘right to be forgotten’ ruling. Google, the dominant search engine in Europe, has so far only been removing results from the European versions of its websites, such as, but not Isabelle Falque-Pierrotin, the head of the WP29, told a news conference: “From the legal and technical analysis we are doing, [Google] should include the ‘.com’”. A Google spokesman said the company would study the guidelines carefully when they are published.

EU Commission finds existing regulations adequate for drone privacy

The European Commission has published a 378 page report, finding that Europe’s existing regulation frame work is adequate to address the privacy impact of drones (referred to as remotely piloted aircraft systems in the report). The Commission noted that because the regulations were technology neutral, they were “adequate to address the privacy, data protection and ethical impacts” of drones; however problems may lay in educating the industry about their obligations and enforcing the regulatory mechanisms already in place.

Italian Garante introduces mandatory breach notification

The Italian Data Protection Authority (Garante) issued a general resolution on biometrics last week, which introduces a 24-hour notification obligation for data breaches that could have a significant impact on biometric systems or on stored personal data. It is thought that the Garante will introduce a wide data breach notification obligation and that this is the start of a progressive introduction.

Australian privacy commissioner pushes to avoid human rights merger

Following the introduction of legislation in October to abolish the Office of the Australian Information Commissioner, the Australian government is seeking to place the retained privacy commissioner within the Human Rights Commission (AHRC). Both the president of the AHRC and the privacy commissioner, Timothy Pilgrm, have expressed concern about the proposed merger, with Pilgrim detailing these concerns in a letter to a Senate committee.