2015

The Bavarian Data Protection Authority (DPA) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor. The DPA stated that the data processing agreement did not contain sufficient information regarding the technical and organizational measures to protect the personal data. The press release said the agreement was not specific enough and merely repeated provisions mandated by law. According to the DPA, the law provides some flexibility for companies to determine which contractual obligations are appropriate for a particular engagement. The DPA stated that this choice may depend on the data security plan of the data processor and related data processing systems used.

"The ramifications of the European Court of Justice (ECJ) decision in the Schrems case, invalidating Safe Harbor, have continued. First, the European Parliament announced it will have EU commissioners and councilors address its plenary. Second, the data protection commissioner from the German state of Schleswig-Holstein has taken the step that many have predicted and issued a position paper that follows the ECJ 's logic to declare model contract clauses, even consent, to likely be invalid ways of transferring data to the U.S. The release from Parliament notes that MEPs are ""likely to ask the Commission to clarify the legal situation following the (Safe Harbor) ruling and demand immediate action to ensure effective data protection for EU citizens."" Businesses in Schleswig-Holstein that transmit personal data to the U.S. should review its procedures as quickly as possible and consider alternatives for the processing of personal data."

Schedule 6 of the Public Sector and MPP Accountability and Transparency Act, 2014, which amends the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, has been proclaimed into force effective January 1, 2016.

The amendments will: require institutions to ensure that reasonable measures are put into place for the preservation of records within the custody and control of the institution, in accordance with any recordkeeping or records retention requirements applicable to the institution, create a new offence in cases where a person alters, conceals or destroys, or causes any other person to do so, a record with the purpose of denying a right to access the record or the information in it, and in a prosecution for an offence under the statute, permit a court to take precautions to avoid the disclosure by the court or any person of certain specified information.