News Archives

Wednesday, August 31, 2016

107 Companies on Privacy Shield List in First Month

A review of the Department of Commerce’s Privacy Shield List, conducted after close of business on Wednesday, August 31, 2016, shows that 107 companies have had their self-certification information posted by the DOC.  The List reports the existence of an additional 62 covered entities, presumably affiliates of the 107 companies (although this number is suspect, given that the alleged covered entity of two companies on the “W” page, Whiteboard Ventures and Workday, is self-referential).   In any event, Privacy Shield has a long way to go before it can claim a buy-in comparable to that of Safe Harbor, which had at least 3,500 companies listed as participants.

Surprisingly, only 24 of the 107 companies (22%) have certified for HR data, whereas HR certifications for Safe Harbor were above 50%.  Only three of the 107 companies certified only for HR data (Employment Screening Resources, Perceptx and RECSOLU), although all three may have erred in claiming they are processing HR data when it appears that they are only processing data of clients who have employees in the EU. 

Only a few companies are well-known, including Microsoft, Salesforce and Workday.  The other 104 companies appear to be smaller niche firms, although sometimes unknown companies prove to be quite substantial.  Media reports suggest that there are hundreds of self-certifications in the pipeline, a number likely to grow as the October 1 deadline approaches for securing the nine-month grace period with respect to third party agents.

As a website, the Privacy Shield List is best described in technical terms as slick, but lame.  The Previous and Next buttons yield strange results, if any.  Under Advanced Search one has to click through each individual letter of the alphabet to view all the participants, since the “All” choice is not working.  The four filters impose the same frustrating limit of showing results one letter of the alphabet at a time.  Three of the filters (Participation Status, Covered Data and Framework) are worthless.  For all of the supposedly careful review of submissions, parenthetical remarks (such as ‘we revised the policy on August 3, but didn’t post it until the 15th’ and “Thank you”) are included in policy descriptions.  Companies appear under the wrong letter of the alphabet (Etleap with the D’s; Visible Health in the E’s; Employment Screening Resources in the I’s).  There are doubtless other problems as yet undetected.  

Monday, August 22, 2016

Survey Finds Insiders at Fault for Most Data Breaches

A new Ponemon Institute survey of 3,000 employees in the US, UK, France and Germany revealed that in most breaches of corporately held data, the vulnerability is created by negligent staff rather than by external hackers acting independently.  Compromised employee accounts are the typical vector for these breaches, exacerbated by employees and third parties having more access to sensitive data than they need.  According to the study, while 76% of respondents said that their organization had experienced a breach over the past two years, only 29% of IT respondents said their organizations enforce a least-privilege model designed to keep information on a need-to-know basis.  A separate Ponemon study in June showed that the average cost of a data breach is now approximately $4 million, up 29% since 2013.  A third Ponemon study, the 2016 Global Visual Hacking Experiment, underscores the role of employee training (or the lack of it) in preventing walk-around hacking in the workplace.

These findings are consistent with those reported by the Association of Corporate Counsel in December 2015 (“Survey Finds Employees the Leading Cause of Data Breaches”) and by CompTIA and the SANS Institute in April 2015 (“Single Biggest IT Security Threat Remains Employees”).  Whether insiders are more responsible for breaches than external hackers – and this has varied over the past decade (see, for example, the June 2009 Verizon study, “Growing Role of Organized Crime in Data Breaches”) – is hardly the point.  No matter what percentage of breaches are caused by employees and other insiders, these are known and well-established vulnerabilities that are amenable to remediation.  Accountability for not addressing them seems sadly to be in short supply.

Wednesday, August 17, 2016

Mexican DPA Affirms DP Law Applies to HR

On July 21, Mexico's National Institute of Access to Information and Data Protection (INAI) confirmed that companies are responsible for the processing of their employees' personal data under the 2010 Federal Law on Protection of Personal Data Held by Private Parties.  The affirmation came in an INAI decision in which a company argued that it could rely upon the personal use exemption to process its employees' personal data without regard to the federal data protection law.  The case concerned a complaint filed by an employee after his employer at first refused to comply with his access request, and later granted only partial access, on the grounds that the processing was used exclusively for internal purposes and the data was not disclosed or used for commercial purposes.  The INAI rejected this attempt to exploit ambiguity around the personal use exemption, and also warned that data concerning an employee or former employee, such as position, email address and salary, constitute personal information and must be processed in accordance with the DP law.

Slow Take-up for Privacy Shield Unlikely to Last

During the first 15 days that the Privacy Shield self-certification process was open for submissions, only 40 companies were placed on the list by the Department of Commerce, although the DOC announced that it was reviewing another 200 or so filings.  A review of the certifications conducted a few days ago showed that the only well-known companies on the list were Microsoft, Salesforce and Workday, with the balance appearing to be small niche-oriented firms.  At the present time, however, navigation past the handful of companies appearing on the first page of the list is unavailable, possibly due to traffic overload or other technical problems or disruptions. 

The take-up for the Safe Harbor framework was also slow back in 2000, much slower in fact, but back then companies were still discovering that they had compliance obligations under the EU Data Protection Directive, and the program was quite novel, with considerable uncertainty attached to it.   These conditions don’t apply today, but there are new inhibiting factors at play:  (a) a gap of some nine months since the Safe Harbor adequacy decision was invalidated by the Court of Justice of the European Union, forcing many companies to switch to and settle into other transfer mechanisms, such as model contracts; and (b) continuing uncertainty about whether Privacy Shield will withstand the legal challenges likely to be brought against it by citizens or by DPAs such as Hamburg's Johannes Caspar.   Nevertheless, Privacy Shield remains the only game in town for a large number of companies, making it very likely that the number of participants will swell, even if the mechanism proves to be only a temporary solution.  According to an August 16 press release, TRUSTe is working with over 500 companies to assess and verify compliance with the new requirements for Privacy Shield.

Increased numbers of submissions can be expected by September 30, the last day to take advantage of an official grace period to bring contractual relationships with third parties into alignment with Privacy Shield requirements.  However unfair and unjustifiable this grace period may be, companies submitting certifications after that date will have to attest that they have such relationships in order as of the date of filing.  

Tuesday, August 2, 2016

FTC Cracks Down on False APEC CBPR Certification Claims

In mid-July, the Federal Trade Commission issued warning letters to 28 companies about apparently false claims on their websites that they were certified participants in the APEC Cross-Border Privacy Rules (CBPRs).  Only APEC-recognized Accountability Agents, such as TRUSTe, can certify that the privacy policies and practices of participating companies are compliant with the CBPR system program requirements.  The letters ask the companies to immediately remove representations claiming CBPR participation from all public documents and threaten to take legal action if a timely and satisfactory response is not received.  The identity of the companies receiving the letters was not disclosed.  

The CBPR system is a self-regulatory initiative to protect data that moves among APEC member economies through a voluntary but enforceable code of conduct implemented by participating businesses. Four APEC members are currently participating in the CBPR system:  the US, Mexico, Japan and Canada.  At present there are 16 APEC CBPR-certified companies, including Apple, Box, Cisco, HP, IBM, Merck, Workday and Ziff Davis.  The operational use and value of the certifications, apart from positive public relations, remains opaque.

Friday, July 29, 2016

CJEU Finds Terms of Use Irrelevant as Basis for Determining Applicable DP Law

In a July 28 ruling in VKI v. Amazon EU, the Court of Justice of the European Union reaffirmed the reasoning about applicable data protection law it advanced in the Weltimmo and Google Spain cases.  Ignoring the contract between Amazon and its customers, which provided that Luxembourg law shall apply, the court held that “the processing of data in the context of the activities of an establishment is governed by the law of the Member State in whose territory that establishment is situated.”  Furthermore, the court found that it is up to national courts to determine whether Amazon is carrying out the data processing in question in the context of the activities of an establishment situated in their Member States.  As to when a company may be regarded as having an establishment, the CJEU reiterated its position that the establishment of a data processing operation “extends to any real and effective activity, even a minimal one, exercised through stable arrangements.”  The Court also held that a data processing operation will not be established “merely because the undertaking’s website is accessible” in a particular Member State.

Game On: Dept. of Commerce Launches Privacy Shield Website

On July 26, the same day the Article 29 Working Party issued its statement of ongoing concerns about Privacy Shield, the U.S. Department of Commerce launched its website for the new data transfer framework.  The website contains the full text of the Privacy Shield Principles (both basic and supplemental), Annex I, and related letters and attachments from the Department of Commerce, the International Trade Administration, the FTC, the Department of Transportation, the Department of State, the Office of the Director of National Intelligence and the Department of Justice.  It also contains guidance for organizations on how to self-certify for the program, for European companies and individuals on how to determine whether a U.S. company is a Privacy Shield participant, and for European individuals on how to submit either a complaint or a request relating to U.S. national security access to their data.  (Note:  When launched, the website indicated, in a departure from Safe Harbor requirements, that the HR privacy policies of participants would have to be publicly available; however, this statement was subsequently retracted.)  A procedure for direct contact by DPAs with the DOC’s Privacy Shield team, as well as a link to a new FTC website about its oversight and enforcement activities, is also included.  The Department of Commerce will begin accepting self-certifications under Privacy Shield on August 1.