News Archives

Thursday, November 3, 2016

649 Companies Participating in Privacy Shield

According to HR Privacy Solution’s analysis of data on the Dept. of Commerce’s Privacy Shield website, 649 companies were listed as active participants in the EU-U.S. Privacy Shield framework as of close of business on October 31, 2016.  This is up from 107 companies participating by the end of August and 304 by the end of September.  

The analysis also revealed the following:

  • Of the 649 companies, 18 (3%) certified for HR data only, 144 (22%) certified for both HR data and non-HR data, and 487 (75%) certified for non-HR data only.
  • The 18 companies certifying for HR data only are largely not well-known:  Amplifinity, Babcock & Wilcox, CDK Global, Cornerstone OnDemand, DDB Worldwide, Edgeview Personal Care, Employment Screening Services, Fort Hill Company, HCR Software Solutions, i9Advantage, Kiran Analytica, Maseke, Perceptyx, PRO Unlimited, Recsolv (Yello), Tenneco and VWR.
  • Better-known companies on the list include:  Amazon, Avon, Babcock & Wilcox, Box, Brother, Ceridian, Cisco, Citrix, DDB Worldwide, Deloitte, Dropbox, Dun & Bradstreet, Eaton, Electronic Arts, Ernst & Young, Facebook, Google, Ingersoll Rand, Intuit, ITT, Kingston Technologies, Microsoft, Northrop Grumman, Omnicom, Oracle, Pinkerton, Salesforce, Tenneco, Tiffany, TRUSTe, Viacom and Workday.
  • Of these 32 better-known companies, all certified for non-HR data, except for Babcock & Wilcox, DDB Worldwide and Tenneco.
  • Of these 32 better-known companies, those not certifying for HR data included Amazon, Box, Brother, Cisco, Citrix, Dropbox, Dun & Bradstreet, Kingston Technologies, Oracle, Salesforce, Tenneco and TRUSTe.
  • There were an additional 858 covered companies listed in the certifications of the 649 Privacy Shield participants.
The analysis confirms an earlier finding that Privacy Shield is being used as a transfer mechanism overwhelmingly by smaller niche companies to legalize the import of non-HR data from Europe.  Only 5% of participating companies are better-known and only 25% are using Privacy Shield to import HR data.

The design of the DOC website makes analysis difficult and impractical.  For example, determining the distribution of participants across industry segments would require inspecting each certification individually.  In addition, three months after launch, the website remains unstable and bug-ridden.  Seventeen companies are listed out of alphabetical order when searching letter-by-letter under Advanced Search.  Some companies, such as etleap, are not found at all when searched for individually.  Session history influences the results displayed when searching.  The site disables the browser’s Back button, forcing a user to exit and re-enter the list when attempting to locate particular companies.  Is this the best that can be expected of government work?


Sunday, October 30, 2016

UK Will Follow EU DP Rules, But For How Long?

With the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018, and the UK’s exit from the EU not occurring until the following summer if the timetable announced by PM Theresa May on October 2 holds, there is a growing consensus that the GDPR will be both legally and operationally implemented in the UK at least through the time Brexit takes effect.  According to Elizabeth Denham, the former Information and Privacy Commissioner for British Columbia and new UK Information Commissioner, the UK is going to want to continue to do business with Europe, which will require its data protection law to be equivalent, leading her to state that “I don’t think Brexit should mean Brexit when it comes to standards of data protection.”  Whether PM May agrees with this outspoken position is unclear, since the outlines of her proposed Great Repeal Bill allow for continued post-Brexit adoption of EU law but with a provision for Parliament to amend or cancel any legislation so enacted.  Would Parliament want to chip away at the GDPR with the risk of cutting off the free flow of information with the EU and damaging the UK economy?  Will this provision of the Great Repeal Bill be enacted or modified?  Only time will tell.  From a regulatory point of view, what is clear is that UK companies need to be gearing up to the stricter requirements of the GDPR.

Legal Challenge to Privacy Shield Lodged in CJEU

On October 27, it was announced that an Irish privacy advocacy group had filed a legal challenge to the EU-U.S. Privacy Shield framework in the Court of Justice of the European Union (CJEU).  The action by Digital Rights Ireland calls for an annulment of the adequacy decision for the framework reached by the European Commission on July 12, 2016.  The activist group has been influential, helping overturn the Commission’s Data Retention Directive in 2014 and contributing to the lawsuit by Maximilian Schrems that led to the collapse of Safe Harbor.  It could be a year or more before the CJEU rules on the case.  Other legal challenges can be expected, with the head of one Irish privacy consulting firm stating that the latest proceeding appeared to mark "the start of open season on Privacy Shield".

Friday, October 21, 2016

Privacy Shield Certifications Top 500 by Mid-October

According to a spokesperson from the U.S. Department of Commerce, the Privacy Shield self-certifications of 500 companies had been approved by the department by mid-October, while those of an additional 1,000+ companies were under review.  The DOC announcement came during the Privacy Commissioners’ 38th International Conference in Marrakesh, Morocco on October 20, 2016.  The take-up rate of certifications since Privacy Shield opened for business on August 1, 2016 has been substantial and appears to be accelerating:  approximately 100 during the first month, another 200 in the second month, and an additional 200 during the first two weeks of the current month.

Friday, October 14, 2016

Facebook Enters Enterprise Social Networking Market

On October 10, after 20 months in closed beta testing, Facebook launched an enterprise-focused communication and social networking service under the name Workplace, intended to compete with the likes of Slack, Yammer, Chatter, Hipchat and Jive.   The ad-free app, available for both desktop and mobile devices, includes an interface and features already familiar to Facebook users, such as News Feed, Groups, Chat direct messaging, Live video, Reactions, translation features, and video and audio calling.  Early adopters include the Royal Bank of Scotland, Danone, Starbucks, Telenor and Booking.com.  According to the company, integrations with other services such as Workday will follow, after the current emphasis upon usability and engagement builds a viable user base.  Mark Zuckerberg is quoted as saying "It's an app, but I think about it more as a way of running a company."   Whether companies will want to place their futures in the hands of Facebook, given its long record of questionable data privacy and protection practices, remains to be seen.    

Monday, October 10, 2016

Yahoo Email Scanning Could Torpedo Privacy Shield

According to a Reuters report on October 4, Yahoo, in response to a government demand, secretly built a custom software program last year to search all of its customers’ incoming emails in real time for a specific but undisclosed set of characters.  If true, this would represent massive surveillance of a type going beyond that exposed by Edward Snowden, whose 2013 revelations only described access to stored communications by national security agencies or particular targeted individuals.  Other tech giants, including Google, Facebook, Apple, Twitter and Microsoft, quickly denied engaging in such behavior and stated that they would go to court rather than comply.  Since e-mails of all Yahoo’s European customers would be included in the Yahoo scanning, the new revelations, if true, would undermine claims made by the U.S. government in launching the Privacy Shield framework that it did not engage in mass surveillance.  The following day, on October 5, Reuters reported that European politicians and consumer organizations had called upon the European Commission and data protection authorities to look into the issue, while lawyers said that a legal challenge to Privacy Shield was now more likely.  Even the business-friendly DPA of Ireland called the matter one of “considerable concern” that was prompting it to make inquiries. 

Update:  On October 27, the Article 29 Working Party sent a letter to Yahoo calling for an explanation of "the legal basis and justification" for the reported email scanning and "how this is compatible with EU law and protection for EU citizens".  The letter also called for information and remedial actions in connection with Yahoo's September 22 announcement of a breach of the personal data in at least 500 million user accounts.

Friday, September 30, 2016

Privacy Shield Triples in Size, Guidance Emerges

Participation in the EU-U.S. Privacy Shield framework tripled during its second month, with 304 companies included on the Privacy Shield List as of close of business at the end of September, not counting subsidiary or affiliated companies of the primary participants.  Of the 304 companies, only 77, or 25%, joined to cover transfers of HR data, compared to the 50% or more that did so through Safe Harbor, and only a handful joined solely for HR data.  Large or well-known companies on the List are few and far between:  Dun & Bradstreet, Dropbox, Facebook, Google, Microsoft, Northrop Grumman, Oracle and Salesforce, with only Google, Microsoft, Northrop Grumman and Oracle joining for HR data.  In summary, after two months of receiving certifications, Privacy Shield has emerged as a transfer mechanism overwhelmingly used by smaller niche companies to legalize the import of non-HR data from Europe.

Guidance relating to Privacy Shield emerged in the EU during September, with the European Commission issuing a 24-page Guide to the EU-U.S. Privacy Shield geared towards educating individuals about their rights under the framework and how to exercise them, and the Data Protection Authority of the German state of North Rhine-Westphalia issuing the first DPA-crafted FAQs on Privacy Shield and how it will be strictly enforced and supplemented.  Finally, as a small demonstration of some of the complexity inherent in interpretation of data transfer requirements, as well as proof that not all the facts asserted in posts to The National Law Review should be taken at face value, we have the following September 22 statement:  “Data regulators have (for now) rejected the EU-U.S. Privacy Shield agreement…”