News Archives

Friday, October 21, 2016

Privacy Shield Certifications Top 500 by Mid-October

According to a spokesperson from the U.S. Department of Commerce, the department had approved the Privacy Shield self-certifications of 500 companies by mid-October, with those of an additional 1,000-plus companies still under review. The DOC announcement came during the 38th International Conference of Data Protection and Privacy Commissioners in Marrakesh, Morocco on October 20, 2016. The take-up rate of certifications since Privacy Shield opened for business on August 1, 2016 has been substantial and appears to be accelerating: approximately 100 during the first month, another 200 in the second month, and an additional 200 during the first two weeks of the current month.

Friday, September 30, 2016

Privacy Shield Triples in Size, Guidance Emerges

Participation in the EU-U.S. Privacy Shield framework tripled during its second month, with 304 companies included on the Privacy Shield List as of close of business at the end of September, not counting subsidiary or affiliated companies of the primary participants. Of the 304 companies, only 77, or 25%, joined to cover transfers of HR data, compared to the 50% or more that did so under Safe Harbor, and only a handful joined solely for HR data. Large or well-known companies on the List are few and far between: Dun & Bradstreet, Dropbox, Facebook, Google, Microsoft, Northrop Grumman, Oracle and Salesforce, with only Google, Microsoft, Northrop Grumman and Oracle joining for HR data. In summary, after two months of receiving certifications, Privacy Shield has emerged as a transfer mechanism used overwhelmingly by smaller niche companies to legalize the import of non-HR data from Europe.

Guidance relating to Privacy Shield emerged in the EU during September, with the European Commission issuing a 24-page Guide to the EU-U.S. Privacy Shield geared towards educating individuals about their rights under the framework and how to exercise them, and the Data Protection Authority of the German state of North Rhine-Westphalia issuing the first DPA-crafted FAQs on Privacy Shield, on how it will be strictly enforced, and on how it will be supplemented. Finally, as a small demonstration of the complexity inherent in interpreting data transfer requirements, as well as proof that not all the facts asserted in posts to The National Law Review should be taken at face value, we have the following September 22 statement: “Data regulators have (for now) rejected the EU-U.S. Privacy Shield agreement…”

Enforcement of DP Law Begins in Ghana; Implementation Moves Forward in the Philippines and Turkey

Ghana’s Data Protection Commission (DPC) has begun taking enforcement actions against data controllers who fail to register as such, as required by the Data Protection Act 2012. The DPC began the registration process in April 2015, and some 500 controllers have registered their data processing activities since that time. Failure to register, which is the first step in demonstrating compliance with the law, is a criminal offense that can result in both a fine and imprisonment for up to two years. The chair of the DPC, Teki Akuetteh Falconer, attributed the slow take-up to “a general environment of apathy towards laws in our society and a lack of awareness on the value data protection can bring.” Elsewhere, two countries in which the movement towards effective data protection law has been long and drawn-out also took steps forward: on September 9 the National Privacy Commission of the Philippines finalized and issued implementing rules and regulations for the country’s Data Privacy Act of 2012, and Turkey will establish its Data Protection Authority on October 7, at which time the most significant provisions of its data protection law will come into effect.

Tuesday, September 27, 2016

Model Contracts Clearly the Primary Mechanism for Importing EU Data

According to a survey of 600 privacy professionals carried out by the International Association of Privacy Professionals this summer, 81% of U.S. companies rely upon standard contractual clauses as the legal underpinning for data transfers from the EU to the U.S., as do 89% of EU companies. Looking forward, only 34% of companies intend to use the EU-U.S. Privacy Shield framework, down from the 50% who used Safe Harbor in the past. Uncertainty over the long-term viability of Privacy Shield, as well as the length of the gap between the invalidation of Safe Harbor and the launch of Privacy Shield, are significant factors in the lessened interest. As of the third week in September, some 200 companies were said to have become participants in Privacy Shield, up from the 107 in the first month, while self-certifications of hundreds more were reported to be in the DOC review pipeline. Surveys about legal mechanisms for data transfers, such as IAPP’s, fail to acknowledge and account for the fact that many companies use multiple mechanisms, often for different data sets but sometimes for the same data. Nevertheless, market acceptance of Privacy Shield is likely to be significantly less than it was for Safe Harbor.

People Analytics Impacts Employees, Requires Attention to Privacy

New forms of technology-driven data collection and assessment are having a significant impact upon employees, as evidenced by four separate reports in September on the use of people analytics in the workplace. In the first, an article in the Harvard Business Review describes how the tracking of customers in retail settings is having a largely unintended but significant spill-over effect upon employees, affecting their day-to-day experiences, their job security and their financial well-being. The second features an employer-services start-up called Joberate, which gathers and consolidates publicly available information from social media accounts to develop what it calls a “J-Score” that estimates the level of job-seeking activity of employees. The third describes a new generation of ID badges from a firm called Humanyze that contain microphones and motion sensors and that trigger beacons throughout an office, enabling tracking and monitoring of the physical, interpersonal and emotional characteristics of employees. The fourth reports on a Helsinki company, Futurice, that integrates Wi-Fi beacon triangulation, motion sensors, air-quality sensors and cameras into an Android app that displays the location of staff, the availability of unused work spaces, the occupancy of toilets and other facets of the office of the future. A positive aspect of all four reports is what seems to be a growing awareness in disparate quarters that innovations such as these can only succeed if the privacy concerns of employees are met, for example by providing only aggregate data to employers and by allowing employees to choose whether to participate in monitoring.

Wednesday, August 31, 2016

107 Companies on Privacy Shield List in First Month

A review of the Department of Commerce’s Privacy Shield List, conducted after close of business on Wednesday, August 31, 2016, shows that 107 companies have had their self-certification information posted by the DOC. The List reports the existence of an additional 62 covered entities, presumably affiliates of the 107 companies (although this number is suspect, given that for two companies on the “W” page, Whiteboard Ventures and Workday, the listed covered entity is the company itself). In any event, Privacy Shield has a long way to go before it can claim a buy-in comparable to that of Safe Harbor, which had at least 3,500 companies listed as participants.

Surprisingly, only 24 of the 107 companies (22%) have certified for HR data, whereas HR certifications for Safe Harbor were above 50%. Only three of the 107 companies certified solely for HR data (Employment Screening Resources, Perceptx and RECSOLU), although all three may have erred in claiming that they process HR data when it appears that they only process data on behalf of clients who have employees in the EU.

Only a few companies are well known, including Microsoft, Salesforce and Workday. The other 104 companies appear to be smaller niche firms, although sometimes unknown companies prove to be quite substantial. Media reports suggest that there are hundreds of self-certifications in the pipeline, a number likely to grow as the October 1 deadline approaches for securing the nine-month grace period with respect to contracts with third-party agents.

As a website, the Privacy Shield List is best described in technical terms: slick, but lame. The Previous and Next buttons yield strange results, if any. Under Advanced Search one has to click through each individual letter of the alphabet to view all the participants, since the “All” choice is not working. The four filters impose the same frustrating limit of showing results one letter of the alphabet at a time. Three of the filters (Participation Status, Covered Data and Framework) are worthless. For all of the supposedly careful review of submissions, parenthetical remarks (such as “we revised the policy on August 3, but didn’t post it until the 15th” and “Thank you”) are included in policy descriptions. Companies appear under the wrong letter of the alphabet (Etleap with the D’s; Visible Health in the E’s; Employment Screening Resources in the I’s). There are doubtless other problems as yet undetected.

Monday, August 22, 2016

Survey Finds Insiders at Fault for Most Data Breaches

A new Ponemon Institute survey of 3,000 employees in the US, UK, France and Germany found that in most breaches of corporately held data, negligent staff, rather than external hackers acting independently, are the party creating the vulnerability. Compromised employee accounts are the typical vector for these breaches, exacerbated by employees and third parties having more access to sensitive data than they need. According to the study, while 76% of respondents said that their organization had experienced a breach over the past two years, only 29% of IT respondents said their organizations enforce a least-privilege model designed to keep information on a need-to-know basis. A separate Ponemon study in June showed that the average cost of a data breach is now approximately $4 million, up 29% since 2013. A third Ponemon study, the 2016 Global Visual Hacking Experiment, underscores the role of poorly trained employees in enabling walk-around (visual) hacking in the workplace.

These findings are consistent with those reported by the Association of Corporate Counsel in December 2015 (“Survey Finds Employees the Leading Cause of Data Breaches”) and by CompTIA and the SANS Institute in April 2015 (“Single Biggest IT Security Threat Remains Employees”). Whether insiders are more responsible for breaches than external hackers is hardly the point; the answer has varied over the past decade (see, for example, the June 2009 Verizon study, “Growing Role of Organized Crime in Data Breaches”). No matter what percentage of breaches are caused by employees and other insiders, these are known and well-established vulnerabilities that are amenable to remediation. Accountability for not addressing them seems, sadly, to be in short supply.