News Archives

Friday, March 31, 2017

House Committee Passes Controversial Wellness Bill

A controversial bill that would give employers greater leeway in obtaining genetic and other sensitive health information from employees and increase the financial incentives for employees to participate in workplace wellness programs was passed by the House Committee on Education and the Workforce along party lines on March 8, 2016.  Critics of the Preserving Employee Wellness Programs Act contend that it will gut key protections in the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), coerce employees into giving up genetic and health information, and weaken the role of the EEOC in overseeing wellness programs.  Opposition to the bill has been expressed by a wide range of consumer, health and privacy advocacy groups, including the AARP, the American Diabetes Association, the American Academy of Pediatrics, the Epilepsy Foundation, the March of Dimes, the National Association for Rare Disorders, the American Society for Human Genetics and the ACLU.  HHS Secretary Tom Price reportedly is among those expressing concern about the bill, which still needs to be taken up by the House Ways and Means Committee before it could advance to the full House and the Senate.

Human Factors Play Major Role in Data Breaches

According to Verizon’s recent 2017 Data Breach Digest, a 99-page report by the company’s data breach investigation team, breaches are becoming more complex and now touch every part of an organization. The Digest describes 16 common breach scenarios, divided into four clustered groupings:  (1) the human element; (2) device misuse or tampering; (3) configuration exploitation; and (4) malicious software.  Verizon data indicates that the human element was the major vulnerability relied upon in one-third of confirmed data breaches, ranking behind hacking and malware, while also being a factor in up to one-half of all breaches. Tactics and techniques used to exploit the human element include phishing (92%), pretexting (42%) and bribery/solicitation (3%).  Email is overwhelmingly the primary means of communicating with targets, highlighting the importance of employee education and training across the organization, as well as the need for multi-factor authentication.

Friday, March 24, 2017

Privacy Shield Update: EU Parliament Restive, No Complaints

On March 23, the EU Parliament’s civil liberties, justice and home affairs committee (LIBE) passed a resolution declaring Privacy Shield to be inadequate and calling upon the European Commission to examine the following deficiencies when it carries out its first annual review this summer:
  • Continued U.S. bulk surveillance of Europeans, in violation of the Schrems ruling by the CJEU
  • The viability of redress mechanisms, which are all U.S.-based
  • The lack of independent oversight by the U.S. ombudsman
  • Data retention provisions
The resolution includes explicit references to Yahoo’s October 2017 admission that it created software at the request of the NSA to scan users’ email and the decision of the Obama administration to share raw SIGINT data with 16 other agencies without court order.

The vote by the LIBE committee passed by a narrow margin of 29 to 25.  The resolution is expected to be taken up by the full EU Parliament during the first week of April.

Earlier, the U.S. Dept. of Commerce administrator for the Privacy Shield framework, Caitlin Fennessy, stated at a recent IAPP seminar in London that over 1800 companies had certified compliance with the Privacy Shield framework, with another 300 companies in the pipeline. Confirming an earlier analysis by HR Privacy Solutions, Fennessy reported that participants are largely small-to-medium-sized enterprises, with some 70% having fewer than 500 employees.  In addition, participants are heavily slanted towards the technology and consulting sectors.  Perhaps most significantly, no complaints about Privacy Shield from data subjects have reached the FTC, the Commerce Department or the special arbitration mechanism set up as a last-resort option.

Thursday, March 2, 2017

Advocacy Groups Call on EU to Re-evaluate Privacy Shield

On February 28, two prominent advocacy groups, the American Civil Liberties Union (ACLU) and Human Rights Watch, called upon European officials to re-examine assurances about privacy protection they received from the U.S. government, assurances that form the foundation of both the Privacy Shield agreement and the U.S.-EU umbrella agreement concerning exchanges of information for law enforcement purposes.  The letter, sent to key officials in the European Commission, the EU Parliament and the Article 29 Working Party, argued that the assurances had been undermined by President Trump’s executive order on enhancing public safety and by the deterioration and lapse of the Privacy and Civil Liberties Oversight Board (PCLOB).  Although former and current FTC Commissioners have contended that the executive order does not impact recently-extended Privacy Act protections for Europeans, the advocacy groups offer a detailed analysis of three ways in which these protections have been significantly reduced by the order.  They also contended that oversight by a fully-functioning PCLOB was clearly an important factor in the European Commission’s adequacy decision with respect to Privacy Shield.

Two days later, in an interview with Bloomberg, EU Justice Commissioner Vera Jourova said she "will not hesitate" to suspend the Privacy Shield framework if the Trump administration makes significant changes in the understandings that underpin the agreement.  Jourova will be meeting with U.S. officials in Washington later this month, seeking reconfirmation and reassurances about these understandings.  According to Johannes Caspar, the Hamburg DPA, “the disruptive political style of the new U.S. administration fills anyone working in the field of privacy with concern,” adding that “You don’t need to gaze into a crystal ball to see that the air surrounding the Privacy Shield is becoming thinner.”

Tuesday, February 28, 2017

National DP Laws Now in 120 Countries

Since 1973, when Sweden became the first country to enact comprehensive data protection legislation at a national level, an accelerating number of countries have followed suit. According to the latest compilation and analysis by Prof. Graham Greenleaf, published by Privacy Laws & Business, some 120 countries now have omnibus laws at the national level. In addition, another 31 countries have formulated and are considering such laws.  The only major countries at this point without comprehensive national data protection legislation, either enacted or drafted, are India, China and the U.S., with China taking incremental steps towards adoption of internationally-accepted privacy standards. The growing isolation of the U.S. with respect to its approach to privacy protection can also be seen in the fact that the U.S. is the only member of the OECD, which currently has 35 members, to lack comprehensive data protection legislation.   How the U.S.’s targeted, fix-it-later-maybe approach to privacy protection will play out in President Trump’s new world of America First and trade protectionism remains to be seen. To the extent that transfers of personal data become a trade issue, the leverage resides with the 120 countries hewing to a common standard.

Sunday, February 26, 2017

Implementation of POPI Proceeds in South Africa

Progress in the implementation of South Africa’s Protection of Personal Information Act, passed in 2013, continues, albeit at a slow pace.  The supervisory authority, known as the Information Regulator, has finally been established and funded, and recently launched its dedicated website.  On February 13, during a briefing in Cape Town, the Regulator announced that work on implementing regulations for POPI (or POPIA, as it calls the Act) was underway, with a goal of introducing them to the Parliament in six months or so and then setting a POPI commencement date that would occur before the end of 2017. Recognizing that this may be an ambitious schedule, the Regulator indicated that the commencement date might be sometime in 2018.  Given the one-year grace period that follows the commencement date, POPI is unlikely to come into effect until 2019 or even 2020.

Tempting as it may be to conclude that development of data protection and other laws moves more slowly in Africa than elsewhere, it is worth remembering that the first consultation on the reform of the EU Data Protection Directive was held in 2009.  The outcome of the reform process, the General Data Protection Regulation, will come into effect in May 2018, some nine years later. And how long has an update to the Electronic Communications Privacy Act (ECPA) been pending in the U.S.?  Time may indeed move more slowly in Africa, but you wouldn’t necessarily know this from the history of POPI.

Japan Tightening Data Protection Law in May

Last year, as Japan’s 2003 Act on the Protection of Personal Information fell increasingly behind advancing technology and international privacy standards, the Diet passed a number of significant amendments to the Act to bring it up to date.  While many details of how the amendments will be translated into practice remain to be fleshed out by the newly-established Privacy Protection Commission, their relevance for international businesses is quite clear.  Most prominently, while any extra-territorial applicability of the Act had been conspicuously missing, this will no longer be the case, with the Act now explicitly applying to any business that processes the data of Japanese citizens.  Secondly, the current exemption from coverage by the Act for businesses that process the data of fewer than 5,000 individuals will disappear.  Thirdly, the definition of personal data will be expanded to bring it into line with European standards, including the introduction of the concept of “sensitive” information requiring a higher level of protection. Fourthly, data transfers will require the express consent of the individual unless a business relies upon one of the “opt-out” exemptions specified in the amendments and notifies the Privacy Protection Commission accordingly.  Finally, the “opt-out” exemptions will not be available unless the data transfer is made to a country having an adequate and similar level of protection; transfers to any other country will require both express consent and special contractual safeguards.  The new amendments come into effect on May 30, 2017.