News Archives

Friday, August 31, 2018

What’s Happening with GDPR Enforcement?

Three months have passed since the EU’s General Data Protection Regulation came into effect, without any reports of significant enforcement actions or fines.  Yes, Google was hit with a whopping $5.1 billion fine on July 18, which would come close to wiping out their profits for the most recent quarter.  However, while the fine was testament to the willingness of EU regulators to maximize the leverage at their command, the violations involved were of antitrust rather than data protection law. 

It is worth noting that the Google fine came two years after charges were filed against the company, and even longer after an investigation into its practices was initiated.  Enforcement by EU data protection authorities often follows similar time frames – drawn out by US standards – in which attempts at education about compliance are followed if necessary by official warnings, the filing of charges if the warnings are not effective, a further period of time to allow a response to the warnings, and only then the issuance of an enforcement order and penalty.  David Meyer describes this more tolerant and collegial approach to enforcement in an IAPP Privacy Advisor article on why GDPR fines could be months away.

Of course, not all GDPR enforcement actions take years to progress.  When confronted with egregious data processing, more fully-empowered DPAs now have the power to order the suspension of such processing.  And even where some airing of complaints is appropriate, it is worth considering what’s in the pipeline.  According to a poll of DPAs conducted by IAPP, several thousand complaints about violations of the GDPR were received within the first month.  According to European Data Protection Board Chair Andrea Jelinek, as of July 19 there were around 100 cross-border cases under investigation in the Internal Market Information System (IMI).  According to Giovanni Buttarelli, the EU’s data protection supervisor, as of August 14, an additional 30 alleged violations of the GDPR were being actively investigated by the EU’s independent DPAs.

Furthermore, not all GDPR enforcement is initiated by DPAs.  Max Schrems filed the first legal cases against Google and Facebook under the GDPR just hours after the Regulation came into effect.  The possibility of collective action lawsuits for privacy violations was introduced by the GDPR and one is said to be brewing against Facebook in the UK. 

GDPR enforcement may be slow, but experts have never expected otherwise.  What is clear is that the enforcement is coming.  Companies that still adopt a “show me the money” approach to gauging and responding to risks – and what US privacy consultant hasn’t encountered these – will be ill-prepared for what is to come.

Wednesday, August 29, 2018

Obstacles in Second Annual Review of Privacy Shield

On July 4th, the EU Parliament called for the suspension of the EU-US Privacy Shield framework if a number of deficiencies in US compliance with its commitments were not remedied by September 1st.  As the second annual EU-US review of the framework, slated for October, draws closer, it is worth considering the obstacles the two parties will need to contend with.

Here are a half-dozen major concerns the Europeans have: 

1. The failure of the US to have a functional Privacy and Civil Liberties Oversight Board (PCLOB) in place.  While President Trump finally nominated two individuals to the Board on August 7, the US Senate has failed to move forward with the nominations. Earlier in the summer a coalition of major tech companies urged governmental action on the issue.  In late August, a coalition of 31 privacy groups pressed the Senate to act without delay, while Cameron Kerry, former General Counsel and Acting Director of the Department of Commerce, wrote in Lawfare that “The status of the PCLOB is the biggest issue in the annual review underway of the Privacy Shield framework”, adding that “The European Commission counted heavily on independent PCLOB oversight of intelligence surveillance in initially approving the Privacy Shield and, in its first review last year, called for ‘swift appointment of the missing members’ before the next review.” 

2. The refusal of the Trump administration to make public even unclassified portions of a 2014 PCLOB report on NSA surveillance completed for President Obama in December 2016, which prompted an ACLU FOIA request on July 12 that notes the importance of the report’s release to the EU for the Privacy Shield review.

3. Adding fuel to this fire was the May 4 report in the New York Times that the NSA had tripled its collection of data from US phone companies and the August 13 report of the Inspector General of the NSA, which detailed numerous privacy concerns with the agency’s open source intelligence collection process.

4. The failure of the Trump administration to appoint the permanent and independent Ombudsperson called for under the Privacy Shield framework.

5. Revelations concerning massive abuses of personal information by Facebook and Cambridge Analytica, even though both were participants in the Privacy Shield framework.

6. Concerns about the newly-enacted CLOUD Act creating potential conflicts with EU data protection laws.

As far as is known, the US has no complaints with Europe about the operation of Privacy Shield; the complaints all run the other way.   How tolerant the EU will be of the US failure to live up to its Privacy Shield commitments remains to be seen.

Friday, August 17, 2018

Eight Years Later, Brazil Enacts General Data Privacy Law

On August 14, following passage by the Federal Senate a month earlier and years of false starts, President Michel Temer signed into law Brazil’s General Data Privacy Law, a comprehensive data protection bill which will come into effect in early 2020.  Aligning closely with the EU’s General Data Protection Regulation, the law lays the foundation for the pursuit of an adequacy decision from the EU.  Key provisions include requirements for data protection officers; documentation and registration of the legal basis for processing; strict requirements for consent; data breach notification; requirements for privacy by design and privacy impact assessments; restrictions on cross-border data transfers; and fines for violations of up to 2% of gross sales.  The cross-border restrictions even go beyond the requirements found in the GDPR, by applying to any processing conducted solely outside Brazil that affects or targets Brazilian citizens.  President Temer exercised his right to carry out line-item vetoes by rejecting several provisions of the bill passed by the Senate, including one calling for creation of an independent supervisory authority.  However, Temer attributed the rejection to procedural defects and pledged to send Congress a separate bill establishing a national DPA that would remedy the problem.

Tuesday, July 31, 2018

Omnibus Data Protection Bills Continue to Spread

July was a busy month for anyone tracking the spread of comprehensive data protection legislation around the globe.  Besides the momentous development of the government of India publishing a draft bill closely aligned with the EU’s General Data Protection Regulation, and Brazil being on the cusp of enacting its GDPR-inspired General Data Protection Law, progress towards omnibus data protection legislation was reported in five other countries.  In Barbados, the Ministry of Small Business, Entrepreneurship and Commerce launched a public consultation on the draft Data Protection Act 2018.  In Ecuador, the Ministry of Telecommunications and Information Society issued a position paper on the urgent need for data protection legislation, setting a goal of having a bill submitted to the National Assembly by the end of the year.  In Iran, the Minister of Communications announced that the government had prepared a draft data protection act for consideration by the Parliament and was interested in discussing data protection issues with the EU.  In Kosovo, the Government submitted a draft Personal Data Protection Law to the Assembly modeled upon the GDPR.  In Pakistan, the Ministry of Information Technology and Telecommunications released a draft Personal Data Protection Bill for public consultation.

Omnibus data protection bills in India and Brazil, and now in Iran and Pakistan.  China adopting comprehensive protections across a number of laws.  Hmm, perhaps when word emerges of a comprehensive data protection bill in North Korea, Congress will figure out that our increasingly exceptional piecemeal sectoral approach to privacy protection is not fit for purpose in the digital age.

Monday, July 30, 2018

Gov’t of India Publishes Draft Data Protection Bill

On July 27, India’s Ministry of Electronics and Information Technology (MEIT) published the country’s long-awaited draft data protection bill, prepared by the committee chaired by former Supreme Court Justice B.N. Srikrishna.  A lengthy commentary on the nature of privacy and the draft legislation, released at the same time, described the approach taken in the bill as a “template for the developing world” and a “Fourth Way” triangulating between the data protection models advanced by the US, the EU and China. At the same time, the draft appears to be closely aligned with the GDPR, being comprehensive rather than sectoral; establishing a data protection authority; requiring the appointment of data protection officers; requiring data protection impact assessments when needed; including cross-border data transfer restrictions; requiring notification of data breaches to the DPA and if warranted to individuals; including the right to data portability and the right to be forgotten; and setting fines of up to 4% of annual turnover.  A notable divergence from the GDPR is the bill’s requirements for data localization with respect to financial and health data.  Following a period of public consultation and likely adjustments as a result, the Personal Data Protection Bill will be submitted to the Parliament of India.

Friday, July 20, 2018

EU and Japan Announce Plans for Reciprocal Adequacy Findings

On July 17, the European Commission announced that the EU successfully concluded talks with Japan, begun in January 2017, with an agreement to recognise each other's data protection systems as equivalent.  The announcement was unusual in that it acknowledges that Japan has a number of significant additional safeguards to put in place before the Commission will be able to adopt an adequacy decision.  This unprecedented pre-approval reflects the EU’s close cooperation with Japan as evidenced in the same day’s announcement of the EU-Japan Economic Partnership Agreement, a pact which will create the world’s largest open trade zone covering over 600 million people.

A report that both the EU and Japan expect the Commission’s adequacy decision to be adopted in the autumn of this year seems optimistic.  A detailed analysis by Prof. Graham Greenleaf, published by Privacy Laws & Business, describes the Commission’s “many rivers to cross” on the EU side, including a favorable opinion from the European Data Protection Board and the approval of the 28 EU member states, while on the Japanese side, the nation’s DPA will need to formulate and adopt a very complex and customized set of Supplementary Rules under its Protection of Personal Information Act (PPIA).  The new requirements to be met by Japan will need to be completed before the half-dozen review processes required for an adequacy decision by the EU can proceed.

Thursday, July 5, 2018

European Parliament Calls for Suspension of Privacy Shield

On July 4, the European Parliament voted in favor of a resolution advanced by its LIBE Committee urging the European Commission to suspend the EU-U.S. Privacy Shield framework if the U.S. government does not fully comply with its obligations under the agreement by September 1, 2018.  The vote on the resolution was 303 to 223, with 29 abstentions, a result only marginally different from the vote on a similar resolution in April 2017, which was 306 to 240, with 40 abstentions.  Amongst the concerns driving passage of the resolution were enactment of the Clarifying Lawful Overseas Use of Data Act (or CLOUD Act); failure to appoint a permanent Ombudsperson; failure to re-establish the Privacy and Civil Liberties Oversight Board (PCLOB); and the fact that both Facebook and Cambridge Analytica were Privacy Shield participants when the scandal surrounding their massive data breach and misuse came to light.

Responding to the vote, the European Commission stated that it intends to continue to work with the U.S. to improve the implementation of Privacy Shield, noting that some 4,000 companies are currently using it.  The second joint annual review of Privacy Shield is scheduled for this October.  If history is any guide, progress will be reported by both the EU and the U.S., the Commission will endorse the outcome, the European Data Protection Board will express its lack of satisfaction, and Privacy Shield will muddle along, until struck down, like Safe Harbor, by the CJEU.  Deja-vu all over again.