News Archives

Thursday, July 5, 2018

European Parliament Calls for Suspension of Privacy Shield

On July 4, the European Parliament voted in favor of a resolution advanced by its LIBE Committee urging the European Commission to suspend the EU-U.S. Privacy Shield framework if the U.S. government does not fully comply with its obligations under the agreement by September 1, 2018.  The vote on the resolution was 303 to 223, with 29 abstentions, a result only marginally different than the vote on a similar resolution in April 2017, which was 306 to 240, with 40 abstentions.  Amongst the concerns driving passage of the resolution was enactment of the Clarifying Lawful Overseas Use of Data Act (or CLOUD Act; failure to appoint a permanent Ombudsperson; failure to re-establish the Privacy and Civil Liberties Oversight Board (PCLOB); and the fact that both Facebook and Cambridge Analytica were Privacy Shield participants when the scandal surrounding their data massive data breach and misuse came to light.  

Responding to the vote, the European Commission stated that it intends to continue to work with the U.S. to improve the implementation of Privacy Shield, noting that some 4,000 companies are currently using it.  The second joint annual review of Privacy Shield is scheduled for this October.  If history is any guide, progress will be reported by both the EU and the U.S., the Commission will endorse the outcome, the European Data Protection Board will express its lack of satisfaction, and Privacy Shield will muddle along, until struck down, like Safe Harbor, by the CJEU.  Deja-vu all over again.

Saturday, June 30, 2018

Council of Europe Updates Convention 108

On May 18, following a process lasting seven years, the Council of Europe formally updated its Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) via an amending Protocol, and issued an explanatory report on the new provisions.  The changes were prompted by new information and communication technologies, as well as by the need to strengthen the implementation components of the Convention.  According to the Council, the modernized convention “provides a robust and flexible multilateral legal framework to facilitate the flow of data across borders while providing effective safeguards when personal data are being used. It constitutes a bridge between different regions of the world and different normative frameworks.”  Fifty-three countries have adopted the legally binding international treaty, which is open to any country in the world as a unique global standard.  On June 29, Mexico became the 53rd country to accede to Convention 108.  Other non-European parties to the Convention include Uruguay, Senegal, Mauritius, Tunisia and Cabo Verde.

Wednesday, June 27, 2018

Complaints Under the GDPR Begin to Mount

Within hours of the General Data Protection Regulation coming into effect, Max Schrems and his non-profit advocacy group, None of Your Business, filed four complaints - one against Facebook, another two against its subsidiaries Instagram and WhatsApp, and a fourth against Google – all claiming that the tech companies coerced their users into accepting their terms and conditions.  The complaints were filed with DPAs in Austria, Belgium, France and Hamburg and could lead to fines of €7.6 billion.  Later in the month, the French advocacy group La Quadrature du Net filed similar charges with the French DPA against Facebook, Google, Apple, Amazon and LinkedIn.  Notably, this is the first time that non-profit organizations are asserting claims to represent data subjects under Article 80 of the GDPR, and also the first time that complaints have being filed in the data subjects’ member states rather than in a company’s European headquarters.

Other reports about complaints came from regulators and the International Association of Privacy Professionals.  Accordingly to a June 18 statement by Andrea Jelinek, Chair of the European Data Protection Board, she and her colleague DPAs are investigating 24 cross-border complaints involving forced consent. An IAPP survey of regulators found that as of June 25, some 2,944 complaints had been received by 15 DPAs since the GDPR came into effect.  However, a break-out of how many of these complaints related to new requirements under the GDPR was not available. 

Vietnam Adopts Restrictive Cybersecurity Law

On June 12, the Vietnamese Ministry of Information and Communications announced that the National Assembly had approved, by an overwhelming majority, a cybersecurity law designed to protect national security.  Amongst its provisions are requirements for companies providing telecom and internet services to users in Vietnam for data localization, the establishment of local headquarters and making information about users judged to be engaged in anti-state activities available to authorities.  Vietnam has one of Asia’s fastest growing digital economies, but companies such as Google and Facebook may need to cease operations there, since compliance would be incompatible with their global privacy policies. How the new requirements apply to other multi-national companies remains to be determined.  The new law comes into effect on January 1, 2019.

Thursday, June 14, 2018

LIBE Calls for Suspension of Privacy Shield

On June 11, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted, by 29 to 25, to ask the European Commission to suspend the EU-U.S. Privacy Shield framework unless the U.S. government meets its obligations under the framework by September 1.  A similar resolution was approved by the identical margin by the LIBE in March 2017.  Of particular concern to the LIBE was the non-functioning of the U.S. Privacy Civil Liberties Oversight Board (PCLOB), the failure to appoint a permanent Ombudsperson, and the recent adoption of the Clarifying Lawful Overseas Use of Data Act or CLOUD Act.  According to LIBE Chair Claude Moraes, “the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR."  The non-binding resolution will be taken up by the full Parliament in July; even if passed, as is likely, any decision about Privacy Shield will remain with the European Commission.

Thursday, May 31, 2018

Monitoring Brainwaves of Employees Growing in China

According to a report in the South China Morning Post, use of brain-reading technology to detect changes in the emotional states of employees is increasingly common in Chinese factories, public transport, state-owned companies and the military.  Wireless sensors concealed in safety helmets or uniform hats stream brainwave data to computers that use AI algorithms to detect emotional spikes, such as depression, anxiety, rage of fatigue.  Use of the technology in safety-sensitive positions, such as high-speed train operators or airline pilots, or amongst workers on a high-tech assembly line, where a single over-stressed employee could bring down an entire production line, has evident value.  The same can be said of using it to monitor employee responses in virtual reality training sessions.

However, where to draw the line between appropriate and inappropriate usage of the technology is a challenge.  Should it be used to increase the speed of a production line to the maximum its workers can tolerate?  To sideline, demote or discipline employees?  To assess the response of employees to company pronouncements?  There is clearly a slippery slope from reasonable usage to that which is not, conjuring up Orwell’s thought police.  Are workers surrendering their autonomy when their brainwaves are being read?  Do they have any protections against abuse of the technology?  Furthermore, according to a note in the MIT Technology Review, what can be reliably detected about human emotions from over-the-skin EEG sensors is still fairly unclear. 

Tuesday, May 29, 2018

General Data Protection Regulation Arrives, Ready or Not

On May 25, after advance notice that gave companies two years to bring their practices and policies into compliance, the EU’s General Data Protection Regulation came into effect.  From all reports, the majority of US firms still have a lot of work to carry out to achieve compliance.  At the same time, EU member states were equally lax, with only 11 meeting the deadline for enacting legislation reconciling their Directive-era data protection laws with the Regulation.  Only Germany, Austria, Slovakia, Denmark, Sweden, UK, the Netherlands, Poland, Belgium, Ireland and Croatia met the deadline; France did adopt a new DP law but it was immediately placed under constitutional review.  The 16 member states failing to implement the Regulation are technically subject to infringement proceedings by the European Commission, although such proceedings are unlikely given the fact that the Regulation itself came into immediate effect in each member state.  Rounding out the unreadiness of US firms and member state legislators was the lack of preparedness of regulators.  Seventeen of 24 DPAs responding to a Reuters survey in early May said they lacked the necessary funding, or would initially lack the powers, to fulfill their GDPR responsibilities.   GDPR compliance and enforcement are clearly works-in-progress.