News Archives

Monday, April 6, 2015

UN Again Elevates Privacy as a Human Rights Issue

On March 28, the United Nations Human Rights Council voted to establish a special rapporteur on the right to privacy. Special rapporteurs are expert individuals appointed with specific mandates to investigate, monitor, and report on particular human rights concerns that can range from access to water to extrajudicial killings.  Rapporteurs serve three-year terms and report annually to the Council and to the General Assembly.  Brazil, Germany, Austria, Switzerland, Norway, Liechtenstein and Mexico sponsored the resolution to establish the special rapporteur, which was adopted unanimously by the 47 members of the Council

U.S. support for the resolution was certainly ironic, given that it was mass surveillance by the NSA that elevated the profile of privacy within the United Nations.  Following the outrage that erupted over Snowden's revelations, the 193 members of the General Assembly unanimously approved, in November 2013, a Brazilian-German declaration entitled The Right to Privacy in the Digital Age.  This latest resolution, which re-affirmed the right to privacy articulated in Article 12 of the seminal 1948 Universal Declaration of Human Rights, added the principle that "the same rights that people have offline must also be protected online, including the right to privacy" and calls upon states to reign in their security operations.  It will be interesting to see how the U.S., a country that still does not regard or protect privacy as a basic human right and shows little appetite for reigning in its surveillance apparatus, fares in the first report of the new special rapporteur, which is expected in September. 

Sunday, April 5, 2015

Russian Ombudsman Challenges Data Localization Law

As the clock ticks down towards the September 1 implementation of Russia's data localization law, the country's Internet Ombudsman, Dmitry Marinichev, sent a letter to President Putin proposing that foreign online companies be allowed to store Russians' personal data in a third country if consent from the user is obtained.  Marinichev suggested allowing these companies to store the data in one of the 46 countries that, like Russia, have signed the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 107).   While the Russian DPA, Roskomnadzor, has yet to issue formal guidance on the new law, it has been meeting with various industry groups to explain its approach.  Key take-aways from these meetings include the assertions that the new law will apply to all data operators, including foreign businesses, collecting personal data directly from Russian citizens; that the primary databases involved must be located in Russia; that cross-border transfers may continue to occur if compliant with previous requirements (such as obtaining the consent of data subjects); that any structured set of personal data is subject to the law irrespective of the format and means of processing (including data found in spreadsheets and card files).

CNIL Eases Trans-Border Notification Requirements

The French data protection authority, the CNIL, streamlined international data transfers for companies with Binding Corporate Rules (BCRs), replacing the practice of requiring notification of each type of data transfer with a new procedure under which only one authorization will be needed by the group, with affiliates then submitting a simplified registration indicating that their data transfers outside the EU fall under that authorization.  As a sign of their support for BCRs, the CNIL will be directly contacting each of the 60 or so multi-nationals with BCRs to explain the new procedure.  Separately, the CNIL issued guidelines on March 4 for companies regarding Bring Your Own Device (BYOD) policies, appropriate safeguards for protecting the privacy of employees and notification of BYOD activities.

Major Data Protection Rulings in the UK and France

Court rulings in March in two EU member states affirmed the jurisdiction of European courts over foreign companies accused of violating national data protection laws.  In the UK, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors, in a case brought by three users of Apple’s Safari web browser who claimed that Google ignored their privacy settings to profile them and deliver personalized ads.  The EWCA, besides finding found foreign companies to be subject to UK data protection law, recognized a new tort of misuse of private information and found that the UK Data Protection Act 1998 failed to correctly implement several sections of the EU Data Protection Directive (95/46/EC) into UK law.  In France, the Paris Court of First Instance found that jurisdictional provisions in Facebook's Terms & Conditions notwithstanding, French courts have jurisdiction against foreign companies that collect, process and transfer personal information in France. Both cases underscore how defenses based upon jurisdiction clauses are unraveling.

ECJ Hears Arguments in Challenge to Safe Harbor

On March 24, the European Court of Justice heard arguments in the case brought by Austrian privacy activist Max Schrems challenging the position of Ireland's DPA that it was bound by the European Commission’s adequacy decision in 2000 with respect to the EU-US Safe Harbor framework, and therefore could not consider his claim that NSA surveillance made Safe Harbor invalid.  The impact of the case could be wide-ranging, with some 4,000 US-based organizations currently relying upon Safe Harbor as their legal basis for importing personal data from the EU. Notably, the Commission admitted during the hearing that it cannot guarantee EU citizens’ fundamental right to privacy when their data is transferred to the US under Safe Harbor.  Arguments supporting Schrems were advanced by Austria, Belgium, Poland, Slovenia, the European Parliament, the European Data Protection Supervisor and Digital Rights Ireland. Former French public prosecutor Yves Bot will render the Advocate-General opinion for the case, likely by June 24, with the final opinion of the full 15-member bench of the ECJ to follow.