News Archives

Wednesday, March 14, 2018

CNIL Shows Pragmatic Flexibility on GDPR Enforcement

With the EU General Data Protection Regulation coming into full force and effect on May 25, 2018, the French data protection authority has announced its plans for enforcement activity once that date arrives.  Even though the adopted text of the GDPR was released nearly three years ago, in principle giving companies ample time to come into compliance, the CNIL has recognized the reality that many companies are still struggling to understand and execute the many new measures that will be required.  Demonstrating flexibility, the CNIL says that it will distinguish between two types of obligations:  the fundamental principles of data protection found in the current Data Protection Directive, and the new obligations or rights found in the GDPR, such as the right to data portability and privacy impact assessments.

According to the CNIL, it will continue to “vigorously enforce” the fundamental principles, while focusing on helping companies understand and implement the new rights and obligations. Where companies are making “good faith” efforts to comply with the new rights and obligations, the CNIL states that sanction procedures will normally not be instituted “in the first months.”  The very concept of a “transitional period” during which the potential for significant sanctions will be held in abeyance, while vaguely defined, is both pragmatic and generous.  The February 19 guidance also waives the need for the immediate completion of a privacy impact assessment by companies whose processing was previously approved by the CNIL and addresses issues faced by companies awaiting CNIL response to their registrations. 

Tuesday, March 13, 2018

Update on Data Protection Enforcement in Russia

English-language information on data protection in Russia is hard to come by, thanks to the latest iteration of the Cold War, so an update by Hogan Lovells is worth highlighting.  The Russian DPA, Roskomnadzor, held a recent open house to publicize its 2017 enforcement activities.  If there was ever any doubt that Russian entities were paying attention to DP law, Roskomnadzor reported that over 400,000 data operators had registered with the authority through the end of 2017.  The majority of data subject complaints received by the DPA were directed against banks, housing services providers and debt collection agencies, with general website operators also a significant focus of complaints.  In a uniquely Russian approach to the latter, Roskomnadzor maintains a register of websites that violate data subjects’ rights.  In 2017, 453 websites were added to the register, with 176 blocked because of the seriousness of their violations, an increase in enforcement activity consistent with Roskomnadzor’s shift to systemic monitoring of entities as opposed to individual inspections.

Of particular note to US-based companies operating in Russia, the Roskomnadzor clarified that data operators should obtain separate written consent for each purpose of processing.  Such guidance is consistent with the GDPR’s requirements around granular consent, although compelling it to be in writing is not.  Finally, in contrast with the weaker protections provided by US law, Roskomnadzor stated that personal data posted by social media users should not be treated as publicly available data and should only be processed on the basis of a lawful ground.

Thursday, March 1, 2018

US Supreme Court Hears Arguments in Microsoft-Ireland Case

On February 27, the US Supreme Court heard oral arguments in United States v. Microsoft Corp., where the issue is court-described as “whether a United States provider of email services must comply with a probable-cause-based warrant…by making disclosure in the United States of electronic communications within that provider's control, even if the provider has decided to store that material abroad.”  Legal proceedings began in 2013 when Microsoft challenged a warrant by law enforcement issued under the 1986 Stored Communications Act to turn over email of a target account that was stored in Ireland, a position that was upheld by the US Court of Appeals for the Second Circuit in 2016.  Dozens of amicus briefs in the case were filed by tech companies, industry associations, advocacy groups, scholars, legislators on both sides of the Atlantic, EU member states, the European Commission and attorneys general in 35 US states.

According to a report by Reuters, Supreme Court justices appeared to be divided during the hearing, with some, like Roberts and Alito, expressing sympathy for the government’s position and others, like Ginsburg and Sotomayor, questioning whether the court should act given that Congress is considering bipartisan legislation to resolve the issue.  A more extended analysis in the Lawfare blog suggests that a decision is unlikely to be made along ideological lines, that current Congressional deliberation on the CLOUD Act may be very influential, and that issues relating to sovereignty of foreign nations and global responses to any definitive ruling were only partially addressed.  A ruling in the case is expected in June.

Tuesday, February 27, 2018

Spread of National DP Laws Continues

February brought news of progress by a number of nations towards adoption of comprehensive data protection laws.  

In Brazil, the National Congress is debating two separate bills, one in the Senate and one in the House.  The House Bill on the Protection of Personal Data is strongly influenced by the EU’s General Data Protection Regulation, even updating and strengthening GDPR requirements in a number of areas.  While the bill may secure passage in 2018, comprehensive bills have been debated in Brazil on and off since 2010 (see the December 2010 report in this blog) and the current political and economic turmoil in the country may lead to further delays.

In South Africa, the country’s Information Regulator is now expected to put the Protection of Personal Information (POPI) Act into effect in the second half of 2018.  POPI was signed into law by President Jacob Zuma in 2013, but its implementation was delayed while regulatory infrastructure, capability and guidance were developed.

In India, Electronics and IT Minister Ravi Shankar Prasad stated that a report from the 10-member Srikrishna Committee on data protection was expected shortly, after which a comprehensive bill would be prepared.  In a hearing challenging the Aadhaar near the end of January, the country’s Attorney General informed the Supreme Court that a draft bill would be ready by March 2018.

In Thailand, a public consultation on a revised Personal Data Protection Bill, which incorporates a number of concepts from the GDPR, concluded on February 6.  The next steps for the bill will be its advancement to the country’s Cabinet for approval, then to the National Legislative Assembly and finally to the country’s King for final approval.

Finally, definitive effective dates for previously enacted comprehensive DP laws were reported for Bermuda and the Cayman Islands.  Bermuda’s Personal Information Protection Act, passed in July 2016, will come into full force in December 2018.  Cayman’s Data Protection Law, passed in March 2017, will come into effect a month after Bermuda's, in January 2019.

Thursday, February 22, 2018

ECHR Upholds Search of Employee Work Computer

On February 22, the European Court of Human Rights upheld the termination of a French employee on the basis of discovery of pornography on his work computer.  Eric Libert, a regional director of surveillance for SNCF, was fired in 2008 after a search of his computer revealed a large number of files containing pornographic content and what was described as forged certificates for third parties.  Libert had appealed to French courts, claiming that his employer had violated his “right to respect for private and family life,” a right guaranteed in Article 8 of the European Convention on Human Rights.  However, the courts ruled that while he had marked the files as “personal,” he should have marked them as “private,” which under French law would have prevented scrutiny by his employer.  The ECHR agreed, adding that SNCF “had pursued a legitimate aim of protecting the rights of employers, who might legitimately wish to ensure that their employees were using the computer facilities which they had placed at their disposal in line with their contractual obligations and the applicable regulations.”  It is curious that so little consideration was given by the courts to Libert’s evident intent to keep access to certain files to himself, with the ruling apparently turning upon his use of the wrong file descriptor.

The ECHR has been active in recent years in cases involving workplace monitoring, threading the needle on this issue by deciding cases with close attention to the facts involved.  As reported in this blog, the ECHR backed the monitoring of chats and webmail accounts of a Romanian employee in January 2016, but just last month ruled against what turned out to be partially covert video surveillance of Spanish employees.  As noted in the earlier case, ECHR rulings, unlike those of the Court of Justice of the European Union, are only applicable in the member state in which the case originates.

Sunday, February 11, 2018

Next Frontier for the Labor Movement: Data Privacy & AI

A recent report by Sarah O’Connor in The Financial Times (“Algorithms at work signal a shift to management by numbers”) provided a well-balanced and thoughtful overview of the benefits and risks associated with the use of artificial intelligence in the workplace.  Of particular interest is her highlighting of two new sets of principles a major international union has issued focusing upon data privacy and AI in the workplace.  On December 17, 2017, the UNI Global Union issued ten principles in each domain that it contends should be incorporated into collective bargaining agreements and international labor standards.  The Swiss-based UNI Global Union represents 20 million skills and services workers in over 900 trade unions located in 150 countries.  According to UNI’s General Secretary:  “Data collection and artificial intelligence are the next frontier for the labour movement. Just as unions established wage, hour, and safety standards during the Industrial Revolution, it is urgent that we set new benchmarks for the Digital Revolution.”

The data privacy principles, drawn from the GDPR, Council of Europe Recommendation CM/Rec (2015) and the Article 29 Working Party Opinion 2/2017, address familiar data protection concepts, such as data subject access, data security, minimization, transparency, accountability, and notification.  The ethical AI principles, drawn from half a dozen sources, include transparency; equipping AI systems with an “ethical black box;” making AI serve people and planet; adopting a human-in-command approach; ensuring genderless, unbiased AI; establishing global governance mechanisms and banning the attribution of responsibility to robots.

While the rights and interests of workers on matters relating to data protection and automation have a well-established and familiar platform within Europe, namely through workers councils, the same cannot be said elsewhere.  If unions and other employee organizations outside of Europe have been active around these issues, they have kept it a closely-guarded secret, one that the UNI Global Union and its Future of Work project hope to put an end to.

Thursday, February 1, 2018

Corporate Use of Social Networking Media Continues to Grow

In a recent article, CIO Journal provided an update on corporate adoption of social media platforms as collaboration tools.  As reported in this blog, Facebook entered the enterprise social networking market in October 2016, after beta testing a product called Workplace with companies such as the Royal Bank of Scotland, Danone, Starbucks, Telenor and  According to Facebook, Workplace is now used by 30,000 organizations, within which over a million user groups have formed.  Newer adopters include Wal-Mart, Stanley Black & Decker and Virgin Atlantic.  Microsoft launched its networking and collaboration tool, Teams, in March 2017, as a free component of the enterprise and small-business versions of Office 365. According to Microsoft, Teams is now used by 125,000 organizations.  With a large and ever increasing number of competitors to both Workplace and Teams, the overall market for corporate social networking tools is forecast to be worth $3.2 billion by 2021, representing an average annual growth rate of 11%.  Obstacles remain, however, with trust, security and siloization caused by the profusion of product choices continuing to be major issues.