News Archives

Tuesday, June 30, 2015

DP Guidelines to be Developed by European Commission

Following the first round of trilogue discussions between the European Commission, European Parliament and Council of Ministers, the Commission announced that it would develop, in collaboration with DPAs, "very precise and concrete guidelines" explaining how the new data protection law should be interpreted. Justice Commissioner Vera Jourová stated that since "the Regulation cannot contain all the cases which might occur," the guidelines "will be important for fine tuning and equalization of imposing of penalties, because we are introducing quite strict penalties." She also reported that the three-way discussions are "on track" to be completed by the end of 2015.

PIPEDA Amendments Finally Enacted

If technology is the hare, legislation is the tortoise when it comes to privacy protection, and Canada is the slowest turtle in the pack. As we await the finalization of the EU's General Data Protection Regulation, first proposed in January 2012, and modernization of the Electronic Communications Privacy Act, first introduced into Congress in 2011, the Canadian Parliament has finally enacted some modest amendments to the Personal Information Protection and Electronic Documents Act, some nine years after the initiation of a legally mandated review in 2006. Bill S-4, the Digital Privacy Act, received royal assent on June 18, with some amendments to PIPEDA coming into effect immediately, including clarifications of consent and regulatory compliance agreements, an exemption for business contact information and the waiving of consent requirements in typical employment-related contexts. The most important amendment, establishing a national data breach notification regime with significant deadlines and fines, will come into force only after public consultation has been held and implementing regulations have been developed and issued.

OPM Breaches Slam Federal Workforce and National Security

Early in the month, the Office of Personnel Management reported that the personal data of 4 million current and former federal employees had been compromised by a hack which other officials attributed to China. By the number of workers impacted, the breach was the worst in U.S. history, exceeding the 3.5 million current and former employees placed at risk in 2011 by a massive breach at the Texas Comptroller's office. As the month progressed, news relating to OPM worsened dramatically, with revelations of a second hack, this time of a database of highly sensitive background investigation information gathered from up to 14 million employees, contractors and applicants who had sought national security clearances. The potential for blackmail and manipulation of those whose information was exposed is a significant blow to national security, prompting some members of Congress to label it a digital Pearl Harbor. Considering the battering OPM administrators and contractors deservedly received during Congressional hearings, it seems very likely that a new leadership team will soon be required at the agency.

If insiders and hackers can overcome the cyber defenses of the State Department, NSA and OPM to gain access to their crown jewels, how secure is any information available via the Internet? Some would argue that the private sector can protect data they control better than the government, but we may be only one news cycle away from disproving this contention. In any event, June has certainly been a sobering month for anyone concerned about safeguarding employee information.

Monday, June 29, 2015

EU and U.S. Officials Optimistic about Resolving Safe Harbor Standoff - Again

Top EU and U.S. officials reported in June that they are close to agreement in their two-year talks on reforms to the Safe Harbor framework. Following Snowden's revelations of massive U.S. surveillance in 2013, the European Commission called for 13 changes to the program, threatening suspension of Safe Harbor if they were not agreed upon. Citing progress following a meeting in Latvia, both U.S. Attorney General Loretta Lynch and EU Justice Commissioner Vera Jourová stated that a final accord was well within reach, with the national security exemption being the main hurdle to be overcome. However, this is not the first time that an agreement was said to be at hand: one year ago, Jourová's predecessor, Viviane Reding, stated that an agreement was close at hand, with 95% of the issues resolved. Although the optimism may be questioned, it appears to have been a factor in the decision by the advocate general of the European Court of Justice to delay his opinion in Europe v. Facebook past its scheduled release date of June 24. The case, brought by Austrian law student Max Schrems, represents a fundamental challenge to the Safe Harbor framework, and turns upon the national security exemption.

Article 29 WP Expands Guidance on Processor BCRs

At the beginning of the month, the Article 29 Working Party updated its earlier guidance on how companies that act as data processors, such as cloud-based service providers, can adopt Binding Corporate Rules (BCRs) as the basis for compliance with European data protection requirements. The 20-page document (WP 204 rev.01, "Explanatory Document on the Processor Binding Corporate Rules") most notably addresses for the first time the controversial issue of how Processor BCR companies should respond to requests for access to data from foreign governments. While not retreating from its requirement that any such request be put on hold until the relevant European DPA is informed and determines the appropriate response, the Working Party recognizes that such notification may be prohibited by a law in the originating country. Where this is the case, companies are urged to exercise their "best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible". In addition, these efforts should be documented and annual summaries containing as much information as permitted by law should be forwarded to the relevant DPA.

Monday, June 15, 2015

European Council Reaches Agreement on DP Reform

On June 15, the European Council of Ministers finalized its position on the proposed General Data Protection Regulation, clearing the way for trilogue negotiations with the Commission and the Parliament to begin on June 24. The less-than-enthusiastic conclusion to the Council's tortuous attempts to reach a common position came fifteen months after the European Parliament adopted its position and three and a half years after the European Commission first issued its proposal. Internal dissent within the Council notwithstanding, Justice Commissioner Vera Jourová expressed confidence that a final agreement with the Council and the Parliament can be reached by the end of the year.

According to a summary issued by the Commission, the justice ministers agreed to the following basic components of the data protection reform package:
  • establishment of a single set of rules on data protection across the EU
  • application of the rules to companies outside the EU that offer services within the EU
  • development of a "one-stop shop" or single supervisory regulator for companies operating in multiple member states
  • strengthening the so-called right to be forgotten, while recognizing it is not absolute
  • fines for data protection violations of up to 2% of global annual turnover

Critics of the Council's 200-page agreement cautioned that the devil was in the details, claiming that many of the dozens of amendments introduced by the ministers would significantly undermine the current level of protection. How these amendments will fare in the trilogue discussions, and whether a final agreement can be reached by December 31, 2015, remains to be seen.

Wednesday, June 3, 2015

Tracking Staff Through Wearables

A June 1 article in Forbes rather breathlessly claims that employers will soon be embracing, and even mandating, the use of wearable devices as a means of improving employee health and restraining health care costs. The article cites a report from a Colorado-based research firm that the market for corporate and industrial users of wearables will skyrocket over the next five years, from 1% of sales now to 17% by 2020. While there is little doubt that the market for, and potential health value of, wearables is huge, two key questions will have to be addressed along the way: whether any employer can mandate use of a wearable, and whether data from the devices will be available to the employer in a personally identifiable manner. The Forbes reporter intimates that an affirmative answer to both questions is in the offing, but HIPAA within the U.S. and privacy laws abroad are unlikely to allow this. At the same time, with appropriate planning and privacy safeguards in place, both employers and employees should be able to reap the potential benefits of wearables.