News Archives

Friday, March 24, 2017

Privacy Shield Update: EU Parliament Restive, No Complaints

On March 23, the EU Parliament’s civil liberties, justice and home affairs committee (LIBE) passed a resolution declaring Privacy Shield to be inadequate and calling upon the European Commission to examine the following deficiencies when it carries out its first annual review this summer:
  • Continued U.S. bulk surveillance of Europeans, in violation of the Schrems ruling by the CJEU
  • The viability of redress mechanisms, which are all U.S.-based
  • The lack of an independent oversight by the U.S. ombudsman 
  • Data retention provisions
The resolution includes explicit references to Yahoo’s October 2017 admission that it created software at the request of the NSA to scan users’ email and the decision of the Obama administration to share raw SIGINT data with 16 other agencies without court order.

The vote by the LIBE committee passed by a narrow margin of 29 to 25.  The resolution is expected to be taken up by the full EU Parliament during the first week of April.

Earlier, the U.S. Dept. of Commerce administrator for the Privacy Shield framework, Caitlin Fennessy, stated at a recent IAPP seminar in London that over 1800 companies had certified compliance with the Privacy Shield framework, with another 300 companies in the pipeline.  Confirming an earlier analysis by HR Privacy Solutions, Fennessy reported that participants are largely small-to-medium-sized enterprises, with some 70% having fewer than 500 employees.  In addition, participants are heavily slanted towards the technology and consulting sectors.  Perhaps most significantly, no complaints about Privacy Shield from data subjects have reached the FTC, the Arbitral Panel set up as a last-resort option, or the Council of Better Business Bureaus.

Thursday, March 2, 2017

Advocacy Groups Call on EU to Re-evaluate Privacy Shield

On February 28, two prominent advocacy groups, the American Civil Liberties Union (ACLU) and Human Rights Watch, called upon European officials to re-examine assurances about privacy protection they received from the U.S. government, assurances that form the foundation of both the Privacy Shield agreement and the U.S.-EU umbrella agreement concerning exchanges of information for law enforcement purposes.  The letter, sent to key officials in the European Commission, the EU Parliament and the Article 29 Working Party, argued that the assurances had been undermined by President Trump’s executive order on enhancing public safety and by the deterioration and lapse of the Privacy and Civil Liberties Oversight Board (PCLOB).  Although former and current FTC Commissioners have contended that the executive order does not impact recently-extended Privacy Act protections for Europeans, the advocacy groups offer a detailed analysis of three ways in which these protections have been significantly reduced by the order.  They also contended that oversight by a fully-functioning PCLOB was clearly an important factor in the European Commission’s adequacy decision with respect to Privacy Shield.

Two days later, in an interview with Bloomberg, EU Justice Commissioner Vera Jourova said she "will not hesitate" to suspend the Privacy Shield framework if the Trump administration makes significant changes in the understandings that underpin the agreement.  Jourova will be meeting with U.S. officials in Washington later this month, seeking reconfirmation and reassurances about these understandings.  According to Johannes Caspar, the Hamburg DPA, “the disruptive political style of the new U.S. administration fills anyone working in the field of privacy with concern,” adding that “You don’t need to gaze into a crystal ball to see that the air surrounding the Privacy Shield is becoming thinner.”

Tuesday, February 28, 2017

National DP Laws Now in 120 Countries

Since 1973, when Sweden became the first country to enact comprehensive data protection legislation at a national level, an accelerating number of countries have followed suit. According to the latest compilation and analysis by Prof. Graham Greenleaf, published by Privacy Laws & Business, some 120 countries now have omnibus laws at the national level. In addition, another 31 countries have formulated and are considering such laws.  The only major countries at this point without comprehensive national data protection legislation, either enacted or drafted, are India, China and the U.S., with China taking incremental steps towards adoption of internationally-accepted privacy standards.  How the U.S.’s targeted, fix-it-later-maybe approach to privacy protection will play out in President Trump’s new world of America First and trade protectionism remains to be seen.  To the extent that transfers of personal data become a trade issue, the leverage resides with the 120 countries hewing to a common standard.

Sunday, February 26, 2017

Implementation of POPI Proceeds in South Africa

Progress in the implementation of South Africa’s Protection of Personal Information Act, passed in 2013, continues, albeit at a slow pace.  The supervisory authority, known as the Information Regulator, has finally been established and funded, and recently launched its dedicated website.  On February 13, during a briefing in Cape Town, the Regulator announced that work on implementing regulations for POPI (or POPIA, as it calls the Act) was underway, with a goal of introducing them to the Parliament in six months or so and then setting a POPI commencement date that would occur before the end of 2017. Recognizing that this may be an ambitious schedule, the Regulator indicated that the commencement date might be sometime in 2018.  Given the one-year grace period that follows the commencement date, POPI is unlikely to come into effect until 2019 or even 2020.

Tempting as it may be to conclude that development of data protection and other laws moves more slowly in Africa than elsewhere, it is worth remembering that the first consultation on the reform of the EU Data Protection Directive was held in 2009.  The outcome of the reform process, the General Data Protection Regulation, will come into effect in May 2018, some nine years later. And how long has an update to the Electronic Communications Privacy Act (ECPA) been pending in the U.S.?  Time may indeed move more slowly in Africa, but you wouldn’t necessarily know this from the history of POPI.  

Japan Tightening Data Protection Law in May

Last year, as Japan’s 2003 Act on the Protection of Personal Information fell increasingly behind advancing technology and international privacy standards, the Diet passed a number of significant amendments to the Act to bring it up to date.  While many details of how the amendments will be translated into practice remain to be fleshed out by the newly-established Privacy Protection Commission, their relevance for international businesses is quite clear.  Most prominently, while any extra-territorial applicability of the Act had been conspicuously missing, this will no longer be the case, with the Act now explicitly applying to any business that processes the data of Japanese citizens.  Secondly, the current exemption from coverage by the Act for businesses that process the data of fewer than 5,000 individuals will disappear.  Thirdly, the definition of personal data will be expanded to bring it into line with European standards, including the introduction of the concept of “sensitive” information requiring a higher level of protection. Fourthly, data transfers will require the express consent of the individual unless a business relies upon one of the “opt-out” exemptions specified in the amendments and notifies the Privacy Protection Commission accordingly.  Finally, “opt-out” exemptions will not be available unless the data transfer is made to a country having an adequate and similar level of protection; transfers to other countries will require both express consent and special contractual safeguards.  The new amendments come into effect on May 30, 2017.

Protect Employee Data? Not Necessary in Pennsylvania

The Pennsylvania Superior Court, ruling in Dittman v. University of Pittsburgh Medical Center, held that under state law an employer is not responsible for protecting employee data, even where the breach of such data causes economic harm. The case stemmed from a 2014 data breach that exposed the data of 62,000 UPMC employees and resulted in at least 788 of them becoming victims of tax fraud.  According to the court, employees had no reasonable expectation that their data would be held securely when they turned it over to UPMC, since data breaches are all too common and there is no way to prevent them. Laws to protect the privacy of individuals in the digital age have notably lagged in Pennsylvania, since the same fact pattern would likely lead to a quite contrary ruling in many other states.  Dittman v. UPMC is a good illustration of the patchwork nature of privacy protections prevalent in the United States.

Friday, February 24, 2017

Irish High Court Hears Challenge to Model Contracts

On February 2, the High Court of Ireland began hearing a case brought by the country’s Data Protection Commissioner, Helen Dixon, urging the court to request a ruling from the Court of Justice of the European Union (CJEU) as to the validity of standard contractual clauses as a mechanism for the transfer of personal data to the U.S. from the EU.  The case first arose as a complaint to the Commissioner from privacy activist Maximilian Schrems about access by U.S. government security agencies to information in his Facebook account that had been transferred from Ireland utilizing standard contractual clauses.  Through his attorney, Schrems has argued that the Commissioner, having made a draft finding in May 2016 that his objections were well-founded, has the authority to suspend the data transfers and that there is no need to send the matter to the CJEU.  An attorney for Facebook contended that the Commissioner’s draft finding was deeply flawed and overtaken by developments such as the conclusion of the Privacy Shield framework agreement.  Submissions to the court were also made by the U.S. government, a U.S. privacy law expert, EPIC, the ACLU, the Business Software Alliance and Digital Europe.  The proceedings, originally expected to run for three weeks, appear to be headed for at least five.

Invalidation of standard contractual clauses would have a profound, if not devastating, impact upon nearly a trillion dollars of trans-Atlantic trade, since model contracts are by far the primary data transfer mechanism used by U.S. companies.  Should the High Court refer the issue of the validity of model contracts to the CJEU, that court may decide to first take up the challenge to Privacy Shield pending before it by Digital Rights Ireland.  Since the EU Data Protection Directive was enacted 22 years ago, there has never been a more turbulent and uncertain regulatory environment around data transfers to the U.S.