News Archives

Saturday, April 29, 2017

Busy Month for German DPAs, Court, Legislators

April saw three significant privacy developments in Germany. On April 14, the federal and state data protection authorities released a draft Standard Data Protection Model, developed to assist data controllers by providing a practical approach to fulfilling their data security obligations under German law and the General Data Protection Regulation. An English translation of the 47-page guidance, prepared by the North Rhine-Westphalia DPA, is available here. Without being prescriptive, the Model contains a catalog of data security measures and a methodology for applying them. It structures legal requirements in terms of data protection goals, such as data minimization, availability, integrity, confidentiality, transparency, unlinkability and intervenability.

On April 25, the Hamburg administrative court upheld the September 2016 order by Hamburg DPA Johannes Caspar that Facebook stop sharing the data of German WhatsApp users with Facebook, agreeing with him that consent of the 35 million users for such transfers had not been obtained. While Facebook indicated it would appeal, it has for some time suspended such transfers of WhatsApp user data across Europe.

On April 27, the German Parliament passed a new Data Protection Act, designed to align current German data protection law with the requirements of the GDPR and to replace the current Federal Data Protection Act. Taking advantage of the GDPR’s opening clauses to exercise national discretion in certain areas, the Act contains provisions on such matters as the rights of data subjects, data protection officers, data processing in the employment context, and exceptions for processing special categories of personal data. The Act was passed in spite of considerable criticism, with the European Commission expressing dissatisfaction with it as late as one week prior to its passage. According to the Commission, the opening clauses were not intended to be used in this manner, and doing so undermines the harmonization goals of the GDPR. For example, while the GDPR sets significant penalties for non-compliance by companies, the Act creates rules allowing for the sanctioning of individuals, leading to potential liability for managers, employees and data protection officers, including the possibility of prison terms of up to three years.

Friday, April 28, 2017

Indian DP Law Anticipated Once Again

Pressure for, and the likelihood of, a new data protection law in India have been waxing and waning for many years. Although there were reports in May 2016 that the government was drafting new legislation, by the end of the year, with a ruling still pending in Justice K.S. Puttaswamy (Retd.) & Another v. Union of India & Others on whether a right to privacy exists under the Indian constitution, the prospects for a new law appeared to be minimal. However, on April 19 came news that the Modi government had decided to enact a new law to protect digital privacy before the end of October. The law was described by the Indian Attorney General as “a data protection framework…in line with US law on this subject.” Prior to Modi, the new law under consideration was said to be modeled upon European precedents. Government interest in a more comprehensive privacy law was also cited in a report on the country’s Guidelines for Government Departments on Contractual Terms Related to Cloud Services, released the following day.

China Plans Expansion of Data Localization, Security Review Requirements

On April 11, the Cyberspace Administration of China issued draft rules, entitled the Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country, designed to guide the implementation of the country’s Cybersecurity Law, slated to come into effect on June 1. Whereas previously requirements for data localization appeared to be restricted to “key information infrastructure operators,” the proposed measures expand their scope to all “network operators.” Insofar as “network operators” are defined as “those entities that own or administer a network, and to network service providers,” this would appear to impose data residency requirements on all technology/online companies, along with any company that uses its own IT networks or infrastructure. Having a website directed to Chinese users might be sufficient to qualify an organization as a “network operator.”

A second major problem for multi-nationals operating in China lies in the requirement in both the Cybersecurity Law and the Measures that a security assessment be conducted before personal data is transferred out of the country. This assessment can be conducted internally, unless one of a number of conditions exists, such as with data transfers that involve more than 500,000 individuals or more than one terabyte of data; that relate to critical and sensitive facilities or infrastructure; or that impact the country’s national security or public interest. Should one of these conditions apply, the security assessment would need to be carried out by an industry regulator.

The draft measures, issued for public comment until May 11, contain many ambiguous terms and are subject to revision as a result of the public consultation. Hogan Lovells has prepared a detailed analysis of the measures, available here, while an English translation released by Hunton & Williams may be found here. The high-level brevity of the measures, considering their potentially profound impact upon businesses operating in China, is striking.

Friday, April 14, 2017

Swiss-U.S. Privacy Shield Open for Business

On April 12, the U.S. Dept. of Commerce announced that the recently agreed-upon Swiss-U.S. Privacy Shield Framework had begun accepting self-certifications. Companies already participating in the EU-U.S. Privacy Shield framework can log into their Privacy Shield website account and add coverage for personal data transfers from Switzerland alongside those from the EU via a parallel and accompanying certification. The Swiss Privacy Shield re-certification date will be adjusted to correspond to that of the EU-U.S. Privacy Shield certification. A separate annual fee, geared to a company’s annual revenue, will be required in order to participate. FAQs addressing key points relating to the Swiss-U.S. Privacy Shield Framework have been published on the Privacy Shield website.

In other Privacy Shield developments, a week earlier the EU Parliament backed a proposal by its LIBE committee urging the European Commission to investigate whether the data transfer agreement adequately protects the privacy rights of European citizens in the face of U.S. surveillance. The MEPs, who voted 306 to 240 in favor of the resolution, also expressed concerns about many recent developments previously noted in this blog, such as the sharing of NSA data with 16 other agencies, the rollback of FCC privacy rules, cooperation of service providers with security agencies, and the inoperability of the Privacy and Civil Liberties Oversight Board. The first annual joint review of the Privacy Shield framework is scheduled to take place this coming September.

Monday, April 10, 2017

Working Party Issues GDPR Guidance

In early April, the Article 29 Working Party issued finalized versions of three documents providing guidelines to organizations on the proper interpretation of key topics in the General Data Protection Regulation, which will come into effect on May 25, 2018. The guidelines cover the right to data portability, Data Protection Officers, and the lead supervisory authority. In addition, the Working Party launched a public consultation, running through May 23, on draft guidance on data protection impact assessments and determining whether processing is “likely to result in a high risk.” According to its 2017 GDPR Action Plan, issued in January, the Working Party will also complete work underway on administrative fines, setting up the European Data Protection Board (EDPB), the one stop shop and the EDPB consistency mechanism. Other topics to be addressed in 2017 include consent and profiling, transparency, data transfers to third countries and data breach notifications.

Friday, March 31, 2017

House Committee Passes Controversial Wellness Bill

A controversial bill that would give employers greater leeway in obtaining genetic and other sensitive health information from employees and increase the financial incentives for employees to participate in workplace wellness programs was passed by the House Committee on Education and the Workforce along party lines on March 8, 2016. Critics of the Preserving Employee Wellness Programs Act contend that it will gut key protections in the Americans with Disabilities Act (ADA) and the Genetic Information Non-Discrimination Act (GINA), coerce employees into giving up genetic and health information, and weaken the role of the EEOC in overseeing wellness programs. Opposition to the bill has been expressed by a wide range of consumer, health and privacy advocacy groups, including the AARP, the American Diabetes Association, the American Academy of Pediatrics, the Epilepsy Foundation, the March of Dimes, the National Association for Rare Disorders, the American Society for Human Genetics and the ACLU. HHS Secretary Tom Price reportedly is among those expressing concern about the bill, which still needs to be taken up by the House Ways and Means Committee before it could advance to the full House and the Senate.

Human Factors Play Major Role in Data Breaches

According to Verizon’s recent 2017 Data Breach Digest, a 99-page report by the company’s data breach investigation team, breaches are becoming more complex and now touch every part of an organization. The Digest describes 16 common breach scenarios, divided into four clustered groupings: (1) the human element; (2) device misuse or tampering; (3) configuration exploitation; and (4) malicious software. Verizon data indicates that the human element was the major vulnerability relied upon in one-third of confirmed data breaches, ranking behind hacking and malware, while also being a factor in up to one-half of all breaches. Tactics and techniques used to exploit the human element include phishing (92%), pretexting (42%) and bribery/solicitation (3%). Email is overwhelmingly the primary means of communicating with targets, highlighting the importance of employee education and training across the organization, as well as the need for multi-factor authentication.