News Archives

Thursday, October 8, 2015

No Shortage of Safe Harbor Questions

The Safe Harbor framework no longer exists as a viable legal basis for transferring personal data from Europe to the US, that much is clear.  However, as of this morning the US Department of Commerce Safe Harbor website and list of participating companies remains accessible, as though nothing has changed.  Dual versions of reality, like a painting of an impossible landscape by René Magritte?

In any event, for companies that had been participants, the CJEU ruling has raised a number of questions: 

1. What can, or should, be done with transferred data received prior to the ruling?  Can it continue to be held and processed, or must it be deleted?

2. If such previously-received data can continue to be held and processed, under what conditions may this occur?  Would a publicly-stated commitment to continue to apply the former Safe Harbor Privacy Principles and FAQs to the handling of the data suffice?  Or a similar commitment to seek data subject consent, or to develop either a model contract or Binding Corporate Rules?

3. Do any of the legal obligations on participants created by virtue of Safe Harbor participation survive the demise of the framework?

4. Can new personal data be lawfully received in the absence of an executed model contract or approved BCRs?  Could, or should, previous Safe Harbor participation allow for a grace period for transition to another transfer mechanism?

5. Should every current published privacy policy or notice referencing Safe Harbor be amended?  What should the amendment say?

6. If a privacy policy indicating reliance upon Safe Harbor contained a pledge to contact data subjects in the event of a material change in the policy, has the ruling triggered the need for such communications?

7. Must the Safe Harbor privacy seal be removed wherever it is displayed?

8. Does the US-Swiss Safe Harbor Framework remain in place as a valid basis for transfers of personal data from Switzerland to the US?  

9. What significance, if any, do the commitments from both the Department of Commerce and the European Commission to create what is being called Safe Harbor 2.0 have, given the two years this has been under discussion and the enormity of the gap remaining?

Both the European Commission and the Article 29 Working Party have announced that they are working on an expedited basis to develop guidance that may provide answers to some of these questions.  This in turn gives rise to a final question:  

10. What risk or liability do participating companies face should they defer changing their data handling policies or practices until regulatory guidance is in hand?

Tuesday, October 6, 2015

CJEU Delivers Colossal Blow to Mass Surveillance

On October 6, the Court of Justice of the European Union declared the Safe Harbor framework to be invalid as a legal basis for transferring personal data from Europe to the US, nullifying the adequacy decision reached by the European Commission in 2000. Agreeing with the reasoning of its Advocate General, the Court further instructed the Irish Data Protection Commissioner to take up the complaint against Facebook lodged by Maximilian Schrems and to determine whether the company's transfer of his data to the US should be suspended.

The CJEU ruling, clearly the most significant development in international data privacy in the past 15 years, raises a host of questions for thousands of companies that relied upon Safe Harbor to legitimize their data transfers. Actors in this unfolding high drama include the Irish DPA, the Irish High Court, the European Commission, DPAs in other member states, the Article 29 Working Party, the European Data Protection Supervisor, the US Department of Commerce, the companies and of course the individuals whose personal data has been, and is being, transferred to the US. How each will respond will only be evident in the coming days and weeks.

Much of the early coverage in the mass market media, both in the US and in Europe, focuses on the impact of the decision upon companies and what these companies must do to satisfy European requirements. While certainly a valid and pressing area of concern, indeed one that HR Privacy Solutions advises and assists clients with, the bigger headline is, I would argue, the one found above. At a time when judicial and legislative efforts within the US to rein in mass surveillance have advanced only in small increments, Europe's top court has unequivocally said that mass surveillance is incompatible with the right to privacy and must stop. A clarion call has been issued that is likely to be heard around the world.

Wednesday, September 30, 2015

CJEU Schrems Decision Coming October 6

On September 23, the CJEU Advocate General issued his blockbuster opinion in the Schrems case that the European Commission's adequacy decision with respect to Safe Harbor is - and should be declared - invalid and that member state DPAs should determine for themselves whether data transfers under the mechanism should be stopped. Six days later, on September 29, as the privacy community was still grappling with the enormous implications of this opinion, the Court of Justice, barely skipping a beat, announced via its Twitter account that it will publish its ruling in the Schrems case on Tuesday, October 6 at 9:30 am.

A day earlier, on September 28, the US Mission to the EU released the first official response of the US government to the AG's opinion, contending that it rests upon inaccurate assertions about US intelligence practices and a misinterpretation of ongoing US-EU discussions to strengthen Safe Harbor. The Mission predicted far-reaching and profound consequences should the CJEU follow the AG's opinion.

Is there any need to say "Mark Your Calendars"?!!!

Thursday, September 24, 2015

OPM Data Breach Included 5.6 Million Fingerprints

On September 23 the Office of Personnel Management acknowledged that the fingerprints of 5.6 million federal employees were included in the data stolen by hackers announced in early June. Previously the agency had stated that only 1.1 million sets of fingerprints were among the records of approximately 22 million individuals that were compromised. Having access to the fingerprints would allow the Chinese government, believed to be responsible for the hack, to identify intelligence agents, defense personnel or government contractors visiting China. Other data that was stolen, for example about bankruptcies and personal and sexual relationships, could be used for blackmailing these individuals. A senior US intelligence figure said that "there will be people we cannot send to China" as a result of the breach, adding that "That's only part of the damage." Unlike passwords or even Social Security Numbers, fingerprints cannot be changed, making the theft all the more fraught with consequences at a time when use of biometric identifiers is becoming more widespread.

Wednesday, September 23, 2015

CJEU AG Backs Schrems, Calls Safe Harbor "Invalid"

In a blockbuster development on September 23, the Advocate General of the Court of Justice of the European Union (CJEU), Yves Bot, issued his opinion in the challenge to the Irish Data Protection Commissioner brought by Maximilian Schrems. The Advocate General upheld Schrems' argument that Ireland's DPA has the authority and duty to investigate whether, in the light of NSA mass surveillance, Safe Harbor provides adequate protection for data transferred to the U.S. by companies such as Facebook. This is a very significant finding, representing the first time that judicial authorities have proclaimed that the European Commission is "not empowered to restrict the powers of the national supervisory authorities," since these powers are derived from the Data Protection Directive.

Going even further, however, the Advocate General held that the European Commission's decision on the adequacy of the level of protection provided by the Safe Harbor privacy principles and FAQs is "invalid," as demonstrated by the fact that the Commission has been negotiating with the U.S. to strengthen the bilateral framework. According to his opinion, the Commission should have suspended the application of its Safe Harbor decision upon learning of NSA surveillance, as it was urged to do by all 17 German DPAs and a huge majority of the EU Parliament.

While the Advocate General's Opinion is not binding on the CJEU, most legal experts believe it is likely to be largely upheld by the Court when it issues its ruling in the case later this fall. Most observers believed that the Irish DPA would be compelled to re-open the matter, but few anticipated the possibility that the Court might force an immediate suspension to Safe Harbor. What form this suspension might take, and how disruptive it might prove, remain to be determined. Prudent multi-national companies relying upon Safe Harbor will want to assess how to proceed should the program be brought to a halt, including the use of alternative legal grounds for data transfers, relocation of data centers to Europe and the development of processing based upon pseudonymous information.

Monday, September 14, 2015

Survey Finds HR Staff a Huge Threat to IT Security

A survey of 500 global security professionals by UK-based tech firm Clearswift found that HR came in second only to finance among departments posing the biggest threat to IT security, and first according to respondents in the UK. The reasons cited for this were described as cultural, manifested by sending information to the wrong recipients, inadvertently installing malware on computers and deliberate theft by employees and contractors. While HR staff have far more access to personal data than those in finance, the survey focused on security rather than privacy lapses. Interestingly, the largest threat perceived by respondents appeared to come from male HR middle managers working in the office, who were under time and financial pressure to perform but without an obvious stake in the consequences of losing data.

Thursday, September 10, 2015

Amendments to Japanese DP Law Promulgated

Amendments to the Japanese Personal Information Protection Act (PIPA), passed by the lower house of the Diet on May 21, 2015 and by the upper house on September 3, 2015, were officially promulgated on September 9, 2015. The new consolidated data protection authority, the Personal Information Protection Committee, is expected to be established on January 1, 2016. The initial duties of the Committee will include development of a list of foreign countries having an adequate level of protection for personal data, as well as eligibility standards to be met by data recipients in foreign countries not on the list. Once the necessary guidance has been issued on these and other topics, enforcement of the amendments will begin, no later than September 10, 2017.  Additional information about the amendments may be found in a May 31, 2015 post here.