News Archives

Wednesday, December 30, 2015

No Safe Harbor Progress as January 31 Deadline Looms

On November 30, EU Justice Commissioner Vera Jourova told an interviewer that the EU and the US are close to a deal on a strengthened Safe Harbor and should reach an agreement during December, adding that this would probably be accomplished during a meeting scheduled for December 17.  However, the meeting was apparently postponed, possibly in light of the December 12 announcement of agreement on the final text of the General Data Protection Regulation.  In any event, the month has come and gone without any official announcement of the status of the talks. 

If Jourova was playing the optimist, an opposing perspective was issued on the same day that Jourova spoke, during Parliamentary testimony by the Dutch Justice Minister. According to the Minister, Ard van der Steur, the likelihood of an agreement being reached by the end of January is very low, particularly since discussion of the most critical issue in the talks, mass surveillance of internet traffic by the NSA, had not even begun.  With the Netherlands taking over the presidency of the Council of the European Union on January 1, 2016 and its justice ministry becoming an official channel for discussions with the US on Safe Harbor, van der Steur’s views are particularly pertinent.  Noting that European DPAs have threatened to “take all necessary and appropriate actions, which may include coordinated enforcement actions” if a solution is not found with US authorities by January 31, 2016, the Justice Minister indicated that planning for such enforcement actions was underway.

Some ten days later, on December 10, Isabelle Falque-Pierrotin, the chair of the Article 29 Working Party, appeared to hedge on the significance of the January 31 deadline, stating that she was uncertain if a final agreement could be reached by that time and suggesting that "some kind of a political sign" that US authorities understood the main message of the CJEU judgment might suffice.

Sunday, December 20, 2015

GDPR Clears Final Hurdle

On December 12, in a development that some expected and others hoped would never come, the European Commission, the European Parliament and the Council successfully concluded their trilogue discussions by announcing agreement on the final text of the General Data Protection Regulation.  The agreement comes six years after the Commission held its first stakeholder consultation and four years after it released a proposed text.  In spite of intense lobbying and opposition by some business groups and member states, the original text survived largely intact, with mostly minor and subtle changes and some significant strengthening, as in the higher maximum fines for violations.  Formalities of official approval by the Parliament and the Council remain, but these are expected early in 2016, with the Regulation to come into force two years later, early in 2018.

As the first major reform of European data protection law in 25 years, the Regulation is a monumental game-changer, a perspective well-summarized by Oxford lecturer Jeffrey Ritter.  It also comes at a critical time in the EU’s current confrontation with the US over data privacy, demonstrating a political will to secure European human rights that puts muscle behind the legal gauntlet thrown down by the CJEU’s Schrems ruling.  Terrorist attacks in Paris and San Bernardino notwithstanding, it re-affirms the message that Europe will not tolerate sacrificing privacy on the altar of security.

BYOD Guidelines Issued in Canada

During the late summer, the Office of the Privacy Commissioner of Canada, together with the Alberta and British Columbia Privacy Commissioners, issued guidance for employers to consider before allowing employees to use their own mobile devices for both work and personal uses.  The guidance, entitled Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization? Privacy and Security Risks of a BYOD Program, can be summarized section-by-section as follows:
  • Ensure commitment by Senior Management
  • Conduct privacy impact & threat risk assessments
  • Develop, communicate, implement and enforce a BYOD policy
  • Test the BYOD program (before rolling it out)
  • Develop training materials & programs
  • Demonstrate accountability
  • Mitigate risks through “containerization”
  • Identify policies and procedures for storing and retaining personal information
  • Implement encryption for devices and communication
  • Address patch and software vulnerabilities
  • Manage apps and app configurations
  • Support effective authentication and authorization practices
  • Address malware protection
  • Formalize a BYOD incident management process
As noted by Kelly O’Ferrall of Stikeman Elliott, the underlying message to employers in this worthwhile but sobering guidance appears to be “proceed with caution, if at all.”

Employee Wearables Deliver Benefits in Test Run

A test run of employee-monitoring wearables by the accounting firm Deloitte, in its office in St. John’s, Newfoundland and Labrador, yielded positive results.  In conjunction with switching to an “open concept” office design, Deloitte invited employees to wear ID badges with embedded microphones and accelerometers. The badges tracked conversations and movement around the office, generating as much as four gigabytes of data a day from each employee.  The data indicated how often employees engaged co-workers in conversation, tracked their body language and how frequently they moved around.  In return, employees received daily updates on their office behavior, including advice on whether they were speaking enough at meetings or demonstrating leadership.  According to the company, the tracking program successfully motivated employees to improve their behavior and tracked performance, while confirming their preference for the new office design.

Unlike a similar program of Hitachi in Japan called “Human Big Data,” Deloitte made the project optional, guaranteed participants anonymity, and agreed by contract that the data remained the employee’s personal property.  Whether Hitachi’s mandatory program will survive the new amendment to PIPA coming into effect in Japan remains to be seen.  In the meantime, the Deloitte experiment shows that with proper attention to privacy concerns, wearable technology can be effectively introduced into the workplace.

Survey Finds Employees the Leading Cause of Data Breaches

A new cybersecurity survey by the Association of Corporate Counsel, released on December 9, found employees to be responsible for most data breaches.  According to responses from more than 1,000 in-house lawyers in 30 countries, 60% of data breaches can be attributed to employees in the following ways:  employee error, such as in sending an errant email (24%); inside job (15%); phishing (12%); and lost laptop/device (9%).  Other identified causes of breaches were access through a third party (12%); application vulnerability (7%); malware (7%); ransomware (1%) and operating system vulnerability (<1%).  Even though most breaches are caused by employees, the survey also found that fewer than half of the companies involved provide mandatory data security training to employees, and even fewer track or test employee knowledge.

These findings are thoroughly consistent with earlier ones reported in this blog over the years, including most recently, Single Biggest IT Security Threat Remains Employees (April 30, 2015).  Sadly, it appears that companies will continue failing to train and test employees in data security until legally compelled to do so, even if it is manifestly in their own interest to do so.  Furthermore, it will be another two years before companies doing business in Europe will be required to demonstrate their accountability in this area.

Sunday, November 29, 2015

Update on the CJEU’s Safe Harbor Decision

As we reach the end of November, an update is in order on the rapid-paced and continuing fall-out from the Court of Justice of the European Union’s October 6 ruling in the Schrems case.  Over the past month or so, the main developments have been as follows: 
  • The EU Parliament LIBE committee issued a press release condemning mass surveillance in the US and in some member states and calling upon the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor (Oct. 13).
  • The Schleswig-Holstein DPA announced that data transfers to the US based upon model contracts should be terminated or suspended (Oct. 14).
  • DPAs in Bremen and Berlin confirmed that they agree with their colleague in Schleswig-Holstein on the unacceptability of model contracts as an alternative to Safe Harbor (Oct. 15).
  • The Article 29 Working Party issued a statement calling for a “robust, collective and common position” on implementing Schrems; pledging to review the viability of model contracts and BCRs, while noting that they can in the meantime still be used absent particular circumstances; and warning that it would “take all necessary and appropriate actions, which may include coordinated enforcement actions” if a solution is not found with US authorities by January 31, 2016 (Oct. 16).
  • The Israeli data protection authority (ILITA) revoked its acceptance of Safe Harbor membership as a valid basis for data transfers to the US (Oct. 19).
  • Calling for recognition that privacy is a fundamental human right, the President and Chief Legal Officer of Microsoft proposed four steps to resolve the impasse over trans-Atlantic data transfers (Oct. 20).
  • The US House of Representatives passed the Judicial Redress Act, which would extend to foreigners the same rights to judicial redress that US citizens have if law enforcement agencies violate their privacy (Oct. 21).
  • The Swiss DPA announced that data transfers to the US could no longer be based upon the US-Swiss Safe Harbor framework (Oct. 22).
  • The German data protection authorities collectively announced that they would no longer approve new data transfers based upon model contracts or BCRs and would immediately investigate data transfers to the US by large US companies (Oct. 27).
  • The European Union announced that it had struck a deal “in principle” with the US on a new data-sharing agreement to strengthen Safe Harbor, a deal involving greater oversight by the Dept. of Commerce and a review by European officials of access to transferred data by US security and law enforcement agencies (Oct. 27).
  • Oracle revealed that it is now keeping all data regarding European citizens within the EU (Oct. 28).
  • The US Commerce Secretary said that a solution she called “Safe Harbor 2.0” is “totally doable” and will be coming “shortly” (Oct. 29).
  • The EU Parliament re-iterated its concerns about mass surveillance in the US and in Europe, called for a report by the Commission by the end of 2015 and urged member states to grant whistle blower status and protection to Edward Snowden (Oct. 29).
  • Large US companies such as Facebook and Airbnb said that they rely upon transfer mechanisms other than Safe Harbor (Nov. 1).
  • The Spanish DPA (AEPD) announced that it had sent a letter to all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies, giving them until January 29, 2016 to inform the authority of what mechanisms for data transfers they were now using (Nov. 3).
  • The Dubai International Financial Centre DPA stated that data controllers needed a legal basis for data transfers to the US other than Safe Harbor (Nov. 5).
  • The European Commission issued a communication about the Schrems decision stating that model contracts and BCRs can still be used while discussions proceed with the US (Nov. 6).
  • Microsoft announced that in conjunction with Deutsche Telekom it will be offering cloud services from Germany and other EU member states that will be beyond the reach of US authorities.  Other cloud vendors such as Amazon, Google and Syncplicity are also ramping up their opening of data centers in Europe (Nov. 11).
  • A group of 40 privacy groups from both Europe and the US said that the proposal for a new data transfer agreement is insufficient to protect privacy and will likely be struck down by regulators and Europe's high court (Nov. 16). 

It is worth noting that no significant developments relevant to Schrems and Safe Harbor have been reported during the last two weeks, the likely reason being the November 13 terrorist attacks in Paris.  Although some believe, or hope, that the attacks are shifting the pendulum from privacy to security, it is difficult to see how they impact or change the current EU-US legal impasse over data transfers.

Meanwhile, the clock continues to tick towards the January 31, 2016 deadline, as massive a date in the data protection community as Y2K was a decade and a half ago for society in general.  However, the chances that January 31 will be as much a non-event as Y2K proved to be are very small.  Whether we see a successful conclusion to the Safe Harbor 2.0 negotiations or not, the next few months are going to be memorable and consequential.

Privacy at Risk in Employee Wellness Programs

Employees face significant privacy risks when invited to participate in an employer-sponsored wellness program, according to reports airing in October on CNN and NPR.  The CNN report, prepared by Kaiser Health News, begins with a description of the dilemma encountered by employees of the City of Houston when compelled to participate in a new program or pay an extra $300 per year for health insurance.  It also notes that a web of entities besides wellness providers may receive employee health information, including rewards companies, employers, health insurers, fitness app companies, wearable device makers, medical test labs, fitness centers, advertisers and unidentified third parties and agents.  HIPAA privacy rules generally do not protect information generated via wellness programs.  Uncertainties about who will have access to wellness data and what limitations exist upon their use and further disclosure of that data are also highlighted in the NPR report entitled “7 Questions to Ask your Boss about Wellness Programs.”

The privacy risks involved with increasingly trendy health-related wearables, which are often one of the components of wellness programs, were also underscored during October, when the Consumer Electronics Association (CEA) released its 5-page Guiding Principles on the Privacy and Security of Personal Wellness Data.  These voluntary guidelines for private-sector organizations that handle the type of data produced by wearable technologies include recommendations in eight areas: security; policy and practice; concise notice; unaffiliated third party transfers; fairness; personal data review, correction and deletion; advertising communications; and law enforcement response.  In spite of the potential benefits of wearable devices, a variant of long-familiar consumer advice is appropriate:  Wearer Beware.

Weltimmo: Another Landmark CJEU Decision

The stunning character of the Schrems decision overshadowed another major decision of the Court of Justice of the European Union, one that has profound implications for multi-national and Internet companies operating in multiple EU member states.  Ruling in the case of Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, the CJEU found that a company has an “establishment” in a member state if it exercises a real and effective activity, even if only a minimal one, through stable arrangements in that state.  Applying this test, the Court found that if Weltimmo, a Slovakian-registered company, had a website targeting the country in the Hungarian language, as well as a legal representative, letter box and bank account all located in Hungary, then it would be established in Hungary and subject to the requirements of Hungarian data protection law.

The ruling severely undercuts the strategy of companies that have located their European headquarters in member states such as Ireland that are known to be very permissive in their enforcement of data protection law.  Such companies, with Facebook being a leading example, have claimed that the only member state law to which they must adhere is that of the state in which they have their headquarters, regardless of their activities in other member states.  Such an argument would be untenable under the new General Data Protection Regulation; it is now untenable under the old Data Protection Directive as well.

Thursday, November 26, 2015

Sony to Pay Millions to Employees for 2014 Data Hack

A federal judge has given preliminary approval to a settlement reached by Sony Pictures Entertainment and employees who sued over the exposure of their personal information resulting from a hack of the company's computers in 2014.  Even though the US government blamed North Korea for the attack, employees sued on the grounds that Sony had failed to protect their information. Under the terms of the settlement, Sony will pay current and former employees up to $4.5 million to compensate for their losses and up to $3.5 million in legal fees.  Individual employees will receive up to $10,000 under the settlement, including up to $1,000 for claims without documentation and an additional two years of ID theft protection. The settlement is expected to be finalized in March 2016.

While employees have sued employers over data breaches for many years now, this is one of the largest awards of compensation on record.  When reviewing their budgets for data security, employers would be well-advised to consider that an ounce of prevention can be worth a pound of cure.

Saturday, October 31, 2015

Safe Harbor: Open for Business or the Walking Dead?

Leaving the Safe Harbor website open and accessible, the US Department of Commerce has pledged to “continue to administer the Safe Harbor program, including processing submissions for self-certification” (see my October 12 post).  Brian Hengesbaugh, a former DOC attorney who helped negotiate the Safe Harbor framework, defends this decision, stating that the program remains “fully functional and operational,” since the Schrems judgment did not “repeal or otherwise dismantle” it.

How does this claim that Safe Harbor is still “fully functional and operational” stand up to scrutiny in today’s post-Schrems world?  No one will dispute the DOC’s statement, made on the Safe Harbor home page, that the framework was developed in order to bridge differences in approaches to the protection of privacy between the US and the European Union and provide a streamlined and cost-effective means for U.S. organizations to comply with the Directive.

However, how many of the following statements, found on the U.S.-EU Safe Harbor Overview page, are true today?

  • “The U.S.-EU Safe Harbor Framework….is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities…”
  • “Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive.”
  • “Benefits for participating U.S. organizations include:
    o   All 28 Member States of the European Union will be bound by the European Commission’s finding of “adequacy”;
    o   Participating organizations will be deemed to provide “adequate” privacy protection;
    o   Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted….and
    o   Compliance requirements are streamlined and cost-effective…”

The answer is clear: although once true, all of these statements are false today, even though the DOC has declined to withdraw or modify them and they continue as the US government’s official definition and description of the program and its benefits.  If a program utterly fails to meet its main objectives, the raison d’être for its existence, in what sense can it be said to be “fully functional and operational”?  Becky Richards and her colleagues at the DOC may continue going through the motions of reviewing and disposing of new self-certifications they receive, but pretending that this program, as we knew it, continues to be operational is a pure charade.

At the same time, it would be a mistake to write off the DOC’s posture vis-à-vis Safe Harbor as merely delusional, because it is a charade with indefensible and harmful consequences.  Chief among these deleterious consequences are the following:

1. Violating the privacy rights of data subjects by failing to provide adequate notice relating to safeguards for their data.  While data controllers bear the primary responsibility for providing notice to data subjects, the DOC has responsibility here as well as the developer of a program to protect the privacy of Europeans when their data is transferred to the US.  Millions of European consumers and employees have been informed, via privacy notices, policies and other means, that their personal data will be protected in the US under a framework approved by the European Commission.  Such data subjects, going to the DOC Safe Harbor website today, however, will at the most find on the home page a one-sentence, legalistic reference to the ruling of the CJEU and, in the News and Events section, statements of regret from the Secretary of Commerce and support for updating the Safe Harbor framework.  Meanwhile, 99% of the total text on the website remains unchanged and anyone clicking directly from a privacy policy or notice to an organizational listing will find no reference whatsoever to the CJEU ruling.  By stating that Safe Harbor will remain open for business and failing to state that data transfers can no longer be based upon Safe Harbor, the DOC is misleading data subjects.  This is an ironic, but also sad, development for a government that once contended that a robust notice-and-choice regime was superior to the comprehensive data protection approach of Europe.

2. Complicity in ongoing violations of European data transfer requirements. Based upon available evidence, the DOC has failed to inform Safe Harbor organizations that the framework can no longer be used as a legal basis for data transfers.  Indeed, by stating that it will continue to administer the program and process self-certifications, the DOC is complicit with companies that either consciously choose to ignore European data transfer requirements or can plausibly claim that the DOC’s posture led them to believe that a de facto grace period permitted a business-as-usual response.  Where is the guidance to Safe Harbor companies on the legality of ongoing data transfers dependent upon the framework?  What responsible bridge development authority would tell drivers that although some court has found the center span of the bridge has fallen into the water, the bridge remains open and drivers may continue to pay their tolls and use it?

3. Exposing many Safe Harbor organizations to DPA orders.  It is often overlooked that many organizations that joined Safe Harbor made a commitment to cooperate with, and abide by the advice of, DPAs, even including the open-ended possibility of being compelled to pay compensation to data subjects.  Such cooperation was mandatory if Safe Harbor covered transfers of HR data and voluntary with respect to other types of data.  By maintaining that Safe Harbor is an ongoing, operational program, the DOC has needlessly extended the otherwise expired authority of DPAs to order the deletion of data transferred under the framework, the payment of compensation to data subjects and whatever other measures are deemed appropriate.  Violation of such orders, which Safe Harbor requires be interpreted by European rather than US law, would be actionable by the FTC.  By contrast, had the DOC suspended the Safe Harbor program, these organizations could have treated the orders as having no authority and could continue to hold and use previously transferred data, avoiding FTC enforcement as long as they continue to apply the Safe Harbor Privacy Principles to their handling of the data.

4. Diminishing the chances of successfully achieving Safe Harbor 2.0.  Safe Harbor was built upon bilateral trust between the US and the EU, a trust gravely imperiled by Snowden’s revelations of NSA mass surveillance.  Trust is not restored by misleading European data subjects or by treating compliance by US companies with European data privacy requirements as a European problem. Trust is further eroded by downplaying the significance of a landmark ruling by Europe’s highest court and effectively saying “Here’s what we think of your court ruling:  we will carry on as usual.”  With dozens of independent European DPAs replacing the bureaucratic European Commission in the driver’s seat, such displays of unilateralism, which could easily be taken as arrogance, are profoundly misguided.  One would hope that the policy makers at the DOC, intent on building a new bridge with the EU, would pay attention to the message being sent to Europe by the Safe Harbor website.

Monday, October 19, 2015

What the Art 29 WP Guidance Doesn’t Say

On October 16, 2015, the Article 29 Working Party issued a highly-anticipated statement on the implementation of the CJEU Maximilian Schrems v Data Protection Commissioner case. From the perspective of companies that relied upon Safe Harbor as their sole legal basis for importing personal data from Europe, and currently lack and are unable to quickly utilize an alternate mechanism, the statement is as notable for questions not addressed as for those that were taken on.

Here are five questions that the Article 29 Working Party statement doesn’t address for these companies.

With respect to data transferred before October 6, 2015:
1. Can the data continue to be held, as opposed to being immediately deleted?
2. If yes, can it continue to be used for the legitimate purposes for which it was collected and transferred?
3. If yes again, can it be updated via a new transfer, even in the absence of an alternate mechanism, if it is in the data subject’s interest to do so?
In general:
4. Should there be a grace period, during which new data transfers under Safe Harbor may occur while a company transitions to implementation of an alternate mechanism?
5. Should references to Safe Harbor in privacy policies, notices and websites be amended immediately?

What is to be made of the fact that the Working Party is silent on these topics?  It may be that the magnitude of the sudden shift in the EU DP acquis caused by the Schrems ruling renders any attempt to formulate answers to these questions too complex and fraught with legal uncertainty.  What was lawful one day became unlawful the next, but only on one side of the Atlantic.  Furthermore, the focus is an unprecedented quasi-legal framework created out of thin air through political negotiation and agreement.  It may also be the case that, taking into consideration the uncertainty the Working Party acknowledges as to the post-Schrems viability of alternate transfer mechanisms, they believe it best to defer questions about how one unravels previously acceptable mechanisms to a later time when the bigger picture has been brought into focus.  Or the Working Party may have had intense discussions about these questions and concluded that they are best answered on a case-by-case basis by individual DPAs.   The need to produce a statement that reflects a consensus or common position of all the DPAs may have played a determinative role as well.

Whatever the factors underlying the limited focus of the Working Party’s October 16 statement, it remains striking that a document professing to discuss the implementation of a judicial ruling invalidating the Safe Harbor framework has so little practical guidance to provide to thousands of Safe Harbor companies about their current data processing activities.

My own thoughts on these questions are that one has to begin by distinguishing between legal obligations that apply to European companies and those that apply to US companies.  Since Safe Harbor was designed to bridge the gap that exists, it is not surprising that its demise yields quite divergent answers depending upon the jurisdiction a company is located in.

At the same time, this division of applicable law by jurisdiction does not apply to Safe Harbor companies with respect to transfers of human resources data.  According to the sixth paragraph of the Safe Harbor Privacy Principles “U.S. law will apply to questions of interpretation and compliance with the Safe Harbor Principles….except where organizations have committed to cooperate with European Data Protection Authorities.”  Making such a commitment is mandatory under Safe Harbor when it comes to HR data.  Consequently, what follows holds only for non-HR data, or for HR data in situations in which the DPAs have not intervened.

Here is my analysis:

With respect to data transferred before October 6, 2015:
1. Under European DP law, a good case can be made that the data must be deleted immediately, along the lines that even storage of data is a form of data processing under the Directive and that no legal ground exists post-Schrems to engage in such processing.  At the same time, a counter argument could be made that the CJEU Schrems ruling only applies to transfers going forward and doesn’t address the past or current legitimacy of data processing activities that were lawful when initiated.  In addition, immediate deletion could have serious unintended consequences for data subjects, such as for those who have paid for products to be delivered or for surgery to be performed remotely by companies reliant upon Safe Harbor.

Under US law, the situation is less ambiguous.  A company should be able to retain pre-Schrems data.  While companies are explicitly required by FAQ 6 to delete transferred data if they leave the Safe Harbor program, there is nothing in the text of the Safe Harbor documents that addresses whether transferred data can or cannot continue to be held if the program itself ceases to exist.  The FTC would have grounds to take enforcement action against a company that fails to continue to apply the Safe Harbor privacy principles and FAQs to the transferred data.  However, I see no basis under which the FTC could take action against a company solely for failing to delete Safe Harbor data in light of the CJEU ruling.

2. Under European law, the answer to the question as to whether data transferred before October 6, 2015 can continue to be used for the legitimate purposes for which it was collected and transferred would likely follow the answer to the previous question about storage.  It should be noted that the CJEU did not find that Safe Harbor companies were using transferred data in illegitimate ways, rather that the US government was doing so, by virtue of its indiscriminate mass surveillance with no access and correction rights or recourse for data subjects.  It would not be surprising if some DPAs would be amenable to allowing the continued use of pre-Schrems data, at least in some cases and for some periods of time.

Under US law, a Safe Harbor company should be able to use pre-Schrems data as long as it continues to apply the Safe Harbor Privacy Principles and FAQs to its handling of the data.

3.  Under European law, the CJEU ruling makes crystal clear that new data transfers cannot be made lawfully on the basis of Safe Harbor participation, whether on an interim or a long-term basis.  At the same time, if the grounds for allowing pre-Schrems data to continue to be used described above are persuasive, would they not remain so if a new data transfer was only an update of data previously supplied, such as a change in shipping address or a request for data subject access? One begins to sense a slippery slope with this line of argument, yet some DPAs might weigh the interests of data subjects and decide to look the other way and focus on more consequential matters.

    US law, on the other hand, contains no prohibitions against receipt of data from Europe without the protections required by European law. While a European company is now legally prohibited from exporting personal data on the basis of Safe Harbor, no such strictures apply on the receiving side. 

    In general:
    4. Given the unequivocal rejection of Safe Harbor as a basis for new data transfers by the CJEU, it was probably a pipe dream to imagine that the Working Party could find a way to create a grace period that would allow Safe Harbor data exporters and importers to continue business as usual until an alternate transfer mechanism was developed and in place.  The best that can now be hoped for in this regard is that individual DPAs will allow an unspoken de facto grace period to come into existence.

    On the US side, the fact that the US Department of Commerce has adopted the position that Safe Harbor remains open for business (see the Department's statement and my October 12 post below), however bizarre and indefensible that may be, would appear to encourage new data transfers from European companies willing to overlook the legalities involved or from European consumers who may be unaware of the CJEU ruling or its significance.

    5. By anyone’s standards, be they European or American, it would be both unethical and a violation of law not to amend policies, notices or websites that reference Safe Harbor, and thereby to fail to inform European data subjects that the program said to ensure protection for their US-bound data has been ruled invalid and ineffective by Europe’s top court. The adequacy of notice provided to data subjects is fundamental both in European DP law and in the narrower Notice-and-Choice approach to privacy protection found in the US and in the Safe Harbor Privacy Principles.  Furthermore, given the indispensability of transparency, such amendments should also address, at a minimum, what is being done with previously transferred data, what the company is doing about new transfers and what options the data subject has in this new regulatory environment.

    So there you have it.  We have received regulatory guidance that either ducks the difficult responsibility of explaining how to apply the Schrems ruling to the real world or farms that responsibility out to dozens of DPAs to sort out on their own on a case-by-case basis. 

    Hang on to your seat belts.  We live in interesting times.

    Monday, October 12, 2015

    Safe Harbor Open for Business, Says US Govt

    The US Department of Commerce has added the following statement to the landing page of its Safe Harbor website:

    * * * *

    On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.”

    In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.

    * * * *

    This is an incredibly obtuse and indefensible statement under the circumstances that exist. By indicating that the DOC will continue processing submissions for self-certification, while cloaking its description of the CJEU ruling in a legalistic reference, the department is encouraging consumers and companies to believe that Safe Harbor still provides the protections and assurances that are legally required. This is arguably an "unfair and deceptive" practice that should warrant FTC review and intervention.

    It does make sense to leave the Safe Harbor website accessible, since links to it are contained in thousands of privacy policies and it contains useful information about companies and their handling of personal data. However, the site should be far more honest and informative about the current situation. Yes, it is difficult to precisely define what the current status of Safe Harbor is, but to say that administration and self-certification will continue as usual is simply preposterous. "Under your laws, the framework we agreed upon is dead; under my laws, it lives on." Oh, please!

    Thursday, October 8, 2015

    No Shortage of Safe Harbor Questions

    The Safe Harbor framework no longer exists as a viable legal basis for transferring personal data from Europe to the US, that much is clear.  However, as of this morning the US Department of Commerce Safe Harbor website and list of participating companies remain accessible, as though nothing has changed.  Dual versions of reality, like a painting of an impossible landscape by René Magritte?

    In any event, for companies that had been participants, the CJEU ruling has raised a number of questions: 

    1. What can, or should, be done with transferred data received prior to the ruling?  Can it continue to be held and processed, or must it be deleted?

    2. If such previously-received data can continue to be held and processed, under what conditions may this occur?  Would a publicly-stated commitment to continue to apply the former Safe Harbor Privacy Principles and FAQs to the handling of the data suffice?  Or a similar commitment to seek data subject consent, or to develop either a model contract or Binding Corporate Rules?

    3. Do any of the legal obligations on participants created by virtue of Safe Harbor participation survive the demise of the framework?

    4. Can new personal data be lawfully received in the absence of an executed model contract or approved BCRs?  Could, or should, previous Safe Harbor participation allow for a grace period for transition to another transfer mechanism?

    5. Should every current published privacy policy or notice referencing Safe Harbor be amended?  What should the amendment say?

    6. If a privacy policy indicating reliance upon Safe Harbor contained a pledge to contact data subjects in the event of a material change in the policy, has the ruling triggered the need for such communications?

    7. Must the Safe Harbor privacy seal be removed wherever it is displayed?

    8. Does the US-Swiss Safe Harbor Framework remain in place as a valid basis for transfers of personal data from Switzerland to the US?  

    9.  What significance, if any, do the commitments from both the Department of Commerce and the European Commission to create what is being called Safe Harbor 2.0 have, given the two years this has been under discussion and the enormity of the gap remaining?

    Both the European Commission and the Article 29 Working Party have announced that they are working on an expedited basis to develop guidance that may provide answers to some of these questions.  This in turn gives rise to a final question:  

    10.  What risk or liability do participating companies face should they defer changing their data handling policies or practices until regulatory guidance is in hand?

    Tuesday, October 6, 2015

    CJEU Delivers Colossal Blow to Mass Surveillance

    On October 6, the Court of Justice of the European Union declared invalid the decision reached by the European Commission in 2000 that found the Safe Harbor framework to provide an adequate legal basis for transferring personal data from Europe to the US. Agreeing with the reasoning of its Advocate General, the Court further instructed the Irish Data Protection Commissioner to take up the complaint against Facebook lodged by Maximilian Schrems and to determine whether the company's transfer of his data to the US should be suspended.

    The CJEU ruling, clearly the most significant development in international data privacy in the past 15 years, raises a host of questions for thousands of companies that relied upon Safe Harbor to legitimize their data transfers. Actors in this unfolding high drama include the Irish DPA, the Irish High Court, the European Commission, DPAs in other member states, the Article 29 Working Party, the European Data Protection Supervisor, the US Department of Commerce, the companies and of course the individuals whose personal data has been, and is being, transferred to the US. How each will respond will only be evident in the coming days and weeks.

    Much of the early coverage in the mass market media, both in the US and in Europe, focuses on the impact of the decision upon companies and what these companies must do to satisfy European requirements. While certainly a valid and pressing area of concern, indeed one that HR Privacy Solutions advises and assists clients with, the bigger headline is, I would argue, the one found above. At a time when judicial and legislative efforts within the US to rein in mass surveillance have advanced only in small increments, Europe's top court has unequivocally said that mass surveillance is incompatible with the right to privacy and must stop. A clarion call has been issued that is likely to be heard around the world.

    Wednesday, September 30, 2015

    CJEU Schrems Decision Coming October 6

    On September 23, the CJEU Advocate General issued his blockbuster opinion in the Schrems case that the European Commission's adequacy decision with respect to Safe Harbor is, and should be declared, invalid and that member state DPAs should determine for themselves whether data transfers under the mechanism should be stopped. Six days later, on September 29, as the privacy community was still grappling with the enormous implications of this opinion, the Court of Justice, barely skipping a beat, announced via its Twitter account that it will publish its ruling in the Schrems case on Tuesday, October 6 at 9:30 am.

    A day earlier, on September 28, the US Mission to the EU released the first official response of the US government to the AG's opinion, contending that it rests upon inaccurate assertions about US intelligence practices and a misinterpretation of ongoing US-EU discussions to strengthen Safe Harbor. The Mission predicted far-reaching and profound consequences should the CJEU follow the AG's opinion.

    Is there any need to say "Mark Your Calendars"?!!!

    Thursday, September 24, 2015

    OPM Data Breach Included 5.6 Million Fingerprints

    On September 23 the Office of Personnel Management acknowledged that the fingerprints of 5.6 million federal employees were included in the data stolen by hackers in the breach announced in early June. Previously the agency had stated that only 1.1 million sets of fingerprints were among the records of approximately 22 million individuals that were compromised. Having access to the fingerprints would allow the Chinese government, believed to be responsible for the hack, to identify intelligence agents, defense personnel or government contractors visiting China. Other data that was stolen, for example about bankruptcies and personal and sexual relationships, could be used for blackmailing these individuals. A senior US intelligence figure said that "there will be people we cannot send to China" as a result of the breach, adding that "That's only part of the damage." Unlike passwords or even Social Security numbers, fingerprints cannot be changed, making the theft all the more fraught with consequences at a time when use of biometric identifiers is becoming more widespread. 

    Wednesday, September 23, 2015

    CJEU AG Backs Schrems, Calls Safe Harbor "Invalid"

    In a blockbuster development on September 23, the Advocate General of the Court of Justice of the European Union (CJEU), Yves Bot, issued his opinion in the challenge to the Irish Data Protection Commissioner brought by Maximilian Schrems. The Advocate General upheld Schrems' argument that Ireland's DPA has the authority and duty to investigate whether, in the light of NSA mass surveillance, Safe Harbor provides adequate protection for data transferred to the U.S. by companies such as Facebook. This is a very significant finding, representing the first time that judicial authorities have proclaimed that the European Commission is "not empowered to restrict the powers of the national supervisory authorities," since these powers are derived from the Data Protection Directive.

    Going even further, however, the Advocate General held that the European Commission's decision on the adequacy of the level of protection provided by the Safe Harbor privacy principles and FAQs is "invalid," as demonstrated by the fact that the Commission has been negotiating with the U.S. to strengthen the bi-lateral framework. According to his opinion, the Commission should have suspended the application of its Safe Harbor decision upon learning of NSA surveillance, as it was urged to do by all 17 German DPAs and a huge majority of the EU Parliament.

    While the Advocate General's Opinion is not binding on the CJEU, most legal experts believe it is likely to be largely upheld by the Court when it issues its ruling in the case later this fall. Most observers believed that the Irish DPA would be compelled to re-open the matter, but few anticipated the possibility that the Court might force an immediate suspension of Safe Harbor. What form this suspension might take, and how disruptive it might prove, remain to be determined. Prudent multi-national companies relying upon Safe Harbor will want to assess how to proceed should the program be brought to a halt, including the use of alternative legal grounds for data transfers, relocation of data centers to Europe and the development of processing based upon pseudonymous information.

    Monday, September 14, 2015

    Survey Finds HR Staff a Huge Threat to IT Security

    A survey of 500 global security professionals by UK-based tech firm Clearswift found that HR came in second only to finance among departments posing the biggest threat to IT security, and first according to respondents in the UK. The reasons cited for this were described as cultural, manifested by sending information to the wrong recipients, inadvertently installing malware on computers and deliberate theft by employees and contractors. While HR staff have far more access to personal data than those in finance, the survey focused on security rather than privacy lapses. Interestingly, the largest threat perceived by respondents appeared to come from male HR middle managers working in the office, who were under time and financial pressure to perform but without an obvious stake in the consequences of losing data.

    Thursday, September 10, 2015

    Amendments to Japanese DP Law Promulgated

    Amendments to the Japanese Personal Information Protection Act (PIPA), passed by the lower house of the Diet on May 21, 2015 and by the upper house on September 3, 2015, were officially promulgated on September 9, 2015. The new consolidated data protection authority, the Personal Information Protection Committee, is expected to be established on January 1, 2016. The initial duties of the Committee will include development of a list of foreign countries having an adequate level of protection for personal data, as well as eligibility standards to be met by data recipients in foreign countries not on the list. Once the necessary guidance has been issued on these and other topics, enforcement of the amendments will begin, no later than September 10, 2017.  Additional information about the amendments may be found in a May 31, 2015 post here

    Wednesday, September 9, 2015

    Russian Data Localization Law Comes into Effect

    Any wishful thinking that the effective date of the new Russian data localization law would be postponed was dashed when the law came into force on September 1, 2015. While the applicability of the law to HR data remains murky, the Russian DPA, Roskomnadzor, has indicated verbally that it does not intend to begin enforcing the law until January 2016. In addition, fines for non-compliance are currently quite low, with an upper limit of RUB 25,000 (under $500), although this could change. More telling is the authority of Roskomnadzor to name-and-shame offending companies, order a cessation of data processing and confiscate data processing equipment. Companies that already have their primary HR database for Russian employees located in Russia, with transfers abroad limited to relevant processing that otherwise meets Russian data protection requirements, should be able to weather the uncertainty surrounding the new law.

    Sunday, August 30, 2015

    Here's Your New Employee ID Card and Your Bio-Sensor

    In mid-August, Bloomberg Business reported that the provisioning of employees with bio-sensing devices, linked to the kinds of tracking systems and analytic tools commonly used with highly competitive athletes, was making significant inroads into hedge funds, banks, call centers and consultancies across the UK.  The new tools are designed to link human behavior and physiological data, such as heart rate, stress levels, breathing, skin temperature and body position, to business performance.  While the use of such devices for health and safety reasons in industries such as oil, gas, mining and construction is not surprising, their increasing use in white collar positions is.  Some applications include monitoring what goes on outside the workplace as well, including tracking of exercise, sleep, food, alcohol consumption and caffeine intake.  The use of wearable technology in this way may be regarded as creepy by some, but insiders believe the privacy debate will fade once people realize the potential of this sort of human performance analytics.  Companies identified as exploring the use of bio-sensors in the workplace include Bank of America, KPMG, GlaxoSmithKline and Goldman Sachs.  (See mid-September article here)

    FTC Takes Another Swing at Safe Harbor Enforcement

    In mid-August the Federal Trade Commission announced enforcement actions against 13 companies that falsely claimed to be certified as Safe Harbor participants.  All were minor and little-known firms, with six companies claiming Safe Harbor membership without ever applying for it, and another seven failing to keep their certifications up-to-date through annual re-certification. No fines were imposed and the consequences for the companies were fundamentally a slap on the wrist.  At a time when the very existence of the Safe Harbor framework is under maximum duress in Europe, and the US is laboring to persuade the European Commission of its commitment to the program, the enforcement actions seem destined to underwhelm.

    UN Emerging as Strong Critic of US on Privacy, Surveillance

    The United Nations is emerging as a new player and holder of the bully pulpit on the global privacy scene, following the November 2013 unanimous vote of the General Assembly to approve the Brazilian-German declaration entitled The Right to Privacy in the Digital Age and the March 28, 2015 unanimous decision of the UN Human Rights Council to establish a special rapporteur on the right to privacy.  On July 28, the UN Human Rights Committee issued its mid-term report card for several countries based on how well they have adhered to and implemented its recommendations related to the International Covenant on Civil and Political Rights. The U.S. performance in several aspects of protecting privacy was graded “not satisfactory," including its current system of oversight for surveillance activities and its obligation under the Covenant to ensure that any interference with privacy is authorized by law.  At the end of August, the newly-appointed Special Rapporteur, Joseph Cannataci, a Maltese human rights and data privacy scholar, blasted the current state of surveillance of Internet users as "Orwellian" and called for a new Geneva convention for the Internet.

    South Korean Government Clamping Down on Data Breaches

    On August 24, it was reported that the South Korean government announced an amendment to the country's Personal Information Protection Act that would require companies to pay up to three times the damage caused by the "loss, theft, leakage, forgery, alteration or impairment of personal information because of a deliberate act or serious error."  Under the amendment, individual consumers will be able to claim damages of up to 3 million won (or about $2,500) each. Given the numerous data breaches affecting millions of individuals in South Korea in recent years, this could result in huge penalties rivaling those under consideration in the European Union.  In addition, the amendment will also give the country's Personal Data Protection Committee greater powers, including dispute handling and the ability to recommend policy and system changes.  The status of the amendment, including whether it has been introduced into the National Assembly, was not indicated.  In a related development, the Korea Communications Commission (KCC) announced implementation of a new penalty reduction scheme, under which companies that voluntarily report data breaches will receive a 30% reduction in any administrative fine imposed by the KCC.

    Saturday, August 8, 2015

    Indian Supreme Court Weighing Right to Privacy

    Whether or not the Constitution of India establishes a right to privacy has become a central issue in a legal challenge to the government's Aadhaar identity card scheme being heard by the Supreme Court.  The Attorney General for the Modi government, Mukul Rohatgi, argued that since there is no fundamental right to privacy in the Constitution, arguments that the scheme violated this right did not need to be addressed. At the same time, Rohatgi suggested that a larger Constitutional panel of judges should be asked to render its judgment on this issue if greater clarity was needed. The government's argument was received with skepticism by the court, which countered that surely a right to privacy was implicit in the right to liberty that is explicitly provided in Article 21 of the Constitution. The Supreme Court is expected to issue a ruling in the case, deciding whether a referral of the issue to a constitutional bench is appropriate, on August 11.

    Similar questions exist as to whether privacy is a constitutionally-guaranteed right in the United States, in both cases stemming from the absence of the word privacy in the Constitution, but with arguments that it is implicit in other rights that are explicitly stated. Years ago this was characterized as the Tinker Bell stratagem, namely that if you clap your hands and believe you see privacy in the Constitution, then it must be there! Unlike the U.S., however, India appears to have a judicial mechanism, which may be invoked shortly, for resolving constitutional issues in a direct manner apart from the particularities of individual cases.

    One outcome of the Aadhaar case might be to stimulate the Modi government to introduce the comprehensive privacy bill recommended by the Shah committee in 2012.  After all, to argue that there is no right to privacy in a constitution is not the same as arguing that there should not be such a right.

    Update:  On August 12, it was reported that the Supreme Court decided to refer the case to a five-judge bench for resolution of the privacy issue, while also imposing severe restrictions upon the use of the unique ID number established under the Aadhaar scheme.

    Wednesday, August 5, 2015

    BYOD Issues Spur Technological Solutions

    As more and more employers allow their employees to use their own personal mobile devices for business purposes, issues arising from BYOD practices have spurred technology companies to offer products and services addressing the problems involved. With California requiring employers to reimburse workers for work-related expenses, the difficulty of determining defensible reimbursement levels has prompted Good Technology to launch what it calls an Enterprise Split Billing service. The service segregates apps used for business purposes, with the associated expenses being paid directly by the employer, thereby obviating the need for a reimbursement program. Meanwhile, in an unlikely partnership, Google and Silent Circle announced that the next version of Silent Circle's Blackphone will come equipped with Google's Android for Work software, which will allow employees to compartmentalize personal and professional usage. Driven more by data security needs than by questions of reimbursement, the cooperative agreement shows that even companies that prioritize data privacy and security can find common ground with companies whose business model rests upon collecting huge amounts of user data to sell advertising.