News Archives

Sunday, May 31, 2015

Major Revisions to DP Law Under Consideration in Japan

Recognizing that significant advances in information and communications technology have occurred since Japan's Act on the Protection of Personal Information came into force ten years ago, The Asahi Shimbun reports that the Diet is now considering major amendments to the Act.  At present the administration of the law is decentralized, with some 13 ministries and agencies responsible for compliance in different industries. The amendments would create a Personal Information Protection Commission; expand the definition of personal information; define categories of sensitive information that can be collected or processed only with a data subject's consent; eliminate the 5,000 record exemption; allow for sharing of anonymized or pseudonymized personal data without consent; extend the extraterritorial jurisdiction of the Act to foreign entities offering services in Japan; and allow for transfer of personal data out of Japan only if special safeguards such as contracts are in place or the recipient country has equivalent data protection standards.  The amendments would be introduced in three stages, with the expectation that they will be fully in force in 2017.

Canadian Courts Support Vicarious Liability for Employee Privacy Breaches

Canadian employers may face class action lawsuits based upon their accountability for violations of privacy by their employees, according to two recent court cases, each of which builds upon the 2012 decision in Jones v. Tsige which introduced the tort of intrusion upon seclusion. In the first case, Evans v. Wilson, the court found that a bank could be sued for its failure to properly supervise an employee who accessed customer information for personal purposes.  In the second case, Hopkins v. Kay, the court came to a similar conclusion about employer liability with respect to breaches of patient information by hospital employees.  The cases highlight the need for Canadian employers to establish strong privacy policies and programs, including appropriate training, supervision and monitoring of employees who have access to personal information.

Fining Authority in the Wings, Belgian DPA Slams Facebook

More evidence emerged in May of the sea change underway in Belgium with respect to enforcement of data protection laws, with State Secretary for Privacy Bart Tommelein confirming that the country's Privacy Commission, which began auditing companies last year, would soon be vested with fining powers.  While the fines were initially expected to be small, comparable to those that can be imposed by Belgian telecom and energy regulators, the Dutch Senate passed a bill on May 26 that gives the DPA the power to issue fines up to €810,000 or 10% of annual turnover should a prior binding recommendation of the Commission not be observed.  The effective date of the legislation, which also establishes a data breach notification obligation, remains to be determined.  Although the Commission remains under-resourced, it is becoming clear that the days of what one commentator called "data protection complacency" in Belgium are fading fast.

In mid-month, the increasingly assertive Privacy Commission, which is leading an investigation into Facebook on behalf of several data protection authorities, announced that it is "make or break time" for the company to show that it prioritizes user privacy.  In a 28-page report, the Commission said that Facebook processes the personal data of its members as well as other Internet users "in secret," without asking for consent or adequately explaining how the data will be used.  According to Willem Debeuckelaere, the President of the Commission, "The way in which [Facebook] is contemptuous of the private lives of its members and of all Internet users demands action."  For its part, Facebook claims that the Belgian DPA has no jurisdiction over its activities and that it already complies with European data protection law, continuing a stance of Silicon Valley stonewalling that even Google has begun to move away from.

Saturday, May 30, 2015

Timely Demonstration of Vulnerability of Employees to Phishing

In a post on April 30, 2015 ("Single Biggest IT Threat Remains Employees"), I made the case for real-time testing of the susceptibility of employees to malicious phishing emails. Two weeks later, the Canada Revenue Agency (CRA) provided a timely demonstration of this vulnerability by sending its 16,000 employees an email designed to simulate the potentially dangerous messages sent by phishers.  Some 3,500 employees, or 22% of the agency's workforce, fell for the scam and clicked on the phony link - even though they were informed ahead of time that a test would take place!  In 2014, the CRA was forced to delay the country's tax-filing deadline due to the infection of its network by the Heartbleed bug via a phishing email.

Friday, May 29, 2015

Privacy Management Framework Launched by OAIC

As a part of Privacy Awareness Week in early May, the Office of the Australian Information Commissioner (OAIC) launched a new Privacy management framework to assist public and private sector organisations in meeting their compliance obligations.  The framework outlines the major components of four key steps organizations need to take, including creating and embedding a culture of privacy that values personal information; establishing robust and effective privacy practices, procedures and systems; evaluating these practices, procedures and systems to ensure continued effectiveness; and responding proactively to results of the evaluations and to new privacy challenges.  Taken collectively, the steps (Embed; Establish; Evaluate; and Enhance) set forth the expectations of the OAIC as to how organizations should meet the requirements of APP 1.2.  This provision requires them to take reasonable steps to implement practices, procedures and systems that ensure compliance with all the Australian Privacy Principles (APPs), which came into effect in March 2014.

The framework may be helpful to some degree, but it leaves much to be desired in being only a high level summary of the issues and concerns that any privacy management framework should address.  The framework is basically a six-page document presenting key steps followed by half-a-dozen or so single-sentence bullet points.  By comparison, the draft Privacy Risk Management Framework issued in the U.S. by the National Institute of Standards and Technology (NIST) in late May, while covering much the same ground, weighs in at 64 pages and is far more substantive. It would appear that having a comprehensive privacy law on the books is no substitute for having a sufficiently resourced standard-setting regulator. There are many indications that it will take significantly more than rudimentary educational efforts by the OAIC to induce many Australian businesses to take privacy seriously.

Federal Judge Knocks Gov't on Searches at U.S. Borders

On May 8, U.S. District Judge Amy Berman Jackson ruled that the search of a traveler's laptop at a Los Angeles airport, in the absence of suspicion of ongoing or imminent criminal activity, was unreasonable and a violation of constitutional privacy protections.  The judge's 44-page opinion was a scathing indictment of the government's long-standing policy of allowing law enforcement to inspect anything, including electronics, at border crossings, without the applicability of normal Fourth Amendment rights against unreasonable searches and seizures. Other federal judges, such as Edward R. Korman, have upheld the government policy, prompting the ACLU to call areas within 100 miles of all U.S. borders a "Constitution-Free Zone."  Whether the government will appeal the ruling in the LA case is not known.  The policy has forced a number of multi-national firms to restrict their employees from leaving or entering the country with certain types of files or information on their laptops and mobile devices.