News Archives

Wednesday, July 29, 2015

Commission Aims to Finalize Safe Harbor Talks in Coming Weeks

On July 23, the European Commissioner for Justice, Vera Jourová, met in Brussels with US Commerce Secretary Penny Pritzker to continue discussions, begun in November 2013, about strengthening the Safe Harbor framework.  According to a press release issued by the Commission, Jourová welcomed the progress made to date and "aims for a finalisation of discussions in the coming weeks."  Reports that an agreement is almost in hand have been made on several occasions over the past year.  Further delays could undercut the ability of the two sides to reach a conclusion, since highly relevant compromises may be reached first by the participants in the GDPR trilogue negotiations.

Update on 8/8/15:  During the first week of August there were additional reports that the U.S. and the Commission were "close to a deal" on Safe Harbor, with an agreement to be announced before the end of the summer. While holding one's breath in anticipation of such a development would hardly be advisable, it is noteworthy that both Reuters and Banking Technology claim that a key focus of the new agreement will be stronger controls on transfer of personal data by Safe Harbor participants to third parties.  A December 2014 post on CNIL objections to Safe Harbor fleshes out two specific concerns relating to data transfers to third parties under Safe Harbor.

Tuesday, July 28, 2015

Progress Reported at Second Trilogue Meeting on GDPR

Significant progress was reported during the second round of trilogue negotiations on the new EU General Data Protection Regulation, which was held on July 14, 2015.  According to participants, agreement was reached on the issues of territorial scope and international data transfers, although work remains to be done on exceptions for national security purposes. Topics viewed as more contentious, including the rights of consumers, duties of data controllers and limitations on further processing of data for incompatible purposes, will be addressed at the next meeting on September 1.  Negotiators were said to have been sufficiently encouraged to set themselves an ambitious deadline for finalizing the GDPR negotiations, namely the Justice and Home Affairs Council meeting in October.  As Oliver Proust makes clear in a detailed explication of the trilogue process, any compromise agreement reached in October would still need to be followed by adoption of the text in second readings by both the Parliament's General Assembly and the Council.

On July 27, the European Data Protection Supervisor, Giovanni Buttarelli, issued the recommendations of his office to trilogue participants, along with a 520-page table that compares, on a line-by-line basis, the texts proposed by the Commission, the Parliament and the Council with the recommendations of the EDPS.  In a sign of new communications sophistication, the comparative table was also released by the EDPS as a mobile app available via iTunes or Google Play.  A useful overview of the potential impact of the GDPR upon data protection in the workplace - potential because no final text has been agreed upon - is provided by Hogan Lovells. 

China Issues Draft Network Security Law

On July 6, 2015, China’s National People’s Congress released a draft of a new Network Security Law for public comment through August 5, 2015.  While the draft consolidates a number of previously issued obligations for network operators, it adds several new ones: a requirement that data breaches be notified to users, as well as to government authorities; a prohibition on transfers of certain types of sensitive personal information outside of China, unless approved by national network administration authorities; and the creation of a new category of personal data, namely "personal biometric information."  According to Covington & Burling, provisions of the draft law "reflect a recent trend of tightening rules regarding cross-border data transfers. It will be more burdensome for multinational companies operating critical information infrastructure in China to transfer personal data internationally, whether intra-group or to third parties (such as data processing contractors)."  Like most high-level laws, the draft Network Security Law employs broad language, leaving many aspects of interpretation and clarification to implementing rules that will be issued by government regulators.

Art 29 WP to Issue Code of Conduct for Cloud Computing

The Article 29 Working Party, an advisory body composed of representatives from the DPAs of each EU member state, was reported to be close to completing a code of conduct for cloud service providers. Work on the code, developed by a European Commission-chaired Cloud Select Industry Group on Code of Conduct, whose members include Microsoft, Oracle and the Cloud Industry Forum, began in April 2013. The aim of the new code, according to the Commission, is to "help potential cloud computing users assess whether a cloud provider complies with EU data protection rules, and with their own data protection obligations". Resolving differing interpretations of cloud obligations by member states, particularly where cross-border services are involved and issues of "data location" arise, is seen as important in spurring greater adoption of cloud computing within the EU. The Working Party is expected to publish the code of conduct either later this summer or before the end of the year.

Thursday, July 23, 2015

Government of Bermuda Issues Draft Data Protection Law

The government of Bermuda has issued a proposed comprehensive data protection bill for public consultation running through August 17.  The Personal Information Protection Act (PIPA), modeled primarily upon European precedents, sets out in detail what the government calls "a set of internationally accepted privacy principles that reflect accepted standards of good business practices for the use of personal information.”  Under the Act, data breaches that could adversely affect an individual must be reported to a Privacy Commissioner and to affected individuals.  Among the details deemed “sensitive” will be information such as race, ethnicity, disability and political views.  Requirements for international transfers of personal data will mirror those in the EU, with the Privacy Commissioner designating jurisdictions that have a comparable level of data protection. According to a report in the Royal Gazette, as well as comments included in the draft bill, the legislation has been drafted in a manner which should allow Bermuda to receive an adequacy finding by the European Commission.

Should the Act be adopted, Bermuda would become the second Caribbean nation, following The Bahamas, to enact comprehensive privacy legislation.  It should be noted, however, that in 2008 the government attempted to enact such a law without success. 

Separately, the Ministry of Information and Communications Technology of Qatar announced that it is planning to issue a digital privacy law, containing general rules regarding the protection of personal information of Internet users, by the beginning of 2016.

ECJ to Rule on Jurisdictional Competencies of DPAs

The European Court of Justice (ECJ) is expected to issue a decision in coming months addressing the competency of member state data protection authorities to investigate and take enforcement actions against data controllers whose principal place of business is in another member state.  In Weltimmo s.r.o. v. NAIH (National Authority for Data Protection and Freedom of Information Hungary), the Court will rule on whether the Hungarian DPA acted within its authority under the EU Data Protection Directive when it fined a Slovakian-registered company that operated websites for real estate ads targeting Hungarians. According to the Privacy Laws & Business International Report, the Advocate General of the ECJ, Pedro Cruz Villalón, issued his opinion on June 25, 2015 that the NAIH exceeded its authority insofar as the applicable law in this case was that of Slovakia.

The ECJ typically follows the reasoning of its Advocate General, as it did in its Google Spain ruling, but whether it will do so in this case remains to be seen.  It may elect to defer its decision until the contentious issue of the "one stop shop" has been resolved in the current trilogue discussions, for fear of undermining whatever political compromises are reached in that process.  For similar reasons, it may hold back on its decision in the case brought by Max Schrems until the EU and the US complete their negotiations over reforms to the Safe Harbor program.

Wednesday, July 22, 2015

FTC Highlights Role of Non-Technical Employees in Data Breaches

On June 30, the Federal Trade Commission published Start with Security:  A Guide for Business, a brochure which summarizes lessons learned from the 50+ settlements the FTC has reached with companies accused of unfair and deceptive practices with respect to the protection of customer data.  The Guide is structured into what the FTC describes as ten common-sense lessons that apply to businesses of all sizes:
  1. Start with security
  2. Control access to data sensibly
  3. Require secure passwords and authentication
  4. Store sensitive personal information securely and protect it during transmission
  5. Segment your network and monitor who's trying to get in and out
  6. Secure remote access to your network
  7. Apply sound security practices when developing new products
  8. Make sure your service providers implement reasonable security measures
  9. Put procedures in place to keep your security current and address vulnerabilities as they arise
  10. Secure paper, physical media, and devices
Each lesson is illustrated with practices at named companies that deviate from these prescriptions, and, not surprisingly, the role of non-technical employees in security breaches is mentioned often in these examples.  Eight such security lapses are identified:
  • Accretive:  (a) used real people’s personal information in employee training sessions, and then failed to remove the information from employees’ computers after the sessions were over; and (b) an employee left a laptop containing more than 600 files, with 20 million pieces of information related to 23,000 patients, in the locked passenger compartment of a car, which was then stolen. 
  • Goal Financial:  (a) failed to restrict employee access to personal information stored in paper files and on its network; as a result, employees transferred more than 7,000 consumer files containing sensitive information to third parties without authorization; and (b) an employee sold surplus hard drives that contained the sensitive personal information of approximately 34,000 customers in clear text.
  • Twitter:   (a) granted almost all of its employees administrative control over Twitter’s system, including the ability to reset user account passwords, view users’ nonpublic tweets, and send tweets on users’ behalf; (b) let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts; and (c) failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts.
  • CBR Systems:   backup tapes, a laptop, and an external hard drive – all of which contained sensitive information – were lifted from an employee’s car.
To be sure, most of the examples of weak security practices cited in the Guide relate to actions taken or not taken by technical employees or their managers.  While HR staff should certainly advocate for the correction of technical lapses they are aware of, they should also insist upon adequate data security policies and training for practices that vest responsibility in the general employee population.  A key part of HR's mission should be to help employees be productive and avoid harming both their own careers and the company through obviously imprudent handling of personal information.

Tuesday, July 21, 2015

Australian Govt. Continues to Weaken Privacy Oversight

Enforcement of the Privacy Act, the Freedom of Information Act and the Information Commissioner Act continued to erode in Australia, under the plan of the Liberal/National coalition government led by Tony Abbott to disband the Office of the Australian Information Commissioner (OAIC) as part of its "small government" agenda.  In mid-July, the government announced that Timothy Pilgrim, whose five-year term as Privacy Commissioner was about to expire, would move into the overarching position of Acting Information Commissioner for a period of three months. During this period the government is expected to enact legislation mandating the dissolution of the OAIC, with the future of the privacy oversight function remaining to be determined.

A palpable disinterest in privacy laws and enforcement is found in all three major Commonwealth nations, Australia, Canada and the United Kingdom, at least under the leadership of their current conservative-led coalition governments.  All have privacy laws on the books, inherited directly or indirectly from an earlier UK government's attempt to integrate itself with Europe, that they don't seem to know quite what to do with.  All are marching to the same national security drumbeat with respect to surveillance laws and powers.  Each in its own way demonstrates that the presence of privacy laws at the national level is no guarantee of a government's commitment to privacy protection.