News Archives

Sunday, August 30, 2015

Here's Your New Employee ID Card and Your Bio-Sensor

In mid-August, Bloomberg Business reported that the provisioning of employees with bio-sensing devices linked to the kinds of tracking systems and analytic tools commonly used with highly competitive athletes was making significant inroads into hedge funds, banks, call centers and consultancies across the UK.  The new tools are designed to link human behavior and physiological data, such as heart rate, stress levels, breathing, skin temperature and body position, to business performance.  While the use of such devices for health and safety reasons in industries such as oil, gas, mining and construction is not surprising, their increasing use in white-collar positions is.  Some applications include monitoring what goes on outside the workplace as well, including tracking of exercise, sleep, food, alcohol consumption and caffeine intake.  The use of wearable technology in this way may be regarded as creepy by some, but insiders believe the privacy debate will fade once people realize the potential of this sort of human performance analytics.  Companies identified as exploring the use of bio-sensors in the workplace include Bank of America, KPMG, GlaxoSmithKline and Goldman Sachs.  (See mid-September article here)

FTC Takes Another Swing at Safe Harbor Enforcement

In mid-August the Federal Trade Commission announced enforcement actions against 13 companies that falsely claimed to be certified as Safe Harbor participants.  All were minor and little-known firms, with six companies claiming Safe Harbor membership without ever applying for it, and another seven failing to keep their certifications up-to-date through annual re-certification. No fines were imposed and the consequences for the companies were fundamentally a slap on the wrist.  At a time when the very existence of the Safe Harbor framework is under maximum duress in Europe, and the US is laboring to persuade the European Commission of its commitment to the program, the enforcement actions seem destined to underwhelm.

UN Emerging as Strong Critic of US on Privacy, Surveillance

The United Nations is emerging as a new player and holder of the bully pulpit on the global privacy scene, following the November 2013 unanimous vote of the General Assembly to approve the Brazilian-German declaration entitled The Right to Privacy in the Digital Age and the March 28, 2015 unanimous decision of the UN Human Rights Council to establish a special rapporteur on the right to privacy.  On July 28, a new UN Human Rights Committee issued its mid-term report card for several countries based on how well they have adhered to and implemented its recommendations related to the International Covenant of Civil and Political Rights. The U.S. performance in several aspects of protecting privacy was graded "not satisfactory," including its current system of oversight for surveillance activities and its obligation under the Covenant to ensure that any interference with privacy is authorized by law.  At the end of August, the newly-appointed Special Rapporteur, Joseph Cannataci, a Maltese human rights and data privacy scholar, blasted the current state of surveillance of Internet users as "Orwellian" and called for a new Geneva convention for the Internet.

South Korean Government Clamping Down on Data Breaches

On August 24, it was reported that the South Korean government announced an amendment to the country's Personal Information Protection Act that would require companies to pay up to three times the damage caused by the "loss, theft, leakage, forgery, alteration or impairment of personal information because of a deliberate act or serious error."  Under the amendment, individual consumers will be able to claim damages of up to 3 million won (or about $2,500) each. Given the numerous data breaches affecting millions of individuals in South Korea in recent years, this could result in huge penalties rivaling those under consideration in the European Union.  In addition, the amendment will give the country's Personal Data Protection Committee greater powers, including dispute handling and the ability to recommend policy and system changes.  The status of the amendment, including whether it has been introduced into the National Assembly, was not indicated.  In a related development, the Korean Communications Commission (KCC) announced implementation of a new penalty reduction scheme, under which companies that voluntarily report data breaches will receive a 30% reduction in any administrative fine imposed by the KCC.

Saturday, August 8, 2015

Indian Supreme Court Weighing Right to Privacy

Whether or not the Constitution of India establishes a right to privacy has become a central issue in a legal challenge to the government's Aadhaar identity card scheme being heard by the Supreme Court.  The Attorney General for the Modi government, Mukul Rohatgi, argued that since there is no fundamental right to privacy in the Constitution, arguments that the scheme violated this right did not need to be addressed. At the same time, Rohatgi suggested that a larger Constitutional panel of judges should be asked to render its judgment on this issue if greater clarity was needed. The government's argument was received with skepticism by the court, which countered that surely a right to privacy was implicit in the right to liberty that is explicitly provided in Article 21 of the Constitution. The Supreme Court is expected to issue a ruling in the case, deciding whether a referral of the issue to a constitutional bench is appropriate, on August 11.

Similar questions exist as to whether privacy is a constitutionally-guaranteed right in the United States. In both cases the question arises from the absence of the word privacy in the Constitution, with arguments that it is implicit in other rights that are explicitly stated. Years ago this was characterized as the Tinker Bell stratagem, namely that if you clap your hands and believe you see privacy in the Constitution, then it must be there! Unlike the U.S., however, India appears to have a judicial mechanism, which may be invoked shortly, for resolving constitutional issues in a direct manner apart from the particularities of individual cases.

One outcome of the Aadhaar case might be to stimulate the Modi government to introduce the comprehensive privacy bill recommended by the Shah committee in 2012.  After all, to argue that there is no right to privacy in a constitution is not the same as arguing that there should not be such a right.

Update:  On August 12, it was reported that the Supreme Court decided to refer the case to a five-judge bench for resolution of the privacy issue, while also imposing severe restrictions upon the use of the unique ID number established under the Aadhaar scheme.

Wednesday, August 5, 2015

BYOD Issues Spur Technological Solutions

As more and more employers allow their employees to use their own personal mobile devices for business purposes, issues arising from BYOD practices have spurred technology companies to offer products and services addressing the problems involved. With California requiring employers to reimburse workers for work-related expenses, the difficulty of determining defensible reimbursement levels has prompted Good Technologies to launch what it calls an Enterprise Split Billing service. The service segregates apps used for business purposes, with the associated expenses being paid directly by the employer, thereby obviating the need for a reimbursement program. Meanwhile, in an unlikely partnership, Google and Silent Circle announced that the next version of Silent Circle's Blackphone will come equipped with Google's Android for Work software, which will allow employees to compartmentalize personal and professional usage. Driven more by data security needs than by questions of reimbursement, the cooperative agreement shows that even companies that prioritize data privacy and security can find common ground with companies whose business model rests upon collecting huge amounts of user data to sell advertising.

Application of Russian Localization Law to Employee Data Remains Unclear

On August 3, one month before the Russian Data Localization Law comes into effect, the Ministry of Communications published non-binding clarifications of the law. Under this new guidance, which thus far is the only written guidance that has been published, employee data will be exempted from coverage by the Data Localization Law. However, during meetings in June and July with industry and trade associations, the opposite position was taken by Roskomnadzor, the data protection authority, namely that employee data will be subject to the law. Requests made by the business associations for a one-year extension of the implementation date of the law have thus far yielded no results.