News Archives

Wednesday, September 30, 2015

CJEU Schrems Decision Coming October 6

On September 23, the CJEU Advocate General issued his blockbuster opinion in the Schrems case that the European Commission's adequacy decision with respect to Safe Harbor is - and should be declared - invalid and that member state DPAs should determine for themselves whether data transfers under the mechanism should be stopped. Six days later, on September 29, as the privacy community was still grappling with the enormous implications of this opinion, the Court of Justice, barely skipping a beat, announced via its Twitter account that it will publish its ruling in the Schrems case on Tuesday, October 6 at 9:30 am.

A day earlier, on September 28, the US Mission to the EU released the first official response of the US government to the AG's opinion, contending that it rests upon inaccurate assertions about US intelligence practices and a misinterpretation of ongoing US-EU discussions to strengthen Safe Harbor. The Mission predicted far-reaching and profound consequences should the CJEU follow the AG's opinion.

Is there any need to say "Mark Your Calendars"?!!!

Thursday, September 24, 2015

OPM Data Breach Included 5.6 Million Fingerprints

On September 23 the Office of Personnel Management acknowledged that the fingerprints of 5.6 million federal employees were included in the data stolen by hackers in the breach announced in early June. Previously the agency had stated that only 1.1 million sets of fingerprints were among the records of approximately 22 million individuals that were compromised. Having access to the fingerprints would allow the Chinese government, believed to be responsible for the hack, to identify intelligence agents, defense personnel or government contractors visiting China. Other data that was stolen, for example about bankruptcies and personal and sexual relationships, could be used for blackmailing these individuals. A senior US intelligence figure said that "there will be people we cannot send to China" as a result of the breach, adding that "That's only part of the damage." Unlike passwords or even Social Security Numbers, fingerprints cannot be changed, making the theft all the more fraught with consequences at a time when use of biometric identifiers is becoming more widespread.

Wednesday, September 23, 2015

CJEU AG Backs Schrems, Calls Safe Harbor "Invalid"

In a blockbuster development on September 23, the Advocate General of the Court of Justice of the European Union (CJEU), Yves Bot, issued his opinion in the challenge to the Irish Data Protection Commissioner brought by Maximilian Schrems. The Advocate General upheld Schrems' argument that Ireland's DPA has the authority and duty to investigate whether, in the light of NSA mass surveillance, Safe Harbor provides adequate protection for data transferred to the U.S. by companies such as Facebook. This is a very significant finding, representing the first time that judicial authorities have proclaimed that the European Commission is "not empowered to restrict the powers of the national supervisory authorities," since these powers are derived from the Data Protection Directive.

Going even further, however, the Advocate General held that the European Commission's decision on the adequacy of the level of protection provided by the Safe Harbor privacy principles and FAQs is "invalid," as demonstrated by the fact that the Commission has been negotiating with the U.S. to strengthen the bilateral framework. According to his opinion, the Commission should have suspended the application of its Safe Harbor decision upon learning of NSA surveillance, as it was urged to do by all 17 German DPAs and a huge majority of the EU Parliament.

While the Advocate General's Opinion is not binding on the CJEU, most legal experts believe it is likely to be largely upheld by the Court when it issues its ruling in the case later this fall. Most observers believed that the Irish DPA would be compelled to re-open the matter, but few anticipated the possibility that the Court might force an immediate suspension of Safe Harbor. What form this suspension might take, and how disruptive it might prove, remain to be determined. Prudent multinational companies relying upon Safe Harbor will want to assess how to proceed should the program be brought to a halt, including the use of alternative legal grounds for data transfers, relocation of data centers to Europe and the development of processing based upon pseudonymous information.

Monday, September 14, 2015

Survey Finds HR Staff a Huge Threat to IT Security

A survey of 500 global security professionals by UK-based tech firm Clearswift found that HR came in second only to finance among departments posing the biggest threat to IT security, and first according to respondents in the UK. The reasons cited for this were described as cultural, manifested by sending information to the wrong recipients, inadvertently installing malware on computers and deliberate theft by employees and contractors. While HR staff have far more access to personal data than those in finance, the survey focused on security rather than privacy lapses. Interestingly, the largest threat perceived by respondents appeared to come from male HR middle managers working in the office, who were under time and financial pressure to perform but without an obvious stake in the consequences of losing data.

Thursday, September 10, 2015

Amendments to Japanese DP Law Promulgated

Amendments to the Japanese Personal Information Protection Act (PIPA), passed by the lower house of the Diet on May 21, 2015 and by the upper house on September 3, 2015, were officially promulgated on September 9, 2015. The new consolidated data protection authority, the Personal Information Protection Committee, is expected to be established on January 1, 2016. The initial duties of the Committee will include development of a list of foreign countries having an adequate level of protection for personal data, as well as eligibility standards to be met by data recipients in foreign countries not on the list. Once the necessary guidance has been issued on these and other topics, enforcement of the amendments will begin, no later than September 10, 2017. Additional information about the amendments may be found in a May 31, 2015 post here.

Wednesday, September 9, 2015

Russian Data Localization Law Comes into Effect

Any wishful thinking that the effective date of the new Russian data localization law would be postponed was dashed when the government allowed the law to come into force on September 1, 2015. While the applicability of the law to HR data remains murky, the Russian DPA, Roskomnadzor, has indicated verbally that it does not intend to begin enforcing the law until January 2016. In addition, fines for non-compliance are currently quite low, with an upper limit of RUB 25,000 (under $500), although this could change. More telling is the authority of Roskomnadzor to name-and-shame offending companies, order a cessation of data processing and confiscate data processing equipment. Companies that already have their primary HR database for Russian employees located in Russia, with transfers abroad limited to relevant processing that otherwise meets Russian data protection requirements, should be able to weather the uncertainty surrounding the new law.