News Archives

Wednesday, December 30, 2015

No Safe Harbor Progress as January 31 Deadline Looms

On November 30, EU Justice Commissioner Vera Jourova told an interviewer that the EU and the US are close to a deal on a strengthened Safe Harbor and should reach an agreement during December, adding that this would probably be accomplished during a meeting scheduled for December 17.  However, the meeting was apparently postponed, possibly in light of the December 12 announcement of agreement on the final text of the General Data Protection Regulation.  In any event, the month has come and gone without any official announcement of the status of the talks. 

If Jourova was playing the optimist, an opposing perspective was issued on the same day that Jourova spoke, during Parliamentary testimony by the Dutch Justice Minister. According to the Minister, Ard van der Steur, the likelihood of an agreement being reached by the end of January is very low, particularly since discussion of the most critical issue in the talks, mass surveillance of internet traffic by the NSA, had not even begun.  With the Netherlands taking over the presidency of the Council of the European Union on January 1, 2016 and its justice ministry becoming an official channel for discussions with the US on Safe Harbor, van der Steur’s views are particularly pertinent.  Noting that European DPAs have threatened to “take all necessary and appropriate actions, which may include coordinated enforcement actions” if a solution is not found with US authorities by January 31, 2016, the Justice Minister indicated that planning for such enforcement actions was underway.

Some ten days later, on December 10, Isabelle Falque-Pierrotin, the chair of the Article 29 Working Party, appeared to hedge on the significance of the January 31 deadline, stating that she was uncertain if a final agreement could be reached by that time and suggesting that "some kind of a political sign" that US authorities understood the main message of the CJEU judgment might suffice.

Sunday, December 20, 2015

GDPR Clears Final Hurdle

On December 12, in a development that some expected and others hoped would never come, the European Commission, the European Parliament and the Council successfully concluded their trilogue discussions by announcing agreement on the final text of the General Data Protection Regulation.  The agreement comes six years after the Commission held its first stakeholder consultation and four years after it released a proposed text.  In spite of intense lobbying and opposition by some business groups and member states, the original text survived largely intact, with mostly minor and subtle changes and some significant strengthening, as in the higher maximum fines for violations.  Formalities of official approval by the Parliament and the Council remain, but these are expected early in 2016, with the Regulation to come into force two years later, early in 2018.

As the first major reform of European data protection law in 25 years, the Regulation is a monumental game-changer, a perspective well-summarized by Oxford lecturer Jeffrey Ritter.  It also comes at a critical time in the EU’s current confrontation with the US over data privacy, demonstrating a political will to secure European human rights that puts muscle behind the legal gauntlet thrown down by the CJEU’s Schrems ruling.  Terrorist attacks in Paris and Santa Barbara notwithstanding, it re-affirms the message that Europe will not tolerate sacrificing privacy on the altar of security.

BYOD Guidelines Issued in Canada

During the late summer, the Office of the Privacy Commissioner of Canada, together with the Alberta and British Columbia Privacy Commissioners, issued guidance for employers to consider before allowing employees to use their own mobile devices for both work and personal uses.  The guidance, entitled Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization? Privacy and Security Risks of a BYOD Program, can be summarized section-by-section as follows:
  • Ensure commitment by Senior Management
  • Conduct privacy impact & threat risk assessments
  • Develop, communicate, implement and enforce a BYOD policy
  • Test the BYOD program (before rolling it out)
  • Develop training materials & programs
  • Demonstrate accountability
  • Mitigate risks through “containerization”
  • Identify policies and procedures for storing and retaining personal information
  • Implement encryption for devices and communication
  • Address patch and software vulnerabilities
  • Manage apps and app configurations
  • Support effective authentication and authorization practices
  • Address malware protection
  • Formalize a BYOD incident management process
As noted by Kelly O’Ferrall of Stikeman Elliott, the underlying message to employers in this worthwhile but sobering guidance appears to be “proceed with caution, if at all.”

Employee Wearables Deliver Benefits in Test Run

A test run of employee-monitoring wearables by the accounting firm Deloitte, in its office in St. John's, Newfoundland and Labrador, yielded positive results.  In conjunction with switching to an “open concept” office design, Deloitte invited employees to wear ID badges with embedded microphones and accelerometers. The badges tracked conversations and movement around the office, generating as much as four gigabytes of data a day from each employee.  The data indicated how often employees engaged co-workers in conversation, tracked their body language and how frequently they moved around.  In return, employees received daily updates on their office behavior, including advice on whether they were speaking enough at meetings or demonstrating leadership.  According to the company, the tracking program successfully motivated employees to improve their behavior and tracked performance, while confirming their preference for the new office design.

Unlike a similar program of Hitachi in Japan called “Human Big Data,” Deloitte made the project optional, guaranteed participants anonymity, and agreed by contract that the data remained the employee’s personal property.  Whether Hitachi’s mandatory program will survive the new amendment to PIPA coming into effect in Japan remains to be seen.  In the meantime, the Deloitte experiment shows that with proper attention to privacy concerns, wearable technology can be effectively introduced into the workplace.

Survey Finds Employees the Leading Cause of Data Breaches

A new cybersecurity survey by the Association of Corporate Counsel, released on December 9, found employees to be responsible for most data breaches.  According to responses from more than 1,000 in-house lawyers in 30 countries, 60% of data breaches can be attributed to employees in the following ways:  employee error, such as in sending an errant email (24%); inside job (15%); phishing (12%); and lost laptop/device (9%).  Other identified causes of breaches were access through a third party (12%); application vulnerability (7%); malware (7%); ransomware (1%) and operating system vulnerability (<1%).  Even though most breaches are caused by employees, the survey also found that fewer than half of the companies involved provide mandatory data security training to employees, and even fewer track or test employee knowledge.

These findings are thoroughly consistent with earlier ones reported in this blog over the years, including most recently, Single Biggest IT Security Threat Remains Employees (April 30, 2015).  Sadly, it appears that companies will continue failing to train and test employees in data security until legally compelled to do so, even if it is manifestly in their own interest to do so.  Furthermore, it will be another two years before companies doing business in Europe will be required to demonstrate their accountability in this area.