News Archives

Wednesday, December 28, 2016

CJEU Rejects Mass Surveillance Again in UK Case

On December 21, the Court of Justice of the European Union unequivocally re-affirmed that “general and indiscriminate retention of traffic data and location data” was contrary to EU law, echoing its invalidation of the Data Retention Directive in the 2014 Digital Rights Ireland case.  The current decision, in a case variously referred to as either Tele2 or Watson, arose as a challenge within the UK against the 2014 Data Retention and Investigatory Powers Act (DRIPA), brought by Tom Watson, deputy leader of the Labour Party, amongst others. Since the DRIPA was superseded by the enactment of the 2016 Investigatory Powers Act 2016 last month, and the IPA – dubbed by critics the Snooper’s Charter – gives even wider and more intrusive powers of mass surveillance to the government, the IPA is also likely to be unlawful under EU law.  While the CJEU decision does not directly address the legality of the IPA, it clearly supports legal challenges against it likely to come from privacy groups.

Given Brexit, the new ruling places the UK in a difficult bind at a time when Brexit itself is enormously challenging.  The government can ignore the ruling but thereby risk not obtaining a future adequacy ruling from the European Commission that will be needed to ensure the continuance of data exchanges with the EU, or it can re-open what was a wrenching and divisive debate on the Investigatory Powers Act with a view of bringing it into conformity with EU law. 

Tuesday, December 27, 2016

Eyeing GDPR, EU Member States Updating DP Laws

The EU General Data Protection Regulation comes into force directly and immediately across all member states of the European Union on May 25, 2018, without any need for enabling legislation to be passed by national governments.  It is a Regulation after all, not a Directive, and is designed to establish a single and consistent base DP law across the EU. So what should be made of all the reports by reliable media sources about this or that member state – Germany, France, Spain, the Netherlands – working on new data protection laws to implement the Regulation? The simple answer is that reporters on arcane matters like data protection law can easily choose the wrong words.  But more importantly, what is really going on?  What are these mis-identified “implementing” laws all about?

In general, these new member state laws, which anticipate the GDPR and amend current national data protection legislation, have one or both of the following objectives:
  • to bring certain provisions of the GDPR into effect prior to May 25, 2018; or
  • to legislate in areas not directly addressed by the GDPR but in which the GDPR allows member states a margin of maneuver or derogation to enact supplemental laws.
Examples of member states advancing the effective date of certain GDPR provisions include The Netherlands (which implemented a data breach notification requirement in January) and France (where the Digital Republic Bill enacted in October increased the fines that can be imposed by CNIL to €3 million - still far below the maximum level set by the GDPR – and also introduced the right to data portability).

Examples of member states working on supplemental or complimentary legislation include Spain (which is reported to be preparing a draft bill for consultation in February 2017 to harmonize its broad-based Organic Law on Data Protection with the GDPR) and Germany (which is attempting once again to legislate protections specifically directed to the employment context).

Multi-national companies have an easer time dealing with legislative changes in the first category, since these are basically timing issues.  Those in the second category are more troublesome, since they detract from the promise of a single, consistent data protection standard across the EU.  On the bright side, the differences between member states are likely to be far less stark and frustrating than those that have prevailed over the past 20 years.

Working Party Issues Guidance on GDPR Implementation

Following a plenary meeting in mid-December, the Article 29 Working Party released guidelines and FAQs on three major implementation topics under the General Data Protection Regulation:  the right to data portability, Data Protection Officers, and the lead supervisory authority (“one-stop-shop”). The 61 pages of guidance need to be closely analyzed by companies preparing for the May 2018 effective date of the GDPR. The WP29 invited comments on the guidance from stakeholders through the end of January 2017, suggesting that they were open to further refinements.  Additional guidance, on data protection impact assessments and on certification, is scheduled for release in 2017.  The Working Party also indicated that it is working on steps necessary to establish the European Data Protection Board called for by the GDPR, and announced that it will take on the role of the “EU centralized body” referenced in the Privacy Shield framework as the EU complaint-handling entity.

Dutch Court Ruling a Threat to App Deployment in the EU

In late November, the Administrative Court in The Hague upheld a penalty imposed by the country’s DPA against WhatsApp for its failure to appoint a representative in the Netherlands.  The requirement to do so is found in Article (4)(2) of the EU Data Protection Directive, applicable whenever a data controller not established in the EU makes use of equipment situated in a member state for the purpose of processing personal data.  Although some observers have characterized the court’s ruling as “extreme”, it is consistent with guidance issued by the Article 29 Working Party in 2013 and in 2010, as well as with court rulings such as that of the High Court of Berlin in 2014 that Facebook was subject to German law due to its use of cookies on German computers.

WhatsApp could have satisfied the requirement to have an in-country representative by contracting with a Dutch entity and indemnifying them in case a fine or penalty was imposed as the result of a violation of data protection law.  However, the larger challenge faced by the company, owned since 2014 by Facebook, is that it would need to have a representative located in each EU member state in which its app is used.  The General Data Protection Directive, coming into effect in May 2018, eases this burden by allowing the appointment of one local representative covering all member states.  WhatsApp may appeal the court’s decision against it to the Dutch State Council, hoping that it has the exceptional case in which enforcement actions of a DPA are overturned. It may also be reluctant to have a legal representative through whom even larger fines for other legal violations – such as those involved in the merging of personal data across Facebook and WhatsApp accounts – could be extracted.

Tuesday, November 29, 2016

Challenges to Privacy Shield Mount

There were a number of developments around challenges to the EU-U.S. Privacy Shield framework in November. Details were released of the formal complaint filed by Digital Rights Ireland with the Court of Justice of the European Union (CJEU) back in September, advancing ten grounds to justify its call for an annulment of the European Commission’s adequacy decision for the framework.  Violations of the EU Data Protection Directive, the Charter of Fundamental Rights and the CJEU’s Schrems decision were claimed in nine of the ten grounds.  In France, three organizations – the privacy advocacy group La Quadrature du Net, the non-profit ISP French Data Network and the Federation FDN industry association – were reported to have filed a legal challenge to Privacy Shield at the Luxembourg-based General Court. On November 11, it was announced that the European Commission had asked the U.S. government about a secret court order Yahoo used to scan thousands of customer emails for possible terrorism links, following concerns that this may have violated understandings reached during Privacy Shield negotiations. In the final agreement that was reached, the U.S. pledged not to engage in mass, indiscriminate surveillance of the data of Europeans.  Meanwhile, the Irish DPA was said to have stepped up its investigation of Yahoo’s breach of the personal data of 500 million individuals, while still being in the early stages of looking into the issue of how the company’s e-mail scanning on behalf of U.S. authorities might impact Privacy Shield.

Monday, November 28, 2016

German Government Not on Same Page as DPAs

Germany has traditionally been viewed as the European country with the most rigorous data protection laws and culture.  However, privacy developments during November were of a decidedly mixed character.  On the one hand, the data protection authorities in ten German states initiated a coordinated mass audit of 500 randomly-selected companies, focusing upon their data transfer policies and practices.  Companies still relying upon Safe Harbor as a basis for data transfers to the U.S. would likely see enforcement actions brought against them.  Enforcement actions by individual DPAs also continued, for example the fining of an unnamed company by the Bavarian DPA for appointing a data protection officer who continued in his role as IT manager.

On the other hand, the German interior ministry released the draft of a bill that would prevent DPAs from investigating breaches of medical and legal records and also allow businesses to withhold notice about personal data they collected if such notice “would seriously jeopardize the business purposes of a company.”  Theo Weichert, the out-spoken former DPA for Schleswig-Holstein, called the provisions a “disaster” that would represent a “massive” erosion of privacy in Germany, while the federal DPA, Andrea Vosshoff, said they would make DPA control “in many sensitive areas, for instance health insurance companies, job centers, or other social service operators, almost impossible, and is not acceptable." Other criticisms of the draft bill were prominent in an analysis published by federal and state DPAs on November 11.  Finally, in a sign of what appears to be a growing cultural bifurcation, Chancellor Angela Merkel called upon EU member states to take “a pragmatic approach” to the application of data protection laws, balancing the need to prevent the mis-use of personal data with the need to enable the development of big data projects.

Data Localization Taking Root in China, Russia

Significant developments relating to data localization occurred in both China and Russia during November.  In China, the National People’s Congress Standing Committee enacted the final draft of the Network Security Law (also referred to as the Cybersecurity Law) on November 7, with an effective date of June 1, 2017.  The Law requires enterprises providing “key information infrastructure” to store critical data and personal information collected and generated in the course of their operations within the territory of China, irrespective of the citizenship of the data subjects. Such information may be transferred outside of China only when there is a genuine business need to do so and a favorable security assessment has been carried out.  A key issue for multi-national businesses situated outside of China will be how the State Council determines the scope of “key information infrastructure” and how stable such a demarcation will be.  In another important development, the Law establishes a broad range of privacy protections reflective of, and consistent with, the EU General Data Protection Regulation and other international standards.

In Russia, the country’s data protection authority, Roskomnadzor, ordered that access to LinkedIn’s website be blocked as of November 17, making this the first time a foreign online service has been forced to shut down for failing to comply with the Data Localization Law. Other major U.S. web giants, such as Microsoft, Apple and Google, were reported to have conformed to the Law by moving the personal data of Russian citizens to Russian-based servers, while Facebook and Twitter are under regulatory pressure to do so.  Should LinkedIn follow suit, which would be relatively easy to do utilizing data centers operating within Russia such as Microsoft’s, their service could be restored.  In an exceptionally lame excuse for non-compliance, LinkedIn argued that it failed to respond to the inquiry from Roskomnadzor that led to the website shut-down because the DPA had sent its inquiry to the firm’s U.S. office instead of to LinkedIn Ireland, which is responsible for the data of non-U.S. citizens.

Thursday, November 3, 2016

649 Companies Participating in Privacy Shield

According to HR Privacy Solution’s analysis of data on the Dept. of Commerce’s Privacy Shield website, 649 companies were listed as active participants in the EU-U.S. Privacy Shield framework as of close of business on October 31, 2016.  This is up from 107 companies participating by the end of August and 304 by the end of September.  

The analysis also revealed the following:

  • Of the 649 companies, 18 (3%) certified for HR data only, 144 (22%) certified for both HR data and non-HR data, and 487 (75%) certified for non-HR data only.
  • The 18 companies certifying for HR data only are largely not well-known:  Amplifinity, Babcock & Wilcox, CDK Global, Cornerstone OnDemand, DDB Worldwide, Edgeview Personal Care, Employment Screening Services, Fort Hill Company, HCR Software Solutions, i9Advantage, Kiran Analytica, Maseke, Perceptyx, PRO Unlimited, Recsolv (Yello), Tenneco and VWR.
  • Better-known companies on the list include:  Amazon, Avon, Babcock & Wilcox, Box, Brother, Ceridian, Cisco, Citrix, DDB Worldwide, Deloitte, Dropbox, Dun & Bradstreet, Eaton, Electronic Arts, Ernst & Young, Facebook, Google, Ingersoll Rand, Intuit, ITT, Kingston Technologies, Microsoft, Northrop Grumman, Omnicom, Oracle, Pinkerton, Salesforce, Tenneco, Tiffany, TRUSTe, Viacom and Workday.
  • Of these 32 better-known companies, all certified for non-HR data, except for Babcock & Wilcox, DDB Worldwide and Tenneco.
  • Of these 32 better-known companies, those not certifying for HR data included Amazon, Box, Brother, Cisco, Citrix, Dropbox, Dun & Bradstreet, Kinston Technologies, Oracle, Salesforce, Tenneco and TRUSTe.
  • There were an additional 858 covered companies listed in the certifications of the 649 Privacy Shield participants.
The analysis confirms an earlier finding that Privacy Shield is being used as a transfer mechanism overwhelmingly by smaller niche companies to legalize the import of non-HR data from Europe.  Only 5% of participating companies are better-known and only 25% are using Privacy Shield to import HR data.

The design of the DOC website makes analysis difficult and impractical.  For example, determination of the distribution of industry segments of participants would require inspection of each certification on an individual basis.  In addition, three months after launch, the website remains unstable and bug-ridden.  Seventeen companies are listed out of alphabetical order when searching letter-by-letter under Advanced Search.  Some companies, such as etleap, are not found at all when searched for individually.  Session history influences the results displayed when searching. The site disables a browser’s Back key, forcing a user to exit and re-enter the list when attempting to locate particular companies.  Is this the best that can be expected of government work?

Sunday, October 30, 2016

UK Will Follow EU DP Rules, But For How Long?

With the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018, and the UK’s exit from the EU not occurring until the following summer if the timetable announced by PM Theresa May on October 2 holds, there is a growing consensus that the GDPR will be both legally and operationally implemented in the UK at least through the time Brexit takes effect.  According to Elizabeth Denham, the former Information and Privacy Commissioner for British Columbia and new UK Information Commissioner, the UK is going to want to continue to do business with Europe, which will require its data protection law to be equivalent, leading her to state that “I don’t think Brexit should mean Brexit when it comes to standards of data protection.”  Whether PM May agrees with this outspoken position is unclear, since the outlines of her proposed Great Repeal Bill allow for continued post-Brexit adoption of EU law but with a provision for Parliament to amend or cancel any legislation so enacted.  Would Parliament want to chip away at the GDPR with the risk of cutting off the free flow of information with the EU and damaging the UK economy?  Will this provision of the Great Repeal Bill be enacted or modified?  Only time will tell.  From a regulatory point of view, what is clear is that UK companies need to be gearing up to the stricter requirements of the GDPR.

Legal Challenge to Privacy Shield Lodged in CJEU

On October 27, it was announced that an Irish privacy advocacy group had filed a legal challenge to the EU-U.S. Privacy Shield framework in the Court of Justice of the European Union (CJEU). The action by Digital Rights Ireland calls for an annulment of the adequacy decision for the framework reached by the European Commission on July 12, 2016.  The activist group has been influential, helping overturn the Commission’s Data Retention Directive in 2014 and contributing to the lawsuit by Maximilian Schrems that led to the collapse of Safe Harbor.  It could be a year or more before the CJEU rules on the case.  Other legal challenges can be expected, with the head of one Irish privacy consulting firm stating that the latest proceeding appeared to mark "the start of open season on Privacy Shield".

Friday, October 21, 2016

Privacy Shield Certifications Top 500 by Mid-October

According to a spokesperson from the U.S. Department of Commerce, the Privacy Shield self-certifications of 500 companies have been approved by the department by mid-October, while those of an additional 1,000+ companies are under review. The DOC announcement came during the Privacy Commissioners’ 38th International Conference in Marrakesh, Morocco on October 20, 2016.  The take-up rate of certifications since Privacy Shield opened for business on August 1, 2016 has been substantial and appears to be accelerating:  approximately 100 during the first month, another 200 in the second month, and an additional 200 during the first two weeks of the current month. 

Friday, October 14, 2016

Facebook Enters Enterprise Social Networking Market

On October 10, after 20 months in closed beta testing, Facebook launched an enterprise-focused communication and social networking service under the name Workplace, intended to compete with the likes of Slack, Yammer, Chatter, Hipchat and Jive.   The ad-free app, available for both desktop and mobile devices, includes an interface and features already familiar to Facebook users, such as News Feed, Groups, Chat direct messaging, Live video, Reactions, translation features, and video and audio calling.  Early adopters include the Royal Bank of Scotland, Danone, Starbucks, Telenor and  According to the company, integrations with other services such as Workday will follow, after the current emphasis upon usability and engagement builds a viable user base.  Mark Zuckerberg is quoted as saying "It's an app, but I think about it more as a way of running a company."   Whether companies will want to place their futures in the hands of Facebook, given its long record of questionable data privacy and protection practices, remains to be seen.    

Monday, October 10, 2016

Yahoo Email Scanning Could Torpedo Privacy Shield

According to a Reuters report on October 4, Yahoo, in response to a government demand, secretly built a custom software program last year to search all of its customers’ incoming emails in real time for a specific but undisclosed set of characters.  If true, this would represent massive surveillance of a type going beyond that exposed by Edward Snowden, whose 2013 revelations only described access to stored communications by national security agencies or particular targeted individuals.  Other tech giants, including Google, Facebook, Apple, Twitter and Microsoft, quickly denied engaging in such behavior and stated that they would go to court rather than comply.  Since e-mails of all Yahoo’s European customers would be included in the Yahoo scanning, the new revelations, if true, would undermine claims made by the U.S. government in launching the Privacy Shield framework that it did not engage in mass surveillance.  The following day, on October 5, Reuters reported that European politicians and consumer organizations had called upon the European Commission and data protection authorities to look into the issue, while lawyers said that a legal challenge to Privacy Shield was now more likely.  Even the business-friendly DPA of Ireland called the matter one of “considerable concern” that was prompting it to make inquiries. 

Update:  On October 27, the Article 29 Working Party sent a letter to Yahoo calling for an explanation of "the legal basis and justification" for the reported email scanning and "how this is compatible with EU law and protection for EU citizens".  The letter also called for information and remedial actions in connection with Yahoo's September 22 announcement of a breach of the personal data in at least 500 million user accounts.

Friday, September 30, 2016

Privacy Shield Triples in Size, Guidance Emerges

Participation in the EU-U.S. Privacy Shield framework tripled during its second month, with 304 companies included on the Privacy Shield List as of close of business at the end of September, not counting subsidiary or affiliated companies of the primary participants.  Of the 304 companies, only 77, or 25%, joined to cover transfers of HR data, compared to the 50% or more that did so through Safe Harbor, and only a handful joined solely for HR data. Large or well-known companies on the List are far and few between:  Dun & Bradstreet, Dropbox, Facebook, Google, Microsoft, Northrup Grumman, Oracle and Salesforce, with only Google, Microsoft, Northrup Grumman and Oracle joining for HR data.  In summary, after two months of receiving certifications Privacy Shield has emerged as a transfer mechanism overwhelmingly used by smaller niche companies to legalize the import of non-HR data from Europe.

Guidance relating to Privacy Shield emerged in the EU during September, with the European Commission issuing a 24-page Guide to the EU-U.S. Privacy Shield geared towards educating individuals about their rights under the framework and how to exercise them, and the Data Protection Authority of the German state of North Rhine-Westphalia issuing the first DPA-crafted FAQs on Privacy Shield and how it will be strictly enforced and supplemented.  Finally, as a small demonstration of some of the complexity inherent in interpretation of data transfer requirements, as well as proof that not all the facts asserted in posts to The National Law Review should be taken at face value, we have the following September 22 statement:  “Data regulators have (for now) rejected the EU-U.S. Privacy Shield agreement…”  

Enforcement of DP Law Begins in Ghana; Implementation Moves Forward in the Philippines and Turkey

Ghana’s Data Protection Commission (DPC) has begun taking enforcement actions against data controllers who fail to register as such, as required by the Data Protection Act 2012. The DPC began the registration process in April 2015, and some 500 controllers have registered their data processing activities since that time.  Failure to register, which is the first step in demonstrating compliance with the law, is a criminal offense which can result in both a fine and imprisonment for up to two years.  The chair of the DPC, Teki Akuetteh Falconer, attributed the slow take-up to “a general environment of apathy towards laws in our society and a lack of awareness on the value data protection can bring.”  In other countries in which the movement towards effective data protection laws has been long and drawn-out, on September 9 the National Privacy Commission of The Philippines finalized and issued implementing rules and regulations for the country’s Data Privacy Act of 2012, and Turkey will be establishing its Data Protection Authority on October 7, at which time the most significant provisions of its data protection law will come into effect.

Tuesday, September 27, 2016

Model Contracts Clearly the Primary Mechanism for Importing EU Data

According to a survey of 600 privacy professionals carried out by the International Association of Privacy Professionals this summer, 81% of U.S. companies rely upon standard contractual clauses as the legal underpinning for data transfers from the EU to the U.S., and 89% of EU companies do also.  Looking forward, only 34% of companies intend to use the EU-U.S. Privacy Shield framework, down from the 50% who used Safe Harbor in the past.  Uncertainties over the long-term viability of Privacy Shield, as well as the length of the time lapse between the invalidation of Safe Harbor and the launch of Privacy Shield, are significant factors in the lessened interest in Privacy Shield.  As of the third week in September, some 200 companies were said to have been become participants in Privacy Shield, up from the 107 in the first month, while self-certifications of hundreds more were reported to be in the DOC review pipeline.  Surveys about legal mechanisms for data transfers, such as IAPP’s, fail to acknowledge and account for the fact that that many companies use multiple mechanisms, often for different data sets but sometimes for the same data.  Nevertheless, market acceptance of Privacy Shield is likely to be significantly less than it was for Safe Harbor.

People Analytics Impacts Employees, Requires Attention to Privacy

New forms of technology-driven data collection and assessment are having a significant impact upon employees, as evidenced by four separate reports in September on the use of people analytics in the workplace.  In the first, an article in the Harvard Business Review describes how the tracking of customers in retail settings is having a largely unintended but significant spill-over effect upon employees, affecting their day-to-day experiences, their job security and their financial well-being. The second features an employer service start-up called Joberate, which gathers and consolidates publicly-available information from social media accounts to develop what it calls a “J-Score” that estimates the level of job-seeking activity of employees. The third describes a new generation of ID badges from a firm called Humanyze that contain microphones and sensors with motion detectors that trigger beacons throughout an office, enabling tracking and monitoring of the physical, interpersonal and emotional characteristics of employees.  The fourth reports on a Helsinki company, Futurice, that integrates wi-fi beacon triangulation, motion sensors, air-quality sensors and cameras into an Android app that displays the location of staff, the availability of unused work spaces, the occupancy of toilets and other facets of the office of the future.  A positive aspect of all four reports is what seems to be a growing awareness in disparate quarters that innovations such as these can only succeed if privacy concerns of employees are met, for example by providing only aggregate data to employers and by allowing employees to choose whether to participate in monitoring. 

Wednesday, August 31, 2016

107 Companies on Privacy Shield List in First Month

A review of the Department of Commerce’s Privacy Shield List, conducted after close of business on Wednesday, August 31, 2016, shows that 107 companies have had their self-certification information posted by the DOC.  The List reports the existence of an additional 62 covered entities, presumably affiliates of the 107 companies (although this number is suspect, given that the alleged covered entity of two companies on the “W” page, Whiteboard Ventures and Workday, is self-referential).   In any event, Privacy Shield has a long way to go before it can claim a buy-in comparable to that of Safe Harbor, which had at least 3,500 companies listed as participants.

Surprisingly, only 24 of the 107 companies (22%) have certified for HR data, whereas HR certifications for Safe Harbor were above 50%.  Only three of the 107 companies certified only for HR data (Employment Screening Resources, Perceptx and RECSOLU), although all three may have erred in claiming they are processing HR data when it appears that they are only processing data of clients who have employees in the EU. 

Only a few companies are well-known, including Microsoft, Salesforce and Workday.  The other 104 companies appear to be smaller niche firms, although sometimes unknown companies prove to be quite substantial.  Media reports suggest that there are hundreds of self-certifications in the pipeline, a number likely to grow as the October 1 deadline approaches for securing the nine-month grace period with respect to third party agents.

As a website, the Privacy Shield List is best described by technical terms:  slick, but lame. The Previous and Next buttons yield strange results, if any.  Under Advanced search one has to click through each individual letters of the alphabet to view all the participants, since the “All” choice is not working.  The four filters yield the same frustrating limits to showing results by letter of the alphabet.  Three of the filters (Participation Status, Covered Data and Framework) are worthless. For all of the supposedly careful review of submissions, parenthetical remarks (such as ‘we revised the policy on August 3, but didn’t post it until the 15th’ and “Thank you”) are included in policy descriptions.  Companies appear under the wrong letter of the alphabet (Etleap with the D’s; Visible Health in the E’s; Employment Screening Resources in the I’s).  There are doubtlessly other problems undetected as well.  

Monday, August 22, 2016

Survey Finds Insiders at Fault for Most Data Breaches

A new Ponemon Institute survey of 3,000 employees in the US, UK, France and Germany revealed that in most breaches of corporately-held data, negligent staff are usually the party creating the vulnerability, rather than external hackers acting independently.  Compromised employee accounts are the typical vector for these breaches, exacerbated by employees and third parties having more access to sensitive data than they need.  According to the study, while 76% of respondents said that their organization had experienced a breach over the past two years, only 29% of IT respondents said their organizations enforce a least-privilege model designed to keep information on a need-to-know basis.  A separate Ponemon study in June showed that the average cost of a data breach is now approximately $4 million, up 29% since 2013.  A third Ponemon study, the 2016 Global Visual Hacking Experiment, underscores the role of poorly-trained employees in preventing walk-around hacking in the workplace,

These findings are consistent with those reported by the Association of Corporate Counsel in December 2015 (“Survey Finds Employees the Leading Cause of Data Breaches”) and by Comp TIA and the SANS Institute in April 2015 (“Single Biggest IT Security Threat Remains Employees”).  Whether insiders are more responsible for breaches than external hackers – and this has varied over the past decade (see for example, the June 2009 Verizon study (“Growing Role of Organized Crime in Data Breaches”) – is hardly the point.  No matter what percentage of breaches are caused by employees and other insiders, these are known and well-established vulnerabilities that are amenable to remediation.  Accountability for not addressing them seems sadly to be in short supply.

Wednesday, August 17, 2016

Mexican DPA Affirms DP Law Applies to HR

On July 21, Mexico's National Institute of Access to Information and Data Protection (INAI) confirmed that companies are responsible for the processing of personal data of their employees under the Federal Law on Protection of Personal Data Held by Private Parties 2010.  The affirmation came in a INAI decision in which a company argued that it could rely upon the personal use exemption to process its employees' personal data without consideration of the federal data protection law.  The case concerned a complaint filed by an employee, after his employer refused to comply with his access request at first, and later granted only partial access, on the grounds that the processing was used exclusively for internal purposes and not disclosed or used for commercial purposes.  The INAI rejected this attempt to exploit ambiguity around the personal use exemption, and also warned that data concerning an employee or former employee, such as their position, email, and salary constitute personal information and must be processed in accordance with the DP law.

Slow Take-up for Privacy Shield Unlikely to Last

During the first 15 days that the Privacy Shield self-certification process was open for submissions, only 40 companies were placed on the list by the Department of Commerce, although the DOC announced that it was reviewing another 200 or so filings.  A review of the certifications conducted a few days ago showed that the only well-known companies on the list were Microsoft, Salesforce and Workday, with the balance appearing to be small niche-oriented firms.  At the present time, however, navigation past the handful of companies appearing on the first page of the list is unavailable, possibly due to traffic overload or other technical problems or disruptions. 

The take-up for the Safe Harbor framework was also slow back in 2000, much slower in fact, but back then companies were still discovering that they had compliance obligations under the EU Data Protection Directive and the program was quite novel, with considerable uncertainty attached to it.   These conditions don’t apply today, but there are new inhibiting factors at play:  (a) a gap of some nine months since the Safe Harbor adequacy decision was invalidated by the Court of Justice of the European Union, forcing many companies to switch to and settle into other transfer mechanisms, such as model contracts; and (b) continuing uncertainty about whether Privacy Shield will withstand the legal challenges likely to be brought against it by citizens or DPAs such as Hamburg's Johannes Caspar.   Nevertheless, Privacy Shield remains the only game in town for a large number of companies, making it very likely that the number of participants will swell, even if the mechanism proves to be only a temporary solution.  According to an August 16 press release, TRUSTe is working with over 500 companies to assess and verify compliance with the new requirements for Privacy Shied.

Increased numbers of submissions can be expected by September 30, the last day to take advantage of an official grace period to bring contractual relationships with third parties into alignment with Privacy Shield requirements.  However unfair and unjustifiable this grace period may be, companies submitting certifications after that date will have to attest that they have such relationships in order as of the date of filing.  

Tuesday, August 2, 2016

FTC Cracks Down on False APEC CBPR Certification Claims

In mid-July, the Federal Trade Commission issued warning letters to 28 companies about apparently false claims on their websites that they were certified participants in the APEC Cross-Border Privacy Rules (CBPRs).  Only APEC-recognized Accountability Agents, such as TRUSTe, can certify that the privacy policies and practices of participating companies are compliant with the CBPR system program requirements.  The letters ask the companies to immediately remove representations claiming CBPR participation from all public documents and threaten to take legal action if a timely and satisfactory response is not received.  The identity of the companies receiving the letters was not disclosed.  

The CBPR system is a self-regulatory initiative to protect data that moves among APEC member economies through a voluntary but enforceable code of conduct implemented by participating businesses. Four APEC members are currently participating in the CBPR system:  the US, Mexico, Japan and Canada.  At present there are 16 APEC CBPR-certified companies, including Apple, Box, Cisco, HP, IBM, Merck, Workday and Ziff Davis.  The operational use and value of the certifications, apart from positive public relations, remains opaque.

Friday, July 29, 2016

CJEU Finds Terms of Use Irrelevant as Basis for Determining Applicable DP Law

In a July 28 ruling in VKI v. Amazon EU, the Court of Justice of the European Union reaffirmed the reasoning about applicable data protection law it advanced in the Weltimmo and Google Spain cases.  Ignoring the contract between Amazon and its customers, which provided that Luxembourg law shall apply, the court held that “the processing of data in the context of the activities of an establishment is governed by the law of the Member State in whose territory that establishment is situated.”  Furthermore, the court found that it is up to national courts to determine whether Amazon is carrying out the data processing in question in the context of the activities of an establishment situated in their Member States.  As to when a company may be regarded as having an establishment, the CJEU reiterated its position that the establishment of a data processing operation “extends to any real and effective activity, even a minimal one, exercised through stable arrangements.”  The Court also held that a data processing operation will not be established “merely because the undertaking’s website is accessible” in a particular Member State.

Game On: Dept. of Commerce Launches Privacy Shield Website

On July 26, the same day as the Article 29 Working Party issued its statement of ongoing concerns about Privacy Shield, the U.S. Department of Commerce launched its website for the new data transfer framework.  The website contains the full text of the Privacy Shield Principles (both basic and supplemental), Annex I, and related letters and attachments from the Department of Commerce, the International Trade Association, the FTC, the Department of Transportation, the Department of State, the Office of the Director of National Intelligence and the Department of Justice.  It also contains guidance for organizations on how to self-certify for the program, for European companies and individuals on how to determine if a U.S. company is a Privacy Shield participant, and for European individuals to submit either a complaint or a request relating to U.S. national security access to their data.  (Note:  When launched, the website indicated, in a departure from Safe Harbor requirements, that the HR privacy policies of participants would have to be publicly available; however, this statement was subsequently retracted.)  A procedure for direct contact by DPAs to the DOC’s Privacy Shield team, as well as a link to a new FTC website about their oversight and enforcement activities, is also included. The Department of Commerce will begin accepting self-certifications under Privacy Shield on August 1.

Thursday, July 28, 2016

Art 29 WP Remains Concerned about Privacy Shield

On July 26, the Article 20 Working Party issued a statement praising improvements in the Privacy Shield mechanism secured by the European Commission over the past three months, but also indicating that “a number of concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.”  As examples of concerns with respect to commercial activities, the Working Party cited the lack of: (a) specific rules on automated decisions; (b) a general right to object; and (c) clarity as to how the Privacy Shield Principles apply to processors.  With respect to access by U.S. public authorities, the WP29 remains uncomfortable concerning the independence and powers of the Ombudsperson and regrets the lack of concrete assurances that mass and indiscriminate surveillance does not take place.

These concerns notwithstanding, the Working Party stated that the robustness and efficiency of the Privacy Shield mechanism will be best assessed during the first joint annual review, insofar as all members of the review team “shall have the possibility to directly access all the information necessary” to carry out the review.  The WP29 concluded its statement with a commitment to “proactively and independently” assist data subjects with exercising their rights under the Privacy Shield mechanism.  In addition, the Working Party stated that it would soon provide guidance on the mechanism to both data controllers and to citizens, along with its suggestions on the composition of the EU centralized body envisaged by the agreement and the practical organization of the joint annual review.

Contrary to numerous reports in the press, a careful reading of the Working Party statement reveals that they did not approve or endorse the Privacy Shield framework, nor did they say that they would not challenge the adequacy of the agreement for at least one year.  With the Commission formally adopting the mechanism on July 12, the WP29, as an advisory body, was not in a position to either approve or reject it.  Given the independence of data protection authorities, as well as their obligations to protect the privacy of data subjects, the Working Party was also not in a position to pledge to refrain from taking such steps as may be necessary to fulfill their responsibilities.  Buttressed by the Schrems ruling that affirmed their independence even in the face of an adequacy decision, one or more of the EU’s DPAs, such as those in Germany, may not be as patient as the Working Party appears to be.

A fairer summation of the position of the Working Party is that its assessment of Privacy Shield remains incomplete, that it looks forward to completing that assessment during the joint annual review, and that in the meantime it will vigorously and independently investigate any complaints from data subjects about how their personal data is handled under the mechanism. To read this as a "tepid endorsement," "temporary green light" or "moratorium" on challenging Privacy Shield reflects wishful thinking.

It is true that Isabelle Falque-Pierrotin, chairman of the Article 29 Working Party, stated verbally at a press conference on July 26 that the EU DPAs would not launch legal action on their own initiative in the next year.  However, this is not to say that they may not be involved in a legal action brought by another party, such as an individual, a Member State, the EU Parliament or another EU institution, that challenges the Privacy Shield mechanism.  Should a complaint from an individual come forth, such as the one promised by Max Schrems, they may feel obligated to request guidance from the courts as to the adequacy of Privacy Shield.

Thursday, July 14, 2016

Appeals Court Backs Microsoft in Overseas Email Case

Reversing an April 2014 ruling by the District Court for the Southern District of New York, the U.S. Court of Appeals for the Second Circuit in New York quashed a search warrant that would have required Microsoft to disclose contents of emails stored on a server in Ireland.  The Court ruled that the U.S. Stored Communications Act neither explicitly nor implicitly envisioned the applications of its warrant provisions overseas, which was the government's central argument in the case, agreeing with Microsoft that inter-governmental mutual legal assistance treaties should be relied upon in cases such as this. Tech companies, lobbying groups and media associations had submitted briefs to support Microsoft’s position, arguing that allowing a warrant to be served would undermine their business prospects abroad and lead to tit-for-tat retaliation by foreign governments with respect to emails stored in the US.  At a time of great uncertainty over the legality of trans-atlantic data flows, the ruling removes a key obstacle to reaching a viable accord with the EU and demonstrates the independence of the US judicial system.  Whether the US government will appeal the ruling remains to be seen.

Friday, July 8, 2016

Article 31 Committee Approves Privacy Shield

On July 8, the Article 31 Committee, comprised of ministerial representatives of the 28 EU member states, approved the revised version of the EU-US Privacy Shield. Four member states abstained from the vote:  Austria, Bulgaria, Croatia and Slovenia. Ratification by the College of Commissioners is expected on Monday, followed shortly by the official launch of the new data transfer framework by EU Justice Commissioner Vera Jourova and US Secretary of Commerce Penny Pritzker.

According to the European Commission, the arrangement “is fundamentally different” from the former “safe harbor” pact because “it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”  Critics claim that the agreement will not withstand legal challenges - for example, Max Schrems was quoted as saying "they walked a mile but they should have walked one hundred miles" - which may dissuade many US companies from participating in it.

The complete 158-page text of the Privacy Shield agreement, in an undated and unofficial version, is available here

Thursday, June 30, 2016

Commission Pressing Ahead with Privacy Shield Launch

On June 24, after months of difficult negotiations with U.S. authorities, the European Commission sent the text of a revised Privacy Shield agreement to the members of the Article 31 Committee for a vote scheduled to occur on July 4.  Should the agreement receive the Committee’s approval and subsequent pro forma endorsement by the College of Commissioners, Privacy Shield could be officially launched prior to the August recess.  According to EU Justice Commissioner Vera Jourova, “We reached an accord on more precise listing of cases when bulk collection can occur and a better definition of how our American partners understand the difference between bulk collection which may be justified and mass surveillance without any purpose, which is not tolerable.” Other issues addressed by the revised draft were said to include the independence of the special ombudsman and limits on the retention of transferred data by companies.

Significantly, the Commission is not seeking an evaluation of the new draft from the Article 29 Working Party nor giving the Parliament much time to respond to it.  Instead, the Commission appears to be resigned to facing the legal challenges to Privacy Shield that are all but certain to come, even though the cloud of uncertainty they and criticisms of the agreement create over the program may dissuade many U.S. companies from signing-up.  

Whether the Commission will be able to secure the approval of the Article 31 Committee by the required qualified majority vote remains to be seen.  Also unclear is what impact the Brexit vote will have on the Committee’s deliberations.  While the UK remains a full member of the EU, suppose the qualified majority would be reached only with the UK’s backing of the proposed agreement.  Would other member states take this into account in determining their own stance on the new text?

Brexit Vote: Short-term Continuity, Long-Term Uncertainty

The June 23 referendum vote by the UK electorate to leave the European Union has muddled the waters around a host of regulatory and business issues, not least of all that of how data transfers in and out of the UK will be handled in the future.  As Scott Blackmer points out in an excellent summary of the daunting complexities raised by Brexit, the timing of the UK’s departure could be awkward, since the General Data Protection Regulation (GDPR) will come into force on May 25, 2018, months ahead of the earliest projected date for the actual separation.  While the exact form and terms of any new relationship between the UK and the EU remains to be determined, the UK’s Information Commissioner has confirmed the country’s desire to have a data protection standard in place that is equivalent to that of the GDPR.  With so much up in the air, the ICO’s advice to companies following the October 2015 Schrems ruling seems even more apt at this time: keep calm and carry-on.

CJEU to Address Bulk Surveillance Issues This Fall

The Court of Justice of the European Union (CJEU) is expected to rule in two cases this fall that will compel it to examine the issue of bulk collection of personal data by law enforcement and security agencies in greater detail than it did in the Schrems case.  The first is a challenge to the Canada-EU Passenger Name Record (PNR) Agreement and the second involves the data retention laws of the UK and Sweden.  A thoughtful analysis by Kenneth Propp, former legal counselor to the US Mission to the EU, outlines the broader risks rulings in the cases could pose to the 2011 PNR and the 2009 Terrorist Finance Tracking Program (TFTP) Agreements between the US and the EU, let alone to the proposed Privacy Shield framework.

With so much at stake, it is not surprising that on June 13 the US government announced that it had asked the Irish High Court to be joined as an amicus in Max Schrems’s latest complaint concerning the validity of standard contractual clauses as a basis for data transfers to the US.  Since the Irish DPA had previously announced that it was referring the matter to the CJEU, the amicus status will provide the US with an opportunity to describe and defend its surveillance practices directly in a court of law.  The development was welcomed by Max Schrems, who said ““This is a huge chance to finally get solid answers in a public procedure. I am very much looking forward to raise all the uncomfortable questions on US surveillance programs in this procedure. It will be very interesting how the US government will react to the clear evidence already before the court.”

Hamburg DPA Fines Three Companies for Reliance on Safe Harbor

Reports of enforcement actions against companies based upon continued reliance on Safe Harbor for data transfers to the US have been few and far between.  One German regulator, however, broken the ice.

On June 6, the Hamburg data protection authority announced that it had fined three companies – Adobe, Pepsi subsidiary Punica and Unilever – for continuing to rely on Safe Harbor as their legal basis for transferring personal data to the US. While the fines could have been as large as €300,000, they were reduced to €11,000 or less because each of the companies switched to the use of alternative transfer mechanisms during the course of the authority's proceedings.

The fines were the outcome of an inspection of the data transfer procedures of 35 internationally active Hamburg-based companies.  According to the authority, the vast majority of the companies switched to the use of standard contractual clauses within several months of the invalidation of Safe Harbor by the European Court of Justice in October 2015.  Proceedings against a few companies continue, with Commissioner Johannes Caspar warning that stricter sanctions would be imposed if alternative transfer measures were not adopted.  Caspar also indicated that his office would look into the admissibility of alternative transfer mechanisms, and standard contractual clauses in particular, should negotiations over the Privacy Shield not succeed.

China Developing Personal Information Security Standard

China’s National Information Security Standardization Technical Committee was reported on May 31st to have organized a meeting to launch a working group, comprised of representatives from government, academia and industry, tasked with drafting a national Personal Information Security Standard.  The standard would serve as a non-binding baseline for the data privacy and security practices of companies operating in China.  It could influence future data privacy and security-related legislation, while also providing regulators with guidance on current laws and regulations that are often vaguely worded.

EEOC Issues Final Rules on Employer Wellness Programs

In mid-May, the Equal Employment Opportunities Commission (EEOC) published final rules on employer wellness programs describing how the American with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) apply to wellness programs offered by employers.  According to some of the key provisions of the rules, employee wellness or health programs must be “reasonably designed to promote health or prevent disease,” prohibiting measurements, tests, screening or information collection that does not lead to follow-up advice.  In addition, the programs must be voluntary and while incentives may be offered for participation in a program, they cannot be so great as to be coercive.  In accordance with principles of fair information practice, participants must receive in advance written notice describing in plain language what medical information will be collected, how it will be used and restrictions on its use.  Finally, all information collected must be held confidentially and not provided to an employer in a form that would disclose the identity of particular individuals.  

Tuesday, May 31, 2016

Privacy Shield on Life Support

Developments in the six weeks since the Article 29 Working Party panned the proposed EU-U.S. Privacy Shield agreement have left it in a critical state, with little chance that it will ever be successfully launched as the replacement for Safe Harbor.  

Here are the developments:

  • At the end of April, the U.S. Supreme Court unilaterally amended Rule 41 of the Federal Rule of Criminal Procedure to allow judges to sign warrants allowing federal authorities to hack into computers outside a judge's jurisdiction as part of a criminal investigation and to use one warrant to search multiple computers anywhere.  This massive new surveillance capability will come into effect on December 1, unless Congress takes it up before then and votes it down.  At a time when the EU has been pressing the U.S. to limit indiscriminate surveillance of its citizens, the new rule clearly bolsters the arguments of European critics about the unreliability of legal protections in the U.S. and could prove to be the nail in the coffin of any new data transfer agreement.
  • On May 19, the Article 31 Committee, comprised of ministerial representatives of each of the EU’s 28 member states, met and failed to reach an agreement on the Privacy Shield.  The Committee, whose approval is needed if Privacy Shield is to go forward, concluded that more time was needed to consider the implications of the proposal.  A qualified majority, or 16 member states representing at least 65% of the EU’s population, must approve the pact.
  • On May 23, an open letter from ministers in 14 member states was released, calling for more flexibility for businesses with respect to data protection. A quick check of the population of the signatory countries - Belgium, Bulgaria, Czech Republic, Denmark, Estonia, Finland, Ireland, Latvia, Luxembourg, Lithuania, Poland, Slovenia, Sweden and the UK – reveals that they comprise only 33% of the EU’s population.  Achieving the approval of the Article 31 Committee for Privacy Shield appears most unlikely.
  • On May 26, the European Parliament approved a resolution calling for the European Commission to reopen negotiations with the U.S. and to fully implement the recommendations of the Article 29 Working Party.  The non-binding act was approved by 77% of the MEPs (501 votes to 119, with 31 abstentions).
  • On May 30, Giovanni Buttarelli, Europe’s top data protection advisor, slammed the proposed agreement as being “not robust enough to withstand future legal scrutiny before the Court” and called for significant improvements in it.  He also argued that the Privacy Shield would be only a short term solution, since it is not compliant with the General Data Protection Regulation, which will enter into force in May 2018.
In response to these developments, the European Commission has reportedly pushed back its target date for the launching of the Privacy Shield from June until “sometime this summer.”  With the Commission attempting to resolve surveillance issues with the U.S. government since 2013, the prospects for meeting this target date are next to nil.

Chicken Little May be Right

The sky may indeed be falling, with the May 25 report that the Irish Data Protection Commissioner was referring the question of the validity of standard contractual clauses as a basis for data transfers to countries lacking an adequate level of data protection to Europe’s top court, the Court of Justice of the European Union (CJEU).  Once again, it is Max Schrems’ complaint against Facebook, which led to the court’s invalidation of the Safe Harbor framework last October, that is driving the referral.  Most observers agree with Schrems that the lack of protection for personal data stemming from U.S. government surveillance of data transferred under Safe Harbor applies equally well to data transferred under model contracts.  

CJEU invalidation of the use of standard contractual clauses for data transfers to the U.S. would exponentially increase the risks of profound disruptions in international business, since it is widely believed that more companies, and certainly larger companies, rely upon such clauses than upon Safe Harbor as the legal basis for their data transfers.  In addition, model contracts are the chief mechanism used by European companies to transfer personal data to third countries around the world.  A CJEU ruling that standard contractual clauses cannot be utilized without consideration of the recipient country’s surveillance practices could jeopardize far more than business relationships with the United States.

And if model contracts go, can Binding Corporate Rules be far behind?  Or consent?  We live in interesting times.  Hang on!

France Edges Closer to Data Localization

In another sign of the significant and ongoing impact of the CJEU ruling on Safe Harbor and concerns about surveillance by governments in the U.S. and elsewhere, the French Senate on May 3 amended a “Digital Republic” bill, previously passed by the National Assembly, with a provision that would require the storage of personal data in data centers located in the European Union and prohibit the transfer of personal data to a non-EU third country. The bill also accelerates the applicability of a number of provisions of the General Data Protection Regulation, which will come into effect on May 25, 2018.  Given certain incompatibilities between the language of the bill and the GDPR, which prohibits member states from restricting transfers to third countries, the final language of the bill is expected to change.