News Archives

Friday, January 29, 2016

Crunch Time in Brussels for Safe Harbor Talks

With the official work week now over in Europe, the International Business Times reported that EU and US officials were engaged in intensive negotiations in Brussels, with the talks expected to continue through the weekend, in an effort to reach agreement on a new Safe Harbor framework.  While the Judiciary Committee of the US Senate finally approved the Judicial Redress Act yesterday, January 28, a crippling amendment, sponsored by Sen. John Cornyn (R-TX), was included that undercut whatever good will ultimate passage of the bill might achieve.  Meanwhile, EU Justice Commissioner Vera Jourova is expected to update the European Parliament on the status of the negotiations on Monday at 2:45 EST. The Article 29 Working Party will meet on Tuesday and Wednesday, February 2 and 3, to discuss the outcome of the talks and to plan for coordinated enforcement actions should no agreement be reached.

Friday, January 22, 2016

Little Hope with Ten Days Left in Safe Harbor Talks

The EU’s data protection authorities have set January 31 as the deadline for achieving a successful conclusion to the US-EU negotiations over a strengthened Safe Harbor framework.
  
With only ten days to go, here are the latest reported developments:
  • On January 21, Reuters reported that the DPAs are “leaning towards the restriction of personal data transfers to the US because of the risk of U.S. surveillance,” with their February 2 meeting to decide the extent of the restrictions.  During a preparatory meeting held on January 20, a consensus may be forming around prohibiting any new data transfers relying upon model contracts or BCRs. 
  • Should this prove to be the position of the Article 29 Working Party, it would be a bitter pill for companies that decided to put off securing an alternative legal basis for data transfers until the outcome of the Safe Harbor talks was known.  Had they acted promptly after the October 6 Schrems ruling, and developed contractual solutions, for example, they would not face a business-crushing cut-off in data transfers should a bar against new authorizations be announced.  According to a survey of over 300 businesses carried out in December by TRUSTe, 78% of companies are continuing with Safe Harbor and awaiting a new Safe Harbor 2.0. The fact that the US Dept. of Commerce has kept Safe Harbor open for business, and not advised participants to seek the alternative mechanisms recommended by the DPAs, would be a major contributing factor to such a debacle.
  • Also on January 21, The Hill reported that the Judicial Redress Act, having passed the House, is stalled in the Senate.  Many observers believe that enactment of the bill would be more symbolic than substantive, since extending the same protections against government surveillance enjoyed by Americans to Europeans would only create equity in the lack of effective protection enjoyed by anyone.  In addition, both former DOC official Cameron Kerry and the US Chamber of Commerce agree that passage of the Act would not have a direct impact upon the negotiations (a point confirmed by one of the EU's negotiators, Andrea Glorioso, a few days later). At the same time, its passage might at least have bought some good will in Europe and more time for talks to continue.
  • On January 22, Forbes reported that according to European Commission spokesperson Christian Wigand, intense negotiations are ongoing. Although US Commerce Secretary Penny Pritzker was said to have recently presented at least two packages stating the US position to the Commission, details of these packages have been withheld.  According to Forbes, the assurances against inappropriate surveillance contained in Pritzker’s proposals “fall far short of what EU law requires.”  As an indication of the immensity of the gap separating the two sides, Paul Nemitz, director for fundamental rights at the Commission’s Justice directorate and one of the negotiators in the Safe Harbor talks, said that it would be “a misunderstanding to say we’re only talking about national security right now.”

Monday, January 18, 2016

European Commission: No Breakthrough as January 31 Deadline Looms

Additional details about the status of the US-EU Safe Harbor negotiations have emerged, with a report in Politico that the European Commission informed a committee of EU member states on January 14 that while some progress had been made, there had been no breakthrough in the talks.  Several participants in the Commission briefing described successfully meeting the January 31 deadline as unrealistic and unlikely, with the overall message being pessimistic.  A general political agreement could conceivably be reached by the end of the month, and might be sufficient to buy more time from the Article 29 Working Party.  Whether the Working Party would place much credence in a political agreement, after years of negotiations have passed without agreement being reached on a narrower set of issues, remains to be seen.

Sunday, January 17, 2016

Safe Harbor Talks Stall; Article 29 WP to Meet February 2


According to a Bloomberg News report on January 14, talks between the US and the EU over a revised Safe Harbor framework have stalled, two weeks ahead of the January 31 deadline set by the Article 29 Working Party for avoiding coordinated enforcement actions.  Some US officials were said to have hoped that the attacks in Paris would lead the EU to “tone down its demands,” revealing ignorance on their part that the stand-off over Safe Harbor is driven by legal rather than policy differences.  One has to wonder what these unnamed officials believe about the rule of law, given their opinion that the EU’s position is malleable and that the confrontation might be resolved by some high-level discussions in Davos.  Indeed, another strong warning shot was fired from Europe a few days later by Margrethe Vestager, the EU’s antitrust chief, who said that the collection of a vast amount of users’ data by a small number of tech companies like Google and Facebook could be in violation of EU competition rules.  

Also on January 14, Reuters reported that the Article 29 Working Party plans to meet in Brussels on February 2 to determine whether and how data transfers to the U.S. can continue in the absence of Safe Harbor.  Since disagreement exists among the data protection authorities about the viability of model contracts and BCRs in light of the CJEU Schrems decision, it is questionable whether they will be able to reach a common position in this matter.  While coordinated enforcement actions are likely to be announced against companies continuing to rely upon Safe Harbor, this being pretty much a slam dunk, coordinated enforcement in other areas may prove more difficult.

Thursday, January 14, 2016

How to Screw Up Employee Monitoring

The UK newspaper Daily Telegraph has provided a brilliant example of how NOT to engage in monitoring employees when it recently covertly installed motion and heat sensors on the underside of employees' desks.  Arriving at work on January 11, journalists discovered the devices, googled the device's brand name, OccupEye, and found that they provided management with complete data about whether and when an employee is at their desk.  In the face of the ensuing firestorm of protest, with HR reported to be "frantically rowing back on it," the company claimed that the sensors had been installed for only four weeks as an environmental measure to determine office usage and to lower heating, cooling and lighting costs at times of low usage.  Four hours after BuzzFeed News contacted the Telegraph about the sensors, management announced that it was withdrawing them immediately.

So what did the Telegraph do wrong?  Not informing employees of the monitoring would be at the top of the list.  Not consulting with union representatives would be another.  Failing to inform employees about how the desk usage data would, and would not, be used and retained, would be a third.  Put all these together and the result was that employees felt they were being spied on.  What a shame, given the highly plausible objective management claims to have been pursuing!

Stories like this reverberate around the globe.  In New Zealand, a rather naive tech journalist for Stuff.co.nz said that "while the Daily Telegraph has tried and failed at covertly monitoring its workers, it seems privacy laws would prevent any New Zealand employer from trying the same trick."  Uh, isn't what the Telegraph did a violation of UK data protection law?  And since when did the existence of privacy laws "prevent" employers from violating them?  In Australia, the Telegraph debacle led to an analysis of inconsistencies in privacy protections for employees across various states and territories.  The Australian Law Reform Commission (ALRC) called for uniform national laws on surveillance in the workplace in June 2014, but the federal government has not introduced the legislation that would be required.

Taiwan Amends its Data Protection Law

On December 30, the Taiwanese government announced that amendments to the country's Personal Information Protection Act would come into effect before the end of March 2016. Several provisions of the 2010 Act had been sidelined because of their draconian nature, such as prohibitions against processing of medical information even with the consent of data subjects and a requirement to inform data subjects that their personal data has been collected within 12 months of full implementation of the law. These obstacles, found in Articles 6 and 54, have now been overcome through the revised amendments. The text of the new amendments is currently available only in Chinese.

Russia Targeting Multi-nationals under Data Localization Law

According to a January 7 report by Reed Smith, Roskomnadzor, the Russian data protection authority, recently announced its intention to step up enforcement of the Data Localization Law.  The DPA stated that it would conduct about 1,000 compliance audits and another 2,000 monitoring procedures during 2016, with multi-nationals believed to be the primary target of the reviews. During 2015, Roskomnadzor carried out 300 audits, focusing mainly on domestic companies. The law, which came into effect on September 15, 2015, requires that all companies collecting or processing personal data of Russian citizens do so on servers located within Russia. Companies also have an obligation to notify Roskomnadzor of the location of such servers.

Separately, it was reported that China's controversial new counter-terrorism law, passed on December 27, omitted a provision found in earlier drafts that would have required companies to maintain Chinese data on servers located within China.  Whether by explicit legal compulsion or by government and marketplace pressures, data localization continues to be a global phenomenon spurred by revelations of NSA mass surveillance.

ECHR Backs Monitoring of Employee Messages

On January 12, the European Court of Human Rights, upholding the ruling of a Romanian court, found that an employer had the right to monitor the messages an employee sent via chat software and webmail accounts and to use information contained in those messages to terminate the employee. However, the ruling was far from a blanket endorsement of monitoring by employers, since it turned upon the somewhat unusual facts in the case, specifically that: (a) the employer had a published policy explicitly banning the sending of personal messages from work and informing employees that monitoring would occur; and (b) the employer owned the primary chat account and the computing devices involved. Under these circumstances, the judges held that it was not "unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours". Only one of the seven judges on the ECHR panel disagreed with the decision, saying that the employer's blanket ban on personal use of the Internet at work was unacceptable. The ruling would likely have been different, at least in its elaboration and reasoning, if not in its outcome for the employee, had the case been heard by the Court of Justice of the European Union. The fact that the case originated in Romania, where reading messages of employees is legal, also was a significant factor.

The following day, bodies representing directors and employees, as well as privacy and human resources groups, warned employers not to take the ECHR ruling as a green light to institute Stasi-style surveillance at work. Further limiting the impact of the ruling is the fact that ECHR decisions are only legally binding on the country named in a case, with other member states free to adopt their own approach to the court's decisions.