News Archives

Thursday, March 31, 2016

Turkey Enacts Data Protection Law

On March 24, the Turkish Parliament adopted the Law on Personal Data Protection, legislation modeled upon the EU Data Protection Directive that had been under consideration for nine years.  The move followed the ratification, five weeks earlier, of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), some 35 years after Turkey first signed it.  The new law is expected to be ratified by the President and published in the Official Gazette within a few weeks, according to attorneys with BTS Legal.  Furthermore, while there will be a two-year transitional period before the law comes into effect for existing data processing operations, new processing will have to be carried out in compliance with the law immediately.  In a sign of commitment to enforcement, a Personal Data Protection Authority will be established with a staff of 200 and the power to impose fines of up to 300,000 euros and prison sentences of up to four years in cases of non-compliance.
  
The recent summit meetings of European and Turkish leaders over the refugee crisis, which led to a commitment by the EU to accelerate accession talks with Turkey, clearly were instrumental in moving data protection legislation forward.  Given the instability in Turkey stemming from millions of Syrian refugees and what borders on a civil war with Kurdish separatists, as well as the increasingly autocratic actions by Turkey’s government, the passage of long-deferred data protection legislation is certainly an unexpected but positive development.  It is also an affirmation that respect for privacy can be acknowledged even by repressive governments.

Update:  Following ratification by the President, the Law on Personal Data Protection was published in the Official Gazette on April 7 and came into force.

Google Fined in France over ‘Right to be Forgotten’

On March 24, the French data protection agency (CNIL) announced it had fined Google 100,000 euros (about $117,000) for failing to adequately remove links to inaccurate, out-of-date and irrelevant data from its search engine results.  Google had responded to the CNIL’s orders, which were based upon the landmark Court of Justice of the European Union ruling in the 2014 Costeja case, by incrementally expanding the scope of its link-scrubbing.  At first it made the links unavailable only to individuals searching the national versions of its search engine, such as Google.fr and Google.de.  Then, under continued pressure from the CNIL, the company began using geo-location data, such as ISP addresses, to make the links unavailable to anyone searching Google.com from the EU member state where the take-down request originated.  Pointing out that a web searcher can easily cross member state lines in Europe or use a VPN connection to mask his or her location, the CNIL rejected this compromise and issued its fine.  If its past actions are any guide, Google is likely to challenge the fine in court.

Unbridled Surveillance Leads to Call for Employee Privacy Protection Act

The rapid development of technologies that enable pervasive and invasive monitoring of employees, both in the workplace and beyond, both during working hours and at other times, has prompted a trio of legal scholars to call for legislative protections for employee privacy.  In an article slated for publication in the California Law Review, the authors contend that “with the advent of almost ubiquitous network records, browser history retention, phone apps, electronic sensors, wearable fitness trackers, thermal sensors, and facial recognition systems, there truly could be limitless worker surveillance.”  The diminishing cost of these technologies and the lack of legal restraints, at least in the U.S., have fueled their rapid and ever-expanding deployment.

Citing the outrage that followed when workers at The Daily Telegraph in the UK discovered “OccupEye” sensors surreptitiously placed under their desks and the lawsuit engendered when an Intermex employee was fired for disabling the Xora GPS app that tracked her 24 hours a day, legal scholars Ifeoma Ajunwa, Kate Crawford, and Jason Schultz argue in “Limitless Worker Surveillance” that workplace monitoring has moved beyond a legitimate interest in productivity and efficiency into areas that violate personal rights and are actually counter-productive.  To remedy this situation, they make the case for a federal Employee Privacy Protection Act that would limit workplace surveillance to actual workplaces and prohibit agreements that waive such privacy rights.  The authors also call for a similar law to protect employee health data.

Wednesday, March 30, 2016

Dutch DPA Bars Employer Access to Fitness Tracker Data

On March 8, the Personal Data Authority of the Netherlands (formerly the College Bescherming Persoonsgegevens, or CBP) issued a decision prohibiting two unnamed employers from monitoring their employees’ activity via fitness trackers, even after obtaining their consent.  The Authority found that data on movement and sleep patterns constituted sensitive personal information which could only be processed with the valid consent of the individual.  However, given that employees are financially dependent upon their employers, and that consent therefore cannot be freely given in the employment context under European data protection law, employers processing such fitness tracking data are violating the country’s data protection legislation.  The Authority made it clear that it had no objection to companies giving fitness trackers to employees, as long as the employees are in control of the data they generate.

To my knowledge, there have been no legal cases brought forth to date in the U.S. over the collection of fitness tracker data by employers, although it would not be at all surprising if they arise, given the momentum behind employee wellness programs and the embrace of self-quantification devices by individuals.  The outcome of such cases would likely turn upon which state the case was developed in, since some states, such as California, are more sympathetic to arguments that consents, whether in the consumer or employment context, can be invalid if there is a profound imbalance in bargaining power between the parties involved.

On an interesting side note in the Dutch case, local media identified one of the companies as BeBright, a consultancy that had handed out the bracelets to its staff.  When asked about the decision, the company said it wasn’t going to quibble with the judgment, since it is the Authority’s role to “investigate where the line is.”  Contrast this stance with the common position of U.S. tech giants, such as Google, who all too frequently respond to enforcement actions initiated by DPAs by contending that they are in full compliance with national data protection legislation and look forward to the opportunity to prove this in court.  Granted that the enforcement actions they face have more far-reaching consequences for their business models and profits, such arguments are so specious as to be little more than testimonies to their ability to exploit the current weaknesses in the enforcement powers of European DPAs.  We will have to see if they continue to be advanced when the sanctioning powers of the DPAs are dramatically strengthened under the General Data Protection Regulation.