News Archives

Friday, September 30, 2016

Privacy Shield Triples in Size, Guidance Emerges

Participation in the EU-U.S. Privacy Shield framework tripled during its second month, with 304 companies included on the Privacy Shield List as of close of business at the end of September, not counting subsidiary or affiliated companies of the primary participants. Of the 304 companies, only 77, or 25%, joined to cover transfers of HR data, compared to the 50% or more that did so through Safe Harbor, and only a handful joined solely for HR data. Large or well-known companies on the List are few and far between: Dun & Bradstreet, Dropbox, Facebook, Google, Microsoft, Northrop Grumman, Oracle and Salesforce, with only Google, Microsoft, Northrop Grumman and Oracle joining for HR data. In summary, after two months of receiving certifications, Privacy Shield has emerged as a transfer mechanism overwhelmingly used by smaller niche companies to legalize the import of non-HR data from Europe.

Guidance relating to Privacy Shield emerged in the EU during September, with the European Commission issuing a 24-page Guide to the EU-U.S. Privacy Shield geared towards educating individuals about their rights under the framework and how to exercise them, and the Data Protection Authority of the German state of North Rhine-Westphalia issuing the first DPA-crafted FAQs on Privacy Shield and how it will be strictly enforced and supplemented.  Finally, as a small demonstration of some of the complexity inherent in interpretation of data transfer requirements, as well as proof that not all the facts asserted in posts to The National Law Review should be taken at face value, we have the following September 22 statement:  “Data regulators have (for now) rejected the EU-U.S. Privacy Shield agreement…”  

Enforcement of DP Law Begins in Ghana; Implementation Moves Forward in the Philippines and Turkey

Ghana’s Data Protection Commission (DPC) has begun taking enforcement actions against data controllers who fail to register as such, as required by the Data Protection Act 2012. The DPC began the registration process in April 2015, and some 500 controllers have registered their data processing activities since that time. Failure to register, which is the first step in demonstrating compliance with the law, is a criminal offense that can result in both a fine and imprisonment for up to two years. The chair of the DPC, Teki Akuetteh Falconer, attributed the slow take-up to “a general environment of apathy towards laws in our society and a lack of awareness on the value data protection can bring.” Two other countries in which the movement towards effective data protection laws has been long and drawn-out are also moving forward: on September 9 the National Privacy Commission of the Philippines finalized and issued implementing rules and regulations for the country’s Data Privacy Act of 2012, and Turkey will be establishing its Data Protection Authority on October 7, at which time the most significant provisions of its data protection law will come into effect.

Tuesday, September 27, 2016

Model Contracts Clearly the Primary Mechanism for Importing EU Data

According to a survey of 600 privacy professionals carried out by the International Association of Privacy Professionals this summer, 81% of U.S. companies rely upon standard contractual clauses as the legal underpinning for data transfers from the EU to the U.S., as do 89% of EU companies. Looking forward, only 34% of companies intend to use the EU-U.S. Privacy Shield framework, down from the 50% who used Safe Harbor in the past. Uncertainties over the long-term viability of Privacy Shield, as well as the length of the time lapse between the invalidation of Safe Harbor and the launch of Privacy Shield, are significant factors in the lessened interest in Privacy Shield. As of the third week in September, some 200 companies were said to have become participants in Privacy Shield, up from the 107 in the first month, while self-certifications of hundreds more were reported to be in the DOC review pipeline. Surveys about legal mechanisms for data transfers, such as IAPP’s, fail to acknowledge and account for the fact that many companies use multiple mechanisms, often for different data sets but sometimes for the same data. Nevertheless, market acceptance of Privacy Shield is likely to be significantly less than it was for Safe Harbor.

People Analytics Impacts Employees, Requires Attention to Privacy

New forms of technology-driven data collection and assessment are having a significant impact upon employees, as evidenced by four separate reports in September on the use of people analytics in the workplace. In the first, an article in the Harvard Business Review describes how the tracking of customers in retail settings is having a largely unintended but significant spill-over effect upon employees, affecting their day-to-day experiences, their job security and their financial well-being. The second features an employer service start-up called Joberate, which gathers and consolidates publicly available information from social media accounts to develop what it calls a “J-Score” that estimates the level of job-seeking activity of employees. The third describes a new generation of ID badges from a firm called Humanyze that contain microphones and sensors with motion detectors that trigger beacons throughout an office, enabling tracking and monitoring of the physical, interpersonal and emotional characteristics of employees. The fourth reports on a Helsinki company, Futurice, that integrates Wi-Fi beacon triangulation, motion sensors, air-quality sensors and cameras into an Android app that displays the location of staff, the availability of unused work spaces, the occupancy of toilets and other facets of the office of the future. A positive aspect of all four reports is what seems to be a growing awareness in disparate quarters that innovations such as these can only succeed if privacy concerns of employees are met, for example by providing only aggregate data to employers and by allowing employees to choose whether to participate in monitoring.