News Archives

Sunday, October 30, 2016

UK Will Follow EU DP Rules, But For How Long?

With the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018, and the UK’s exit from the EU not occurring until the following summer if the timetable announced by PM Theresa May on October 2 holds, there is a growing consensus that the GDPR will be both legally and operationally implemented in the UK at least through the time Brexit takes effect.  According to Elizabeth Denham, the former Information and Privacy Commissioner for British Columbia and new UK Information Commissioner, the UK is going to want to continue to do business with Europe, which will require its data protection law to be equivalent, leading her to state that “I don’t think Brexit should mean Brexit when it comes to standards of data protection.”  Whether PM May agrees with this outspoken position is unclear, since the outlines of her proposed Great Repeal Bill allow for continued post-Brexit adoption of EU law but with a provision for Parliament to amend or cancel any legislation so enacted.  Would Parliament want to chip away at the GDPR with the risk of cutting off the free flow of information with the EU and damaging the UK economy?  Will this provision of the Great Repeal Bill be enacted or modified?  Only time will tell.  From a regulatory point of view, what is clear is that UK companies need to be gearing up to the stricter requirements of the GDPR.

Legal Challenge to Privacy Shield Lodged in CJEU

On October 27, it was announced that an Irish privacy advocacy group had filed a legal challenge to the EU-U.S. Privacy Shield framework in the Court of Justice of the European Union (CJEU). The action by Digital Rights Ireland calls for an annulment of the adequacy decision for the framework reached by the European Commission on July 12, 2016.  The activist group has been influential, helping overturn the Commission’s Data Retention Directive in 2014 and contributing to the lawsuit by Maximilian Schrems that led to the collapse of Safe Harbor.  It could be a year or more before the CJEU rules on the case.  Other legal challenges can be expected, with the head of one Irish privacy consulting firm stating that the latest proceeding appeared to mark "the start of open season on Privacy Shield".

Friday, October 21, 2016

Privacy Shield Certifications Top 500 by Mid-October

According to a spokesperson from the U.S. Department of Commerce, the Privacy Shield self-certifications of 500 companies had been approved by the department by mid-October, while those of an additional 1,000+ companies are under review. The DOC announcement came during the Privacy Commissioners’ 38th International Conference in Marrakesh, Morocco on October 20, 2016. The take-up rate of certifications since Privacy Shield opened for business on August 1, 2016 has been substantial and appears to be accelerating: approximately 100 during the first month, another 200 in the second month, and an additional 200 during the first two weeks of the current month.

Friday, October 14, 2016

Facebook Enters Enterprise Social Networking Market

On October 10, after 20 months in closed beta testing, Facebook launched an enterprise-focused communication and social networking service under the name Workplace, intended to compete with the likes of Slack, Yammer, Chatter, Hipchat and Jive.   The ad-free app, available for both desktop and mobile devices, includes an interface and features already familiar to Facebook users, such as News Feed, Groups, Chat direct messaging, Live video, Reactions, translation features, and video and audio calling.  Early adopters include the Royal Bank of Scotland, Danone, Starbucks, Telenor and  According to the company, integrations with other services such as Workday will follow, after the current emphasis upon usability and engagement builds a viable user base.  Mark Zuckerberg is quoted as saying "It's an app, but I think about it more as a way of running a company."   Whether companies will want to place their futures in the hands of Facebook, given its long record of questionable data privacy and protection practices, remains to be seen.    

Monday, October 10, 2016

Yahoo Email Scanning Could Torpedo Privacy Shield

According to a Reuters report on October 4, Yahoo, in response to a government demand, secretly built a custom software program last year to search all of its customers’ incoming emails in real time for a specific but undisclosed set of characters. If true, this would represent massive surveillance of a type going beyond that exposed by Edward Snowden, whose 2013 revelations only described access to stored communications by national security agencies or particular targeted individuals. Other tech giants, including Google, Facebook, Apple, Twitter and Microsoft, quickly denied engaging in such behavior and stated that they would go to court rather than comply. Since the emails of all of Yahoo’s European customers would be included in the Yahoo scanning, the new revelations, if true, would undermine claims made by the U.S. government in launching the Privacy Shield framework that it did not engage in mass surveillance. The following day, on October 5, Reuters reported that European politicians and consumer organizations had called upon the European Commission and data protection authorities to look into the issue, while lawyers said that a legal challenge to Privacy Shield was now more likely. Even the business-friendly DPA of Ireland called the matter one of “considerable concern” that was prompting it to make inquiries.

Update:  On October 27, the Article 29 Working Party sent a letter to Yahoo calling for an explanation of "the legal basis and justification" for the reported email scanning and "how this is compatible with EU law and protection for EU citizens".  The letter also called for information and remedial actions in connection with Yahoo's September 22 announcement of a breach of the personal data in at least 500 million user accounts.