News Archives

Tuesday, November 29, 2016

Challenges to Privacy Shield Mount

There were a number of developments around challenges to the EU-U.S. Privacy Shield framework in November. Details were released of the formal complaint filed by Digital Rights Ireland with the Court of Justice of the European Union (CJEU) back in September, advancing ten grounds to justify its call for an annulment of the European Commission’s adequacy decision for the framework.  Violations of the EU Data Protection Directive, the Charter of Fundamental Rights and the CJEU’s Schrems decision were claimed in nine of the ten grounds.  In France, three organizations – the privacy advocacy group La Quadrature du Net, the non-profit ISP French Data Network and the Federation FDN industry association – were reported to have filed a legal challenge to Privacy Shield at the Luxembourg-based General Court. On November 11, it was announced that the European Commission had asked the U.S. government about a secret court order Yahoo used to scan thousands of customer emails for possible terrorism links, following concerns that this may have violated understandings reached during Privacy Shield negotiations. In the final agreement that was reached, the U.S. pledged not to engage in mass, indiscriminate surveillance of the data of Europeans.  Meanwhile, the Irish DPA was said to have stepped up its investigation of Yahoo’s breach of the personal data of 500 million individuals, while still being in the early stages of looking into the issue of how the company’s e-mail scanning on behalf of U.S. authorities might impact Privacy Shield.

Monday, November 28, 2016

German Government Not on Same Page as DPAs

Germany has traditionally been viewed as the European country with the most rigorous data protection laws and culture.  However, privacy developments during November were of a decidedly mixed character.  On the one hand, the data protection authorities in ten German states initiated a coordinated mass audit of 500 randomly-selected companies, focusing upon their data transfer policies and practices.  Companies still relying upon Safe Harbor as a basis for data transfers to the U.S. would likely see enforcement actions brought against them.  Enforcement actions by individual DPAs also continued, for example the fining of an unnamed company by the Bavarian DPA for appointing a data protection officer who continued in his role as IT manager.

On the other hand, the German interior ministry released the draft of a bill that would prevent DPAs from investigating breaches of medical and legal records and would also allow businesses to withhold notice about personal data they collected if such notice “would seriously jeopardize the business purposes of a company.”  Thilo Weichert, the outspoken former DPA for Schleswig-Holstein, called the provisions a “disaster” that would represent a “massive” erosion of privacy in Germany, while the federal DPA, Andrea Vosshoff, said they would make DPA control “in many sensitive areas, for instance health insurance companies, job centers, or other social service operators, almost impossible, and is not acceptable.” Other criticisms of the draft bill were prominent in an analysis published by the federal and state DPAs on November 11.  Finally, in a sign of what appears to be a growing cultural bifurcation, Chancellor Angela Merkel called upon EU member states to take “a pragmatic approach” to the application of data protection laws, balancing the need to prevent the misuse of personal data with the need to enable the development of big data projects.

Data Localization Taking Root in China, Russia

Significant developments relating to data localization occurred in both China and Russia during November.  In China, the National People’s Congress Standing Committee enacted the final draft of the Network Security Law (also referred to as the Cybersecurity Law) on November 7, with an effective date of June 1, 2017.  The Law requires enterprises providing “key information infrastructure” to store critical data and personal information collected and generated in the course of their operations within the territory of China, irrespective of the citizenship of the data subjects. Such information may be transferred outside of China only when there is a genuine business need to do so and a favorable security assessment has been carried out.  A key issue for multi-national businesses situated outside of China will be how the State Council determines the scope of “key information infrastructure” and how stable such a demarcation will be.  In another important development, the Law establishes a broad range of privacy protections reflective of, and consistent with, the EU General Data Protection Regulation and other international standards.

In Russia, the country’s data protection authority, Roskomnadzor, ordered that access to LinkedIn’s website be blocked as of November 17, making this the first time a foreign online service has been shut down for failing to comply with the Data Localization Law. Other major U.S. web companies, such as Microsoft, Apple and Google, were reported to have complied with the Law by moving the personal data of Russian citizens to Russian-based servers, while Facebook and Twitter are under regulatory pressure to do so.  Should LinkedIn follow suit, which would be relatively easy to do using data centers operating within Russia such as Microsoft’s, its service could be restored.  In an exceptionally lame excuse for non-compliance, LinkedIn argued that it failed to respond to the inquiry from Roskomnadzor that led to the website shut-down because the DPA had sent its inquiry to the firm’s U.S. office instead of to LinkedIn Ireland, which is responsible for the data of non-U.S. users.

Thursday, November 3, 2016

649 Companies Participating in Privacy Shield

According to HR Privacy Solution’s analysis of data on the Dept. of Commerce’s Privacy Shield website, 649 companies were listed as active participants in the EU-U.S. Privacy Shield framework as of close of business on October 31, 2016.  This is up from 107 companies participating by the end of August and 304 by the end of September.  

The analysis also revealed the following:

  • Of the 649 companies, 18 (3%) certified for HR data only, 144 (22%) certified for both HR data and non-HR data, and 487 (75%) certified for non-HR data only.
  • The 18 companies certifying for HR data only are largely not well-known:  Amplifinity, Babcock & Wilcox, CDK Global, Cornerstone OnDemand, DDB Worldwide, Edgeview Personal Care, Employment Screening Services, Fort Hill Company, HCR Software Solutions, i9Advantage, Kiran Analytica, Maseke, Perceptyx, PRO Unlimited, Recsolv (Yello), Tenneco and VWR.
  • Better-known companies on the list include:  Amazon, Avon, Babcock & Wilcox, Box, Brother, Ceridian, Cisco, Citrix, DDB Worldwide, Deloitte, Dropbox, Dun & Bradstreet, Eaton, Electronic Arts, Ernst & Young, Facebook, Google, Ingersoll Rand, Intuit, ITT, Kingston Technologies, Microsoft, Northrop Grumman, Omnicom, Oracle, Pinkerton, Salesforce, Tenneco, Tiffany, TRUSTe, Viacom and Workday.
  • Of these 32 better-known companies, all certified for non-HR data, except for Babcock & Wilcox, DDB Worldwide and Tenneco.
  • Of these 32 better-known companies, those not certifying for HR data included Amazon, Box, Brother, Cisco, Citrix, Dropbox, Dun & Bradstreet, Kingston Technologies, Oracle, Salesforce and TRUSTe.
  • There were an additional 858 covered companies listed in the certifications of the 649 Privacy Shield participants.

The analysis confirms an earlier finding that Privacy Shield is being used as a transfer mechanism overwhelmingly by smaller niche companies to legalize the import of non-HR data from Europe.  Only 5% of participating companies are better-known and only 25% are using Privacy Shield to import HR data.

The design of the DOC website makes analysis difficult and impractical.  For example, determining the distribution of participants across industry segments would require inspecting each certification individually.  In addition, three months after launch, the website remains unstable and bug-ridden.  Seventeen companies are listed out of alphabetical order when searching letter-by-letter under Advanced Search.  Some companies, such as etleap, are not found at all when searched for individually.  Session history influences the results displayed when searching.  The site disables the browser’s Back button, forcing a user to exit and re-enter the list when attempting to locate particular companies.  Is this the best that can be expected of government work?