News Archives

Friday, December 8, 2017

WP29 Sets Deadlines for Privacy Shield Improvements

At a plenary meeting on November 28, the Article 29 Working Party adopted a 38-page opinion on the effectiveness of the Privacy Shield program, following the first annual joint review conducted by the European Commission in Washington DC in September 2017.  Eight representatives of the Working Party took part with the Commission in the review, including both DPAs and expert staff.  The Commission issued its own report on the review on October 18, finding that Privacy Shield continued to ensure an adequate level of protection, while noting a number of recommendations for improvements.

As might be expected, the Working Party opinion, while noting that Privacy Shield represented a significant advance over the invalidated Safe Harbor framework, was more forceful in calling for these and other improvements to be instituted by the U.S. government within specific time frames:
  • May 25, 2018 was set as the deadline for development of an action plan (a) to demonstrate that all of the Working Party's concerns will be addressed; (b) to appoint the independent Ombudsperson and clarify the rules of procedure of this office; and (c) to fill the vacancies in the Privacy and Civil Liberties Oversight Board (PCLOB).
  • The second joint annual review was set as the deadline for addressing the remaining concerns of the WP29.
Barring remediation of its concerns within these time frames, the opinion states that members of the Working Party "will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling."  It is worth noting that: (a) the track record of the WP29 with respect to previous warnings of imminent enforcement actions is less than compelling; and (b) while this latest deadline-setting ups the ante by threatening the existence of Privacy Shield itself as opposed to targeting particular companies, the reference to the CJEU is likely to take a considerable amount of time, as witnessed by the Irish High Court's current referral of the Schrems case.

Of particular interest in the WP29 opinion is the prominence it gives to concerns about HR data. The Department of Commerce began operations of the Privacy Shield program by allowing companies acting as data processors for EU companies with respect to employee data to certify that they were processing HR data and relied upon EU data protection authorities as their independent recourse mechanism.  After a few months, the DOC changed course and began treating such transferred data as commercial data, requiring public disclosure of the relevant privacy policy and not requiring that EU data protection authorities be the independent recourse mechanism.  The WP29 rejects this interpretation of "HR data" and calls for rectification by the DOC.  Where this leaves companies certifying or re-certifying HR data under Privacy Shield is unclear, but a conversation with the DOC Privacy Shield team - said to be ten in number - would be advisable.

Wednesday, October 4, 2017

Irish High Court to Ask CJEU to Rule on Model Contracts

On October 3, after a hearing which ran for 21 days, Ireland's High Court announced that it would refer the challenge brought by Max Schrems to Facebook's use of standard contractual clauses as the legal basis for transferring personal data to the US to the Court of Justice of the European Union.  An earlier complaint by Schrems led to the CJEU's October 2015 finding that the Safe Harbor adequacy decision reached by the European Commission was invalid.  The Irish DPA, Helen Dixon, had asked the High Court to make the referral, after concluding that Schrems had raised "well-founded" objections to the transfer of his personal data to the US.  Both Schrems and Facebook had argued that no CJEU referral was necessary, albeit for different reasons.  On the one hand, Schrems held that standard contractual clauses are "perfectly valid" and that Dixon had sufficient information and powers to suspend the data transfers herself.  Facebook, on the other hand, contended that there are sufficiently robust protections in place under standard contractual clauses and US law to provide adequate protection to transferred data.  The formal referral to the CJEU will occur only after the High Court has determined the precise questions to be put before the EU's highest court.

Monday, August 28, 2017

Indian Supreme Court Finds Privacy to be a Fundamental Right

On August 24, a special nine-judge bench of India’s Supreme Court ruled unanimously that privacy is a fundamental right under Article 21 of the country’s Constitution and a part of the freedoms guaranteed by Part III of that Constitution. The landmark judgment came in a case entitled Justice K S Puttaswamy (Retd) vs Union of India.  The case began in 2012 when Justice Puttaswamy filed a petition in the Supreme Court challenging the constitutionality of the government’s Aadhaar biometric scheme on the grounds that it violated the right to privacy.  Successive Indian governments argued that there was no such constitutional right.  As in the US, the word privacy is not found in the Indian Constitution and Indian courts had given conflicting opinions on whether one existed. The massive 547-page judgment, a veritable treatise on privacy, resolved this controversy in a definitive manner and is expected to lead to further challenges to the Aadhaar scheme and to Indian laws banning homosexuality, alcohol consumption and other matters.  Intensified challenges can also be anticipated to tech giants such as Uber, Google and Facebook, as well as to the country’s own start-up industry.

Anticipating the ruling, the Modi Government on August 2 formed a ten-member panel under Justice B N Srikrishna (Retd) with representatives of government, academia and industry tasked with drafting a comprehensive data protection bill.  A few days after the ruling, Minister for Law and IT Ravi Shankar Prasad said that he hoped the new law would be in place by December. While this target date may appear over-ambitious, consultations and work on a comprehensive privacy bill have been ongoing in India since at least 2011 (see the April 2014 report in this blog’s News Archive).  The government, in its response to the ruling, emphasized the court’s finding that privacy is not an absolute right but one in which an appropriate balance must be struck.  Asked whether the stringent privacy requirements that would be forthcoming could scuttle innovation within India, Prasad said: "I am happy that the court has marked innovation as an important criteria where reasonable restrictions can be applied."

Saturday, April 29, 2017

Busy Month for German DPAs, Court, Legislators

April saw three significant privacy developments in Germany.  On April 14, the federal and state data protection authorities released a draft Standard Data Protection Model, developed to assist data controllers by providing a practical approach to fulfilling their data security obligations under German law and the General Data Protection Regulation.  An English translation of the 47-page guidance, prepared by the North Rhine-Westphalia DPA, is available here.  Without being prescriptive, the Model contains a catalog of data security measures and a methodology for applying them. It structures legal requirements in terms of data protection goals, such as data minimization, availability, integrity, confidentiality, transparency, unlinkability and intervenability. 

On April 25, the Hamburg administrative court upheld the September 2016 order by Hamburg DPA Johannes Caspar that Facebook stop sharing the data of German WhatsApp users with Facebook, agreeing with him that consent of the 35 million users for such transfers had not been obtained.  While Facebook indicated it would appeal, it has for some time suspended such transfers of WhatsApp user data across Europe.

On April 27, the German Parliament passed a new Data Protection Act, designed to align current German data protection laws with the requirements of the GDPR and replace the current Federal Data Protection Act. Taking advantage of the GDPR’s opening clauses to exercise national discretion in certain areas, the Act contains provisions on such matters as the rights of data subjects, data protection officers, data processing in the employment context, and exceptions for processing special categories of personal data.  The Act was passed in spite of considerable criticism, with the European Commission expressing dissatisfaction with it as late as one week prior to its passage.  According to the Commission, the opening clauses were not intended to be used in this manner and doing so undermines the harmonization goals of the GDPR.  For example, while the GDPR sets significant penalties for non-compliance by companies, the Act creates rules allowing for the sanctioning of individuals, leading to potential liability for managers, employees and data protection officers, including the possibility of prison terms of up to three years.

Friday, April 28, 2017

Indian DP Law Anticipated Once Again

Pressure for, and the likelihood of, a new data protection law in India has been waxing and waning for many years.  Although there were reports in May 2016 that the government was drafting new legislation, by the end of the year, with a ruling still pending in Justice K.S. Puttaswamy (Retd.) & Another v. Union of India & Others on whether a right to privacy exists under the Indian constitution, the prospects for a new law appeared to be minimal. However, on April 19 came news that the Modi government had decided to enact a new law to protect digital privacy before the end of October. The law was described by the Indian Attorney General as “a data protection framework…in line with US law on this subject.” Prior to Modi, the new law under consideration was said to be modeled upon European precedents. Government interest in a more comprehensive privacy law was also cited in a report on the country’s Guidelines for Government Departments on Contractual Terms Related to Cloud Services, released the following day.

China Plans Expansion of Data Localization, Security Review Requirements

On April 11, the Cyberspace Administration of China issued draft rules, entitled the Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country, designed to guide the implementation of the country’s Cybersecurity Law, slated to come into effect on June 1.  Whereas previously requirements for data localization appeared to be restricted to “key information infrastructure operators,” the proposed measures expand their scope to all “network operators.”  Insofar as “network operators” are defined as “those entities that own or administer a network, and to network service providers,” this would appear to impose data residency requirements on all technology/online companies, along with any company that uses its own IT networks or infrastructure.  Having a website directed to Chinese users might be sufficient to qualify an organization as a “network operator.” 

A second major problem for multi-nationals operating in China lies in the requirement in both the Cybersecurity Law and the Measures that a security assessment be conducted before personal data is transferred out of the country.  This assessment can be conducted internally, unless one of a number of conditions exists, such as with data transfers that involve more than 500,000 individuals or more than one terabyte of data; that relate to critical and sensitive facilities or infrastructure; or that impact the country’s national security or public interest.  Should one of these conditions apply, the security assessment would need to be carried out by an industry regulator.

The draft measures, issued for public comment until May 11, contain many ambiguous terms and are subject to revision as a result of the public consultation.  Hogan Lovells has prepared a detailed analysis of the measures, available here, while an English translation released by Hunton & Williams may be found here.  The high-level brevity of the measures, considering their potentially profound impact upon businesses operating in China, is striking.

Friday, April 14, 2017

Swiss-U.S. Privacy Shield Open for Business

On April 12, the U.S. Dept. of Commerce announced that the recently agreed-upon Swiss-U.S. Privacy Shield Framework had begun accepting self-certifications. Companies already participating in the EU-U.S. Privacy Shield framework can log into their Privacy Shield website account and add coverage for personal data transfers from Switzerland to those from the EU via a parallel and accompanying certification.  The Swiss Privacy Shield re-certification date will be adjusted to correspond to that of the EU-U.S. Privacy Shield certification. A separate annual fee, geared to a company’s annual revenue, will be required in order to participate. FAQs addressing key points relating to the Swiss-U.S. Privacy Shield Framework have been published on the Privacy Shield website.

In other Privacy Shield developments, a week earlier the EU Parliament backed a proposal by its LIBE committee urging the European Commission to investigate whether the data transfer agreement adequately protects the privacy rights of European citizens in the face of U.S. surveillance. The MEPs, who voted 306 to 240 in favor of the resolution, also expressed concerns about many recent developments previously noted in this blog, such as the sharing of NSA data with 16 other agencies, the roll back of FCC privacy rules, cooperation of service providers with security agencies, and the inoperability of the Privacy and Civil Liberties Oversight Board.  The first annual joint review of the Privacy Shield framework is scheduled to take place this coming September.

Monday, April 10, 2017

Working Party Issues GDPR Guidance

In early April, the Article 29 Working Party issued finalized versions of three documents providing guidelines to organizations on the proper interpretation of key topics in the General Data Protection Regulation, which will come into effect on May 25, 2018.  The guidelines cover the right to data portability, Data Protection Officers, and the lead supervisory authority.  In addition, the Working Party launched a public consultation, running through May 23, on draft guidance on data protection impact assessments and determining whether processing is “likely to result in a high risk.”  According to its 2017 GDPR Action Plan, issued in January, the Working Party will also complete work underway  on administrative fines, setting up the European Data Protection Board (EDPB), the one stop shop and the EDPB consistency mechanism. Other topics to be addressed in 2017 include consent and profiling, transparency, data transfers to third countries and data breach notifications.

Friday, March 31, 2017

House Committee Passes Controversial Wellness Bill

A controversial bill that would give employers greater leeway in obtaining genetic and other sensitive health information from employees and increase the financial incentives for employees to participate in workplace wellness programs was passed by the House Committee on Education and the Workforce along party lines on March 8, 2016.  Critics of the Preserving Employee Wellness Programs Act contend that it will gut key protections in the Americans with Disabilities Act (ADA) and the Genetic Information Non-Discrimination Act (GINA), coerce employees into giving up genetic and health information, and weaken the role of the EEOC in overseeing wellness programs.  Opposition to the bill has been expressed by a wide range of consumer, health and privacy advocacy groups, including the AARP, the American Diabetes Association, the American Academy of Pediatrics, the Epilepsy Foundation, the March of Dimes, the National Association for Rare Disorders, the American Society for Human Genetics and the ACLU.  HHS Secretary Tom Price reportedly is among those expressing concern about the bill, which still needs to be taken up by the House Ways and Means Committee before it could advance to the full House and the Senate.   

Human Factors Play Major Role in Data Breaches

According to Verizon’s recent 2017 Data Breach Digest, a 99-page report by the company’s data breach investigation team, breaches are becoming more complex and now touch every part of an organization. The Digest describes 16 common breach scenarios, divided into four clustered groupings:  (1) the human element; (2) device misuse or tampering; (3) configuration exploitation; and (4) malicious software.  Verizon data indicates that the human element was the major vulnerability relied upon in one-third of confirmed data breaches, ranking behind hacking and malware, while also being a factor in up to one-half of all breaches. Tactics and techniques used to exploit the human element include phishing (92%), pretexting (42%) and bribery/solicitation (3%).  Email is overwhelmingly the primary means of communicating with targets, highlighting the importance of employee education and training across the organization, as well as the need for multi-factor authentication.

Friday, March 24, 2017

Privacy Shield Update: EU Parliament Restive, No Complaints

On March 23, the EU Parliament’s civil liberties, justice and home affairs committee (LIBE) passed a resolution declaring Privacy Shield to be inadequate and calling upon the European Commission to examine the following deficiencies when it carries out its first annual review this summer:
  • Continued U.S. bulk surveillance of Europeans, in violation of the Schrems ruling by the CJEU
  • The viability of redress mechanisms, which are all U.S.-based
  • The lack of independent oversight by the U.S. ombudsman
  • Data retention provisions
The resolution includes explicit references to Yahoo’s October 2017 admission that it created software at the request of the NSA to scan users’ email and the decision of the Obama administration to share raw SIGINT data with 16 other agencies without court order.

The vote by the LIBE committee passed by a narrow margin of 29 to 25.  The resolution is expected to be taken up by the full EU Parliament during the first week of April.

Earlier, the U.S. Dept. of Commerce administrator for the Privacy Shield framework, Caitlin Fennessy, stated at a recent IAPP seminar in London that over 1800 companies had certified compliance with the Privacy Shield framework, with another 300 companies in the pipeline. Confirming an earlier analysis by HR Privacy Solutions, Fennessy reported that participants are largely small-to-medium-sized enterprises, with some 70% having fewer than 500 employees.  In addition, participants are heavily slanted towards the technology and consulting sectors.  Perhaps most significantly, no complaints about Privacy Shield from data subjects have reached the FTC, the Commerce Department or the special arbitration mechanism set up as a last-resort option.

Thursday, March 2, 2017

Advocacy Groups Call on EU to Re-evaluate Privacy Shield

On February 28, two prominent advocacy groups, the American Civil Liberties Union (ACLU) and Human Rights Watch, called upon European officials to re-examine assurances about privacy protection they received from the U.S. government, assurances that form the foundation of both the Privacy Shield agreement and the U.S.-EU umbrella agreement concerning exchanges of information for law enforcement purposes.  The letter, sent to key officials in the European Commission, the EU Parliament and the Article 29 Working Party, argued that the assurances had been undermined by President Trump’s executive order on enhancing public safety and by the deterioration and lapse of the Privacy and Civil Liberties Oversight Board (PCLOB).  Although former and current FTC Commissioners have contended that the executive order does not impact recently-extended Privacy Act protections for Europeans, the advocacy groups offer a detailed analysis of three ways in which these protections have been significantly reduced by the order.  They also contended that oversight by a fully-functioning PCLOB was clearly an important factor in the European Commission’s adequacy decision with respect to Privacy Shield.

Two days later, in an interview with Bloomberg, EU Justice Commissioner Vera Jourova said she "will not hesitate" to suspend the Privacy Shield framework if the Trump administration makes significant changes in the understandings that underpin the agreement.  Jourova will be meeting with U.S. officials in Washington later this month, seeking reconfirmation and reassurances about these understandings.  According to Johannes Caspar, the Hamburg DPA, “the disruptive political style of the new U.S. administration fills anyone working in the field of privacy with concern,” adding that “You don’t need to gaze into a crystal ball to see that the air surrounding the Privacy Shield is becoming thinner.”

Tuesday, February 28, 2017

National DP Laws Now in 120 Countries

Since 1973, when Sweden became the first country to enact comprehensive data protection legislation at a national level, an accelerating number of countries have followed suit. According to the latest compilation and analysis by Prof. Graham Greenleaf, published by Privacy Laws & Business, some 120 countries now have omnibus laws at the national level. In addition, another 31 countries have formulated and are considering such laws.  The only major countries at this point without comprehensive national data protection legislation, either enacted or drafted, are India, China and the U.S., with China taking incremental steps towards adoption of internationally-accepted privacy standards. The growing isolation of the U.S. with respect to its approach to privacy protection can also be seen in the fact that the U.S. is the only member of the OECD, which currently has 35 members, to lack comprehensive data protection legislation.   How the U.S.’s targeted, fix-it-later-maybe approach to privacy protection will play out in President Trump’s new world of America First and trade protectionism remains to be seen. To the extent that transfers of personal data become a trade issue, the leverage resides with the 120 countries hewing to a common standard.

Sunday, February 26, 2017

Implementation of POPI Proceeds in South Africa

Progress in the implementation of South Africa’s Protection of Personal Information Act, passed in 2013, continues, albeit at a slow pace.  The supervisory authority, known as the Information Regulator, has finally been established and funded, and recently launched its dedicated website.  On February 13, during a briefing in Cape Town, the Regulator announced that work on implementing regulations for POPI (or POPIA, as it calls the Act) was underway, with a goal of introducing them to the Parliament in six months or so and then setting a POPI commencement date that would occur before the end of 2017. Recognizing that this may be an ambitious schedule, the Regulator indicated that the commencement date might be sometime in 2018.  Given the one-year grace period that follows the commencement period, POPI is unlikely to come into effect until 2019 or even 2020.

Tempting as it may be to conclude that development of data protection and other laws moves more slowly in Africa than elsewhere, it is worth remembering that the first consultation on the reform of the EU Data Protection Directive was held in 2009.  The outcome of the reform process, the General Data Protection Regulation, will come into effect in May 2018, some nine years later. And how long has an update to the Electronic Communications Privacy Act (ECPA) been pending in the U.S.?  Time may indeed move more slowly in Africa, but you wouldn’t necessarily know this from the history of POPI.  

Japan Tightening Data Protection Law in May

Last year, as Japan’s 2003 Act on the Protection of Personal Information fell increasingly behind advancing technology and international privacy standards, the Diet passed a number of significant amendments to the Act to bring it up to date.  While many details of how the amendments will be translated into practice remain to be fleshed out by the newly-established Privacy Protection Commission, their relevance for international businesses is quite clear.  Most prominently, while any extra-territorial applicability of the Act had been conspicuously missing, this will no longer be the case, with the Act now explicitly applying to any business that processes the data of Japanese citizens.  Secondly, the current exemption from coverage by the Act for businesses that process the data of fewer than 5,000 individuals will disappear.  Thirdly, the definition of personal data will be expanded to bring it into line with European standards, including the introduction of the concept of “sensitive” information requiring a higher level of protection. Fourthly, data transfers will require the express consent of the individual unless a business relies upon one of the “opt-out” exemptions specified in the amendments and notifies the Privacy Protection Commission accordingly.  Finally, “opt-out” exemptions will not be available unless the data transfer is made to a country having an adequate and similar level of protection; such transfers will require both express consent and special contractual safeguards.  The new amendments come into effect on May 30, 2017.

Protect Employee Data? Not Necessary in Pennsylvania

The Pennsylvania Superior Court, ruling in Dittman v. University of Pittsburgh Medical Center, held that under state law an employer is not responsible for protecting employee data, even where the breach of such data causes economic harm. The case stemmed from a 2014 data breach that exposed the data of 62,000 UPMC employees and resulted in at least 788 of them becoming victims of tax fraud.  According to the court, employees had no reasonable expectation that their data would be held securely when they turned it over to the UPMC, since data breaches are all too common and there is no way to prevent them. Laws to protect the privacy of individuals in the digital age have notably lagged in Pennsylvania, since the same fact pattern would likely lead to a quite contrary ruling in many other states.  Dittman v. UPMC is a good illustration of the patchwork nature of privacy protections prevalent in the United States.

Friday, February 24, 2017

Irish High Court Hears Challenge to Model Contracts

On February 2, the High Court of Ireland began hearing a case brought by the country’s Data Protection Commissioner, Helen Dixon, urging the court to request a ruling from the Court of Justice of the European Union (CJEU) as to the validity of standard contractual clauses as a mechanism for the transfer of personal data to the U.S. from the EU.  The case first arose as a complaint to the Commissioner from privacy activist Maximilian Schrems about access by U.S. government security agencies to information in his Facebook account that had been transferred from Ireland utilizing standard contractual clauses.  Through his attorney, Schrems has argued that the Commissioner, having made a draft finding in May 2016 that his objections were well-founded, has the authority to suspend the data transfers and that there is no need to send the matter to the CJEU.  An attorney for Facebook contended that the Commissioner’s draft finding was deeply flawed and overtaken by developments such as the conclusion of the Privacy Shield framework agreement.  Submissions to the court were also made by the U.S. government, a US privacy law expert, EPIC, the ACLU, the Business Software Alliance and Digital Europe.  The proceedings, originally expected to run for three weeks, appear to be headed for at least five.

Invalidation of standard contractual clauses would have a profound, if not devastating, impact upon nearly a trillion dollars of trans-Atlantic trade, since model contracts are by far the primary data transfer mechanism used by U.S. companies.  Should the High Court refer the issue of the validity of model contracts to the CJEU, that court may decide to first take up the challenge to Privacy Shield pending before it by Digital Rights Ireland.  Since the EU Data Protection Directive was enacted 22 years ago, there has never been a more turbulent and uncertain regulatory environment around data transfers to the U.S.

Friday, January 13, 2017

Surveillance Developments May Doom Privacy Shield

As the clock ticks towards the first annual joint review of how U.S. surveillance activities can be reconciled with the EU-U.S. Privacy Shield framework, recent developments are hardly promising:
  • On December 1, the government received new hacking powers when Congress failed to block the changes to Rule 41 of Federal Criminal Procedure that were approved by the Supreme Court in April. Sen. Ron Wyden (D-OR) called this “one of the biggest mistakes in surveillance policy in years,” with one judge being able to use a single warrant to hack thousands and possibly millions of cellphones and tablets.
  • On January 11, EU Justice Commissioner Vera Jourova stated that the U.S. has not satisfied the EU’s concerns about Yahoo's scanning of all customers' incoming emails for intelligence purposes.  The European Commission had asked the U.S. in November for an explanation of the Yahoo scanning, making this a test case for how forthcoming the U.S. would be in clarifying its surveillance practices.  According to Jourova, "I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information."
Mass and indiscriminate surveillance by U.S. authorities was what led to the invalidation of the Safe Harbor framework by the European Court of Justice in October 2015.  With President-elect Trump speaking in favor of stronger surveillance measures during his campaign, it is becoming increasingly difficult to see how the Privacy Shield framework will be able to survive its first annual joint review. 

Update:  On January 25, President Trump issued an executive order on enhancing public safety that directed agencies to exclude non-U.S. citizens from Privacy Act protections.  Since legal redress via the Privacy Act is one of the underpinnings of Privacy Shield, the order prompted broad debate as to whether it would lead to the collapse of the framework.  Most observers subsequently concluded that because of an exception made for applicable law, the order did not withdraw Privacy Act protection from personal data transferred from Europe.  Nevertheless, the European Commission was reported to be seeking written confirmation of this interpretation of the order.

Swiss Reach Privacy Shield Agreement with U.S.

On January 11, Switzerland announced that it has reached a Privacy Shield agreement with the U.S., paralleling the one reached between the U.S. and the EU and succeeding the U.S.-Swiss Safe Harbor Framework.  The documents comprising the framework were published on the website of the Federal Data Protection and Information Commissioner (FDPIC).  According to the FDPIC:  "Following finalisation of Privacy Shield, US companies can start the certification process with the DOC within a 3-month period, during which the FDPIC will not undertake enforcement actions. The DOC will then publish a list of all certified companies on its website. The FDPIC will provide a link to this list and to all the relevant documents on its website as soon as this information is available."  In a statement released the following day, the International Trade Administration of the Dept. of Commerce indicated that it would begin accepting certifications under the new framework on April 12 and that additional information would be forthcoming on the Privacy Shield website.

Sunday, January 1, 2017

Right to Disconnect Law Enacted in France

As of January 1, French workers have the right to ignore work-related communications outside of typical working hours, courtesy of a provision in a new employment law designed to combat the intrusion of work into private life. The so-called “right to disconnect” law addresses the health and social impacts of an always-on work culture increasingly leading to “info-obesity” in the workforce. Companies with 50 or more employees will be obliged to negotiate over off-hour communications and at the very least, publish a policy making explicit the demands on, and rights of, employees outside of working hours.  While there are no penalties for companies failing to observe the law, this could change should compliance lag. Companies that had previously implemented measures to limit the role of out-of-hours messaging in worker burnout include telecom firm Orange, nuclear power company Areva and insurer Axa in France, and automakers Volkswagen and Daimler in Germany.