News Archives

Friday, January 13, 2017

Surveillance Developments May Doom Privacy Shield

As the clock ticks toward the first annual joint review of how U.S. surveillance activities can be reconciled with the EU-U.S. Privacy Shield framework, recent developments are hardly promising:
  • On December 1, the government received new hacking powers when Congress failed to block the changes to Rule 41 of Federal Criminal Procedure that were approved by the Supreme Court in April. Sen. Ron Wyden (D-OR) called this “one of the biggest mistakes in surveillance policy in years,” with one judge being able to use a single warrant to hack thousands and possibly millions of cellphones and tablets.
  • On January 11, EU Justice Commissioner Vera Jourova stated that the U.S. has not satisfied the EU’s concerns about Yahoo's scanning of all customers' incoming emails for intelligence purposes.  The European Commission had asked the U.S. in November for an explanation of the Yahoo scanning, making this a test case for how forthcoming the U.S. would be in clarifying its surveillance practices.  According to Jourova, "I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information."
Mass and indiscriminate surveillance by U.S. authorities was what led to the invalidation of the Safe Harbor framework by the European Court of Justice in October 2015.  With President-elect Trump speaking in favor of stronger surveillance measures during his campaign, it is becoming increasingly difficult to see how the Privacy Shield framework will be able to survive its first annual joint review. 

Update:  On January 25, President Trump issued an executive order on enhancing public safety that directed agencies to exclude non-U.S. citizens from Privacy Act protections.  Since legal redress via the Privacy Act is one of the underpinnings of Privacy Shield, the order prompted broad debate as to whether it would lead to the collapse of the framework.  Most observers subsequently concluded that because of an exception made for applicable law, the order did not withdraw Privacy Act protection from personal data transferred from Europe.  Nevertheless, the European Commission was reported to be seeking written confirmation of this interpretation of the order.

Swiss Reach Privacy Shield Agreement with U.S.

On January 11, Switzerland announced that it has reached a Privacy Shield agreement with the U.S., paralleling the one reached between the U.S. and the EU and succeeding the U.S.-Swiss Safe Harbor Framework.  The documents comprising the framework were published on the website of the Federal Data Protection and Information Commissioner (FDPIC).  According to the FDPIC:  "Following finalisation of Privacy Shield, US companies can start the certification process with the DOC within a 3-month period, during which the FDPIC will not undertake enforcement actions. The DOC will then publish a list of all certified companies on its website. The FDPIC will provide a link to this list and to all the relevant documents on its website as soon as this information is available."  In a statement released the following day, the International Trade Administration of the Dept. of Commerce indicated that it would begin accepting certifications under the new framework on April 12 and that additional information would be forthcoming on the Privacy Shield website.

Sunday, January 1, 2017

Right to Disconnect Law Enacted in France

As of January 1, French workers have the right to ignore work-related communications outside of typical working hours, courtesy of a provision in a new employment law designed to combat the intrusion of work into private life. The so-called “right to disconnect” law addresses the health and social impacts of an always-on work culture increasingly leading to “info-obesity” in the workforce. Companies with 50 or more employees will be obliged to negotiate over off-hour communications and at the very least, publish a policy making explicit the demands on, and rights of, employees outside of working hours.  While there are no penalties for companies failing to observe the law, this could change should compliance lag. Companies that had previously implemented measures to limit the role of out-of-hours messaging in worker burnout include telecom firm Orange, nuclear power company Areva and insurer Axa in France, and automakers Volkswagen and Daimler in Germany.