News Archives

Tuesday, February 28, 2017

National DP Laws Now in 120 Countries

Since 1973, when Sweden became the first country to enact comprehensive data protection legislation at a national level, an accelerating number of countries have followed suit. According to the latest compilation and analysis by Prof. Graham Greenleaf, published by Privacy Laws & Business, some 120 countries now have omnibus laws at the national level. In addition, another 31 countries have formulated and are considering such laws.  The only major countries at this point without comprehensive national data protection legislation, either enacted or drafted, are India, China and the U.S., with China taking incremental steps towards adoption of internationally-accepted privacy standards. The growing isolation of the U.S. with respect to its approach to privacy protection can also be seen in the fact that the U.S. is the only member of the OECD, which currently has 35 members, to lack comprehensive data protection legislation.   How the U.S.’s targeted, fix-it-later-maybe approach to privacy protection will play out in President Trump’s new world of America First and trade protectionism remains to be seen. To the extent that transfers of personal data become a trade issue, the leverage resides with the 120 countries hewing to a common standard.

Sunday, February 26, 2017

Implementation of POPI Proceeds in South Africa

Progress in the implementation of South Africa’s Protection of Personal Information Act, passed in 2013, continues, albeit at a slow pace.  The supervisory authority, known as the Information Regulator, has finally been established and funded, and recently launched its dedicated website.  On February 13, during a briefing in Cape Town, the Regulator announced that work on implementing regulations for POPI (or POPIA, as it calls the Act) was underway, with a goal of introducing them to Parliament in six months or so and then setting a POPI commencement date that would fall before the end of 2017. Recognizing that this may be an ambitious schedule, the Regulator indicated that the commencement date might instead be sometime in 2018.  Given the one-year grace period that follows the commencement date, POPI is unlikely to be fully enforceable until 2019 or even 2020.

Tempting as it may be to conclude that development of data protection and other laws moves more slowly in Africa than elsewhere, it is worth remembering that the first consultation on the reform of the EU Data Protection Directive was held in 2009.  The outcome of the reform process, the General Data Protection Regulation, will come into effect in May 2018, some nine years later. And how long has an update to the Electronic Communications Privacy Act (ECPA) been pending in the U.S.?  Time may indeed move more slowly in Africa, but you wouldn’t necessarily know this from the history of POPI.  

Japan Tightening Data Protection Law in May

In 2015, as Japan’s 2003 Act on the Protection of Personal Information fell increasingly behind advancing technology and international privacy standards, the Diet passed a number of significant amendments to the Act to bring it up to date.  While many details of how the amendments will be translated into practice remain to be fleshed out by the newly established Personal Information Protection Commission, their relevance for international businesses is quite clear.  Most prominently, while any extraterritorial applicability of the Act had been conspicuously missing, this will no longer be the case: the Act will now explicitly apply to businesses outside Japan that handle the personal information of individuals in Japan in connection with supplying goods or services to them.  Secondly, the current exemption from coverage by the Act for businesses that handle the data of 5,000 or fewer individuals will disappear.  Thirdly, the definition of personal information will be clarified and expanded to bring it closer to European standards, including the introduction of a category of “sensitive” (special care-required) information that demands a higher level of protection.  Fourthly, provision of personal data to third parties will require the express consent of the individual unless a business relies upon one of the “opt-out” exemptions specified in the amendments and notifies the Commission accordingly.  Finally, the “opt-out” route will not be available for transfers to third parties outside Japan; such transfers will require express consent unless the recipient is in a country the Commission recognizes as having an equivalent level of protection, or the recipient has put in place contractual or other safeguards that meet the Commission’s standards.  The amendments come into full effect on May 30, 2017.

Protect Employee Data? Not Necessary in Pennsylvania

The Pennsylvania Superior Court, ruling in Dittman v. University of Pittsburgh Medical Center, held that under state law an employer has no legal duty to protect employee data, even where a breach of such data causes economic harm. The case stemmed from a 2014 data breach that exposed the data of some 62,000 UPMC employees and, according to the complaint, resulted in at least 788 of them becoming victims of tax fraud.  In the court’s view, imposing such a duty would be unwise given how common data breaches have become and the fact that no security measures can guarantee against them, so employees could not reasonably expect that the data they turned over to UPMC would be held securely. Laws to protect the privacy of individuals in the digital age have notably lagged in Pennsylvania; the same fact pattern would likely lead to a quite contrary ruling in many other states.  Dittman v. UPMC is a good illustration of the patchwork nature of privacy protections prevalent in the United States.

Friday, February 24, 2017

Irish High Court Hears Challenge to Model Contracts

On February 2, the High Court of Ireland began hearing a case brought by the country’s Data Protection Commissioner, Helen Dixon, asking the court to request a ruling from the Court of Justice of the European Union (CJEU) on the validity of standard contractual clauses as a mechanism for transferring personal data from the EU to the U.S.  The case first arose as a complaint to the Commissioner from privacy activist Maximilian Schrems about access by U.S. government security agencies to information in his Facebook account that had been transferred from Ireland under standard contractual clauses.  Through his attorney, Schrems has argued that the Commissioner, having made a draft finding in May 2016 that his objections were well founded, has the authority to suspend the data transfers herself and that there is no need to send the matter to the CJEU.  An attorney for Facebook contended that the Commissioner’s draft finding was deeply flawed and had been overtaken by developments such as the conclusion of the Privacy Shield framework agreement.  Submissions to the court were also made by the U.S. government, a U.S. privacy law expert, EPIC, the ACLU, the Business Software Alliance and Digital Europe.  The proceedings, originally expected to run for three weeks, appear to be headed for at least five.

Invalidation of standard contractual clauses would have a profound, if not devastating, impact upon nearly a trillion dollars of trans-Atlantic trade, since model contracts are by far the most widely used data transfer mechanism among U.S. companies.  Should the High Court refer the validity of model contracts to the CJEU, the EU courts may decide to first take up the challenge to Privacy Shield brought by Digital Rights Ireland, which is pending before the General Court.  Since the EU Data Protection Directive was enacted 22 years ago, there has never been a more turbulent and uncertain regulatory environment around data transfers to the U.S.