News Archives

Friday, August 31, 2018

What’s Happening with GDPR Enforcement?

Three months have passed since the EU’s General Data Protection Regulation came into effect, without any reports of significant enforcement actions or fines.  Yes, Google was hit with a whopping $5.1 billion fine on July 18, which would come close to wiping out their profits for the most recent quarter.  However, while the fine was testament to the willingness of EU regulators to maximize the leverage at their command, the violations involved were of antitrust rather than data protection law. 

It is worth noting that the Google fine came two years after charges were filed against the company, and even longer after an investigation into its practices was initiated.  Enforcement by EU data protection authorities often follows similar time frames – drawn out by US standards – in which attempts at education about compliance are followed if necessary by official warnings, the filing of charges if the warnings are not effective, a further period of time to allow a response to the warnings, and only then the issuance of an enforcement order and penalty.  David Meyer describes this more tolerant and collegial approach to enforcement in an IAPP Privacy Advisor article on why GDPR fines could be months away.

Of course, not all GDPR enforcement actions take years to progress.  When confronted with egregious data processing, more fully-empowered DPAs now have the authority to order the suspension of such processing.  And even where some airing of complaints is appropriate, it is worth considering what’s in the pipeline.  According to a poll of DPAs conducted by IAPP, several thousand complaints about violations of the GDPR were received within the first month.  According to European Data Protection Board Chair Andrea Jelinek, as of July 19 there were around 100 cross-border cases under investigation in the Internal Market Information System (IMI).  According to Giovanni Buttarelli, the EU’s data protection supervisor, as of August 14, an additional 30 alleged violations of the GDPR were being actively investigated by the EU’s independent DPAs.

Furthermore, not all GDPR enforcement is initiated by DPAs.  Max Schrems filed the first legal cases against Google and Facebook under the GDPR just hours after the Regulation came into effect.  The possibility of collective action lawsuits for privacy violations was introduced by the GDPR and one is said to be brewing against Facebook in the UK. 

GDPR enforcement may be slow, but experts have never expected otherwise.  What is clear is that the enforcement is coming.  Companies that still adopt a “show me the money” approach to gauging and responding to risks – and what US privacy consultant hasn’t encountered these – will be ill-prepared for what is to come.

Wednesday, August 29, 2018

Obstacles in Second Annual Review of Privacy Shield

On July 4th, the EU Parliament called for the suspension of the EU-US Privacy Shield framework if a number of deficiencies in US compliance with its commitments were not remedied by September 1st.  As the second annual EU-US review of the framework, slated for October, draws closer, it is worth considering the obstacles the two parties will need to contend with.

Here are a half-dozen major concerns the Europeans have: 

1. The failure of the US to have a functional Privacy and Civil Liberties Oversight Board (PCLOB) in place.  While President Trump finally nominated two individuals to the Board on August 7, the US Senate has failed to move forward with the nominations. Earlier in the summer a coalition of major tech companies urged governmental action on the issue.  In late August, a coalition of 31 privacy groups pressed the Senate to act without delay, while Cameron Kerry, former General Counsel and Acting Director of the Department of Commerce, wrote in Lawfare that “The status of the PCLOB is the biggest issue in the annual review underway of the Privacy Shield framework”, adding that “The European Commission counted heavily on independent PCLOB oversight of intelligence surveillance in initially approving the Privacy Shield and, in its first review last year, called for ‘swift appointment of the missing members’ before the next review.” 

2. The refusal of the Trump administration to make public even unclassified portions of a 2014 PCLOB report on NSA surveillance completed for President Obama in December 2016, which prompted an ACLU FOIA request on July 12 that notes the importance of the report’s release to the EU for the Privacy Shield review.

3. Adding fuel to this fire were the May 4 report in the New York Times that the NSA had tripled its collection of data from US phone companies and the August 13 report of the Inspector General of the NSA, which detailed numerous privacy concerns with the agency’s open source intelligence collection process.

4. The failure of the Trump administration to appoint the permanent and independent Ombudsperson called for under the Privacy Shield framework.

5. Revelations concerning massive abuses of personal information by Facebook and Cambridge Analytica, even though both were participants in the Privacy Shield framework.

6. Concerns about the newly-enacted CLOUD Act creating potential conflicts with EU data protection laws.

As far as is known, the US has no complaints with Europe about the operation of Privacy Shield; the complaints all run the other way.  How tolerant the EU will be of the US failure to live up to its Privacy Shield commitments remains to be seen.

Friday, August 17, 2018

Eight Years Later, Brazil Enacts General Data Privacy Law

On August 14, following passage by the Federal Senate a month earlier and years of false starts, President Michel Temer signed into law Brazil’s General Data Privacy Law, a comprehensive data protection bill which will come into effect in early 2020.  Aligning closely with the EU’s General Data Protection Regulation, the law lays the foundation for the pursuit of an adequacy decision from the EU.  Key provisions include requirements for data protection officers; documentation and registration of the legal basis for processing; strict requirements for consent; data breach notification; requirements for privacy by design and privacy impact assessments; restrictions on cross-border data transfers; and fines for violations of up to 2% of gross sales.  The cross-border restrictions even go beyond the requirements found in the GDPR, by applying to any processing conducted solely outside Brazil that affects or targets Brazilian citizens.  President Temer exercised his right to carry out line-item vetoes by rejecting several provisions of the bill passed by the Senate, including one calling for creation of an independent supervisory authority.  However, Temer attributed the rejection to procedural defects and pledged to send Congress a separate bill establishing a national DPA that would remedy the problem.

Tuesday, July 31, 2018

Omnibus Data Protection Bills Continue to Spread

July was a busy month for anyone tracking the spread of comprehensive data protection legislation around the globe.  Besides the momentous development of the government of India publishing a draft bill closely aligned with the EU’s General Data Protection Regulation, and Brazil being on the cusp of enacting its GDPR-inspired General Data Protection Law, progress towards omnibus data protection legislation was reported in five other countries.  In Barbados, the Ministry of Small Business, Entrepreneurship and Commerce launched a public consultation on the draft Data Protection Act 2018.  In Ecuador, the Ministry of Telecommunications and Information Society issued a position paper on the urgent need for data protection legislation, setting a goal of having a bill submitted to the National Assembly by the end of the year.  In Iran, the Minister of Communications announced that the government had prepared a draft data protection act for consideration by the Parliament and was interested in discussing data protection issues with the EU.  In Kosovo, the Government submitted a draft Personal Data Protection Law to the Assembly modeled upon the GDPR.  In Pakistan, the Ministry of Information Technology and Telecommunications released a draft Personal Data Protection Bill for public consultation.

Omnibus data protection bills in India and Brazil, and now in Iran and Pakistan.  China adopting comprehensive protections across a number of laws.  Hmm, perhaps when word emerges of a comprehensive data protection bill in North Korea, Congress will figure out that our increasingly exceptional piecemeal sectoral approach to privacy protection is not fit for purpose in the digital age.

Monday, July 30, 2018

Gov’t of India Publishes Draft Data Protection Bill

On July 27, India’s Ministry of Electronics and Information Technology (MEIT) published the country’s long-awaited draft data protection bill, prepared by the committee chaired by former Supreme Court Justice B.N. Srikrishna.  A lengthy commentary on the nature of privacy and the draft legislation, released at the same time, described the approach taken in the bill as a “template for the developing world” and a “Fourth Way” triangulating between the data protection models advanced by the US, the EU and China. At the same time, the draft appears to be closely aligned with the GDPR, being comprehensive rather than sectoral; establishing a data protection authority; requiring the appointment of data protection officers; requiring data protection impact assessments when needed; including cross-border data transfer restrictions; requiring notification of data breaches to the DPA and if warranted to individuals; including the right to data portability and the right to be forgotten; and setting fines of up to 4% of annual turnover.  A notable divergence from the GDPR is the bill’s requirements for data localization with respect to financial and health data.  Following a period of public consultation and likely adjustments as a result, the Personal Data Protection Bill will be submitted to the Parliament of India.

Friday, July 20, 2018

EU and Japan Announce Plans for Reciprocal Adequacy Findings

On July 17, the European Commission announced that the EU successfully concluded talks with Japan, begun in January 2017, with an agreement to recognise each other's data protection systems as equivalent.  The announcement was unusual in that it acknowledges that Japan has a number of significant additional safeguards to put in place before the Commission will be able to adopt an adequacy decision.  This unprecedented pre-approval reflects the EU’s close cooperation with Japan as evidenced in the same day’s announcement of the EU-Japan Economic Partnership Agreement, a pact which will create the world’s largest open trade zone covering over 600 million people.

A report that both the EU and Japan expect the Commission’s adequacy decision to be adopted in the autumn of this year seems optimistic.  A detailed analysis by Prof. Graham Greenleaf, published by Privacy Laws & Business, describes the Commission’s “many rivers to cross” on the EU side, including a favorable opinion from the European Data Protection Board and the approval of the 28 EU member states, while on the Japanese side, the nation’s DPA will need to formulate and adopt a very complex and customized set of Supplementary Rules under its Protection of Personal Information Act (PPIA).  The new requirements to be met by Japan will need to be completed before the half-dozen review processes required for an adequacy decision by the EU can proceed.

Thursday, July 5, 2018

European Parliament Calls for Suspension of Privacy Shield

On July 4, the European Parliament voted in favor of a resolution advanced by its LIBE Committee urging the European Commission to suspend the EU-U.S. Privacy Shield framework if the U.S. government does not fully comply with its obligations under the agreement by September 1, 2018.  The vote on the resolution was 303 to 223, with 29 abstentions, a result only marginally different from the vote on a similar resolution in April 2017, which was 306 to 240, with 40 abstentions.  Amongst the concerns driving passage of the resolution were enactment of the Clarifying Lawful Overseas Use of Data Act (or CLOUD Act); failure to appoint a permanent Ombudsperson; failure to re-establish the Privacy and Civil Liberties Oversight Board (PCLOB); and the fact that both Facebook and Cambridge Analytica were Privacy Shield participants when the scandal surrounding their massive data breach and misuse came to light.

Responding to the vote, the European Commission stated that it intends to continue to work with the U.S. to improve the implementation of Privacy Shield, noting that some 4,000 companies are currently using it.  The second joint annual review of Privacy Shield is scheduled for this October.  If history is any guide, progress will be reported by both the EU and the U.S., the Commission will endorse the outcome, the European Data Protection Board will express its lack of satisfaction, and Privacy Shield will muddle along, until struck down, like Safe Harbor, by the CJEU.  Déjà vu all over again.

Saturday, June 30, 2018

Council of Europe Updates Convention 108

On May 18, following a process lasting seven years, the Council of Europe formally updated its Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) via an amending Protocol, and issued an explanatory report on the new provisions.  The changes were prompted by new information and communication technologies, as well as by the need to strengthen the implementation components of the Convention.  According to the Council, the modernized convention “provides a robust and flexible multilateral legal framework to facilitate the flow of data across borders while providing effective safeguards when personal data are being used. It constitutes a bridge between different regions of the world and different normative frameworks.”  Fifty-three countries have adopted the legally binding international treaty, which is open to any country in the world as a unique global standard.  On June 29, Mexico became the 53rd country to accede to Convention 108.  Other non-European parties to the Convention include Uruguay, Senegal, Mauritius, Tunisia and Cabo Verde.

Wednesday, June 27, 2018

Complaints Under the GDPR Begin to Mount

Within hours of the General Data Protection Regulation coming into effect, Max Schrems and his non-profit advocacy group, None of Your Business, filed four complaints – one against Facebook, another two against its subsidiaries Instagram and WhatsApp, and a fourth against Google – all claiming that the tech companies coerced their users into accepting their terms and conditions.  The complaints were filed with DPAs in Austria, Belgium, France and Hamburg and could lead to fines of €7.6 billion.  Later in the month, the French advocacy group La Quadrature du Net filed similar charges with the French DPA against Facebook, Google, Apple, Amazon and LinkedIn.  Notably, this is the first time that non-profit organizations are asserting claims to represent data subjects under Article 80 of the GDPR, and also the first time that complaints have been filed in the data subjects’ member states rather than in a company’s European headquarters.

Other reports about complaints came from regulators and the International Association of Privacy Professionals.  According to a June 18 statement by Andrea Jelinek, Chair of the European Data Protection Board, she and her colleague DPAs are investigating 24 cross-border complaints involving forced consent.  An IAPP survey of regulators found that as of June 25, some 2,944 complaints had been received by 15 DPAs since the GDPR came into effect.  However, a breakdown of how many of these complaints related to new requirements under the GDPR was not available.

Vietnam Adopts Restrictive Cybersecurity Law

On June 12, the Vietnamese Ministry of Information and Communications announced that the National Assembly had approved, by an overwhelming majority, a cybersecurity law designed to protect national security.  Amongst its provisions are requirements for companies providing telecom and internet services to users in Vietnam for data localization, the establishment of local headquarters and making information about users judged to be engaged in anti-state activities available to authorities.  Vietnam has one of Asia’s fastest growing digital economies, but companies such as Google and Facebook may need to cease operations there, since compliance would be incompatible with their global privacy policies. How the new requirements apply to other multi-national companies remains to be determined.  The new law comes into effect on January 1, 2019.

Thursday, June 14, 2018

LIBE Calls for Suspension of Privacy Shield

On June 11, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted, by 29 to 25, to ask the European Commission to suspend the EU-U.S. Privacy Shield framework unless the U.S. government meets its obligations under the framework by September 1.  A similar resolution was approved by the identical margin by the LIBE in March 2017.  Of particular concern to the LIBE was the non-functioning of the U.S. Privacy and Civil Liberties Oversight Board (PCLOB), the failure to appoint a permanent Ombudsperson, and the recent adoption of the Clarifying Lawful Overseas Use of Data Act or CLOUD Act.  According to LIBE Chair Claude Moraes, “the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.”  The non-binding resolution will be taken up by the full Parliament in July; even if passed, as is likely, any decision about Privacy Shield will remain with the European Commission.

Thursday, May 31, 2018

Monitoring Brainwaves of Employees Growing in China

According to a report in the South China Morning Post, use of brain-reading technology to detect changes in the emotional states of employees is increasingly common in Chinese factories, public transport, state-owned companies and the military.  Wireless sensors concealed in safety helmets or uniform hats stream brainwave data to computers that use AI algorithms to detect emotional spikes, such as depression, anxiety, rage or fatigue.  Use of the technology in safety-sensitive positions, such as high-speed train operators or airline pilots, or amongst workers on a high-tech assembly line, where a single over-stressed employee could bring down an entire production line, has evident value.  The same can be said of using it to monitor employee responses in virtual reality training sessions.

However, where to draw the line between appropriate and inappropriate usage of the technology is a challenge.  Should it be used to increase the speed of a production line to the maximum its workers can tolerate?  To sideline, demote or discipline employees?  To assess the response of employees to company pronouncements?  There is clearly a slippery slope from reasonable usage to that which is not, conjuring up Orwell’s thought police.  Are workers surrendering their autonomy when their brainwaves are being read?  Do they have any protections against abuse of the technology?  Furthermore, according to a note in the MIT Technology Review, what can be reliably detected about human emotions from over-the-skin EEG sensors is still fairly unclear. 

Tuesday, May 29, 2018

General Data Protection Regulation Arrives, Ready or Not

On May 25, after advance notice that gave companies two years to bring their practices and policies into compliance, the EU’s General Data Protection Regulation came into effect.  From all reports, the majority of US firms still have a lot of work to carry out to achieve compliance.  At the same time, EU member states were equally lax, with only 11 meeting the deadline for enacting legislation reconciling their Directive-era data protection laws with the Regulation.  Only Germany, Austria, Slovakia, Denmark, Sweden, UK, the Netherlands, Poland, Belgium, Ireland and Croatia met the deadline; France did adopt a new DP law but it was immediately placed under constitutional review.  The 16 member states failing to implement the Regulation are technically subject to infringement proceedings by the European Commission, although such proceedings are unlikely given the fact that the Regulation itself came into immediate effect in each member state.  Rounding out the unreadiness of US firms and member state legislators was the lack of preparedness of regulators.  Seventeen of 24 DPAs responding to a Reuters survey in early May said they lacked the necessary funding, or would initially lack the powers, to fulfill their GDPR responsibilities.   GDPR compliance and enforcement are clearly works-in-progress.

Monday, May 28, 2018

Support for Privacy Shield Waning in the EU

During the week prior to the General Data Protection Regulation coming into effect, two of the top EU officials responsible for data protection matters expressed their declining acceptance of the Privacy Shield framework as a viable mechanism for cross-border data transfers.  Giovanni Buttarelli, the European Data Protection Supervisor, was quoted as saying “Privacy Shield is still there but is less relevant for me because the entire set of standards, including the transfer, should be subject to higher standards.”  With the GDPR in place, he said, US firms will no longer be able to use Privacy Shield as a “free pass” to use data as they see fit.  A few days earlier, Vera Jourova, the EU Justice Commissioner, who had unsuccessfully pressed the Trump administration to live up to its commitments with respect to an ombudsman and the Privacy and Civil Liberties Oversight Board, stated “I made clear that my patience is running to an end.”  The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) scheduled a vote on a report on the functioning of Privacy Shield for May 24.  Earlier in the month, the Irish High Court rejected Facebook’s attempt to stop the Court’s referral of questions about the legality and sufficiency of both Privacy Shield and standard contractual clauses to the Court of Justice of the European Union.

Tuesday, April 17, 2018

Supreme Court Drops Microsoft-Ireland Case

On April 17, the US Supreme Court dismissed the Microsoft-Ireland case on the grounds that Congressional enactment of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March rendered the case moot.  Microsoft had objected to complying with a search warrant for data stored in Ireland that was based upon the 1986 Stored Communications Act, contending that the Act did not address judicial accessibility to data stored abroad.  The CLOUD Act resolved this matter by providing an explicit legal basis for warrants to obtain data stored on foreign servers.  After the dismissal of the case, which both the Department of Justice and Microsoft supported, the DOJ served Microsoft with a new warrant for the Irish data.  Microsoft indicated that it is reviewing the warrant, although compliance with it is not a foregone conclusion.  During five years of litigation in the case, the company had argued that warrants should only be issued on the basis of relevant bilateral agreements with foreign countries; none have been negotiated between the US and Ireland.

Both Privacy Shield and SCCs on the Block in Schrems Facebook Case

On April 12, the Irish High Court set forth eleven questions it intends to put to the Court of Justice of the European Union (CJEU) stemming from the complaint against Facebook lodged by Max Schrems with the Irish Data Protection Commissioner in 2013.  A separate complaint by Schrems, it will be recalled, had led to the CJEU’s invalidation of the European Commission’s Safe Harbor adequacy decision in 2015. While most observers believed that the adequacy of protections provided through standard contractual clauses would be the sole focus of what has come to be known as Schrems II, the High Court’s CJEU referral included bombshell questioning of the validity of the Privacy Shield Framework as well.  A CJEU ruling eliminating both standard contractual clauses and Privacy Shield as viable legal bases for personal data transfers from the EU to the US could severely disrupt data transfers from Europe and the U.S. businesses that depend upon them.  The Irish High Court gave Facebook until April 30 to appeal the intended referral to the CJEU, although this appears to be largely a formality.

Much of the early analysis of the Court’s ruling (for example, here) has focused on the magnitude of its potential impact upon Facebook, which is already under enormous pressure in both the U.S. and Europe because of its Cambridge Analytica data breach.  Serious as Facebook’s problems may be, they pale in comparison with the economic upheaval that might attend a near collapse of transatlantic data flows.  Two mitigating factors should be noted, however.  In the first place, businesses using consent or binding corporate rules as the legal basis for data transfers are unlikely to be impacted by any invalidation of standard contractual clauses and Privacy Shield.  Secondly, as Max Schrems suggests in his excellent summary of the case, the CJEU might rule that only “electronic communication service providers” would be impacted by such a ruling, since the surveillance law at the heart of its Safe Harbor case, namely FISA sec. 702, only applies to them.  This would of course have enormous impact upon companies such as Facebook, Google, Amazon, Twitter, Microsoft and Apple, but might spare thousands of US companies primarily trading in goods and services.

Wednesday, March 14, 2018

CNIL Shows Pragmatic Flexibility on GDPR Enforcement

With the EU General Data Protection Regulation coming into full force and effect on May 25, 2018, the French data protection authority has announced its plans for enforcement activity once that date arrives.  Even though the adopted text of the GDPR was released nearly three years ago, in principle giving companies ample time to come into compliance, the CNIL has recognized the reality that many companies are still struggling to understand and execute the many new measures that will be required.  Demonstrating flexibility, the CNIL says that it will distinguish between two types of obligations: the fundamental principles of data protection found in the current Data Protection Directive, and the new obligations or rights found in the GDPR, such as the right to data portability and privacy impact assessments.

According to the CNIL, it will continue to “vigorously enforce” the fundamental principles, while focusing on helping companies understand and implement the new rights and obligations. Where companies are making “good faith” efforts to comply with the new rights and obligations, the CNIL states that sanction procedures will normally not be instituted “in the first months.”  The very concept of a “transitional period” during which the potential for significant sanctions will be held in abeyance, while vaguely defined, is both pragmatic and generous.  The February 19 guidance also waives the need for the immediate completion of a privacy impact assessment by companies whose processing was previously approved by the CNIL and addresses issues faced by companies awaiting CNIL response to their registrations. 

Tuesday, March 13, 2018

Update on Data Protection Enforcement in Russia

English-language information on data protection in Russia is hard to come by, thanks to the latest iteration of the Cold War, so an update by Hogan Lovells is worth highlighting.  The Russian DPA, Roskomnadzor, held a recent open house to publicize its 2017 enforcement activities.  If there was ever any doubt that Russian entities were paying attention to DP law, Roskomnadzor reported that over 400,000 data operators had registered with the authority through the end of 2017.  The majority of data subject complaints received by the DPA were directed against banks, housing services providers and debt collection agencies, with general website operators also a significant focus of complaints.  In a uniquely Russian approach to the latter, Roskomnadzor maintains a register of websites that violate data subjects’ rights.  In 2017, 453 websites were added to the register, with 176 blocked because of the seriousness of their violations, an increase in enforcement activity consistent with Roskomnadzor’s shift to systemic monitoring of entities as opposed to individual inspections.

Of particular note to US-based companies operating in Russia, Roskomnadzor clarified that data operators should obtain separate written consent for each purpose of processing.  Such guidance is consistent with the GDPR’s requirements around granular consent, although compelling it to be in writing is not.  Finally, in contrast with the weaker protections provided by US law, Roskomnadzor stated that personal data posted by social media users should not be treated as publicly available data and should only be processed on the basis of a lawful ground.

Thursday, March 1, 2018

US Supreme Court Hears Arguments in Microsoft-Ireland Case

On February 27, the US Supreme Court heard oral arguments in United States v. Microsoft Corp., where the issue is court-described as “whether a United States provider of email services must comply with a probable-cause-based warrant…by making disclosure in the United States of electronic communications within that provider's control, even if the provider has decided to store that material abroad.”  Legal proceedings began in 2013 when Microsoft challenged a warrant issued by law enforcement under the 1986 Stored Communications Act to turn over email of a target account that was stored in Ireland, a position that was upheld by the US Court of Appeals for the Second Circuit in 2016.  Dozens of amicus briefs in the case were filed by tech companies, industry associations, advocacy groups, scholars, legislators on both sides of the Atlantic, EU member states, the European Commission and attorneys general in 35 US states.

According to a report by Reuters, Supreme Court justices appeared to be divided during the hearing, with some, like Roberts and Alito, expressing sympathy for the government’s position and others, like Ginsburg and Sotomayor, questioning whether the court should act given that Congress is considering bipartisan legislation to resolve the issue.  A more extended analysis in the Lawfare blog suggests that a decision is unlikely to be made along ideological lines, that current Congressional deliberation on the CLOUD Act may be very influential, and that issues relating to sovereignty of foreign nations and global responses to any definitive ruling were only partially addressed.  A ruling in the case is expected in June.

Tuesday, February 27, 2018

Spread of National DP Laws Continues

February brought news of progress by a number of nations towards adoption of comprehensive data protection laws.  

In Brazil, the National Congress is debating two separate bills, one in the Senate and one in the House.  The House Bill on the Protection of Personal Data is strongly influenced by the EU’s General Data Protection Regulation, even updating and strengthening GDPR requirements in a number of areas.  While the bill may secure passage in 2018, comprehensive bills have been debated in Brazil on and off since 2010 (see the December 2010 report in this blog) and the current political and economic turmoil in the country may lead to further delays.

In South Africa, the country’s Information Regulator is now expected to put the Protection of Personal Information (POPI) Act into effect in the second half of 2018.  POPI was signed into law by President Jacob Zuma in 2013, but its implementation was delayed while regulatory infrastructure, capability and guidance were developed.

In India, Electronics and IT Minister Ravi Shankar Prasad stated that a report from the 10-member Srikrishna Committee on data protection was expected shortly, after which a comprehensive bill would be prepared.  In a hearing challenging the Aadhaar near the end of January, the country’s Attorney General informed the Supreme Court that a draft bill would be ready by March 2018.

In Thailand, a public consultation on a revised Personal Data Protection Bill, which incorporates a number of concepts from the GDPR, concluded on February 6.  The next steps for the bill will be its advancement to the country’s Cabinet for approval, then to the National Legislative Assembly and finally to the country’s King for final approval.

Finally, definitive effective dates for previously enacted comprehensive DP laws were reported for Bermuda and the Cayman Islands.  Bermuda’s Personal Information Protection Act, passed in July 2016, will come into full force in December 2018.  Cayman’s Data Protection Law, passed in March 2017, will come into effect a month after Bermuda's, in January 2019.

Thursday, February 22, 2018

ECHR Upholds Search of Employee Work Computer

On February 22, the European Court of Human Rights upheld the termination of a French employee on the basis of discovery of pornography on his work computer.   Eric Libert, a regional director of surveillance for SNCF, was fired in 2008 after a search of his computer revealed a large number of files containing pornographic content and what was described as forged certificates for third parties.  Libert had appealed to French courts, claiming that his employer had violated his “right to respect for private and family life,” a right guaranteed in Article 8 of the European Convention on Human Rights.  However, the courts ruled that while he had marked the files as “personal,” he should have marked them as “private,” which under French law would have prevented scrutiny by his employer.  The ECHR agreed, adding that SNCF “had pursued a legitimate aim of protecting the rights of employers, who might legitimately wish to ensure that their employees were using the computer facilities which they had placed at their disposal in line with their contractual obligations and the applicable regulations.”  It is curious that so little consideration was given by the courts to Libert’s evident intent to keep access to certain files to himself, with the ruling apparently turning upon his use of the wrong file descriptor.

The ECHR has been active in recent years in cases involving workplace monitoring, threading the needle on this issue by deciding cases with close attention to the facts involved.  As reported in this blog, the ECHR backed the monitoring of chats and webmail accounts of a Romanian employee in January 2016, but just last month ruled against what turned out to be partially covert video surveillance of Spanish employees.  As noted in the earlier case, ECHR rulings, unlike those of the Court of Justice of the European Union, are only applicable in the member state in which the case originates.

Sunday, February 11, 2018

Next Frontier for the Labor Movement: Data Privacy & AI

A recent report by Sarah O’Connor in The Financial Times (“Algorithms at work signal a shift to management by numbers”) provided a well-balanced and thoughtful overview of the benefits and risks associated with the use of artificial intelligence in the workplace.  Of particular interest is her highlighting of two new sets of principles a major international union has issued focusing upon data privacy and AI in the workplace.  On December 17, 2017, the UNI Global Union issued ten principles in each domain that it contends should be incorporated into collective bargaining agreements and international labor standards.  The Swiss-based UNI Global Union represents 20 million skills and services workers in over 900 trade unions located in 150 countries.  According to UNI’s General Secretary:  “Data collection and artificial intelligence are the next frontier for the labour movement. Just as unions established wage, hour, and safety standards during the Industrial Revolution, it is urgent that we set new benchmarks for the Digital Revolution.”

The data privacy principles, drawn from the GDPR, Council of Europe Recommendation CM/Rec (2015) and the Article 29 Working Party Opinion 2/2017, address familiar data protection concepts, such as data subject access, data security, minimization, transparency, accountability, and notification.  The ethical AI principles, drawn from half a dozen sources, include transparency; equipping AI systems with an “ethical black box;” making AI serve people and planet; adopting a human-in-command approach; ensuring genderless, unbiased AI; establishing global governance mechanisms and banning the attribution of responsibility to robots.

While the rights and interests of workers on matters relating to data protection and automation have a well-established and familiar platform within Europe, namely through workers councils, the same cannot be said elsewhere.  If unions and other employee organizations outside of Europe have been active around these issues, they have kept it a closely-guarded secret, one that the UNI Global Union and its Future of Work project hope to put an end to.

Thursday, February 1, 2018

Corporate Use of Social Networking Media Continues to Grow

In a recent article, CIO Journal provided an update on corporate adoption of social media platforms as collaboration tools.  As reported in this blog, Facebook entered the enterprise social networking market in October 2016, after beta testing a product called Workplace with companies such as the Royal Bank of Scotland, Danone, Starbucks, Telenor and  According to Facebook, Workplace is now used by 30,000 organizations, within which over a million user groups have formed.  Newer adopters include Wal-Mart, Stanley Black & Decker and Virgin Atlantic.  Microsoft launched its networking and collaboration tool, Teams, in March 2017, as a free component of the enterprise and small-business versions of Office 365. According to Microsoft, Teams is now used by 125,000 organizations.  With a large and ever increasing number of competitors to both Workplace and Teams, the overall market for corporate social networking tools is forecast to be worth $3.2 billion by 2021, representing an average annual growth rate of 11%.  Obstacles remain, however, with trust, security and siloization caused by the profusion of product choices continuing to be major issues.

Monday, January 29, 2018

China Issues Personal Information Security Specification

On January 2, the Standardization Administration of China published the final text of its Information Security Technology – Personal Information Security Specification, which will come into effect on May 1, 2018. While the data protection standard it establishes is not strictly obligatory, it sets forth a set of best practices that regulators will clearly reference as they audit companies, with drafts of the specification already used for this purpose.  The specification incorporates the comprehensive privacy principles found in most omnibus data protection laws, addressing the collection, use, disclosure, retention and safeguarding of personal information, as well as data subject rights.  The specification closely aligns with the General Data Protection Regulation in many areas, such as:  the definition of personal information; the data controller-data processor distinction; obligations relating to consent; the principles of transparency, purpose limitation, minimization and proportionality; notice requirements; data breach notification; and privacy impact assessments.  At the same time, it deviates from the GDPR in a number of regards, such as:  a broader definition of sensitive data; the absence of legitimate interests as a basis for processing; a stronger right to be forgotten; requirements of separate notices for collection and for sharing of personal data; and more granular security requirements.  Notably, the specification leaves details about international data transfers to separate regulations and standards expected in the future.

We now are witnessing watershed moments in the development of comprehensive privacy protections in the EU, with the May 2018 implementation of the General Data Protection Regulation; in India, with its Supreme Court’s recognition of a constitutional right to privacy; and in China, with its steady adoption of internationally accepted principles of information privacy.  The contrast with the lack of legislative progress at the national level in the US could not be starker.

Tuesday, January 23, 2018

Irish High Court Preparing Model Contract Questions for CJEU

After four days of hearings ending on January 18, which included submissions from the Irish DPA, Facebook, Max Schrems, the US government and other interested parties, High Court Justice Caroline Costello will decide exactly what questions and statements of fact will be put before the Court of Justice of the European Union with respect to the adequacy of standard contractual clauses as a safeguard when transferring personal data from Europe to the US. Justice Costello had previously expressed the hope that the parties to the case brought by Schrems would work together and agree upon the precise language of the questions to be brought to the CJEU, but there was no indication that any such agreement had been reached.  With legal challenges already pending against the EU-US Privacy Shield framework, a CJEU ruling against reliance upon model contracts could completely disrupt trans-Atlantic data flows and trade.  No date was set for when the High Court’s referral to the CJEU would be finalized.

Friday, January 19, 2018

ECHR Rules Against Covert Video Surveillance of Employees

On January 9, the European Court of Human Rights found that the privacy rights of five employees of a Spanish supermarket had been violated when their employer used evidence of their participation in theft of merchandise obtained via covert video cameras to justify their firing.  In its ruling in López Ribalda v. Spain, the court based its decision largely upon the fact that while employees had been informed about the location of some video surveillance cameras, others were secretly installed without their knowledge.  Furthermore, the court found that blanket surveillance of all employees when only some were suspected, plus the employer’s apparent intention to leave the hidden cameras in place on a permanent basis, violated the principle of proportionality.  While the Spanish High Court of Justice had found the evidence of theft to have been lawfully obtained, the ECHR ruled that Spanish courts had failed to strike a fair balance between the employees’ right to privacy and the employer’s property rights.  While the employees were not awarded back pay, since their terminations were upheld, the court did grant them compensatory damages totaling €4,000.  Late in 2017 the ECHR also ruled, in Antović and Mirković v Montenegro, that video surveillance at multiple locations in the University of Montenegro, while not covert but without sufficient grounds for its installation and use, constituted an unjustified interference with the right to privacy as guaranteed by Article 8 of the European Convention on Human Rights.

Friday, January 12, 2018

EC: Post-Brexit UK Will Become a Third Country

On January 9, the European Commission issued a Notice to Stakeholders that states that after March 30, 2019 the UK will become a “third country” with respect to transfers of personal data from the EU.  Barring a change in the withdrawal date or the achievement of an adequacy decision as part of a ratified withdrawal agreement, the Notice states that organizations transferring personal data from the EU to the UK will need to provide “appropriate safeguards” for the data, utilizing standard contractual clauses, binding corporate rules, approved codes of conduct or approved certification mechanisms, or justify the transfer on the basis of one of the standard derogations, such as consent.  Unfortunately for businesses, uncertainty about the timing and substance of the withdrawal agreement may compel the needless expenditure of resources on the development of alternative data transfer mechanisms that prove to be unnecessary.

Data transfers from the UK to the US will also need a new legal underpinning once the country’s separation from the EU occurs, since the UK will no longer be eligible to utilize the EU-US Privacy Shield framework.  Presumably a new UK-US Privacy Shield framework could be developed without great difficulty, as was the case with the creation of the Swiss-US Privacy Shield framework.