News Archives

Sunday, February 11, 2018

Next Frontier for the Labor Movement: Data Privacy & AI

A recent report by Sarah O’Connor in The Financial Times (“Algorithms at work signal a shift to management by numbers”) provided a well-balanced and thoughtful overview of the benefits and risks associated with the use of artificial intelligence in the workplace.  Of particular interest is her highlighting of two new sets of principles a major international union has issued focusing upon data privacy and AI in the workplace.  On December 17, 2017, the UNI Global Union issued ten principles in each domain that it contends should be incorporated into collective bargaining agreements and international labor standards.  The Swiss-based UNI Global Union represents 20 million skills and services workers in over 900 trade unions located in 150 countries.  According to UNI’s General Secretary:  “Data collection and artificial intelligence are the next frontier for the labour movement. Just as unions established wage, hour, and safety standards during the Industrial Revolution, it is urgent that we set new benchmarks for the Digital Revolution.”

The data privacy principles, drawn from the GDPR, Council of Europe Recommendation CM/Rec (2015) and the Article 29 Working Party Opinion 2/2017, address familiar data protection concepts, such as data subject access, data security, minimization, transparency, accountability, and notification.  The ethical AI principles, drawn from half a dozen sources, include transparency; equipping AI systems with an “ethical black box;” making AI serve people and planet; adopting a human-in-command approach; ensuring genderless, unbiased AI; establishing global governance mechanisms and banning the attribution of responsibility to robots.

While the rights and interests of workers on matters relating to data protection and automation have a well-established and familiar platform within Europe, namely through workers councils, the same cannot be said elsewhere.  If unions and other employee organizations outside of Europe have been active around these issues, they have kept it a closely-guarded secret, one that the UNI Global Union and its Future of Work project hopes to put an end to.  

Thursday, February 1, 2018

Corporate Use of Social Networking Media Continues to Grow

In a recent article, CIO Journal provided an update on corporate adoption of social media platforms as collaboration tools.  As reported in this blog, Facebook entered the enterprise social networking market in October 2016, after beta testing a product called Workplace with companies such as the Royal Bank of Scotland, Danone, Starbucks, Telenor and  According to Facebook, Workplace is now used by 30,000 organizations, within which over a million user groups have formed.  Newer adopters include Wal-Mart, Stanley Black & Decker and Virgin Atlantic.  Microsoft launched its networking and collaboration tool, Teams, in March 2017, as a free component of the enterprise and small-business versions of Office 365. According to Microsoft, Teams is now used by 125,000 organizations.  With a large and ever increasing number of competitors to both Workplace and Teams, the overall market for corporate social networking tools is forecast to be worth $3.2 billion by 2021, representing an average annual growth rate of 11%.  Obstacles remain, however, with trust, security and siloization caused by the profusion of product choices continuing to be major issues.

Monday, January 29, 2018

China Issues Personal Information Security Specification

On January 2, the Standardization Administration of China published the final text of its Information Security Technology – Personal Information Security Specification, which will come into effect on May 1, 2018. While the data protection standard it establishes is not strictly obligatory, it sets forth a set of best practices that regulators will clearly reference as they audit companies, with drafts of the specification already used for this purpose.  The specifications incorporate the comprehensive privacy principles found in most omnibus data protection laws, addressing the collection, use, disclosure, retention and safeguarding of personal information, as well as data subject rights.  The specification closely aligns with the General Data Protection Regulation in many areas, such as:  the definition of personal information; the data controller-data processor distinction; obligations relating to consent; the principles of transparency, purpose limitation, minimization and proportionality; notice requirements; data breach notification; and privacy impact assessments.  At the same time, it deviates from the GDPR in a number of regards, such as:  a broader definition of sensitive data; the absence of legitimate interests as a basis for processing; a stronger right to be forgotten; requirements of separate notices for collection and for sharing of personal data; and more granular security requirements.  Notably, the specification leaves details about international data transfers to separate regulations and standards expected in the future.

We now are witnessing watershed moments in the development of comprehensive privacy protections in the EU, with the May 2018 implementation of the General Data Protection Regulation; in India, with its Supreme Court’s recognition of a constitutional right to privacy; and in China, with its steady adoption of internationally accepted principles of information privacy.  The contrast with the lack of legislative progress at the national level in the US could not be starker.

Tuesday, January 23, 2018

Irish High Court Preparing Model Contract Questions for CJEU

After four days of hearings ending on January 18, which included submissions from the Irish DPA, Facebook, Max Schrems, the US government and other interested parties, High Court Justice Caroline Costello will decide exactly what questions and statements of fact will be put before the Court of Justice of the European Union with respect to the adequacy of standard contractual clauses as a safeguard when transferring personal data from Europe to the US. Justice Costello had previously expressed the hope that the parties to the case brought by Schrems would work together and agree upon the precise language of the questions to be brought to the CJEU, but there was no indication that any such agreement had been reached.  With legal challenges already pending against the EU-US Privacy Shield framework, a CJEU ruling against reliance upon model contracts could completely disrupt trans-Atlantic data flows and trade.  No date was set for when the High Court’s referral to the CJEU would be finalized.

Friday, January 19, 2018

ECHR Rules Against Covert Video Surveillance of Employees

On January 9, the European Court of Human Rights found that the privacy rights of five employees of a Spanish supermarket had been violated when their employer used evidence of their participation in theft of merchandise obtained via covert video cameras to justify their firing.  In its ruling in López Ribalda v. Spain, the court based its decision largely upon the fact that while employees had been informed about the location of some video surveillance cameras, others were secretly installed without their knowledge.  Furthermore, the court found that blanket surveillance of all employees when only some were suspected, plus the employer’s apparent intention to leave the hidden cameras in place on a permanent basis, violated the principle of proportionality.  While the Spanish High Court of Justice had found the evidence of theft to have been lawfully obtained, the ECHR ruled that Spanish courts had failed to strike a fair balance between the employees’ right to privacy and the employer’s property rights.  While the employees were not awarded back pay, since their terminations were upheld, the court did grant them compensatory damages totaling €4,000.  Late in 2017 the ECHR also ruled, in Antović and Mirković v Montenegro, that video surveillance at multiple locations in the University of Montenegro, while not covert but without sufficient grounds for its installation and use, constituted an unjustified interference with the right to privacy as guaranteed by Article 8 of the European Convention on Human Rights.

Friday, January 12, 2018

EC: Post-Brexit UK Will Become a Third Country

On January 9, the European Commission issued a Notice to Stakeholders that states that after March 30, 2019 the UK will become a “third country” with respect to transfers of personal data from the EU.  Barring a change in the withdrawal date or the achievement of an adequacy decision as part of a ratified withdrawal agreement, the Notice states that organizations transferring personal data from the EU to the UK will need to provide “appropriate safeguards” for the data, utilizing standard contractual clauses, binding corporate rules, approved codes of conduct or approved certification mechanisms, or justify the transfer on the basis of one of the standard derogations, such as consent.  Unfortunately for businesses, uncertainty about the timing and substance of the withdrawal agreement may compel the needless expenditure of resources on the development of alternative data transfer mechanisms that prove to be unnecessary.

Data transfers from the UK to the US will also need a new legal underpinning once the country’s separation from the EU occurs, since the UK will no longer be eligible to utilize the EU-US Privacy Shield framework.  Presumably a new UK-US Privacy Shield framework could be developed without great difficulty, as was the case with the creation of the Swiss-US Privacy Shield framework.