News Archives

Monday, January 29, 2018

China Issues Personal Information Security Specification

On January 2, the Standardization Administration of China published the final text of its Information Security Technology – Personal Information Security Specification, which will come into effect on May 1, 2018. While the data protection standard it establishes is not strictly obligatory, it sets forth a set of best practices that regulators will clearly reference as they audit companies; drafts of the specification have already been used for this purpose. The specification incorporates the comprehensive privacy principles found in most omnibus data protection laws, addressing the collection, use, disclosure, retention and safeguarding of personal information, as well as data subject rights. The specification closely aligns with the General Data Protection Regulation in many areas, such as: the definition of personal information; the data controller-data processor distinction; obligations relating to consent; the principles of transparency, purpose limitation, minimization and proportionality; notice requirements; data breach notification; and privacy impact assessments. At the same time, it deviates from the GDPR in a number of regards, such as: a broader definition of sensitive data; the absence of legitimate interests as a basis for processing; a stronger right to be forgotten; requirements of separate notices for collection and for sharing of personal data; and more granular security requirements. Notably, the specification leaves details about international data transfers to separate regulations and standards expected in the future.

We are now witnessing watershed moments in the development of comprehensive privacy protections in the EU, with the May 2018 implementation of the General Data Protection Regulation; in India, with its Supreme Court’s recognition of a constitutional right to privacy; and in China, with its steady adoption of internationally accepted principles of information privacy. The contrast with the lack of legislative progress at the national level in the US could not be starker.

Tuesday, January 23, 2018

Irish High Court Preparing Model Contract Questions for CJEU

After four days of hearings ending on January 18, which included submissions from the Irish DPA, Facebook, Max Schrems, the US government and other interested parties, High Court Justice Caroline Costello will decide exactly what questions and statements of fact will be put before the Court of Justice of the European Union with respect to the adequacy of standard contractual clauses as a safeguard when transferring personal data from Europe to the US. Justice Costello had previously expressed the hope that the parties to the case brought by Schrems would work together and agree upon the precise language of the questions to be brought to the CJEU, but there was no indication that any such agreement had been reached. With legal challenges already pending against the EU-US Privacy Shield framework, a CJEU ruling against reliance upon model contracts could completely disrupt trans-Atlantic data flows and trade. No date was set for when the High Court’s referral to the CJEU would be finalized.

Friday, January 19, 2018

ECHR Rules Against Covert Video Surveillance of Employees

On January 9, the European Court of Human Rights found that the privacy rights of five employees of a Spanish supermarket had been violated when their employer used evidence, obtained via covert video cameras, of their participation in theft of merchandise to justify their firing. In its ruling in López Ribalda v. Spain, the court based its decision largely upon the fact that while employees had been informed about the location of some video surveillance cameras, others were secretly installed without their knowledge. Furthermore, the court found that blanket surveillance of all employees when only some were suspected, plus the employer’s apparent intention to leave the hidden cameras in place on a permanent basis, violated the principle of proportionality. While the Spanish High Court of Justice had found the evidence of theft to have been lawfully obtained, the ECHR ruled that Spanish courts had failed to strike a fair balance between the employees’ right to privacy and the employer’s property rights. While the employees were not awarded back pay, since their terminations were upheld, the court did grant them compensatory damages totaling €4,000. Late in 2017 the ECHR also ruled, in Antović and Mirković v. Montenegro, that video surveillance at multiple locations in the University of Montenegro, which, although not covert, had been installed and used without sufficient grounds, constituted an unjustified interference with the right to privacy as guaranteed by Article 8 of the European Convention on Human Rights.

Friday, January 12, 2018

EC: Post-Brexit UK Will Become a Third Country

On January 9, the European Commission issued a Notice to Stakeholders stating that after March 30, 2019 the UK will become a “third country” with respect to transfers of personal data from the EU. Barring a change in the withdrawal date or the achievement of an adequacy decision as part of a ratified withdrawal agreement, the Notice states that organizations transferring personal data from the EU to the UK will need either to provide “appropriate safeguards” for the data, utilizing standard contractual clauses, binding corporate rules, approved codes of conduct or approved certification mechanisms, or to justify the transfer on the basis of one of the standard derogations, such as consent. Unfortunately for businesses, uncertainty about the timing and substance of the withdrawal agreement may compel the needless expenditure of resources on the development of alternative data transfer mechanisms that prove to be unnecessary.

Data transfers from the UK to the US will also need a new legal underpinning once the country’s separation from the EU occurs, since the UK will no longer be eligible to utilize the EU-US Privacy Shield framework. Presumably a new UK-US Privacy Shield framework could be developed without great difficulty, as was the case with the creation of the Swiss-US Privacy Shield framework.