On Dec. 19, Spain became the first of six European governments taking enforcement actions against Google to fine the Internet giant over its consolidation of user data across all its products and services. The fine, $1.24 million, is the maximum permissible under current Spanish data protection law; fines in the other five countries are expected to be roughly similar. Under the proposed new General Data Protection Regulation, Google could be fined up to 5% of its total revenues, or as much as $750 million, presumably in each member state.
Dip in HR Data Breaches in December
Perhaps it was a combo NSA/Santa effect (i.e., awareness that someone is watching), but only four breaches of employment-related personal information were reported in December: Actelis Networks (an undisclosed number of employees impacted by the theft of two safes containing password-protected human resources files); Washington Post (servers hacked for at least the third time in three years, revealing an unknown number of employee user names and passwords; apparently basic employee records were not compromised); State of Colorado (18,800 current and former employees placed in jeopardy by the loss of a USB drive containing their personal data, including SSNs); and Metropolitan Nashville Public Schools (6,300 teachers impacted by discovery that a state IT worker had downloaded their data to a personal account, allegedly to be able to work on the files at home).
Progress on EU Data Protection Regulation Falters at Council Meeting
During a meeting on December 6, the Council of the EU failed to make any progress towards the adoption of an agreed negotiating position on the proposed General Data Protection Regulation. The key stumbling block was the concept of a one-stop-shop for regulatory oversight of multi-national companies, with Germany, the Czech Republic, Hungary and Denmark all opposed to the concept. A German official at the rancorous meeting was quoted as saying “Harmonization, yes, but not at any price,” while the head of the legal service for the Council argued that the one-stop-shop rule would undermine citizens’ right to legal protection under EU treaties. Commission VP Viviane Reding acknowledged that it was “a disappointing day for data protection” but vowed to press onward, even as the May election of a new EU Parliament loomed on the horizon. The incoming Greek Presidency seems equally committed to concluding discussions and finalizing the regulation before May.
Draft LIBE Report Calls for Suspension of Safe Harbor and TFTP
On December 18, the Civil Liberties Committee of the EU Parliament released the preliminary conclusions of its months-long inquiry into surveillance of EU citizens by the NSA. The draft calls upon the European Commission to suspend the Safe Harbor framework and the Terrorist Financial Tracking Program, urging that the former be re-negotiated. The draft also calls for the swift development of an EU data storage “cloud” to protect EU citizens' data, for judicial redress for EU citizens when their data is transferred to the U.S. and for stronger protection for whistleblowers. In addition, noting the co-operation of Canada and New Zealand as “Five Eyes” surveillance partners with the NSA, the draft calls upon the Commission to revisit and possibly revoke its adequacy findings for the two countries. A vote on the draft resolution by the LIBE Committee is expected by the end of January and by Parliament as a whole in late February.
UN Votes to Protect Privacy in the Digital Age
On December 18, 193 members of the UN General Assembly unanimously approved a Brazilian-German resolution entitled “The right to privacy in the digital age,” which asserts that individuals should not be denied human rights simply because they live in another country from the one that is surveilling them. Responding to reports of mass surveillance, the resolution calls on all countries to take measures to end activities that violate privacy, which is described as a “fundamental tenet of a democratic society.” The resolution also calls upon the UN High Commissioner for Human Rights to submit recommendations for steps that can be taken to ensure that privacy rights secured in the offline world are not lost in the online world.
Ikea Spying on Employees Stir Outrage in France
A regional court in Versailles is examining whether twelve Ikea executives in France broke the law by hiring private investigators to investigate the private lives of dozens of its employees for a variety of reasons, some more understandable than others. Agents of the court have searched the offices and homes of several former Ikea employees, private investigators and even police officers suspected of having provided privileged information from government databases. The case was brought by a former deputy director of communications and merchandising for the chain’s 44 store in France, who was fired for allegedly falsifying the extent of her illness during a medical leave.
GAO Calls for Strengthening Current Privacy Framework
The Government Accountability Office issued a 61-page report on information resellers that urges Congress to consider legislation that would strengthen privacy protections for consumers and bring existing federal law more into line with the Fair Information Practice Principles. The GAO's conclusion echoes Administration reports released by the Commerce Department in February 2012 that called for a consumer privacy bill of rights and the Federal Trade Commission's report a month later. While the report recommends a legislative approach, it does not specify whether the new privacy law should be comprehensive or sector-specific.
ALJ Upholds Ban on Audio Recordings in the Workplace
An Administrative Law Judge upheld a prohibition set by Whole Foods Markets against the use of smartphones or other devices to record conversations in the workplace, rejecting the claim by the NLRB’s Acting General Counsel that employees have a legally protected right to record their co-workers and managers and finding no violation of the National Labor Relations Act by the policy. The ALJ’s decision is not binding on the National Labor Relations Board and is likely to be appealed to it.
Tech Firms Tightening Encryption in Response to NSA Spying
Following disclosure of NSA interception of fiber-optic cables linking the data centers of companies such as Google and Yahoo, many Internet firms were reported to be tightening their security to better protect user data. Yahoo announced that it would encrypt the user traffic flowing between its data centers in 2014, while Google, which had already initiated such an undertaking, said it would accelerate these efforts. On November 20, following similar announcements by Google, Mozilla and Facebook, Twitter announced that it would add Perfect Forward Secrecy to its arsenal of security measures. Perfect Forward Secrecy encrypts each web session with an ephemeral key that is discarded once the session is over, making the communications involved much, much harder to crack. According to a Gigaom report, Snowden’s legacy may be that the open web could soon be encrypted by default.
Eight Breaches of HR Data in November
There were eight reports of breaches of employment-related data in November: City of Milwaukee (a flash drive with employee wellness data of thousands of city employees stolen from a worker's car, leading the city to file a complaint with the federal Office of Civil Rights against Dynacare, the provider of the wellness program, as well as a decision by the city to stop disclosing SSNs to contractors); Bridgemark Healthcare (names and SSNs of 800 401k plan participants accidentally mailed with a 401k update to all 800 current and former employees); Flamingo Resort and Spa (an undisclosed number of employees of the Santa Rosa hotel impacted by malware discovered on a payroll system); Kroll Background America (personal data of an undisclosed number of individuals, including 548 in California alone, exposed in a criminal cyberattack); Granite State College (an unknown number of employees jeopardized when a phishing scheme led some employee data to be sent to a Gmail account); Clarity Media Group (personal data of an undisclosed number of current and former employees and their families exposed when a laptop was stolen from an employee’s car); Fulton County, GA (hundreds of county workers fearful that their data could be misused when they found the names of strangers listed as beneficiaries of their Aetna life insurance policies during Internet-enabled open enrollment); and Baltimore County, MD (banking information for 6,000 current and former county employees found by police on the computer of a former IT contract worker).
Commission Proposes Reforms of Safe Harbor Framework
As part of its November 27 position statement, the European Commission proposed 13 reforms to the Safe Harbor framework: (1) public disclosure of participants’ privacy policies; (2) inclusion of links to the DOC Safe Harbor List in policies; (3) publishing the privacy conditions of all contracts with subcontractors; (4) DOC maintenance of a list of companies that do not renew their Safe Harbor certification; (5) privacy policies must include links to dispute resolution bodies; (6) alternative dispute resolution mechanism must be affordable and readily available; (7) DOC monitoring of the transparency and effectiveness of alternative dispute resolution bodies; (8) a certain percentage of participants should be subject to official compliance reviews each year; (9) participants found to be out compliance to be reinvestigated the following year; (10) DOC notification to EU DPAs when there are concerns about a participant’s compliance; (11) false claims of participation to continue to be investigated; (12) policies should include the potential for data to be accessed for national security and law enforcement purposes; and (13) the national security exception to allow disclosures only as strictly necessary and proportionate to address security concerns. Making clear that the Commission has the power to suspend or terminate the Safe Harbor agreement, the Commission said that it wants to have remedies identified by next summer and implemented as soon as possible. Once the remedies are in place, the Commission will conduct a comprehensive review of Safe Harbor, in consultation with the EU Parliament and council and discussions with U.S. authorities.
Supreme Court Declares Alberta’s Privacy Act Invalid
On November 15, the Supreme Court of Canada, ruling in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, found Alberta’s Personal Information Protection Act (PIPA) invalid on the basis that it infringes the right to freedom of expression enshrined in the Canadian Charter of Rights and Freedoms. The case focused upon whether union videotaping of casino employees who crossed a picket line infringed upon their privacy. The Court suspended its declaration of invalidity for twelve months, to allow the Alberta Legislature time to revise the PIPA. Because the provisions in question are effectively identical to those in the BC and federal privacy laws, the same amendments will need to be enacted in Victoria and Ottawa to keep those laws constitutionally viable.
South African DP Act Signed into Law
Three months after it was passed by Parliament, President Jacob Zuma signed the Protection of Personal Information Act into law in South Africa. The Act, modeled upon European precedents, includes data breach notification requirements, the establishment of a data protection authority (the Information Protection Regulator, or IPR) with the power to impose fines of up to about 700,000 Euros, and the potential for criminal sanctions of up to ten years imprisonment. Section 114 of the Act states that its provisions will be effective one year after the official commencement date. This date has not yet been announced, but is expected to be sometime in 2014.
HHS OCR Issues Model Privacy Notices
In mid-September, the Office of Civil Rights of the U.S. Dept. of Health and Human Services published model Notices of Privacy Practices for health care providers and health plans to use to communicate with their patients and plan members. The notices are a useful benchmark for any organization seeking to develop a clear, layered and accessible privacy notice.
Mobile Device Users Putting Workplace at Risk
The 2013 Norton Report, released by security firm Symantec, showed that many workers are sharing corporate information with friends and families through online storage sites, allowing their kids to download games, shop and play on work devices, and engaging in other risky behavior. The report, based upon a survey of 500 workers in 24 countries, underscores the need for companies to address the risks involved in allowing employees to use mobile devices for corporate purposes.
Ten HR Data Breaches in October
Personal data of applicants or employees was breached by at least 10 organizations, according to reports published in October: Petrochem (names, SSNs, employee IDs and other data of an undisclosed number of employees compromised when a laptop was stolen from an employee’s locked car); City of Wichita (personal information of 29,000 employees and vendors exposed when the city’s website was hacked by a Turkish group claiming to have penetrated the security of a number of U.S. cities); Milwaukee Public School District (SSNs of more than 6,000 employees put in plain view in letters about prescription drug coverage sent out by a third party vendor, Express Scripts); TSYS (5,200 employees of the Columbus firm jeopardized after an employee of a benefits administration firm, subsequently arrested by the FBI, e-mailed their data to his personal Gmail account); California State University (personal data of 1,800 staff members breached by hacking); Ektron (information of 22 employees exposed through access by an unauthorized third party); Gordon Supply Company (personnel records of 400 employees of the New York company found by a woman in her backyard); Michigan State University (an undisclosed number of employees impacted by a phishing attack aiming to modify the employees’ banking information on the university’s SAP HR/Payroll system); Yusen Logistics (personal data of an unknown number of employees compromised when an unencrypted laptop was stolen from an employee’s car); and Genesis Rehabilitation Services (33 employees of the Pennsylvania firm impacted when an unencrypted thumb drive containing their information was lost).
LIBE Committee Adopts New Draft Data Protection Regulation
On October 21, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted to adopt a compromise report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and the Commission (known as the “trialogue” stage), shifting the pressure to the Member State governments to reach agreement. The Committee aims to have a plenary Parliamentary vote in March 2014 before Parliamentary elections. Highlights of the report include increased sanctions of as high as €100 million or 5% of annual global turnover (whichever is greater); tightened conditions for consent; retention of the “right to be forgotten”; inclusion of the “one-stop-shop”; obligatory internal DPOs when the data of 5,000 or more individuals is processed within a year; data breaches to be reported ”without undue delay”; extensive new provisions on data processing in the employment context; restrictions on transfers of data to national security agencies; and use of standardized symbols to tell consumers how their data is handled. Other summaries of the Committee’s report were provided by Hunton & Williams, Field Fisher Waterhouse and MEP Jan Philipp Albrecht, the Parliament’s Rapporteur with respect to the Regulation.
China Expands Protections for Consumer Personal Data
On October 25, the Standing Committee of the National People's Congress of the People's Republic of China passed an amendment to the Law on the Protection of Consumer Rights and Interests, which will become effective on March 15, 2014. While sectoral privacy protections had previously been promulgated, initially for Internet service providers and later for telecom service providers, the new protections for the first time establish uniform, nationwide protections for all consumer personal information. Under the amendments, businesses must obtain consumer consent to the collection and use of their personal information; expressly inform the consumer of the purpose, methods and scope for the collection and use of the information; keep the information strictly confidential; not disclose, sell or illegally provide the information to others; take technical or other measures to ensure the security of the information; take steps to mitigate possible harm resulting from any actual or suspected unauthorized disclosure of the information; and not distribute commercial or marketing information without a consumer's consent or request.
South Korea Launches Ambitious Certification Scheme
The Korean Ministry of Security and Public Administration announced that the government will begin the process of issuing certifications to private and public companies that effectively comply with privacy regulations. Organizations can begin filing applications for the certifications with the National Information Society Agency (NISA) on November 28, with the agency then taking a close look at the firms’ privacy protection policies and the measures they have in place to prevent leaks of personal information. Self-employed individuals will be required to meet 35 obligations set by NISA; small- and medium-sized firms 52 items; and large businesses or state-run firms 65 items. Firms or individuals that pass the test and are granted certifications will be obligated to undergo annual inspection from the NISA to ensure continued compliance.
Court Says Street View Privacy Case Can Proceed
In a major legal setback for Google, a federal appeals court in San Francisco said that a class action lawsuit accusing the Internet giant of illegal wiretapping could proceed. Google tried to get the case dismissed, saying the Wi-Fi communications it captured were “readily accessible to the general public” and therefore not a violation of federal wiretapping laws. The lower court rejected that argument and so did the Court of Appeals for the Ninth Circuit. The unanimous, 35-page decision by a three-judge panel found little merit in Google’s legal maneuverings, stating at one critical point that the company was basically inventing meanings in an effort to declare its actions legal.
NSA Spying Sparks Race to Create Offshore Havens for Data Privacy
According to a report in the Wall Street Journal, revelations of NSA global spying have prompted many countries to aspire to becoming the Cayman Islands of data privacy, by offering cloud computing services through servers located within their own territory. For example, three of Germany's largest email providers, including partly state-owned Deutsche Telekom AG, have teamed up to offer a new encrypted email service, Email Made in Germany, while a number of European leaders are calling for a “Euro Cloud” and India is planning to prohibit government officials from using U.S. email services. U.S. Internet companies are watching such developments with trepidation.
Nine HR Data Breaches in September
The number of breaches of employment-related personal information rose in September, with nine reported: R.T. Jones Capital Equities Management (an undisclosed number of employees of the firm's clients, including 809 in Maryland alone, impacted by a cyper-attack on the corporate website); The New Teacher Project (names, DOBs, SSNs and employee ID numbers of an unknown number of former and current employees of the national non-profit compromised when a laptop was stolen from the organization’s Brooklyn, NY office); Virginia Tech (personal information of nearly 150,000 job applicants from 2003 through 2013 exposed through a hack of a server used by the school’s Department of Human Resources); State of Virginia (personal data of 13,000 employees inadvertently sent to 11 state human resource and payroll employees); AlliedBarton Security Services (an undisclosed number of employees impacted by a previously disclosed ADP coding error in payroll tax statements affecting 206 ADP clients); Sentry Life Insurance and the U.S. Dept. of Labor (an undetermined number of employees affected by the accidental disclosure of their names, SSNs and account balances by the 401k service provider to the U.S. Dept. of Labor, compounded by the DOL’s uploading of the 5500 forms with the data to a public website); Denny’s in Phoenix (job applications of 200 applicants found in a dumpster behind the restaurant); Bank of Tokyo-Mitsubishi (an undisclosed number of employees placed in jeopardy when their names and SSNs were erroneously emailed by their vendor AON Hewitt to another client of AON Hewitt); and Edgewood Partners Insurance Center (an unknown number of employees impacted by the theft of five unencrypted laptops from the company’s offices in San Francisco).
U.S. Continues to Defend Safe Harbor
Speaking at a September 17 data protection conference in Brussels, FTC Commissioner Julie Brill drew a sharp distinction between commercial privacy and national security issues. According to Brill, “In recent months, the NSA revelations have led some to ask whether the Safe Harbor can adequately protect EU citizens’ data in the commercial context. My unequivocal answer to this question is ‘yes,’” adding that the issue of the proper scope of government surveillance is “a conversation that should proceed outside of the commercial privacy context.” Brill also pointed out that FTC enforcement actions against Google, Facebook and MySpace included their failure to comply with Safe Harbor and resulted in settlements that protect EU citizens as well as Americans.
OECD Issues Revised Privacy Guidelines
The Organization for Economic Cooperation and Development has revised its Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data. While the eight basic principles of the 1980 Guidelines remain the same, a number of new concepts have been added, including the implementation of privacy management programs, mandatory data breach notification, the need for privacy enforcement authorities, national privacy strategies and improved global interoperability. Like the EU’s proposed General Data Protection Regulation, the revised Guidelines put a strong emphasis on the principle of accountability as a means to promote and define organizational responsibility for privacy protection. According to a report by Nigel Waters in the Privacy Laws & Business international newsletter, civil society representatives participating in the revision process believe the final text of the Guidelines was hijacked, undermining the importance of comprehensive privacy law as one means of regulating transborder data flows and sacrificing earlier references to mutual recognition of strong data protection laws on the altar of interoperability.
Manitoba Passes Private Sector Privacy Law
During September the Manitoba legislature quietly passed The Personal Information Protection and Identity Theft Prevention Act, which is expected to add Manitoba to the short list of Canadian provinces with private sector privacy laws that are "substantially similar" to the federal PIPEDA. Quebec, British Columbia and Alberta are the other provinces with such legislation; Ontario, Canada’s largest province, lacks such a law. The statute received Royal Assent on September 13 and awaits official proclamation to come into force.
Article 29 WP Launches Assessment of U.S. Surveillance Programs
On August 13, the Article 29 Working Party released a letter sent to European Commission Vice-President Vivian Reding indicating that it was initiating an independent assessment of American surveillance programs and seeking the Commission’s assistance in obtaining answers to a number of questions about the programs. The questions include what data is actually collected by the programs, particularly with respect to non-U.S. persons, the extent of the data collected and the safeguards that are in place before the data is accessed. A second set of questions relate to the procedures and criteria followed by the FISA Court, particularly with regard to how targeted and substantiated the requests for surveillance are. A third set of questions address the apparent incompatibility of mass-scale surveillance with the more narrow exception for national security purposes contained in the Safe Harbor Principles, with the Working Party re-iterating the point that member state DPAs have the authority to suspend data flows if the Safe Harbor Principles are being violated and there are imminent risks of grave harm. A fourth issue raised in the letter is the need for a means of redress for non-U.S. persons. Finally, the Working Party stresses that it will also be examining the intelligence programs of member states, citing the UK’s Tempora program as one example.
U.S. Cloud Computing Industry to Take Hit from NSA Surveillance
According to a report entitled How Much Will PRISM Cost the U.S. Cloud Computing Industry?, prepared by the Information Technology & Innovation Foundation, revelations about NSA surveillance “will likely have an immediate and lasting impact on the competitiveness of the U.S. cloud computing industry if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits.” The report estimates that the U.S. cloud computing industry could lose anywhere from $22 to $35 billion over the next three years. Furthermore, in a rapidly-growing sector, loss of market share in the short term can have significant long-term implications for competitive advantage.
Backlash Develops Against Penn State Wellness Program
More than 2,000 faculty and staff employees at Pennsylvania State University have joined a protest against the university’s 2014 wellness program, arguing that it is coercive and unethical. Under the program, employees must complete an online wellness program from WebMD and undergo a preventive medical exam, including tests of cholesterol and glucose levels, and measurements of height, weight, and waist circumference. Employees failing to do both will be fined $100 a month, a penalty that is one of the more severe imposed by a U.S. employer, only 2% of whom use fines alone, rather than rewards, to encourage program participation. Most of the opposition to the program focuses on what its organizer calls "the ethical ramifications of coercing employees to turn over private health information" to companies running the wellness program.
Four Cyberattacks amongst Nine August Breaches of HR Data
Nine breaches of HR data were reported in August, including: U.S. Dept. of Energy (in the second breach this year, names, SSNs and other data of 53,000 current and former employees exposed via a hack of an HR/payroll system); Bonneville Power Administration (personal data of 3,100 employees of the Northwest agency compromised as part of the DOE hack); the Federal Reserve (personal information of all employees posted on the Internet by the hacker group Anonymous); McKesson (an undisclosed number of employees impacted by an ADP coding error that exposed their tax statement files to other employees); Republic Services (as many as 82,160 current and former employees jeopardized by the theft of an unencrypted laptop from an employee’s home); Argotec (an unknown number of employees affected by an unspecified type of breach); Hill Air Force Base, UT (names and SSNs of 500 employees sent by an administrative employee to their personal e-mail account, in violation of base policy); Northrop Grumman (names, birthdates, SSNs, government-issued ID numbers and contact information of an undisclosed number of linguists exposed through a cyberattack); and Bridgewater Associates (COBRA-related information of an unknown number of former employees exposed via the theft of access credentials for a database administered by Ceridian).
Texas Helps Employers Hiring Applicants with Criminal Records
Beginning September 1, 2013, employers in Texas willing to give applicants with a criminal record a second chance will benefit by a state law that limits their liability for negligent hiring. With some five million Texans having a criminal record, including hundreds of thousands no longer on probation or parole having felony convictions, the new law will clearly benefit both job applicants and employers. Employers still need to follow EEOC guidance against discriminatory screening and be able to mount successful defenses against any claims of negligent hiring.
Google Claims UK Privacy Law Doesn’t Apply
In a second legal filing raising questions about its commitment to privacy, Google urged a UK court to dismiss a lawsuit brought against it on the grounds that as an American firm, British privacy laws do not apply to it. The case, brought by a campaign group called Safari Users Against Google's Secret Tracking, charges Google with placing advertising tracking cookies on computers and devices without authorization and follows a $22.5 million penalty imposed by the FTC over the same charges. According to Google, which was reported to be constructing a $1 billion headquarters in London, British consumers should sue the company in U.S. courts.
German DPAs Halt New Data Transfers under Safe Harbor and Model Contracts
In response to revelations of massive and routine access by U.S. intelligence authorities to personal information transferred from companies in Germany to offices in the U.S., the country’s data protection commissioners issued a declaration on July 24 urging the European Commission to suspend its decisions on Safe Harbor and on standard contractual clauses. Citing their own authority to suspend data transfers when there is a “substantial likelihood” that safeguards are being violated, the commissioners stated that they “will not issue any new permission for data transfer to non-EU countries (for example also for the use of certain cloud services) and will examine whether such data transfers should be suspended on the basis of the Safe Harbor framework and the standard contractual clauses.” The commissioners were also reported to have sent a letter to Chancellor Angela Merkel asking her to push the EU to suspend the Safe Harbor regime.
Data Mining Practices of Health Sites Come Under Scrutiny
In an effort to increase industry transparency, Lisa Madigan, the Illinois Attorney General, opened an inquiry in July into the data-mining practices of eight popular online health sites, such as WebMD, the Mayo Clinic and Health.com. According to Madigan, “Health-related information, which would be protected from disclosure when said in a doctor’s office, can be captured, shared, and sold when entered into a Web site…These concerns are likely overlooked by consumers, as the disclosures about capturing and sharing their information are often buried in privacy policies not found on websites’ main pages.” Madigan’s action follows publication of a research letter in a JAMA medical journal reporting that some popular health portals leaked information about users’ health searches to third parties operating on their Web sites, such as social networks or ad networks, as well as a study of 43 mobile health and fitness apps carried out by the Privacy Rights Clearinghouse that showed “abysmal” implementation of privacy and security measures by the apps.
Mobile Device Users Mistrust Employers
A MobileIron survey of 3,000 workers in the U.S., the UK and Germany found that while 80% use their own mobile devices for work, only 30% completely trust their employers to protect personal information and not use it against them. Workers in the UK trusted their employers the most (34%), followed by those in the U.S. (30%) and in Germany (24%). Workers were most worried about employers seeing personal communications, such as e-mail and texts, with less than half flagging location information as a concern. Having clear policies, including details of how data may be monitored and how such information will be used, was said to be critical to building trust.
Seven HR Data Breaches Reported in July
Seven breaches of employment-related personal information were reported in July: Securities Exchange Commission (names, birth dates and SSNs of an undisclosed number of current and former employees inadvertently transferred by an employee moving to another unnamed agency via a thumb drive); University of Delaware (personal data of 72,000 past and present employees compromised through a hack using a vulnerability in software acquired from a vendor); Oracle (401k information of an undisclosed number of current and former employees made accessible to a plan administrator at another Fidelity Investments client); US Airways (three years of W-2 forms for an unknown number of employees accessible by other employees because of a programming error by ADP); Baltimore City (personnel records of an unknown number of DPW employees found in a box in the street); NASA Ames Research Center (benefits-related personal information of one employee erroneously sent to all employees as an email attachment to a DOMA update); and Harris County, TX (names, DOBs and SSNs of 16,000 current and former employees discovered in two electronic files in Vietnam).
China Enacts New Data Protection Rule
Continuing its sector-by-sector patchwork approach to privacy, the Chinese Ministry of Industry and Information Technology (MIIT) issued a new rule on July 16, entitled Provisions on the Protection of Personal Information of Telecommunications and Internet Users. The rule, which will take effect on September 1, implements the general requirements set forth in last December’s Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet. The new rule extends data protection requirements, previously applicable only to Internet information service providers (IISPs) to telecommunication services providers (TSPs) and introduces new requirements for both sectors. An unofficial English version of the rule was made available on the China Copyright and Media website.
In Age of Ubiquitous Surveillance Employers Viewed as Most Trustworthy
According to an in-depth Allstate/National Journal poll of 1,000 adults conducted before the revelations about NSA surveillance came to light, Americans showed themselves to be highly and profoundly anxious about misuses of their personal information by a wide range of organizations and entities. Arrayed from “most trustworthy” to “least trustworthy” were the following: your employer; health-care providers; law-enforcement agencies; companies you buy things from in person; the media; the IRS; political parties and candidates; home, auto and life insurance companies; companies you but things from online; financial institutions; health insurance companies; social media websites; the government; and cellphone and Internet providers. 79% of respondents said they had a “great deal or some” trust in employers to responsibly use their information, while 19% said they had “not very much or no” trust in employers to do so. The poll results, analyzed and presented in an exemplary manner, are well worth delving into.
EEOC Files Two New Lawsuits over Criminal Background Checks
On June 11, the Equal Employment Opportunities Commission filed two new lawsuits, in South Carolina and in Illinois, alleging that employers violated Title VII by implementing and utilizing criminal background check policies that resulted in African-American candidates and employees being disproportionately screened out or terminated. According to the EEOC, criminal convictions should have an expiration date and shouldn’t be considered indefinitely by employers. The EEOC filed the new lawsuits even though it lost two similar cases, one in 2010 and another earlier this year, while a third case is currently pending with a federal court.
Two Dings for ADP in June’s HR Data Breaches
Employment-related personal data continued to be exposed in June, with seven organizations reporting breaches: U.S. Military (personal data of 40,000 soldiers, including 28,000 stationed in South Korea, compromised by hackers who also claimed to have obtained personal data belonging to two million South Korean workers); Gap (SSNs, tax forms, resignation letters, legal notices, doctors' notes and performance reviews of 20 clothing store employees accidentally mailed to a customer rather than to headquarters); City of Houston (5,000 government workers, including over 1,000 police officers, placed in jeopardy when ADP had a security breach in relation to the City's online W-2s, with the breach attributed to a software code error); Iowa Department of Human Services (700 state employees impacted when a backup tape, containing historical data no longer needed, went missing); Town of Brookhaven (SSNs and other personal data of 78 employees and beneficiaries exposed through a clerical error when it was posted on the website of the New York municipality); Calvert Internal Medicine (all active and terminated employees of the Maryland clinic jeopardized by the failure of ADP technical support staff to re-activate a firewall after taking control of a Calvert computer during online troubleshooting); and Academy Studios (sensitive information of former employees of the California firm found in a dumpster and an abandoned filing cabinet, after the firm that built exhibits for some of the world’s top museums went bankrupt and closed its doors).
PRISM Viewed as Compromising Basis for EU-US Relationship
European politicians and governments demanded details and assurances about the NSA PRISM program, which is reportedly geared to gathering foreign intelligence by indiscriminately hoovering up all electronic communications. In an initial posting on Twitter, European Commission Viviane Reding said “European citizens expect 100 percent respect for their fundamental right to have their personal data protected” and she went on to express her concerns in a meeting with U.S. AG Eric Holder and a detailed letter. According to a statement on her website stressing the importance of trust and privacy, Reding said “The respect for fundamental rights and the rule of law are the foundations of the EU-US relationship.” Referring to this foundation, Peter Hustinx, the European Data Protection Supervisor whose words are always very measured, said that this is a “foundation which currently appears compromised,” a view echoed by Digital Agenda Commissioner Neelie Kroes. According to Kroes, “The Prism debate will definitely increase calls for a European cloud, with a range of possible consequences for American companies.” The impact PRISM will have on deliberations surrounding a new DP regime in Europe remains to be seen, although it is difficult to imagine it not strengthening the hand of those pushing for a stronger level of protection.
Crucial LIBE Vote Delayed until Fall
The European Parliament’s Civil Liberties Committee (LIBE) announced on June 19 that it would not be holding its important vote on the proposed Data Protection Regulation before the summer recess. With the LIBE vote lagging behind schedule, the entire and complex legislative process now risks being further delayed. Without the LIBE vote, the Parliament’s necessary plenary vote cannot be held and no formal negotiations between the two legislative bodies, the Parliament and the Council, can begin. A new vote has not been scheduled, but is expected to be held in September or October 2013.
Supreme Court of Canada Rejects Random Alcohol Tests
The Supreme Court of Canada has overturned a company's right to impose mandatory, random alcohol testing on its unionized workers in a dangerous workplace. In a 6-3 decision released on June 14, the court ruled the policy unilaterally adopted by Irving Pulp and Paper Ltd. in Saint John in 2006 for employees in safety sensitive positions is unreasonable. According to the court, dangerousness of a workplace only justifies testing particular employees in certain circumstances: where there are reasonable grounds to believe an employee was impaired while on duty; where an employee was directly involved in a workplace accident or significant incident; or where the employee returns to work after treatment for substance abuse.
Immigration Bill Said to Require Biometric Database of All Americans
According to a report by David Kravets in Wired, the immigration reform measure being debated in the Senate would create a national biometric database of almost every adult in the U.S., in what privacy groups fear could be the first step to a ubiquitous national ID system. Buried in the bill is language mandating creation of a “photo tool” database, to be maintained by DHS, that would contain names, ages, SSNs and photos of everyone in the country with a driver’s license or other state-issued license. Employers would be obligated to use the database to verify that new hires match their photos. While one journalist, David Frum, disputes the report, Sen. Rand Paul (R-KY) shares the concerns voiced by Wired, arguing that ‘Your papers, please’ must never be heard in America. Opposition to the expansion of the E-Verify program is building in Congress and the blogosphere.
States Step Up Legislation on Perennial Employee Privacy Concerns
Unwilling to wait for Congressional action, legislatures in a number of U.S. states have passed bills addressing ongoing employee privacy issues: Colorado became the tenth legislature to pass social media password protection legislation (joining Arkansas, California, Illinois, Maryland, Michigan, New Jersey, New Mexico, Utah and Washington); Nevada became the tenth to restrict use of credit reports for employment purposes (the others being California, Colorado, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont, and Washington); Minnesota passed a “Ban the Box” law regulating the timing of pre-employment inquiries into a candidate’s criminal past; and Virginia passed the "Keeping Employees' Emails and Phones (KEEP) Secure Act," which restricts the release of employee contact information and work schedules to third parties such as unions.
Four HR Data Breaches in May
Continuing a recent down-tick, only four breaches of employment-related personal data were reported in May: Department of Homeland Security (names, SSNs and dates of birth of an undisclosed number of DHS HQ, Customs and Border Protection, and ICE employees compromised by a vulnerability in software used by a vendor to process personnel security investigations); RentPath (personal data of at least 30,000 employees, former employees and applicants of the network of real estate websites compromised by the theft of IT equipment by an independent contractor); Godiva Chocolatier (personal data of an unspecified number of Godiva employees and applicants, including 2,638 in California alone, exposed when an unencrypted flash drive was lost in NYC); and PHH Corporation (an undisclosed number of employees of the outsourcing firm jeopardized, ironically, by the actions of a temporary worker indicted for identity fraud, with the firm rethinking its policy of giving such employees broad access to HR data.
LIBE Committee Report Recommends Separate DP Directive for HR
In a 77-page report undertaken on behalf of the EU Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee, academics Paul De Hert and Hans Lammerant recommended that a new EU Directive be drafted to set specific rules on data protection in an employment context. Article 28 of the current draft General Regulation permits member states to "adopt by law specific rules regulating the processing of employees' personal data in the employment context,” leading the Parliament’s Employment and Social Affairs committee to propose a number of “minimum standards” that member states would need to abide by in adopting such rules. De Hert and Lammerant contend that the proposed minimum standards are too ad hoc and incoherent, and that the entire topic deserves a more extensive and complete treatment. In addition, they recommend that provision be made in a new employment directive for DPAs to issue “soft law” guidance that could allow trust-building processes to occur amongst all the social partners involved in the employment context.
Number of Countries with Data Protection Laws Rises to 99
Prof. Graham Greenleaf’s count of the number of countries with data protection laws, which stood at 89 in February 2012, has now reached 99, according to his analysis in the latest Privacy Laws & Business International Report. Countries added since that time include Ghana, Georgia, Nicaragua, the Philippines, Singapore, Kosovo, Greenland, Yemen, Zimbabwe and Nepal. Of the 99 countries, six have data protection laws applicable only to the public sector, leaving 93 countries with laws applicable at least to the private sector. According to Greenleaf, enactment of DP bills in six of the 20 additional countries in which they are now pending would put the number of countries with data protection laws in the majority. In addition, the 2010s are so far the most intensive period of data protection development in its 40-year history, with an average of more than five new laws per year.
Schaar Calls Facebook Spying by Job Centers Illegal
German Federal Data Protection Commissioner Peter Schaar says job centers that search online for employees abusing unemployment benefits are breaking the law. “Job center employees are under no circumstances allowed to log into social networks or even under false pretenses become online friends with people in order to gain access to their data,” Schaar stated in an interview. According to the Commissioner, a center can turn to the Internet only if someone receiving unemployment benefits “is uncooperative and refuses to give out relevant data” - and, even then, he added, the employee must be notified of the data collection.
Retailers Blacklist Employees in Secret Databases
Labor labors and federal regulators were reported by The New York Times to be probing retailers’ use of vast databases of workers accused of stealing for the purpose of keeping such employees from working again in the industry. The databases, which have tens of thousands of subscribers, including Target, CVS and Family Dollar, often contain scant details about suspected thefts and ambiguous admissions of guilt extracted under pressure by store security officers. Some employees included in the databases have no idea they admitted committing a theft or that the information will be retained and used to deny them employment by other retailers in the future.
Colorado Ninth State to Tighten Credit Checks in Employment
Colorado became the ninth state to enact legislation restricting the use of credit reports for employment purposes, following the lead of California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington. Similar legislation has been introduced in several states, including Florida, New Jersey, New York and Pennsylvania, and both the EEOC and Congress continue to craft measures designed to ensure that credit information is only used where it is relevant and accurate.
HR Data Breaches Dip to Five in April
Only five breaches of employment-related personal information were reported in April: Iberdrola USA (5,100 applicants for jobs at utilities in the northeast impacted by the hacking of its Internet site used for recruitment and hiring); OptiNose US (names, SSNs and other personal data of an undisclosed number of workers at the provider of drug-delivery systems exposed when a laptop was stolen from an employee’s car); City of Berkeley, CA (SSNs of 11,000 current and former workers accidentally included in a file of public employee salary and benefit information sent to a news outlet); Weather Shield (55 employees of the Wisconsin firm experiencing ID theft discovered when they filed their tax returns, with some being repeat victims from the previous year); and Agincourt Wallboard (an undisclosed number of employees of the Maine company impacted by the hack of its payroll vendor’s system).
DOC Pushes Back on Article 29 WP Safe Harbor Caveats
The U.S. Department of Commerce issued an 8-page document in April entitled Clarifications Regarding the U.S.-EU Safe Harbor Framework and Cloud Computing. In a July 2012 opinion the Article 29 Working Party had asserted that companies exporting personal data to a cloud service could not rely upon a provider’s Safe Harbor certification without obtaining evidence that the self-certification exists and that the Safe Harbor privacy principles were being followed. The DOC now argues that DPAs in the EU cannot deem U.S. firms' self-certified compliance with the Safe Harbor framework as not offering adequate data protection in a cloud context or impose additional obligations upon them. The Department’s effort to rebut the position of the Article 29 Working Party, which it contends is “non-binding” in any event, sidesteps the problem of illusory self-certifications and ignores the fact that national laws of EU member states may contain requirements relating to the legitimate processing of personal data that go beyond those relating to data transfers. At the same time, the DOC document does clarify some complicated issues concerning how Safe Harbor applies to cloud computing and re-iterates previous assurance that the program will continue to be recognized by the European Commission as a valid basis for data transfers to the United States.
Requirement for Employee Privacy Notices Comes into Effect in Mexico
Mexico’s new Privacy Notice Guidelines, released in February, came into effect on April 17, 2013. To comply with the Federal Law on the Protection of Personal Data Held by Private Parties, employers must provide all current and prospective employees and applicants with a full privacy notice that incorporates seven required components. No company is "grandfathered" in or otherwise exempted from compliance. The Federal Institute for Access to Information and Data Protection (IFAI), Mexico’s DPA, began enforcing the law’s notice requirements even before the Guidelines were issued, by fining a pharmaceutical company $162,000 in December for deficiency in its privacy notice.
CVS Pharmacy Healthcare Policy Draws Criticism
ABC News reports that a new policy by CVS Pharmacy requires all employees covered by its health plans to submit personal health data, including their weight, body fat and glucose levels, or pay a monthly penalty. Those who decline to submit the information will see an increase of $50 per month in their health insurance premiums. Critics are calling the policy coercive, with Deborah Peel of Patient Privacy Rights describing it as “technology-enhanced discrimination on steroids.” CVS said it would not have access to the test results, but there was no indication how the test results might be used.
Article 29 Working Party Issues Opinion on Mobile Apps
On February 28 the Article 29 Working Party issued “Opinion 02/2013 on Apps in Smart Devices,” which begins by asserting that the 1995 Data Protection Directive applies to all mobile apps available to European users, regardless of where the application developer is located. The Opinion states that mobile operating system and device manufacturers, app store operators and developers of apps all share responsibility for compliance, with device manufacturers having ultimate backstop responsibility. It also argues that two types of consent are needed, one relating to the placement of cookies and the other to the processing of data accessed and collected via such cookies, and that a one-click “install” button is insufficient to obtain such consent. Finally, the Opinion explicitly concurs with the call for greater transparency made by the FTC in its guidance on mobile apps.
Eight HR Data Breaches Reported in March
The number of breaches of HR data reported during March returned to a more normal level, including: Black & Decker (personal information of an undisclosed number of employees, possibly including direct deposit details, compromised by the theft of a laptop); Unisys (an unknown number of employees placed in jeopardy when the Prudential Insurance Company accidentally e-mailed a file containing their SSNs, dates of birth and salary information to the wrong recipient); U.S. Dept. of Energy (personal information of 12,000 employees at the Savannah River facility near Aiken, SC compromised in an undisclosed manner; last month DOE had a separate breach involving the hacking of dozens of workstations and servers); Salem State University (personal information of 25,000 current and former employees exposed via a virus on the college’s computer servers); City of Jacksonville (SSNs of every city employee hired after 2005 found unprotected on an internal website); Allen County, Ohio (confidential information of all 1,152 employees unintentionally exposed on the Internet); OCS America (an undisclosed number of employees impacted by a phishing attack); and Inova Health Systems (W-2s for all employees from 2009 to 2012, contained in the Lawson eProfile application, accessible via the Internet because of a setting being left open).
Survey Finds One Internal Data Breach Per Week
A study of internal fraud events by Ponemon Institute on behalf of Attachmate found that on average, organizations had approximately 55 employee-related incidents of fraud in the past 12 months. It takes an average of 87 days to first recognize that insider fraud has occurred, and more than three months (105 days) to get at the root cause of the fraud, the study found. One of the biggest problems to occur, as indicated by 79% of respondents, is co-workers' credentials being used to gain elevated rights or bypass separation-of-duty controls. Another 79% said they have had instances in which a privileged user altered application controls to access or change sensitive information, and then reset the controls. The breaches are not incidental: 74% said employee malfeasance has caused "financial loss and possibly brand damage".
Brussels Reported to Soften New Data Protection Rules
The Financial Times reported that Brussels will be forced to water down its proposed tough data protection rules after many of the EU’s member states called for a softer approach to privacy reform. At least nine countries have said they are opposed to several measures that could add heavy burdens to businesses and a number of member states disagree with the level of prescriptiveness found in the draft regulation. A report by the Irish Presidency to the EU Council of Ministers, calling for a more risk-based approach, appears to be the primary source for the report. U.S. tech firms, which have lobbied hard against the draft proposal, were said to be relieved by the apparent climb-down by Brussels. However, while the European Commission has already indicated that it is willing to introduce flexibility in some areas, it will be some time before the exact nature of any changes to the proposal can be identified. Separately, over 80 professors from computer science, law, economics and business administration disciplines joined in signing an online petition to support the European Commission’s draft data protection regulation and protest industry lobbying to weaken it.
Costa Rica Publishes Implementing Regulations
Following a timeline nearly identical to that in Peru, Costa Rica published regulations implementing its 2011 Law on Personal Data Protection (No. 8968) in its official gazette on March 5, 2013. The Regulations, which entered into force the same day, establish the Costa Rican data protection authority (Prodhab), a five-day data breach notification period, and a maximum data retention period of 10 years. They also establish the scope of the Law and applicable penalties and fees in case of violation of protected rights. The Law introduces the concept of informational self-determination and requires express written consent for processing of personal data, except where required by law.
Immigration Reform Re-focuses Attention on E-Verify, National ID Card
Proposals for comprehensive immigration reform have re-surfaced the need for mandatory employment eligibility verification and identity vetting requirements. However, attempts to establish the equivalent of a national ID card, such as through the driver’s licenses mandated by the Real ID Act of 2005, have floundered. Furthermore, as recently as last year the President himself has described the E-Verify system as error-prone and said it could not be used as an immigration enforcement tool until problems were resolved. Whether non-forgeable and tamper-resistant identification documents can be developed as proof of authorization to work in the U.S., as called for both by the White House and a bi-partisan group of senators, remains to be seen.
NIST Issues Final Draft of Security and Privacy Controls
The National Institute of Standards and Technology released the final draft of its Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53) for public comment. The 455-page draft is a solid primer of the risk management process landscape for privacy and data security, and a comprehensive and valuable reference even for those without frontline responsibility for implementing infosec measures, risk management or legal compliance.
Security Pioneer Introduces Encryption Service for Smartphones
Phil Zimmermann, the creator of Pretty Good Privacy and widely considered the godfather of encryption software, has introduced a new encryption service for Android and iPhone smartphone users. Called Silent Circle, the service allows users to make encrypted phone calls, send text messages and do videoconferencing. Messages are scrubbed completely from the phone after a predetermined amount of time. Communications are secured using a new, peer-reviewed open-source encryption technology. Zimmermann noted that law enforcement would not be able to eavesdrop on Silent Circle users and, for that matter, neither would Silent Circle.
Only Two HR Data Breaches Reported in February
February was a very quiet month for reports of HD data breaches, with only two coming to light: U.S. Dept. of Energy (an undisclosed number of employees impacted when their personal information was compromised by hackers who breached 14 servers and 20 workstations); and Schneider-Electric (an undisclosed number of employee of the Illinois firm received a mailing from a vendor that exposed their SSNs, names and addresses).
False Alarm on Undermining of Safe Harbor
According to a report by DataGuidance, a February 27 statement issued by the Article 29 Working Party threatens the viability of the EU-U.S. Safe Harbor Program. In the statement, the Working Party contends that self-assessment mechanisms should only be used in international data transfers on an exceptional basis for non-massive and non-repetitive transfers. Leading privacy attorneys for Hunton & Williams and Hogan Lovells are quoted as pointing out that such a restrictive approach would jeopardize Safe Harbor, which allows companies to self-assess their compliance with European requirements. However, a close reading of the Working Party’s statement, and of Opinion 1/2012 which it references, shows that its remarks are directed to the context in which an adequacy decision has not been reached by the European Commission. The Commission reached an adequacy decision for companies participating in the Safe Harbor Program in 2000.
Mexico Issues Privacy Notice Requirements
Equifax Sale of Salary Information May Provoke Backlash
Equifax, with the cooperation of employers, has assembled one of the largest private databases of Americans’ personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults. Besides pay-stub data, the database includes information about health care providers, dental insurance and unemployment claims. Companies provide the data to The Work Number, an Equifax-owned company, in order to outsource employment verification of former workers. However, some of the information is also sold to debt collectors, financial service companies and other entities. Larry Ponemon, a privacy expert who heads the Ponemon Institute, expressed surprise and shock when informed of the resale, calling it “unbelievably scary” and “really depressing.” Other experts called it “a betrayal of trust” that may compel employers to stop sharing the data with Equifax when it becomes known.
Social Media Found to Erode Workplace Privacy
A Digital Diaries survey of 4,000 adults worldwide by AVG Technologies revealed that 53% of respondents believe that privacy in the workplace has been eroded due to the open nature of social media networks. 10% said that social networks were used to have secret discussions about them by colleagues, 11% have had to deal with embarrassing photos being taken of them at work events and uploaded online and 6% said social networking brought them unwanted romantic attention. 9% reported that a manager had used information found on social media sites against them or a colleague, a practice most common in the U.S. (13%).
Dip in HR Data Breaches in January
Only four breaches of employment-related personal data were reported in January, three of which were in the public sector: Antioch Unified (an undisclosed number of current and former employees of the California school district impacted by a misdirected e-mail containing their SSNs and worker compensation claim information); University of North Carolina (personal information of 3,500 employees and others compromised by hackers last May); Florida Department of Juvenile Justice (records of more than 100,000 employees and youths impacted by the theft of a mobile device that was not encrypted or password-protected as required by DJJ’s technology policy); and Oldcastle APG (personal information of 5,083 of the Atlanta-based firm’s employees, including names, SSNs and bank account information, exposed when a laptop was stolen from an employee's car).
EU Parliament Says Draft DP Regulation Needs Strengthening
A draft report on the European Commission’s proposed regulation on data protection, by Jan Albrecht, the rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, was released to the public in January. The 215-page report, containing a total of 350 amendments to the original proposal, largely embraces the European Commission’s approach but argues for even stricter requirements in a number of areas. For example, the Parliament is considering expanding the territorial scope of application to non-EU-based data controllers; broadening the concept of personal data to cover information relating to someone who can be singled out (not just identified); enlarging the role of consent; and limiting the reliance upon the “legitimate interest” of the data controller as a basis for processing personal data. The Parliament is also considering a stricter statement of the right to be forgotten, expanding it to include the “right to erasure and to be forgotten.” Once the Parliament finalizes its position in March and April, negotiations with the Council of the EU, the European Commission and other stakeholders will ensue.
Major Employee Privacy Bill Moves Forward in Germany
While an employee privacy bill has been under consideration in Germany for over three years, the coalition partners in Angela Merkel’s government are now actively moving it towards passage by the German Parliament, as early as February. The comprehensive employee privacy bill will likely require significant changes in the data privacy compliance programs and practices of most companies operating in Germany. Amongst concerns to employers are requirements to limit the utility of works council agreements as a justification for data use; impose a new balancing test will make it more challenging to establish a basis for HR data use; mandatory data breach notification to employees, regardless of harm; and reliance upon employee consent only it involves a use of the data favorable to the employee. Secret surveillance of employees will also be largely prohibited, although some critics, such as DPA Thilo Weichert, say the draft law weakens data protection in favor of employers.
China Issues National Standard on Handling Personal Data
Following December’s announcement of new rules for the operation and use of the Internet, China’s Ministry of Industry and Information Technology (MIIT) set out non-binding guidelines for handling personal information, effective February 1, that promote adherence to a number of internationally-recognized principles of fair information practice. The guidelines distinguish between sensitive personal data and general personal data, requiring express consent of data subjects for processing of the former and opt-out consent for processing of the latter. In addition, organizations must have "specific and clear purposes" for collecting personal information, only collect data they need for the purposes of the collection, and delete the data when it is no longer needed for those purposes. Finally, transfer of personal data outside the country requires express consent from data subjects. A fuller summary of the guidelines, prepared by Covington and Burling LLP, may be found here.