News Archives

2014

December 2014

EU Council of Ministers Advances DP Reform Package
Meeting in Brussels on December 4, the EU Council of Ministers reached a conclusive agreement on a “partial general approach” to member state flexibility with respect to data protection in the public sector.  While final agreement was not reached on proposals by the Italian presidency of the Council regarding the contentious issue of the “one-stop shop” and the associated “consistency mechanism,” the issues involved were laid out in a way suggesting that a resolution at the Council’s March meeting could be achieved.  The sense of optimism that the reform, while delayed, was still on track was confirmed a few days later by Věra Jourová, the EU Justice Commissioner, speaking at a conference in Brussels.  According to Jourová, "The proposed Data Protection Regulation will do away with 28 differing national laws, and provide a single set of rules on data protection valid across the EU," removing unnecessary administrative requirements and increasing legal certainty for businesses.

French Voice Concerns about Safe Harbor
In a dialogue with the members of the American Chamber of Commerce’s Digital Economy Committee in France, Florence Raynal, the CNIL’s chief for international affairs, described some of the key concerns the CNIL has with the Safe Harbor framework. In the first place, transfers from an EU-based data controller to a U.S.-based data processor cannot be based upon Safe Harbor alone, but need to be supplemented with a data processing contract.  Secondly, Safe Harbor should not be used as a cover for direct transfers from the EU to places such as India, where contractual safeguards should be employed.  Thirdly, Safe Harbor does not currently specify the type of contracts needed for onward transfers to third countries, but should.  And lastly, the Safe Harbor exemption for “publicly available information” needs to be revisited in light of the European belief that data protection does not lapse when information is available on the Internet.

Working Party Streamlines Approval Process for Contractual Clauses
On November 26, the Article 29 Working Party created a cooperation procedure, modeled upon its mutual recognition process for binding corporate rules, to streamline the process of obtaining DPA approval of contractual clauses.  At the present time, a dozen member states (Austria, Bulgaria, Cyprus, Denmark, Estonia, France, Lithuania, Luxembourg, Malta, Romania, Slovenia and Spain) require advance approval of data transfer contracts by DPAs, even when the contracts involved are Model Clauses approved by the Commission.  Data controllers also are permitted to prepare their own ad hoc clauses, or amend the Model Clauses, provided they are approved by the relevant DPAs.  As with the BCR procedure, a Lead DPA will be identified, as well as one or more reviewers, who will analyze and shepherd a proposed contract through the group of relevant DPAs.

Guidance on Cross-Border Transfers Issued in Hong Kong
On December 29, Hong Kong’s Privacy Commissioner published guidance on the cross-border transfer of personal data, to help data users prepare for the implementation of Section 33 of the 1995 Hong Kong Personal Data (Privacy) Ordinance (PDPO).  While the Legislative Council discussed implementation of Section 33 in March 2014, there is no indication that implementation is imminent or that Section 33 would be unchanged, leaving the 19-page guidance as advisory rather than obligatory.  According to the guidance, personal data may only be transferred from Hong Kong under one of the following conditions:  (i) the receiving jurisdiction has been included in an official "White List"; (ii) the data user has reasonable grounds to believe that the receiving jurisdiction has in force a law equivalent to the PDPO; (iii) the data subject has freely consented to the transfer; (iv) the transfer is for the avoidance or mitigation of adverse action against the data subject and it is not practicable to obtain consent; (v) the personal data is exempted by the PDPO; or (vi) the data user has taken reasonable precautions and exercised due diligence to ensure that the protections provided by the PDPO will not be breached.  With respect to the last condition, the guidance includes an appended model contract, while allowing that such a contract would not be required with respect to intra-group transfers governed by effective group policies.  The guidance does not address the issue of whether data subject consent is a viable option in the employment context.

Russian Data Localization Law to Come into Effect in September 2015 
On December 31, Russian President Vladimir Putin signed legislation to move the deadline for compliance to September 1, 2015, for Federal Law No. 242-FZ, which requires companies to store the personal data of Russian citizens in databases located in Russia. The bill had been adopted by the lower chamber of Russian Parliament in July 2014 with a compliance deadline of September 1, 2016. The compliance deadline was then moved to January 1, 2015, before being changed to September 1, 2015.  Amongst the many questions raised by the law is whether it applies to companies that collect personal data from Russian customers but have no physical presence in Russia. 

November 2014

FTC Settlement with TRUSTe Another Blow to Safe Harbor
On November 17, the FTC announced that it had reached a settlement with TRUSTe, a major provider of privacy certifications, over charges that TRUSTe had deceived consumers about its recertification program for companies’ privacy practices and misrepresented itself as a non-profit entity.  The FTC’s complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual re-certifications of companies holding TRUSTe privacy seals in over 1,000 instances, despite stating on its website that companies holding TRUSTe Certified Privacy Seals receive recertification every year.  Given TRUSTe’s long-standing role in promoting self-regulation and in helping companies assess and recertify compliance with Safe Harbor requirements, the news that TRUSTe was untrustworthy doubtlessly was not lost on European critics who believe that Safe Harbor is not safe.

Garante Issues Guidelines for Use of Biometrics in the Workplace
On November 12, the Italian data protection authority, the Garante, issued a decision, along with a set of guidelines, to regulate the application of biometric technologies by employers.  Prior checking with the Garante will not be required when biometrics are used for automated authentication or to control access to physically sensitive areas or dangerous equipment, as long as a number of safeguards are in place, such as automatically deleting raw biometric data and encrypting any transmissions of biometric data.  Other uses of biometric technologies in the workplace will require prior approval by the DPA.  The Garante’s decision also introduced a 24-hour data breach notification obligation in the event the security of biometric data is compromised.

Russian Officials Expound on Data Localization Law
On November 5, the Russian Data Protection Authority, Roskomnadzor, held its fifth annual conference on “Personal Data Protection,” with officials from both the DPA and the Parliament offering their understanding of the emerging requirements in Russia’s new data localization law.  Representatives of the Parliament made clear that the purpose of the new law is to protect the personal data of Russian citizens in the face of Snowden’s revelations about NSA surveillance and developments in the current international situation.  Key points from the conference were as follows:  (1) personal data of Russian citizens, and possibly residents as well, will have to be stored within the territory of the Russian Federation; (2) the ability to effect cross-border data transfers will remain unchanged, as long as it is in accordance with the Council of Europe Convention 108 and Russian DP law; (3) transfers would have to be conditioned on and connected with a legitimate purpose under Russian DP law beyond mere storage; (4) mirroring abroad of a database maintained in Russia would not be allowed; (5) the processing of employee data would be covered by the new law; and (6) the law also applies to the storage of personal data collected prior to its effective date.  At the time of the conference, the effective date of the data localization law was set as September 1, 2016, although acknowledgement was made that an earlier date was likely.

Data Protection Commission Officially Launched in Ghana
Two years after Ghana’s Data Protection Act came into force in October 2012, and its Data Protection Commission was “inaugurated” the following month, the Ministry of Communications presented the names of its nine members and announced that the Commission would be officially launched and registration opened on November 18, 2014.  According to Deputy Ministry of Communication Ato Sarpong, “our ability to seclude ourselves or share our information selectively is under threat” and the Ministry will be guided “by the need to ensure fairness, legality of data captured and maintained, purpose for keeping someone’s data, accountability for it, individual rights and protocols for capturing and accessing someone’s data.” 

October 2014

No Let Up in EU Threats to Suspend Safe Harbor
In early October, Andrus Ansip, replacing Neelie Kroes as one of three vice presidents of the European Commission, went on record contending that because of violations, the Safe Harbor agreement may not technically exist.  According to Ansip, "Safe harbor is not secure. The Agreement has yet to live up to its name. If the U.S. Government does not make a clear statement, we must consider suspending the Agreement."  Ansip, the former prime minister of tech-savvy Estonia slated to become the Commission’s point person for its Digital Agenda, was also quoted as saying “We have to protect everyone’s privacy….Trust is a basic principle. If people can’t trust e-services, they will never use them.”  The Czech Republic’s Věra Jourová, Ansip’s soon-to-be partner in the vice-presidency and replacement for Viviane Reding, was somewhat more circumspect during her confirmation hearings, indicating that she expects new Safe Harbor commitments from the U.S., absent which “alternative options” will need to be explored.  However, she also stated that "trust in the US has been destroyed by the Snowden scandal," adding that she “will always be in favour of data protection and privacy" and would not make any concession on data protection rights even "across the ocean".  To round out the picture, the new President of the European Commission, Jean-Claude Juncker, was quoted as saying that “I will not sacrifice the European standards of safety, health, social norms, standards of data protection or our cultural diversity on the altar of free trade," adding that the protection of personal data is non-negotiable.  Juncker has called for the conclusion of negotiations on the reform of Europe’s data protection rules and Safe Harbor within six months.  The European Commission recommended 13 changes to Safe Harbor in November 2013, and the European Parliament called for immediate suspension of Safe Harbor in March 2014.

EU Council of Ministers Debates Proposed DP Regulation
Meeting on October 10 in Luxembourg, the Justice and Home Affairs Committee of the EU's Council of Ministers again debated the draft General Data Protection Regulation advanced by the European Commission and the European Parliament.  While the Council has previously indicated broad support for much of what has been proposed, a number of issues continue to divide the Ministers, and their interlocking nature has led the Council to make it clear that no single part of the proposal is agreed until every part is agreed.  Amongst the issues being debated are whether the appointment of Data Protection Officers should be mandatory or voluntary; whether the “right to be forgotten” needs to be circumscribed to some extent to achieve the proper balance with freedom of expression; whether member states can set a higher level of protection than that established by the Regulation; and how to structure the “one stop shop” oversight authority in a manner that doesn’t significantly disadvantage either data subjects or multi-national companies.  One area in which at least temporary agreement was reached was that organizations would have 72 hours within which to make notifications of data breaches, with no notification needed with respect to breaches of encrypted data.  Once the Council has reached internal agreement on the Regulation as a whole, trilogue discussions with the Commission and the Parliament can begin.

Companies with Approved BCRs Reach 60
The European Commission list of companies that have completed the Binding Corporate Rules cooperation procedure and consequently have approved BCRs reached 60 by the end of October.  Sixteen U.S.-headquartered firms are on the list, including Accenture, American Express, Bristol Myers Squibb, Cardinal Health, Cargill, Citigroup, eBay, First Data, General Electric, Hewlett Packard, IMS Health, Intel, Motorola Mobility, Motorola Solutions and Schlumberger.  The list also identifies which DPA served as the lead authority in the BCR approval process; the CNIL shepherded through the most BCR applications, with 21, the UK ICO came in second, with 17, and the Dutch DPA was third, with 11.

Belgium Government Elevates Privacy to Cabinet Level
On October 10, the recently formed Belgian coalition government announced the creation of a new cabinet position of Secretary of State for Privacy, appointing the former Flemish Minister for Media, Bart Tommelein, to the position.  As an indication of the importance of privacy to the government, the word “privacy” appears 20 times in the coalition agreement, on a par with other key issues such as health and immigration.  The agreement also calls for modernizing the Belgian privacy law, strengthening the independence of the Privacy Commission and achieving harmonized EU privacy laws.  However, the vagueness of the text of the agreement, and the fact that its reference to increased privacy protection for individuals appears to be mostly made in relation to government decisions to increase data mining and profiling, led at least one local lawyer to wonder whether the new focus on privacy is but window dressing preceding expanded government surveillance.

Data Protection Taking Root across Africa
According to a report from Privacy Laws & Business, Ghana and Senegal were each granted full member status at the Privacy Commissioners’ International Conference, which met in mid-October for the first time in Africa, in Mauritius, and which is tentatively planning to hold its 2016 conference in Morocco.  In another sign of the extent to which African nations have rallied to the cause of data protection, the African Union, representing all 54 African nations except Morocco, adopted a Convention on Cyber-security and Personal Data Protection at its summit meeting in Equatorial Guinea in late June.  Nations that accede to and ratify the Convention are committed to establishing a legal framework based upon its provisions.  While the Convention will require accession by 15 states before it is in force, Africa is now the first region outside of Europe to adopt a data protection convention.  There are currently 14 African nations with comprehensive data protection laws in place.

Japan to Amend Personal Information Protection Act
On October 28, the Japanese Ministry of Economy, Trade and Industry (METI) ended a public consultation on draft amendments to the country’s data protection law, with an eye towards amending the law early in 2015.  As in South Korea, massive data breaches have driven the government’s policy agenda, including the theft and sale of personal data of over 48 million customers of a correspondence education provider, Benesse Corporation.  Amongst the proposed amendments are obligations to strengthen oversight of subcontractors through audits and inspections, appoint a senior executive as Chief Privacy Officer, and institute appropriate measures to safeguard personal data transferred beyond the borders of Japan.  An analysis by Dr. Graham Greenleaf of a 29-page position paper by the government’s “IT Strategic Headquarters” finds that internal dissension within the government as to the nature of the new amendments is evident.  According to Greenleaf, a number of the proposals outlined are positive, such as the establishment of an independent data protection authority, the elimination of the small business exemption and institution of a right of individuals to obtain damages from either the DPA or a court, but a number of others, such as a large carve-out for “reduced identifiability” data about individuals, would significantly weaken the level of data protection currently in place.  Japan’s current Personal Information Protection Act (PIPA) was said to have the weakest privacy principles of any Asia-Pacific country that has a data privacy law.

September 2014

Google Remains under Regulatory Pressure in Europe
European regulators continued to press Google on several fronts.  In the first, leading DPAs scoffed at the company’s series of Advisory Council meetings, scheduled for several European venues, to gather input on its implementation of the CJEU’s right to be forgotten ruling.  Isabelle Falque-Pierrotin, Head of the CNIL and the Article 29 Working Party, described the meetings as a “PR war.”  Regulators are particularly unhappy with the company telling websites about the removals it makes, and the Working Party is reported to be preparing guidelines for the removal process.  On the second front, the Working Party gave Google a package of measures and guidelines to bring the way it collects and stores user data into conformance with EU law, following its consolidation of 60 privacy policies into one and the construction of user profiles with data drawn from all its online services.  Finally, the appointment of Günther Oettinger as the European commissioner for digital economy and society could represent a nightmare for Google, since Oettinger has trumpeted his role in derailing the company’s proposed settlement of the Commission’s anti-trust investigation with relatively light consequences last March.

New Members of European Commission Take Charge
On September 10, Jean-Claude Juncker, President-elect of the European Commission, nominated his team of Commissioners, spreading responsibility for data protection matters amongst at least three Commissioners who will need to work in a coordinated and collaborative manner.  Věra Jourová, previously the Czech Minister for Regional Development, succeeded Viviane Reding as Commissioner for Justice, with consumer policy added to her portfolio.  Günther Oettinger of Germany, previously European Commissioner for Energy, will coordinate with Jourová on the data protection reform and will take the lead on the reform of the e-privacy Directive and cyber security issues.  Both Jourová and Oettinger will be under the oversight of Andrus Ansip, previously the Prime Minister of Estonia, who will assume the newly-created Vice-Presidency of the Commission for the Digital Single Market.  Reactions to the appointments from two politicians leading the efforts to enact the General Data Protection Regulation, MEP Jan Philipp Albrecht and LIBE Chair Claude Moraes, were critical, with the former stating that Oettinger was completely unqualified and the latter finding Jourová lacking privacy experience and concurring with other observers that there would be “too many cooks” in the data protection area.

German Bill Gives Judicial Recourse for DP Violations to Consumer Groups
Following up on its announcement in February 2014, the German Federal Ministry of Justice finally presented a new draft bill allowing qualified consumer protection associations, as well as trade associations and chambers of commerce, to take businesses to court for data protection law violations.  At present only individual data subjects can pursue judicial recourse for unlawful collection or use of their personal data. In order to exercise the new legal remedies of issuing warnings to businesses and of taking them to court with an action for injunction or removal, consumer protection associations and other eligible entities will need to meet certain requirements and be included in a register of qualified organizations.

Russia Steps Up Data Localization Requirements
On September 25, The Moscow Times reported that the State Duma was poised to enact a bill moving the deadline for data localization from September 2016 to January 1, 2015.  The very next day, it was reported that Russia’s media watchdog, Roskomnadzor, had sent notifications to Google, Facebook and Twitter, demanding they register as "organizers of information distribution" under a law that requires them to store information about Russian users on servers located inside the country.  The move prompted one of Russia’s most respected Internet experts, Anton Nossik, to say that he was confident that websites like Facebook, Twitter, and Google will soon be things of the past in Russian cyberspace.

August 2014

Advocacy Group Calls for FTC Investigation of 30 Safe Harbor Companies
On August 14, the Center for Digital Democracy (CDD) filed a 22-page complaint with the Federal Trade Commission asking for an investigation of 30 data marketing and profiling companies for violating their commitments under the U.S.-EU Safe Harbor Framework.  According to the CDD, the companies do not adequately disclose their actual data collection practices in their privacy policies and Safe Harbor declarations; inaccurately classify themselves as data processors instead of data controllers; are insufficiently transparent about changes to their corporate structures that impact consumers; fail to provide meaningful, easy-to-find opt-out mechanisms that EU consumers can utilize to stop the collection and use of their personal data; and create a false impression that, because the companies may not collect a consumer’s name or government-issued ID number, they are only collecting and using “anonymous” or non-personal data.  In announcing the complaint, CDD Legal Director Hudson Kingston called for sanctions, stating that “the fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.”

Garante Bans Publishing of Reasons for Absences
In August the Garante, the Italian data protection authority, announced that it had prohibited a local public transport company from making information about the reasons for absences from work available to all employees.  The Company had posted the reasons, which included such causes as “illness,” “disability” and “union permission,” alongside the absent employee’s name and shift on bulletin boards and on the company intranet.  The authority found the disclosure of reasons for absences, some of which conveyed personal data of a sensitive nature, to be excessive and in violation of the Privacy Code and the Guidelines on the treatment of workers' private personal data.
Alberta Adjudicator Finds Managing Employees Not a “Commercial Activity”
On July 16, Alberta’s Office of the Information and Privacy Commissioner issued an order in which an Adjudicator upheld the right of a non-profit organization to withhold certain information in an employee’s personnel file.  The Adjudicator found that the province’s Personal Information Protection Act (PIPA) applies to non-profits, as it does to for-profit entities, only when the personal information in question is collected, used or disclosed in connection with a commercial activity of the organization.  He also ruled that no organization collecting and using an employee’s personal information for employment purposes does so as a part of a commercial activity.  A similar ruling was made by the Ontario Labour Relations Board in 2003 with respect to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

OAIC Issues Information Security Guide
The Office of the Australian Information Commissioner (OAIC) released comprehensive revised guidance on the information security measures it expects organisations to have in place to comply with the new Privacy Act.  Organisations suffering data breaches can be held in violation of the Act if they failed to take “reasonable steps” to secure the data, and can be fined up to $1.7 million, making the OAIC’s views on the matter very important.  While the guidance is not binding, the OAIC said it is the checklist it plans to use when assessing whether an entity is liable for a data breach.  The guidance covers privacy impact assessments, clear lines of accountability, a data breach and notification plan, a data destruction plan, and numerous common sense security practices such as having an information asset register, keeping software patches up to date, maintaining an intrusion detection log, penetration testing, assessing compliance of third party contractors and the like.  “Human error is regularly claimed as the cause of privacy incidents, however it usually only occurs where entities do not have a privacy culture, training and appropriate practices, procedures and systems,” the OAIC advised in its guidelines.

South Korea Tightens PIPA Data Security Provisions
On July 28, after an audit of 1,234 state-run agencies and 191 private sector firms found excessive collection of personal information and insufficient management of crucial data, the South Korean government announced plans to further amend privacy laws with stricter punishments for organizations failing to protect personal data adequately. The new amendments, expected by the end of the year, will impose punitive damages of up to three times the damage caused by data breaches, and will also include compensation for victims of data breaches.  The new amendments to the Personal Information Protection Act (PIPA) will build on the stricter measures passed by the National Assembly in May, which came into effect on August 7. These measures included penalties of up to approximately $100,000 and/or 10 years’ imprisonment.  Some observers, particularly in the financial sector, expressed skepticism as to how effective the August 7 measures would prove to be, since they were introduced quickly, without, for example, addressing how My-PIN numbers would be protected or how resident registration numbers in existing systems should be handled.
July 2014

Delays on Data Protection Reform Continue
The European Council, composed of justice and home affairs ministers, was able to reach only a partial consensus on the proposed General Data Protection Regulation during its June meeting in Luxembourg.  Significantly, agreement was reached on the extra-territorial reach of the Regulation, meaning that companies based outside the EU, such as Google and Facebook, will be explicitly obligated to adhere to the new regime.  The main controversy, over whether there should be a “one stop shop” for multinational companies operating in multiple European member states, remains unresolved, with some states, such as Germany, concerned that it could dilute the strength of their data protection law and lead to forum-shopping.  Whether the Council will be able to reach a final consensus before the end of 2014 remains to be seen.  In another setback for the reform, Viviane Reding, the EU Justice Commissioner who has been a driving force behind the proposed regulation for the last two years, resigned on July 11 and returned to her position in Parliament, following the election of a new government in Luxembourg.

CNIL Addresses Privacy of Employees in a Digital Age
On July 18, the CNIL issued its seventh Innovation & Prospective newsletter, this one a four-page document entitled “Intimacy and privacy of the connected employee: BYOD, sensors, data security in the digital enterprise”, exploring how employers can balance their needs for confidentiality and managing performance against the competing privacy interests of employees.  With technology increasingly enabling the continuous monitoring of employees, including their performance, their actions and even their moods, the CNIL argues that it is time to build an ethical and legal framework to address these challenges.

Russia Moves to Ban Exports of Personal Data
During the summer, the Russian Parliament passed new rules, signed into law by President Vladimir Putin, requiring personal data of Russians to be stored in Russia.  This could require Internet companies and businesses servicing Russian consumers to invest in local IT storage and chill criticism on foreign social networking sites like Facebook and Twitter.  However, the applicability of the law to foreign data operators has yet to be determined by Roskomnadzor, the Russian DPA.  Typically, Russian data protection legislation applies only to Russia-based data operators and foreign data operators having a legal presence in Russia that process personal data in Russia. Apart from its applicability to foreign data operators, the law could also cause problems for Russian companies such as tourism websites and airlines that rely on foreign-based online booking services. Russia's Association of Electronic Communication, a group that lobbies on behalf of internet companies, warned that "many global internet services would be impossible" under the new law.  The law does not come into effect until September 2016.

Study Finds Major Faults in Korean Job Screening Practices
On July 22, The Korea Herald reported that according to a study by Vladimir Hlasny, Associate Professor at Ewha Womans University, published in the Journal of Labor Research, screening of job candidates by firms on the basis of criteria that are discriminatory and irrelevant to job performance is endemic in South Korea.  Many job application forms request applicants’ height, weight, eyesight, blood type, family finance and background, smoking and drinking habits, real estate ownership, health status and religion, with only 16% of firms asking no intrusive questions at all.  The remedies that are needed, according to Hlasny, include stronger and better-enforced EEO laws; educating applicants as to their self-determination and data protection rights; decriminalizing untruthful answers to intrusive questions; and encouraging whistle-blowing.

June 2014

Obama Pledges to Recognize EU Citizens’ Privacy Rights in the U.S.
U.S. Attorney General Eric Holder announced on June 26 that the Obama administration was committed to seeking legislation that would give EU citizens “the same right to seek judicial redress for intentional or willful disclosures of protected information, and for refusal to grant access or to rectify any errors in that information, as would a US citizen under the Privacy Act”.  The European Commission welcomed the commitment, which was a key component in a set of demands made in the wake of revelations about NSA spying.  However, as EU Justice Commissioner Viviane Reding noted, “words only matter if put into law".

ECJ to Determine if Commission Safe Harbor Decision Binds DPAs
On June 18, the Irish High Court decided to refer a number of questions in the case brought against Facebook by privacy activist Maximillian Schrems to the European Court of Justice (ECJ).  The ECJ will be tasked to determine whether national data protection authorities must abide by the 2000 Safe Harbor adequacy decision of the European Commission or whether they can reach their own conclusions about adequacy based upon new information, such as revelations about NSA surveillance.  Attorneys for Schrems had argued that the Irish DPA, Billy Hawkes, had wrongly refused to investigate Edward Snowden’s claims that Facebook passed on its EU users’ data to the NSA as part of its PRISM surveillance program.  The European Commission itself had previously expressed concern that PRISM exposed a loophole in the Safe Harbor agreement.

Czech DPA Publishes Guidance on Workplace Privacy
In June, the Office for Personal Data Protection of the Czech Republic issued a 38-page publication entitled Protecting Privacy in the Workplace.  The document is the outcome of a multi-year Leonardo da Vinci project the Office carried out in cooperation with privacy regulators from Poland, Bulgaria and Croatia.  The aim of the project was to compile a comprehensive, clear and practical guide that would raise awareness of employees about their privacy rights and the issues they face in the workplace.

Canadian Supreme Court Bars Warrantless Disclosure of Subscriber Data
In a landmark ruling on June 11, the Supreme Court of Canada unanimously barred internet service providers from disclosing the names, addresses and phone numbers of their customers to law enforcement officials voluntarily in response to a simple request, something ISPs have been doing hundreds of thousands of times a year.  The ruling in R. v. Spencer also means that significant parts of the cyberbullying and digital privacy bills (C-13 and S-4) that are currently before the House of Commons are likely to be unconstitutional.

Government Plans to Crack Down on Lax Data Protection in South Korea
Although South Korea has one of the strongest data protection laws in the world, enforcement has lagged far behind.  Government data released on June 29 showed that the majority of South Korean public agencies and businesses do not implement proper measures to safeguard the personal data they hold.  According to the Ministry of Safety and Public Administration, over 85% of the 754 organizations inspected in 2012 and 2013 were slapped with administrative penalties for violating the rules aimed at protecting personal information.  Furthermore, 97% of 2,000 private business owners said they do not set aside budget for protecting the personal information of their customers, according to an inspection conducted last year by the Ministry and the National Information Society Agency, while over half of public sector organizations also do not have budgets for data protection measures.  Government officials subsequently stated that a cross-government task force had decided to implement stricter penalties for companies that fail to protect customer data, through laws to be revised later this year.

May 2014

EU High Court Affirms “Right to be Forgotten”
In a landmark ruling issued on May 14, the European Court of Justice (ECJ) held that search engines can be forced to remove certain search results if they link to web pages that contain information infringing the privacy of EU citizens.  The case began in 2009 when Mario Costeja, a Spanish lawyer, objected that entering his name in Google’s search engine led to legal notices that he said were no longer relevant. According to the court, search engines play a role as data controllers, must be accountable for the links they provide, and as a general rule should place the right to privacy over the right of the public to find information.  The ECJ also extended jurisdiction under European data protection law to include non-EU companies that have a branch or subsidiary in the EU and that collect data in the context of business activities in the EU, raising significant issues for foreign companies.  The ruling spurred extensive worldwide commentary, including questioning as to whether it posed a threat to freedom of expression, denied the public’s right to know, paved the way to Internet censorship and sanctioned the whitewashing of history.  Much of the criticism appeared ill-informed and over-blown.

Officials Claim Revisions to Safe Harbor are Nearly in Hand
Officials in both the US and Europe offered comforting words to companies concerned about the future of the Safe Harbor framework, following calls for 13 measures to strengthen the program made by the European Commission last year.  In the US, a senior Commerce Department official said on May 12 that the new rules being developed will not place a much heavier compliance burden on US companies.  Speaking at a US Chamber of Commerce event, Ted Dean, Deputy Assistant Secretary for Services at the DOC, said that “What we are aiming for at the end of this process is going to be, if I can offer some assurance, fairly recognizable to what you are doing now.”  In the EU, Justice Commissioner Viviane Reding subsequently stated that as a result of US-EU discussions, “95% of what could be agreed – has been,” with the last sticking point being judicial redress for European citizens in the US.

Selection of New Federal Privacy Commissioner Met with Criticism
Prime Minister Harper’s selection of Daniel Therrien, the federal government’s top lawyer on national defense and public safety, to succeed Jennifer Stoddart as Privacy Commissioner of Canada, was met with political opposition and considerable unease and consternation in the privacy community.  In spite of calls for a re-think of the nomination by a substantial coalition of privacy experts and advocates, Therrien was confirmed by Parliament on June 5. 

Hong Kong Privacy Commissioner Publishes Workplace Privacy Guidance
On May 28, Hong Kong’s Privacy Commissioner, Allan Chiang, issued a 7-page guide to protecting privacy in common situations encountered in the workplace, covering the pre-employment, in-employment and post-employment stages.  The guidance includes high-level summaries of eight complaints, their outcomes and the lessons that should be learned from them.  Chiang noted that of the 517 employment-related complaints lodged with his office in the last four years, most concerned excessive collection of personal data and disclosure to third parties without the employee’s consent.  According to Chiang, “employers generally tend to over-emphasise their administrative and operational convenience, without due regard to the employees' right to privacy and data protection,” adding his perspective that “privacy management starts at work. An employee whose privacy is respected within the organisation is more likely to respect the privacy of the organisation's customers or clients”.

Japan Planning to Revise and Strengthen its DP Law
On May 15, a Japanese law firm reported that the Personal Data Related Systems Division, established in the Cabinet Secretary IT General Strategy Office, planned to set forth the fundamental principles of a bill revising the 2003 Act on the Protection of Personal Information by June 2014, and to receive public comments and submit the bill to the ordinary session of the National Diet in the beginning of 2015.  The driver behind the plan was said to be “the rapid development of information systems and resulting threat to personal rights and interests as well as international trends for establishing data protection laws.”  One of the revisions under consideration is removing the exemption for organizations processing the personal data of less than 5,000 individuals.  Another likely revision is changing the manner in which Japanese laws and regulations are applied to overseas enterprises, including restrictions on the transfer of data to countries with less developed personal data protection systems.

April 2014

EU Parliament Overwhelmingly Approves DP Regulation
On March 12, the European Parliament voted overwhelmingly in favor of the draft General Data Protection Regulation, by a vote of 621 to 10, with 22 abstentions.  As a further sign of strong support, while the European Commission had proposed fines of up to €1 million or 2% of worldwide annual turnover, the Parliament raised these limits to €100 million or 5% of worldwide annual turnover.  The MEPs also amended the rules to require any firm, such as a search engine, social network or cloud service provider, to seek the prior authorization from a DPA before disclosing any EU citizen’s personal data to a third country and also to inform the individual concerned of the request.  According to Viviane Reding, the EU Justice Commissioner, the parliamentary vote shows unequivocally that the reform is “irreversible.” The next step for the Regulation will be the approval of the Council of the EU, whose next meeting will be held in June.  Past meetings of the Council on the proposed reform, such as the one held on March 4, have been marked by significant disagreements, but the Council will now be under considerable pressure to reach a common position of its own, in order to begin trilateral reconciliation discussions with the Commission and the Parliament.

Article 29 WP Ups the Ante on Safe Harbor Reforms
In a letter to EU Justice Commissioner Viviane Reding dated April 10, the Article 29 Working Party affirms the 13 recommendations for Safe Harbor reform made by the European Commission on November 27, 2013 and reiterates that the framework should be suspended if improvements are not made.  More significantly, the Working Party also makes some 37 additional recommendations for changes in both the Safe Harbor Principles and the administration of the framework by the U.S. Department of Commerce.  Unlike the “high-level” changes proposed by the Commission, those advanced by the Working Party are far more informed, practical and consequential. Taken collectively, the recommendations amount to a call for a far-ranging renegotiation of the Safe Harbor agreement.

Harper Government Introduces PIPEDA Reforms
On April 8, the Harper government introduced Bill S-4, the “Digital Privacy Act,” in the Senate.  The Act is largely a re-tabling of two previous Bills introduced in the House of Commons to amend PIPEDA.  The bill follows the lead of Alberta and British Columbia in allowing for the collection, use and disclosure of personal information in the employment context without consent, and also includes exemptions for business contact information and personal data in business transactions.  Most prominently, it introduces the long-discussed obligation to notify the Privacy Commissioner of data breaches, and to also notify individuals where there is a real risk of significant harm.  A new section of the Act would give the Privacy Commissioner the authority to enter into “compliance agreements” with organizations that have breached, or are likely to breach, the law.  Within a few news cycles, criticisms began to reverberate that some relatively obscure language in the Act could massively expand warrantless disclosure of personal information to the government.

March 2014

Self-Destructing Text Messages Pose Challenge for Employers
A new app called Confide, available in the iTunes store, creates self-destructing mobile messages designed for “off the record” conversations or situations where two parties want to have candid and private discussions without fear of text messages being permanently stored or inadvertently shared.  While the app could be beneficial in many employment contexts, its use might also violate the record retention requirements of numerous laws, and it could be used for nefarious purposes as well, such as sexual harassment, insider trading or leaking confidential or trade secret information.  TigerText is another self-destructing message app that is making inroads in the healthcare industry.

HR Data Breach Floodgates Open in March
A record number of HR data breaches, 14, were reported during March, fueled in part by tax return frauds and breaches by an unnamed payroll vendor that may have affected multiple clients:  Syracuse Personnel Department (personal data of 300 retired police officers compromised by the inadvertent attachment of information to an e-mail); Metropolitan Transportation Authority (15,000 NYC transit workers jeopardized when their information was found on a CD inside a refurbished CD drive sold by a retailer); Sorenson Communications (an undisclosed number of employees impacted by a breach at the firm’s payroll vendor); Weather Shield (hundreds of employees of the Wisconsin firm falling victim to ID theft in the form of fraudulently claimed tax refunds); Atlanta’s Watershed Management (dozens of employees hit by tax refund fraud); Richmond Fire Department (SSNs of all city firefighters exposed online); McKenna Long & Aldridge (sensitive personal information of 441 current and former employees of the international law firm compromised in a breach by a payroll vendor); Arcadia Home Care & Staffing (an undisclosed number of employees impacted when a former affiliate company took their personal information to start a competing business); IRS (20,000 employees jeopardized when an employee took a thumb drive containing their names, SSNs and addresses and plugged it into an insecure home network); University of Pittsburgh Medical Center (up to 322 employees falling victim to tax return fraud); The Timken Company (personal information of 5,000 employees exposed on an insecure server); Assisted Living Concepts (over 43,000 employees impacted by the hack of a database at a payroll vendor); Thermo Fisher Scientific (93 employees impacted by the theft of a laptop containing their unencrypted names and SSNs); EMC (an unknown number of employees affected when a vendor mistakenly e-mailed an unauthorized party an Excel file containing their information in hidden fields); and the City of Detroit (1,700 fire and EMS employees impacted by computer hacking).

Officials Vow to Strengthen Safe Harbor by Summer
Commitments to increase privacy protection and strengthen Safe Harbor by this summer were included in a joint statement released after an EU-US Summit meeting in Brussels on March 26. The commitments follow a threat from the European Parliament to veto any future trade agreement between the EU and US, and to suspend Safe Harbor, unless safeguards for EU citizens' privacy rights were improved by the US.  Meetings between the Department of Commerce and their European counterparts to address the European Commission’s recommendations for Safe Harbor reforms began in March.

Spanish Court Rules Employer May Not Compel Use of SMS/Email Communications
The Spanish Central Labour Court has deemed abusive the inclusion of a clause in an employment contract that would allow the employer to make communications to its employees by means of SMS or email.  The court determined that the mobile phone number and email address of an employee are personal data and could be processed only with the consent of the employee or in situations where such information is deemed essential to the maintenance or development of the employment relationship.  In the case in hand, the employer had failed to obtain valid consent and had not proved that collecting the phone number and email address was necessary for the maintenance and development of the employment relationship.

Industry Canada Plans to Modernize the Privacy Regime during 2014-15
After years in which the government of Canada has failed to carry out legally mandated reviews and reforms of PIPEDA, the country’s national privacy law, Industry Canada announced on March 7 that amongst its digital economy priorities for 2014-15 was “modernizing the privacy regime to better protect consumer privacy online.”  The Industry Canada report suggests that some legislative action to reform PIPEDA may finally be on the way.

Employee Records Exemption a Slim Reed for Australian Companies
Employers who believe that having a privacy policy and the employee records exemption immunizes them from compliance risks under the new Australian privacy amendments are in for a shock, according to attorneys with DLA Piper Australia.  The employee records exemption only applies to personal information collected and used as part of the employment relationship (current or former), or contained in an “employee record.”  The hidden risk here is that individuals such as contractors and job candidates are not covered by the exemption.  Many employers hold, use and even disclose personal information of individuals who are not exempt, exposing the employer to risk.  Another critical but frequently overlooked risk arises where a member of a corporate group collects personal information of a subsidiary’s employee assuming the employee records exemption applies.  Only the legal employer has the benefit of the exemption.  Therefore, the notification requirements and other privacy obligations of the APPs will need to be considered before any such collection occurs.

February 2014

Use of Data Analytics in HR Surging Worldwide
According to a survey by the Economist Intelligence Unit, more than half of HR departments around the world report an increase in the use of data analytics compared with three years ago.  At the same time, many employees are unaware of how information they may deem private is being analyzed by their managers.  Expanding measurements of how employees behave, who they interact with and what makes them productive is a cornerstone of what is being called the Quantified Workplace movement.  A leader in this arena, a San Francisco-based firm named Evolv, collects and analyzes more than half a billion “employee data points” from across 13 countries, seeking to identify patterns across companies and industries.

Wearable Tech Devices Heading for Workplaces
Wearable tech devices, such as smart glasses, fitness bands and watches were prominent at this January’s Consumer Electronics Show in Las Vegas and are expected to create a market worth $50 billion by 2018.  With many of the device sellers now targeting businesses, as well as employees bringing their own wearable devices to work, employers will need to craft policies and practices that comply with privacy expectations and requirements, particularly in the 100 and more countries with comprehensive privacy laws.

Dozen Breaches in February Capped by Arrest of Three HR Employees
Twelve breaches of HR-related data were reported during February, including the most egregious, at Home Depot:  University of Pittsburgh Medical Center (dozens, and possibly hundreds, of employees victimized by the opening of fraudulent accounts in their names and the filing of fraudulent tax returns); Kenerson Associates (data of 18 current and former employees of the Massachusetts firm accessed in a breach involving BenefitMall, their payroll processor); California Dept. of Resources Recycling and Recovery (names and SSNs of an unknown number of employees sent electronically to unauthorized recipients); Arizona Public Safety Personnel Retirement System (personal data of 52,000 retired police officers, firefighters, politicians and corrections officers exposed when files with their data were downloaded by a senior manager prior to his departure); TSYS and Kelley Manufacturing (personal data of thousands of employees of the Ohio firms e-mailed by a temporary employee of Paragon Benefits to his personal account); Las Vegas Sands Corp. (names and SSNs of an unknown number of employees posted on the websites of the world’s biggest casino operator, apparently in retaliation for anti-Iran comments attributed to the firm’s CEO); Oakland University (an undisclosed number of employees of the Michigan school victimized by identity theft involving fraudulent tax return filings); Home Depot (names, SSNs and birthdates of between 10,000 and 20,000 employees stolen for the purpose of opening fraudulent credit cards, leading to the arrest of three corporate HR employees); Freeman Company (an undisclosed number of employees of the Texas firm receiving other employees’ W-2 forms because of a glitch by a mailing vendor used by ADP); Bank of the West (personal data of an unknown number of job applicants exposed by the hacking of a retired Internet application database); Olmsted Medical Center (personal data of an undisclosed number of workers at the Minnesota health care facility exposed through hacking); and Nielsen (personal data of an unknown number of employees circulated within the company by a mass e-mail mistakenly sent by an HR staff member).

CNIL Amends Legal Framework for Whistleblowing Schemes
On January 30, the CNIL amended its single authorization AU-004, which allows self-certification by companies implementing whistleblowing schemes, in two significant ways.  In the first of these, the scope of whistleblowing schemes was expanded to include issues such as workplace discrimination, harassment, compliance with health, hygiene and safety measures, and the protection of the environment.  In the second, the CNIL revised its opposition to anonymous reporting to allow it under exceptional circumstances, as long as certain specified protocols were followed.  The CNIL’s decision should enable companies to use their whistleblowing schemes more consistently across jurisdictions and to streamline the reporting process in areas that are commonly recognized as fraudulent or unethical.

Mexican DPA to Increase Investigations and Enforcement in 2014
On February 4, the Mexican Institute of Access to Information and Data Protection (IFAI) announced that it anticipates issuing an abundance of fines in 2014 following an unprecedented increase in violations of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties.  Fines can range from $480 to $1.5 million and three months to three years imprisonment may also be imposed upon offenders, with both fines and jail time potentially doubling when sensitive data is involved.  The IFAI issued fines totaling $3.7 million in 2013.

Indian Government Finally Moving on Right to Privacy Bill
On February 10, the Standing Committee on Information Technology of the Indian Parliament slammed the government for not coming up with a comprehensive privacy law.  In an 88-page report entitled “Cyber-Crime, Cyber Security and Right to Privacy”, the committee stated that it was “extremely unhappy to note that the government is yet to institute a legal framework on privacy.”  The Department of Personnel and Training has been drafting a Bill for the past three years.  One week later, it was reported that the Government had redrafted the Right to Privacy Bill and that it would be placed before the secretaries of the ministries concerned within a week.  According to a subsequent report by The Economic Times, the draft bill will restrict the right to privacy to residents of India and will require the establishment of a Data Protection Authority to oversee implementation and enforcement of the law.  Experts believe the bill, modeled upon European precedents, is unlikely to be introduced before parliamentary elections in April and the installation of a new government in May.

January 2014

Federal Judge and Supreme Court Uphold Laptop Search Policy at Borders
In late December, U.S. District Judge Edward Korman dismissed a lawsuit brought by Pascal Abidor, a dual U.S.-French citizen, challenging the government’s right to inspect his laptop at the border, on the grounds that Abidor lacked standing because he didn’t seek damages.  At the same time, Korman affirmed past rulings that border officials do not need to have “reasonable suspicion” when they conduct cursory inspections of computers, although such grounds would be required if they wanted to carry out a forensic examination.  According to the judge, the chances that a U.S. citizen’s computer will be searched at a border crossing are less than five in a million.  A few weeks later, the U.S. Supreme Court let stand a Ninth Circuit ruling, in United States v. Cotterman, that extended and sophisticated forensic analysis of a digital device requires a reasonable suspicion of wrongdoing.

Privacy Regulators in Four Nations Crack Down on Google
During January, Google was fined in two countries, France and South Korea, and found to be in violation of privacy laws in two others, the Netherlands and Canada.  In France, the CNIL fined Google 150,000 euros (about $203,500) over its March 2012 privacy policy changes, the maximum fine allowed under current French law; the company immediately appealed the fine.  In South Korea, the Korea Communications Commission imposed a fine of 210 million won (about $196,000) on the Internet giant over its data collection associated with Street View.  In the Netherlands, the Dutch DPA found that Google's combining of user data under its revised privacy policy violates the country’s Data Protection Act. In Canada, the Federal Privacy Commissioner said that Google violated the country's privacy laws in using a person's Internet searches about personal health matters to tailor advertisements the individual would see when surfing online.  This was the second formal ruling against Google by the Privacy Commissioner; the first was in 2010 over its Street View program.

New Year Starts with Surge in HR Data Breaches
Nine breaches of employment-related data were reported in January, including:  Coca-Cola (74,000 current and former employees impacted by the theft of unencrypted laptops by a former employee); Dartmouth-Hitchcock (an undisclosed number of employees of the New Hampshire healthcare system notified that their names and direct deposit bank account information were compromised by an employee who fell for a phishing scheme); State Industrial Products (an unknown number of current and former employees of the Phoenix company informed that the FBI had discovered their personal information in the hands of a criminal ring seeking to grab workers’ income tax refunds); Apex Systems (an undisclosed number of employees jeopardized by the accidental attachment of a spreadsheet with their personal information to a mis-sent e-mail); Sidney Regional Medical Center (applicants for jobs at the Nebraska center informed that their information had been stored on a server without proper settings to block indexing by search engines); Veterans Administration (at least 5,351 of the VA eBenefits portal’s 3.38 million users impacted by a website glitch that allowed users to temporarily see benefits information of other individuals); SC Dept. of Employment and Workforce (more than 4,600 current and former employees impacted by the discovery that a former employee had downloaded their personal information to a flash drive); Pee Dee Regional Transportation Authority (personal information of 50 current and former employees exposed through an open port in a networked scanning machine); and PCC Structurals (an undisclosed number of employees of the Portland firm jeopardized when documents containing their sensitive information were found in a restaurant).

Reding Announces New Timetable for Data Protection Reform Package
On January 28, EU Justice Commissioner Viviane Reding announced a revised and more precise timetable for the adoption of the EU’s data protection reform package:  the Council of the EU will agree upon a formal negotiating mandate by the end of June 2014, with a view to inter-institutional negotiations concluding by the end of 2014.  In the meantime, the EU Parliament plenary session in April 2014 is expected to approve the recommendations of its LIBE committee and adopt them as its formal negotiating position, prior to the election of new MEPs in May.  Reding also reiterated the Commission’s threat to suspend the U.S.-EU Safe Harbor framework in the event that it is not strengthened by this summer.  The heated tenor of debates in Europe over the future of Safe Harbor is captured well in a Covington & Burling E-Alert issued on January 22.

Dutch Retailer Breaks DP Law by Secretly Filming Employees
The Dutch data protection agency (CBP) announced that consumer electronics retailer Media Markt violated the country’s privacy laws when it used mystery shoppers equipped with hidden cameras to film shop staff and then used the results in personnel evaluations.  Images from security cameras were also used to judge staff performance.  The CBP has not yet decided whether to fine the company.  Employers can film staff using secret cameras only if there is widespread theft or fraud and then only under strict conditions.

Australian Industry in Dark on New Privacy Law
Half of all Australian organizations are not even aware of amendments to the Privacy Act and the possibility of fines of up to $1.7 million being imposed upon them after it comes into effect in March, according to Shane Lonergan, Capgemini Australia’s testing services director.  DLA Piper partner Alec Christie agrees with the assessment that 50% to 60% of corporate Australia will not be compliant by March 12, as does Australian Privacy Foundation vice-chairman David Vaile.  Vaile said that reasons for ignorance of the new law were the low profile of the Privacy Commissioner's office, its absorption into the Office of the Australian Information Commissioner and the fact that it rarely makes any actual determinations.  Christie added that given the current widespread unawareness of privacy concerns by industry and government, the new law meant that corporate Australia will have to have “a complete change in attitude towards consumer privacy.”