March 2015
ECJ Hears Arguments in Schrems' Challenge to Safe Harbor
On March 24, the European Court of Justice heard arguments in the case brought by Austrian privacy activist Max Schrems challenging the position of Ireland's DPA that it was bound by the European Commission's 2000 adequacy decision on the EU-US Safe Harbor framework, and therefore could not consider his claim that NSA surveillance rendered Safe Harbor invalid. The impact of the case could be wide-ranging, with some 4,000 US-based organizations currently relying upon Safe Harbor as their legal basis for importing personal data from the EU. Notably, the Commission admitted during the hearing that it cannot guarantee EU citizens' fundamental right to privacy when their data is transferred to the US under Safe Harbor. Arguments supporting Schrems were advanced by Austria, Belgium, Poland, Slovenia, the European Parliament, the European Data Protection Supervisor and Digital Rights Ireland. Advocate General Yves Bot, a former French public prosecutor, is expected to deliver his opinion by June 24, with the judgment of the Court's 15-member Grand Chamber to follow.
Major Data Protection Rulings in the UK and France
Court rulings in March in two EU member states affirmed the jurisdiction of European courts over foreign companies accused of violating national data protection laws. In the UK, the England and Wales Court of Appeal (EWCA) handed down a landmark judgment in Google Inc v. Vidal-Hall & Ors, a case brought by three users of Apple's Safari web browser who claimed that Google ignored their privacy settings in order to profile them and deliver personalized ads. Besides finding foreign companies to be subject to UK data protection law, the EWCA recognized misuse of private information as a tort in its own right and held that section 13(2) of the UK Data Protection Act 1998, which barred compensation for distress alone, failed to correctly implement the EU Data Protection Directive (95/46/EC) and must be disapplied. In France, the Paris Court of First Instance found that, the jurisdiction clause in Facebook's Terms & Conditions notwithstanding, French courts have jurisdiction over foreign companies that collect, process and transfer personal information in France. Both cases underscore how defenses based upon jurisdiction clauses are unraveling.
CNIL Eases Trans-Border Notification Requirements
The French data protection authority, the CNIL, streamlined international data transfers for companies with Binding Corporate Rules (BCRs). In place of the former practice of requiring notification of each type of data transfer, a single authorization will now be issued to the corporate group, with affiliates then submitting a simplified registration indicating that their data transfers outside the EU fall under that authorization. As a sign of its support for BCRs, the CNIL will directly contact each of the 60 or so multinationals holding BCRs to explain the new procedure. Separately, on March 4 the CNIL issued guidelines for companies on Bring Your Own Device (BYOD) policies, covering appropriate safeguards for protecting the privacy of employees and notification of BYOD activities.
Brazilian Government Releases Draft Data Protection Bill
On January 28, the Brazilian government issued a preliminary draft of its Bill for the Protection of Personal Data. The bill applies to all companies that process personal data via automated means, provided that the processing occurs in Brazil or the personal data is collected in Brazil. The bill has many features of European-style comprehensive data privacy laws, including requirements for free, express, specific and informed consent to process personal data; a prohibition on processing sensitive personal data, except in limited circumstances; reporting of data breaches to the competent authority; data subject access and correction rights; restrictions on transfers of personal data to countries not providing a similar level of protection; and an obligation to implement data security measures proportionate to the risks involved in the processing. Public consultation on the bill ran through February 27.
Austrian Court OKs Class Action Lawsuit against Facebook
In a landmark ruling, an Austrian court has approved a privacy-based class action lawsuit against Facebook, brought by activist Maximilian Schrems on behalf of 25,000 users in Europe, Asia, Latin America and Australia. Among the accusations made in the lawsuit are invalid privacy policies; illegal collection and forwarding of user data; surveillance of users via 'like' buttons and apps; and participation in the NSA's PRISM surveillance program. An initial hearing is to be held in Vienna on April 9. Last summer, an issue raised in Schrems' related lawsuit in Ireland, namely whether national DPAs are bound by the European Commission's Safe Harbor adequacy decision, was referred to the European Court of Justice.
Google Agrees to Onsite Inspections by the Garante
Arbitrator Rules against Repeat Background Checks in Canada
A labor arbitrator in Quebec ruled that Canada Post cannot require current employees to provide their consent to criminal and credit checks. While the Union of Canadian Postal Employees did not object to the investigations being carried out on a pre-employment basis or when an employee is transferred to a position requiring security clearance, it argued that a broader use infringed the privacy rights of employees. The arbitrator, citing a 1988 grievance that prohibited Canada Post from fingerprinting its employees, concurred that the new background check policy was an inappropriate invasion of privacy.
New Accountability Framework Coming in Australia
Faced with lagging compliance with the country's new privacy law, the Australian Privacy Commissioner, Timothy Pilgrim, announced on February 11 that his office would introduce a new privacy management framework in May. The framework will flesh out the more high-level guidance the OAIC has previously provided on how organizations can comply with Australian Privacy Principle 1 (APP 1) on the open and transparent management of personal information. Topics to be covered include planning and strategy, risk assessment, breach and incident management, and regular evaluation, with an emphasis upon adopting best practices and building a culture of privacy.
EDPS Reports Progress, New End Date for Safe Harbor Talks
In an interview with Privacy Laws & Business conducted at the end of January, Giovanni Buttarelli, the new European Data Protection Supervisor, stated that considerable progress had been made in talks between the U.S. and the EU over Safe Harbor. According to Buttarelli, of the 13 improvements in the program recommended by the European Commission in November 2013, only one, albeit a very important one, remained open: the redress mechanism. Buttarelli added that he fully supports the Commission’s position to have a solution on Safe Harbor within six months. Details about progress in the talks remain sketchy, with the Commission opposing open discussion of the negotiations within the EU Parliament.
DP Reform Package Expected to be Finalized by End of 2015
Early in January, MEP Jan Philipp Albrecht, the vice-chairman of the Parliament's civil liberties committee, warned that issues raised by Germany, France and the UK could delay the finalization of the draft reform package until sometime in 2016. However, two weeks later he expressed optimism that all negotiations on the legislation could be completed by the end of the year. In spite of challenges noted by Chris Pounder, Eduardo Ustaran and David Smith, by the end of January the European Commission and most observers concurred that the Council of Ministers should be able to complete the development of its position on the data protection reform package by the end of June. This would allow trilogue negotiations amongst the Council, the Parliament and the Commission to begin immediately and be concluded by the end of the year. Under this time frame, with a two-year grace period to follow agreement on the text, the new General Data Protection Regulation would come into effect on January 1, 2018.
CNIL Focuses on Accountability and Helping Companies Achieve Compliance
On January 13, the CNIL published a standard defining what accountability in data protection matters means in practice. Companies that satisfy the 25 requirements set forth in the standard will be able to obtain and display an “accountability seal” from the CNIL. While an obligation to implement some kind of accountability or governance program is expected to be included in the future General Data Protection Regulation, it is unlikely to include details about what such a program must look like. The CNIL also showed its new focus on implementation of obligations by creating a compliance directorate and by issuing the first of a planned series of compliance toolkits for companies in particular sectors, the initial one being the insurance industry. The CNIL also announced a simplified norm on monitoring and recording phone calls in the workplace.
BC Government Reins in Police Record Checks
Successfully capping a multi-year campaign by BC’s Information and Privacy Commissioner, Elizabeth Denham, the provincial government issued a policy in December that prohibits police forces across British Columbia from revealing unnecessary and embarrassing details in police record checks. Under the new policy, police will not be able to disclose suicide attempts, mental health apprehensions, incidents that don't result in either charges or convictions, or other records that are irrelevant to employment or volunteering. The new policy has been endorsed by all municipal and RCMP forces in the province, according to Denham.
Security Guidelines Updated in Australia
On January 19, the Office of the Australian Information Commissioner updated its list of the IT security measures it expects organisations to have in place to protect user data, adding new guidance to address risks associated with trusted insiders and cloud computing. The 46-page guide replaces guidance issued last August which clarified what the OAIC regards as the "reasonable steps" needed to protect data under the Privacy Act. It contains more detail than the previous guide and places greater emphasis on privacy by design, risk assessments, the increased likelihood that information will be mishandled when it has been collected unnecessarily, the importance of designing security measures that account for human error and insider breaches, and the need to drive a culture of privacy and security from the board level.