Archives: Legislation

Two days ago, we heard that Target Corporation has brought in an information security heavy hitter to oversee the company’s post-breach data security and technology operations.  Now we learn that its home base of operations, Minnesota, is the latest state to propose a legislative reaction to the Target data breach.

The Minnesota legislature has introduced an expansive bill to amend the state’s data breach notification law to effectively create a 50-state notification requirement for entities doing business in Minnesota.  The bill would:

  • Broaden the breach notification requirement to require that all individuals be notified, rather than only residents of Minnesota
  • Require notification to affected individuals or the owners/licensees of the information within 48 hours of discovery or notification of the breach
  • Require that the business required to give notice make available one year of free credit monitoring services to all affected individuals and that such services must be made available within 30 days of the breach
  • Require that breached retailers or wholesalers of consumer goods or services provide each affected individual with a $100 gift card for future use, valid for at least one year
  • Require reimbursement of individuals who incur any charges or fees as a consequence of the breach

We will be following the progress of this amendment closely.


On Wednesday, the House Homeland Security Committee passed a substitute bill for H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013.  The committee substitute bill was broadly supported by both parties.  As it presently stands, H.R. 3696 delegates to the Department of Homeland Security  the responsibility for civilian cybersecurity research and development, incident detection and response, and facilitating the exchange of cyberthreat information between government and the private sector.  It calls for the establishment of industry sector coordinating councils under a so-called public-private partnership model.  In response to requests from industry, it expands the tort liability immunity provisions of the SAFETY Act by adding cybersecurity technologies to the anti-terrorism technologies covered by that statute.

Of concern to privacy advocates is the inclusion of a provision that appears to immunize private electronic communications services from liability for selling information about their customers’ communications to the government.  Under the bill, DHS is authorized to enter into contracts or other agreements to obtain “the assistance of private entities that provide electronic communication services, remote computing services, or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic . . . . No cause of action shall exist against private entities for assistance provided to the Secretary in accordance with this subsection.”


Written by Jake Romero

The California Senate has passed a bill restricting the information that certain online retailers can collect in connection with consumer purchases.  Senate Bill 383 would amend Sections 1747.02 and 1747.08 of the California Civil Code to address the collection of customer information in connection with credit card purchases in online transactions for downloadable products.  The bill aims to close a perceived gap in the data privacy protections afforded to California residents, by placing these types of transactions within the scope of California’s Song-Beverly Credit Card Act, which prohibits retailers from requiring certain customer personally identifiable information as a condition to accepting credit card payment.

Does this all sound vaguely familiar?  If so, that is likely because SB 383, in its current form, is just the latest development in a series of efforts to adapt Song-Beverly, a law that pre-dates the modern internet, to current retail and data collection practices.

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) The European Commission announced yesterday that it is working towards a revised timeline for the adoption of a definitive Data Protection Regulation by the end of 2014.

While Commissioner Viviane Reding’s press release about finalizing the Regulation by the end of 2014 has been reported by some as a new deadline, it is really more of an aspirational date.  In fact, the “new deadline” is consistent with comments made by the Commission at the end of 2013.  So it’s not really news, but the Commissioner’s comments are certainly worth reading as a summary of where we are with this critical legislation from the Commission’s perspective.  In Commissioner Reding’s own words, “[a]n agreement on the reform is possible before the end of this year.”

What might make Dec. 31, 2014 a difficult date to achieve?  Certainly the Commission and the European Parliament are keen to expedite adoption of the Regulation, and the differences in their views are relatively minor in the “big picture” sense.  However, the Council of the EU (the forum for the views of the national governments of the Member States) still needs to weigh in on the Parliament’s version of the draft Regulation.

Interestingly, Commissioner Reding’s press release was silent concerning the Council’s retraction last December of its support for the crucial “one-stop shop” that would give companies one regulator to deal with rather than 28 – although she did link to her December 6, 2013 speech chiding the Council for backsliding on the one-stop shop.  This is just one of several important issues that need to be resolved, and the complexity of the EU legislative process will make it a challenge to tie off all of the major issues and relatively minor loose ends by the end of 2014.  That said, we should see a huge push from the Commission and Parliament to make headway in the coming months – so this is a critical time for the national governments of the Member States, businesses and individuals to engage with the ongoing debates over privacy regulation in Europe.

. . . a delayed delivery notice for the biggest package of the holiday season!

Written by Susan Foster, Solicitor, England & Wales/Admitted in California, CIPP-E

(LONDON) Major changes are on the way in Europe that will have a significant impact on companies anywhere in the world that collect or process personal data of residents of the EU.  But what will the precise nature of those changes be . . . and when will they arrive?  The draft Data Protection Regulation is still being negotiated by the various political institutions of the EU.  While there is a slim chance that the final version will be promulgated before the next EU parliamentary elections in 2014, many commentators think that’s unlikely.  If the Regulation is not finalized before the elections, it will be subject to further discussion by the new parliamentary members and will roll into 2015.  (The political process is recapped below.)

However, even without a final draft of the Regulation, we can be reasonably certain about a number of features of the new legislation. And 2014 will almost certainly see changes to the US Safe Harbor regime in response to the EU’s pointed criticisms and recommendations that need to be addressed (under the threat that the Safe Harbor regime could be revoked by the EU).  See our previous commentary on potential Safe Harbor changes and recommendations for action here.

What should US companies who deal with EU personal data do now (well, as soon as the holidays are over)?

Without a definitive draft of the Regulation or confirmation as to how Safe Harbor will change, the best way to prepare for the new Regulation and potential changes to Safe Harbor is to get a very thorough knowledge of data flows within your organization and to or from third parties.  Companies should have a comprehensive grasp of what personal data is collected, where it came from, how it is used and for what purposes, whether any consents have been obtained, and how it is stored (including security measures).  What contractual protections are in place to govern how data is used and protected when there are transfers between companies (either within a corporate group or outside of a group)?  Is any of the data “sensitive” personal data under the current EU Directive?  Can you articulate “legitimate purposes” for your use of the data (again, per the current Directive)?  Do you have good records of consent that can be tied to particular data?

In other words, if you audit your company’s compliance with the current Directive (and Safe Harbor, if you are registered) and get a thorough understanding of your data flows, it will be much easier to figure out what you might need to change under the new Regulation.  Perhaps a good New Year’s resolution for 2014.

After all of the political wrangling of 2013, what’s likely to be in the new Regulation?

The negotiations aren’t over yet, but here are some key principles upon which the Parliament and the Commission seem to generally agree.

  • Substantial fines for non-compliance.  The Parliament wants fines of up to 5% of global turnover.  The Commission had proposed 2%.  Even if the final percentage is between those two figures, the fact that fines can be levied on global turnover means that we are talking about potentially huge fines.
  • Expansion of definition of “Personal Data.” As explained by the Commission, “personal data” is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, your bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”  Genetic and biometric data will be specifically addressed in the Regulation.
  • One-Stop Shop.  The latest draft of the Regulation keeps the concept of allowing companies to sign up with a single national regulator in the EU, which would greatly simplify compliance in terms of logistics.  However, this key pro-business principle was recently attacked by the legal advisor to the Council of the European Union (which is effectively the voice of the individual governments of the Member States) as potentially contrary to European human rights.  If the one-stop shop is not included in the Regulation, one of the primary pro-business benefits of the new law will be lost.
  • Express Consent Requirement To Process Personal Data – but you may not be able to rely on consent in many situations.  Data controllers (e.g., any company that collects personal information) are required to obtain (and not assume) the express consent of the data subject to the processing of his/her personal data for one or more specific purposes, unless processing is required for certain limited purposes such as compliance with a legal obligation of the business or to protect the vital interests of the individual.  However, the individual may withdraw the consent at any time, and consent is essentially not valid where there is an “imbalance” between the position of the individual and the business.
  • Breach Notification Requirement.  Businesses must notify the supervisory authority (i.e., the public authority established by each Member State) of a personal data breach “without undue delay,” which, per the Parliament’s draft, generally means not later than 72 hours after becoming aware of the breach.
  • Requirement to Adopt Policies and Implement Measures to Ensure and Demonstrate Compliance with the Regulation. Businesses must adopt policies and implement appropriate measures to ensure and be able to demonstrate that their processing of personal data is performed in compliance with the Regulation, including maintaining documentation of processing activity. The key principle is a high level of transparency so data subjects will know what data are to be collected, and by whom, how and where the data will be used or stored.
  • Binding Corporate Rules. Under the new Regulation, Binding Corporate Rules (“BCRs”), the tool used by companies with global operations to transfer personal data of EU residents within their corporate group to entities located in countries which do not have an adequate level of data protection, will no longer need to be approved by each Data Protection Authority in each applicable EU Member State (unless the “one-stop shop” concept is not adopted, as discussed above). Under the proposed regime, BCRs that meet the requirements described in the Regulation will need to be approved by one authority and, once approved, the BCRs will be recognized by the rest of the authorities in each applicable Member State. More importantly, the approved BCRs would also cover third parties that process personal data of EU residents on behalf of the business, such as cloud service providers.
  • Data Security Obligations.  Businesses are required to implement appropriate technical and organizational measures “to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.”
  • Data Protection Impact Assessment Requirement.   Businesses with processing operations that “present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes” are required to conduct a data protection impact assessment.
  • Requirement to Appoint Data Protection Officer.   Businesses with more than 250 employees and certain other organizations are required to appoint a data protection officer responsible for monitoring data processing activities.  The Parliament’s draft requires even small businesses to appoint a Data Protection Officer if they process the data of more than 5000 individuals.
  • Transfers of Personal Data to Third Countries.  Although the restriction on the transfer of personal data to third countries that do not offer an adequate level of protection (as determined by the Commission) remains in place, under the proposed Regulation, transfers based on standard data protection clauses adopted by the Commission or based on binding corporate rules will require approval by just one supervisory authority instead of multiple national authorities.

What needs to happen before we know for sure what the new law is in Europe?

To recap the legislative process very briefly, the Commission was responsible for generating the initial draft.  The European Parliament then proposed and discussed over 3,000 amendments, ultimately producing a revised draft with increased protections for individuals and a higher burden on business.  Now a parliamentary committee will negotiate with the Council (the forum for the views of the national governments of the Member States) with the goal of having a definitive vote in April 2014.  However, there’s a very substantial likelihood that agreement will not be reached with the Council prior to the parliamentary elections in May 2014, which will introduce more uncertainty into the timeline and with respect to the substance of the final Regulation.

So, in summary, your delivery from Europe is likely to arrive sometime in 2015.  Also, we are not entirely certain what we are sending you or how much it will cost.  But it will be big (whatever we finally decide to put into the box).  We apologize for any inconvenience.

The Senate Commerce Committee released this morning its majority staff report, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, on the practices data brokers use to collect and sell personal information of consumers and how those practices affect the privacy of hundreds of millions of Americans.  The Committee held a hearing on the substance of the report this afternoon.

The Committee, chaired by Senator John D. Rockefeller IV, examined representatives of the Federal Trade Commission, the data brokering industry and privacy advocates on the industry practices itemized in the staff report.  The staff report and a report published by the Government Accountability Office earlier this year, Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in the Technology and Marketplace, both highlight the absence of any general federal statute that gives consumers the right to know what information is collected and shared about them and for what purposes.

The Committee staff report finds data brokers collect massive amounts of detailed health, financial, political and consumption information on hundreds of millions of consumers, and use this information to assemble packages of contact information for consumers that fit specific profiles, which are then sold to advertisers.  The growth of this industry is illustrated by the fact that one data broker reported to the staff that it has multi-sourced data on more than 700 million individuals worldwide.  Another reported that its database includes almost every U.S. household, while a third claimed that it has data points for more than 80% of all U.S. consumer email addresses.

During the Senate hearing this afternoon, Senator Rockefeller stated that the staff investigation is continuing.  He said that he is putting several of the largest data brokers “on notice” that the Committee intends to pursue answers to its questions about their practices, implying that he would use the Committee’s subpoena power if necessary.

Written by Amy Malone, CIPP/US

In 2013 geolocation and biometrics were hot topics.  Apple included a fingerprint reader on the new iPhone, which was either really cool or an epic fail depending on your viewpoint, and Google and the NSA are tracking our every move.

While Edward Snowden’s revelations may have been eye opening (and headline-grabbing), the government has long been first in line to develop and use technology like geolocation and biometrics.  Homeland Security insists that biometrics are essential in national defense – identify and stop the bad guys.  The feds have also pushed biometrics in immigration reform bills for over a decade and continue to push that legislation forward.  And your location?  Well, law enforcement has been conducting warrantless geolocation tracking for years!

States have also been active in this area – passing legislation to allow the storage of the high-resolution photos they take of you at the DMV in a searchable database.  Many states allow federal and state law enforcement officials to search those databases.  Most legislation is aimed at limiting government use of this information, but the winds may be turning…

Biometrics

Currently, no federal law limits a private entity’s ability to collect, use or disclose biometric information.  Cybersecurity has been a hot button issue over the last few years and legislation has been introduced, but no legislation regarding private use of biometric data has been passed.  The Cyber Privacy Fortification Act has been introduced a few times and was reintroduced in March.  This legislation could be passed in 2014; it would require covered entities to provide notice to the FBI or the United States Secret Service of “major” security breaches of “sensitive personally identifiable information,” which by definition in the legislation includes unique biometric data.

Despite the current lack of proposed legislation, legislators are definitely paying attention to this area.  Senator Franken has repeatedly taken aim at the use of biometrics and recently questioned Apple about their use of fingerprint readers on the iPhone and urged the Department of Commerce to develop best practices for facial recognition technology.  The National Telecommunications and Information Administration responded to Franken’s request by announcing the kick-off of a privacy multistakeholder process to implement the Consumer Privacy Bill of Rights in the field of facial recognition.

With Senator Franken pushing and the multistakeholder process moving forward, there’s a good chance we will see new legislation aimed at regulating biometric information in 2014.

As this technology has flowed into our everyday lives, we’ve seen some states take action by regulating the collection and use of biometric information.  Both Illinois and Texas have laws restricting a private entity’s use and disclosure of biometric information, and several other states have laws governing the disposal of biometric information.  A few states also include biometric data in their definition of “personal information” and require notice to data owners in the event of a data breach involving that information.

In 2014 Alaska may pass its proposed House Bill No. 144, which is similar to the laws in Illinois and Texas.  The law requires covered entities to provide notice and obtain written consent from individuals prior to the collection of their biometric information and provides for an individual cause of action.  It would not be a surprise to see other states move forward in the biometric regulation area in 2014.

Geolocation

With the advent of smartphones came the love-hate relationship with geolocation.  We love when Siri gives us the name of a great restaurant that is up the street, but we are creeped out when we discover she’s been tracking our every move, even when we aren’t trying to locate that hip hangout.

Like with biometrics, the government has been all over geolocation technology for some time now and courts are playing catch up.  The big question today is whether police need warrants to obtain the location information of suspects.  Decisions around the country have been all over the map.  In July the New Jersey Supreme Court overturned an appellate decision and ruled that the use of cell phone information obtained by police without a warrant from a wireless provider violates the suspect’s constitutional rights under the Fourth Amendment of the New Jersey Constitution.  It’s possible that in 2014 the US Supreme Court will take this matter up for review.

Most legislation in this area has focused on limiting the government’s ability to collect and use geolocation information.  The Geolocation Privacy and Surveillance Act was reintroduced in 2013, and the bill requires government agencies to obtain a warrant to obtain geolocation information in the same way they currently get warrants for wiretaps.

On the state level, both Maine and Montana have laws requiring law enforcement agencies to get a warrant before they can obtain location information of an electronic device.  Texas, Maryland, Ohio, Colorado, California, and Illinois introduced similar bills this year, and we expect to see more state legislative activity in this area in 2014.

In the private sector, geolocation is an exploding industry.  In an attempt to compete with online competitors (who can easily track your every move), brick and mortar retailers use geolocation tracking via your mobile device to gather specific information on your shopping habits – like how long you stayed in the store, whether you went to the register, how long you waited in line and where the store hotspots are located.  In 2013 we saw this type of tracking blow up in Nordstrom’s face, but that did not stop Apple from rolling out its iBeacon in its own company stores in the U.S., or Macy’s from piloting the iBeacon technology in a few of its stores this holiday season.  We expect that 2014 will bring more new and creative technology to retailers who will use that to find new ways to find us — and monetize mobile location information.

Mobile app providers are also trying to get your geolocation information to improve their bottom line.  The New Year rings in with Twitter tapping into its location data.   Twitter just entered into an agreement with a provider for location intelligence technology which Twitter will use to support location sharing in tweets.  A news source reports, “Twitter will have an option to combine that location data for tweets with buying patterns, behaviors, preferences and influencers, and cross-reference it with nearby stores or other mobile users within an individual’s social network. It uses a smartphone’s GPS signal to pinpoint a location.”

Although we have not seen laws regulating the private sector’s collection of geolocation information, we blogged recently about the release of the Mobile Location Analytics Code of Conduct.  The Code is a self-regulatory framework of seven principles for services provided to retailers by mobile location analytics companies.

If a voluntary framework doesn’t ease your worried mind, maybe an app to block location tracking will?  Android users can now download an app to do just that!


Well, the headlines don’t exactly work with the traditional tune, but blame the editor for that…

Written by Jake Romero, CIPP/US

2013 was a busy year for California.  We passed a budget with a surplus, let Kim and Kanye get engaged in one of our stadiums and panicked over possibly losing Sriracha sauce.  At the same time, we also passed a number of significant pieces of legislation related to data privacy, the effects of which will be felt throughout the year.

  • Happy New Year!  Consumer Notification Laws Effective as of January 1, 2014 – “Do Not Track” and Data Breach Notification

Two laws going into effect on the first of the year will require additional notifications to consumers.  The first, A.B. 370, amends Section 22575 of California’s Business and Professions Code to require any operator of an online service to disclose in its privacy policy (1) how it responds to “Do Not Track” signals or similar tools and settings and (2) whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service.

As we discussed earlier this year, the absence of a universal industry standard for “Do Not Track” (which is not defined in the statute) may create pitfalls for unwary online service operators as they attempt to comply with the law’s requirements.  A full, clear and accurate description of an online service’s interpretation of Do Not Track signals will likely require significant review and diligence by, among others, that service’s operational and technical managers and support staff.  An online service that inaccurately describes the additional disclosures required by A.B. 370, or fails to update those disclosures in a timely manner following operational changes, may incur liability for engaging in deceptive practices.  On the other hand, a blanket disclosure stating that the service does not honor Do Not Track signals may ward off potential customers and damage the service’s reputation.

Under A.B. 370, online service operators are deemed to have satisfied the requirement to disclose the service’s interpretation of Do Not Track signals (but not the required disclosure regarding tracking by third parties), by linking to a description of a program or protocol that the operator follows that allows the consumer to exercise choice regarding collection of personally identifiable information.  Note that this option is only effective if the operator follows and complies with the protocol to which it directs consumers.  This may be problematic because many protocols, including the Digital Advertising Alliance (previously discussed here), require that all third party advertisers on the service be members of the program.  An online service operator hoping to take advantage of this option will need to have policies in place to assess compliance on an ongoing basis, including with respect to its third party advertisers.

The other consumer notification law going into effect is S.B. 46, which expands California’s data breach notification requirements to include incidents involving certain types of online data.  S.B. 46 amends Sections 1798.29 and 1798.82 of the California Civil Code to expand the definition of “personal information” to include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

As we previously discussed, this expansion of California’s notification requirement could significantly increase the number of reportable incidents in two ways.  First, California’s data breach notification requirements will apply to many more online service providers, as this type of online account information is commonly collected by websites.  Second, websites that only collect online account information may not have the type of robust safeguards and policies that an online service that collects other types of personal information, such as social security numbers, driver’s license numbers or credit card, medical or health insurance information, has already put in place.  We recommend that online services that collect “personal information” as defined under that term’s expanded definition review our recommendations for preparing to comply with the new law here.

  • Sector-Specific Regulations Effective as of January 1, 2014 – Medical Information and Customer Electrical or Natural Gas Usage Data

In addition to the generally applicable laws described above, two pieces of industry-specific legislation will also go into effect.  A.B. 658 amends Section 56.06 of the California Civil Code, which is part of the “Confidentiality of Medical Information Act” (or “CMIA”).  The CMIA prohibits providers of health care or recipients of individually identifiable medical information from using or disclosing medical information for any purpose not necessary to provide health care services to patients, without first obtaining authorization.  A.B. 658 will expand the definition of “provider of health care” so that this prohibition will also apply to “[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual . . .”  This change to the CMIA should be of particular concern to mobile application developers and operators.  With the use of mobile applications generally on the rise, health care related applications are expected to play a part in promoting wellness and addressing a number of issues, including rural access to health care.  However, as compared to the average website, mobile applications typically require a more complex system of third party service providers that may have access to data, and can be an inherently challenging platform for displaying notices.

As of January 1, we will also see new regulations applicable to businesses that use “smart meter” data.  For the past three years, utilities have been prohibited from sharing or disclosing data regarding individual consumption or use of electricity or natural gas by an individual without that individual’s prior consent.  A.B. 1274 extends this prohibition to non-utility businesses, and requires that such businesses disclose any third parties with whom they share such information and how it will be used.  In addition, A.B. 1274 requires businesses to use reasonable security procedures and practices to protect usage data from unauthorized access or disclosure, and to put in place contractual requirements with any third parties who receive usage data requiring those third parties to do the same.  A.B. 1274 also requires certain steps to be taken when disposing of usage data, and prohibits businesses from offering incentives to consumers who allow their information to be accessed without prior consent.

  • Looking Ahead – Children’s Privacy Rights

The supporters of the ballot initiative known as the California Personal Privacy Initiative may have dropped their efforts, but we expect that in 2014 California will continue its aggressive push to increase data privacy regulation and enforcement.  We will also be tracking preparations for S.B. 568, which goes into effect on January 1, 2015.  S.B. 568 prohibits operators of online services directed toward minors under the age of 18 (as well as online services not directed toward minors, if the operator of the service has actual knowledge of a minor using the service and advertisements are specifically directed to that minor based on information the minor has provided) from marketing certain products (including alcoholic beverages, firearms, ammunition, spray paint, cigarettes, fireworks, tanning devices, lottery tickets, tattoos, drug paraphernalia and obscene materials).  S.B. 568 also requires that these types of online services permit minors to remove or request the removal of content or information posted by that minor and provide certain specific disclosures regarding deletion of online information.  We discuss S.B. 568 in further detail and provide recommendations for preparing to comply with the new requirements here.

 

 

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) The European Commission, which has the authority to make changes to the US Safe Harbor program, has published a paper titled “Rebuilding Trust in EU-US Data Flows” that sets out the changes that the Commission would like to see the US adopt.  While it would be a bit premature to start revising your company’s privacy policy and preparing for surprise audits by the US government, the paper sends some strong signals as to what to expect in perhaps a year’s time.

As most readers will know, the US Safe Harbor program is a voluntary program under which US companies agree to assume various legal obligations, and in turn are permitted by EU data protection laws to receive the personal data of EU residents.

The Commission’s recommendations are obviously in response to the revelations concerning the US’s intelligence activities involving the collection, via US internet services providers and others, of vast quantities of data transmitted by, or concerning, EU residents.  The Commission cannot comment, of course, on the intelligence activities of its own member states, since, as the Commission notes, “whilst the EU can take action in areas of EU competence, in particular to safeguard the application of EU law, national security remains the sole responsibility of each Member State.”  This means that the Commission’s interests in restricting surveillance of the online activities of EU residents may not be entirely congruent with the interests of its member states, which will need to take into account their own intelligence activities and intelligence sharing arrangements as well as their concerns for the privacy of their citizens.  That said, the Commission does not appear at all reluctant to recommend changes to US intelligence programs and the powers of the Foreign Intelligence Surveillance Court.

The other key context for the recommendations is the ongoing trade talks between the US and EU, known as the Transatlantic Trade and Investment Partnership (T-TIP).  The Commission pointedly states in today’s communication that the EU views T-TIP and data protection laws (including Safe Harbor) as separate matters, and that the T-TIP negotiations will not affect its views on Safe Harbor:  “For this reason, data protection standards will not be negotiated within the Transatlantic Trade and Investment Partnership, which will fully respect the data protection rules.”  That seems rather a brave statement at this stage of the T-TIP negotiations (which are not due to be concluded until sometime in 2014).  It remains to be seen whether the Commission will be successful in completely separating the two issues, given the fundamental commercial value of personal data.

But let’s assume for now that neither EU national security interests nor the T-TIP talks will have any influence on the discussion about Safe Harbor.  What is the Commission proposing?  Broadly, the following:

  • a broad review of the functioning of Safe Harbor
  • improving the US government’s supervision and monitoring of compliance of Safe Harbor participants
  • ensuring that the national security exception that is currently available under Safe Harbor is used only “to an extent that is strictly necessary and proportionate”
  • EU citizens must receive the same level of protection (due process and judicial redress) as US citizens in intelligence-gathering operations
  • The US government should commit that “personal data held by private entities in the EU will not be accessed directly by US law enforcement agencies outside of formal channels of co-operation, such as Mutual Legal Assistance agreements and sectoral EU-US  . . .  authorising such transfers under strict conditions, except in clearly defined, exceptional and judicially reviewable situations.”
  • US intelligence collection programs should be “improved by strengthening the role of the Foreign Intelligence Surveillance Court  and by introducing remedies for individuals.”

The Commission also provided a summary of 13 specific recommendations in a separate press release today.  The following selections from these 13 requirements are slightly paraphrased – see the EC’s memo for the full recommendations.

  • Requiring the Safe Harbor website to list all companies that are NOT current members of Safe Harbor (which would be in the hundreds of thousands, if not more, as there are only some 3,000 plus participants today)
  • Privacy policies on companies’ websites should include a link to an alternative dispute resolution (ADR) provider
  • The Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints
  • The US government should conduct proactive compliance investigations (not contingent on complaints or any signs of non-compliance)
  • Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor
  • Companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements

The Commission’s Communication and related press releases should have the positive effect of making the discussion around Safe Harbor more specific in light of the Commission’s concrete suggestions.  Meanwhile, the larger context of sweepingly ambitious trade treaty negotiations, citizens’ reactions (on both sides of the Atlantic) to government surveillance programs (and not just by the USA), and national interests in intelligence-gathering and counterterrorism may make it difficult to negotiate the changes to Safe Harbor in isolation.  But that’s not really a bad thing.  Data protection laws don’t exist in a vacuum, after all.

 

 

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) As widely expected, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted today in favor of a revised, even tougher draft of the Data Protection Regulation that will (if finally adopted) replace the EU’s current laws regarding the collection and use of personal data of EU residents.  Broadly speaking, LIBE’s approach favors individual rights over commercial interests.  Changes introduced by LIBE include raising the ceiling for fines from 2% to 5% of a company’s global turnover.  Notably, LIBE has retained the highly controversial “right to be forgotten.”

The next step in the legislative process is for LIBE to negotiate with the Council of Ministers of the European Union.  A meeting is scheduled for early December.