On Friday, June 24, the UK electorate voted in a referendum to leave the European Union by a 52% majority. The mechanics of leaving the European Union will be complex, given that the referendum question did not spell out what relationship the UK would have with the EU once it has left, and there is widespread disagreement within the UK government around how and when the United Kingdom’s separation from the European Union should be implemented. One question is what effect Brexit will have on the continued application of the EU General Data Protection Regulation (GDPR) in the UK.
The United States and the European Union reportedly have agreed on changes to the EU-US Privacy Shield. A revised agreement has been sent to EU Member States, and a vote is expected to be held early next month, in July 2016. If approved by the EU Member States, companies will be able to subscribe to the Privacy Shield shortly thereafter.
Although the revised agreement is not yet available publicly, the Wall Street Journal reports that the European Commission has addressed the Article 29 Working Party’s concerns regarding the first draft. Fortune reports that the revised agreement clarifies US “mass surveillance powers, the role of the ‘ombudsperson’ who will adjudicate complaints from EU citizens about their data being abused, and the transfer of EU citizens’ data to other companies.”
The agreement is a positive step in bringing the Privacy Shield closer to reality. There is a need for a functional, workable cross-border data transfer mechanism that will have broad support on both sides of the Atlantic. This need is even greater now that the Irish data protection authority has referred a question on the validity of Standard Contractual Clauses to the Court of Justice of the European Union.
We will update the Data Protection Report when the revised draft is published.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.
On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were accompanied by Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act of 2015 (“Guidance”). These documents represent finalized versions of interim guidance and procedures which, as we have previously reported, were issued in February.
A recently-reported court case in the United Arab Emirates has highlighted the importance of establishing and implementing good privacy practices, even in the absence of specific data protection legislation.
In late 2014, the UAE public prosecutor charged three officials from a federal authority – the general director, a branch manager and an IT manager – with violating privacy laws and breaching public security by placing CCTV cameras in a female customer service centre. The men argued that they had installed the cameras for security purposes and that the female employees were aware of the cameras. The men were initially held in custody, but an Appeals Court judge ordered that they be released after the men spent more than two months in prison prior to the first court hearing.
In March 2015, the Misdemeanour Court of First Instance cleared the defendants of the public security violation but found them guilty of breaching the privacy of their female colleagues. The three men were each sentenced to six-month suspended jail sentences, and one of the defendants was sentenced to be deported.
The defendants appealed and were subsequently found not guilty by the Appeals Court.
The public prosecutor appealed their acquittal to the Court of Cassation on the basis that the verdict contradicted Article 21 of the UAE Cyber Crimes Law. The relevant article provides that any person who uses a computer network, electronic information system or any other IT means for the invasion of privacy of another person is guilty of a crime punishable by a fine and imprisonment unless the act is permitted by law. The Cyber Crimes Law also states that privacy can be invaded by the capture of audio-visual recordings or photographs.
Upon further appeal, the Court of Cassation determined in November 2015 that there were “vague and contradictory elements” in the Appeal Court’s verdict and that it did not clarify the basis on which the defendants were acquitted. It referred the case back to the Appeals Court.
A second Court of Appeal decision again found the three defendants guilty of the privacy charge and upheld the first instance ruling. This verdict was also appealed.
A final ruling by the Court of Cassation cleared the men of all charges. The Court ruled that they were not guilty of breaching female employees’ privacy by setting the cameras at the federal authority’s women’s branch. It was sympathetic to the claims of the defendants, who had argued that the cameras had been introduced for lawful purposes and that the security reasons for installing the cameras overrode any privacy issues.
While the case ultimately established the innocence of the defendants, it highlights the risk of employees in the UAE committing potentially criminal offences by engaging in certain data processing activities. The Cyber Crimes Law, Penal Code and other legislation in the UAE contain offences based on the violation of personal privacy. All businesses operating in the country should be aware of the serious consequences of breaching privacy rights and adopt suitable processes to mitigate the risk of criminal actions.
On June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica and Unilever, in the amounts of 8,000, 9,000 and 11,000 Euro, respectively.
Since the invalidation of the Safe Harbor framework by the Court of Justice of the European Union (“CJEU”) in October 2015, German DPAs have taken an active role in questioning cross-border data transfer mechanisms, including the validity of the Standard Contractual Clauses and the Binding Corporate Rules, neither of which the CJEU addressed in the Safe Harbor Schrems decision. As part of this effort, the Hamburg DPA made inquiries of 38 global companies that had previously relied on the Safe Harbor framework and have operations in Hamburg to determine whether the companies had updated their cross-border data transfer practices to reflect the invalidation of Safe Harbor. This inquiry has, in turn, resulted in the enforcement action against the three companies.
On May 25, 2016, Austrian law student Max Schrems issued a press release stating that he has been informed that the Irish Data Protection Commissioner (DPC) is planning to refer a question to the Court of Justice of the European Union (CJEU) as to whether the EU model clauses remain a valid data transfer mechanism to the US, given the issues raised by the CJEU in its Schrems v. Facebook ruling last October, on mass surveillance of communication by US intelligence agencies and the lack of legal redress where this is disproportionate for EU data subjects. Such a referral would require the DPC to seek a declaratory judgement in the Irish High Court, which would in turn request a ruling from the CJEU.
We do not know the exact terms of the question that is being referred at this stage.
As unwelcome as this latest challenge is for organisations whose operations rely on personal data flows to the US, there is a certain inevitability about it following the Article 29 Working Party’s negative reaction to the EU/US Privacy Shield, the proposed replacement to the US/EU Safe Harbor Agreement, which was invalidated by the Schrems ruling. The referral will put further pressure on the EU/US negotiators to find an acceptable political solution that meets the CJEU requirements in the first Schrems decision. The referral also could provide an opportunity for the CJEU to specify less demanding criteria that the US surveillance practices and redress mechanisms must meet.
The CJEU ruling, if and when it comes, could have many nuances and is by no means certain to conclude that EU model clauses are invalid for all types of data transfers. In the meantime, use of the EU model clauses (together with compliance with local prior authorisation and data subject notice requirements) will remain a valid export method to the US and other non-EEA countries which have not been deemed to have adequate data protection regimes. They also remain the least onerous export route if other derogations (e.g., the data subject has consented or the transfer is necessary for the performance of a contract) are not available.
We will be tracking this challenge and the results of the Article 31 Committee vote on whether the Commission will adopt the EU/US Privacy Shield as presented by the Commission or as amended as a result of the current EU/US discussions. This committee, made up of EU Member State representatives, must approve the EU/US Privacy Shield before the Commission can adopt it. It is scheduled to meet on June 6th and 20th and a vote could be taken at either of these meetings or not taken at all.
With infrastructure cybersecurity becoming a growing concern for businesses globally, it is not surprising that yet another industry association – the International Association of Drilling Contractors (“IADC”) – has issued cybersecurity guidelines for its members. IADC’s Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets address the cyber risks affecting the “digital oilfield” – including wireless offshore technologies and automated drilling assets and drilling control systems.
The Hong Kong Monetary Authority (HKMA) is taking action to tackle cyber security in the banking sector in Hong Kong through the Cybersecurity Fortification Initiative (CFI) – a new comprehensive initiative announced on May 18, 2016, which aims to raise the level of cybersecurity of the banks in Hong Kong. This follows the Hong Kong Securities and Futures Commission’s (SFC) similar initiative of issuing the Circular to All Licensed Corporations on Cybersecurity (see our previous post).
Over the past month, Hong Kong Courts and the Securities and Futures Commission (“SFC”) have taken action under the Personal Data (Privacy) Ordinance (“PDPO”) against an insurance agent, a marketing company and a licensed individual for improper handling of personal data, resulting in a Community Service Order, a fine, and an SFC disciplinary action. These cases demonstrate increased citizen awareness of privacy rights, industry focus on the PDPO, and foreshadow further enforcement activity.
The EU Network & Information Security Directive (NISD) (also known as the “Cyber Security Directive”) got one step closer to adoption today when, on May 17, 2016, the EU Council confirmed at first reading the agreement reached with the European Parliament in December 2015. To be enacted, the text must be approved by the European Parliament at second reading. A press release from the European Council states that the NISD is expected to enter into force in August 2016.
The NISD establishes minimum obligations for all Member States on the prevention of, handling of, and response to, risks and incidents affecting networks and information systems; creates a cooperation mechanism between Member States; and establishes security requirements for certain market operators and public administrations. The NISD will impose new security-related obligations on market operators providing “essential services” in a wide range of industries. Providers of digital services (online marketplaces, cloud computing services and search engines) will also be covered by the NISD.
Once the NISD is adopted, EU Member States will have 21 months to adopt the necessary national provisions to comply with it.
For further details of the contents of the NISD please see our December 2015 post on the agreed text.