International Privacy Law

The General Data Protection Regulation is coming, and along with it, a significant expectation of increased harmonization in the privacy rules across the EU. Considering the 60-plus articles which directly impose obligations on controllers and processors, this isn’t an unreasonable sentiment. However (as is often the case with the EU), reality is a bit more complicated than what the expectations reflect.

The reason for the retained level of complexity even under the GDPR is what are known as “opening clauses”. These clauses permit a Member State to modify the provisions of the Article in which the clause resides. In effect, the opening clauses permit the Member State to introduce a more restrictive application of the GDPR obligation via local legislation.

These opening clauses are particularly important to note as there are a number of them (around 30% of the directly applicable Articles have opening clauses), and many of them address an already complicated area of data protection law – employment. While there are a number of companies who have a large consumer impact in the EU, there are just as many (if not more) who have workers in the EU, or have clients who have workers in the EU. As a consequence, the implementation of the GDPR doesn’t fully mitigate the patchwork quilt of local law when it comes to labor & employment law. This is both because of the opening clauses in a number of related Articles, as well as the plain text of Article 88.

The lack of consistency in HR-related data protection is particularly concerning with the advances in workforce management, monitoring, and the use of personal devices in the workplace (e.g. Bring Your Own Device, or “BYOD” environments). One of the ways that the regulators have attempted to address this very real issue around inconsistent GDPR obligations is with an update to the 2001 Article 29 Working Party opinion on data protection of employees. The new opinion, published on 23 June 2017, provides an update to the recommendations which were put in place prior to the age of social media and pervasive computing (i.e. Internet of Things).

While not mandatory, the Opinion does operate somewhat as a roadmap to the way regulators in the EU will consider enforcement – both in breach situations, as well as in accountability situations (i.e. when an entity has to “show” how they are compliant). The Opinion is also instructive as much of the analysis revolves around the concept of “proportionality”.

This balancing of the legitimate interests between employees and employers was not a commonly used method of legitimizing processing under Directive 95/46/EC and its local implementing legislation. However, it seems that this is the direction the Working Party is taking. This may be seen as both a good and a bad situation. On one hand, it indicates that the regulators are starting to understand the complexity of the modern workplace, and how rigid bright-line rules won’t really work. On the other hand, it would seem to require a significant amount of analysis by data protection experts (which is subsequently documented) showing that the balance of interests doesn’t harm the employee.

In any event, at least in the realm of employment law, the GDPR isn’t going to be quite the panacea that many of us were hoping for. It is still going to be a complex, difficult-to-manage area of law for the foreseeable future.

When:           Monday, April 24, 2017
Where:          Offices of Seyfarth Shaw LLP, Chicago, IL
Sign in:          5:00 – 5:30 pm
Event:            5:30 – 6:30 pm
Reception:    6:30 – 7:30 pm

Topic: Interactive Dialogue concerning The Sedona Conference® International Litigation Principles (Transitional Edition): Practical Help for Companies with the EU General Data Protection Regulation and Privacy Shield

Please join us for a Working Group 6 (WG6) Membership-Building event at Seyfarth Shaw on Monday, April 24, 2017, [Sign in: 5:00 pm; Event: 5:30 pm; Reception: 6:30 pm]. A distinguished panel, including panel moderator Jim Daley of Seyfarth Shaw, Jennifer Hamilton of Deere & Company, Cameron Krieger of Latham & Watkins, and Laura Kibbe will lead a dialogue on The Sedona Conference® International Litigation Principles (Transitional Edition).

The International Litigation Principles were first published in 2011. In the intervening years, there have been important developments in data protection law world-wide, including the passage of the EU General Data Protection Regulation (GDPR), the replacement of the Safe Harbor data transfer framework with the new “Privacy Shield” framework, and the emergence of the APEC data privacy framework in the Asia-Pacific region. The situation is still fluid, particularly the implementation of the EU GDPR between now and its effective date of May 2018. Despite this, the six Sedona International Principles have remained relevant and useful. The Transitional Edition updates the commentary and analysis of the original Principles document, and includes two new model court orders to facilitate cross-border transfer of personal data for discovery in U.S. litigation.

The event is open to the entire legal community, and there is no cost to attend.

Non-members in attendance that are interested in becoming WG6 members will receive a $100 discount for a Working Group Series (WG6) membership. Please be sure to remind any friends, colleagues or clients who are interested in joining. WGS membership is in-for-one, in-for-all. Once a WGS member, one is eligible to become a member and take part in the activities of all Working Groups, including WG6.

FACULTY

James Daley Jennifer Hamilton Laura Kibbe Cameron Krieger

Seyfarth Host: Scott Carlson

AGENDA — APRIL 24, 2017

TIME              SESSION                  PANELISTS
5:00 – 5:30 pm    Sign In
5:30 – 6:30 pm    Interactive Dialogue     Daley, Hamilton, Kibbe, Krieger
6:30 – 7:30 pm    Reception

Seyfarth Shaw LLP is an approved provider of Illinois Continuing Legal Education (CLE) Credit. This event is approved for 1.0 hours of CLE credit in CA, IL, NJ and NY. CLE credit is pending for GA, TX and VA.

SPONSORS

Seyfarth
Consilio

Cross Posted from Carpe Datum Law.

China has finalized a broad new Cyber Security Law, its first comprehensive data privacy and security regulation. It addresses specific privacy rights previously adopted in the European Union and elsewhere such as access, data retention, breach notification, mobile privacy, online fraud and protection of minors.

There is plenty in the new law to irritate international businesses operating in China. It requires in general that Chinese citizens’ data be stored only in China, for starters, possibly requiring global corporations to maintain separate IT systems for Chinese data. Most of the privacy enhancements benefiting citizens align with those required in the European Union, but it is unclear how the Chinese will expect compliance, particularly since, as with many Chinese laws, its language is vague as to its scope, application and details. This vagueness leaves interpretation to the State Council, the chief administrative authority in China, headed by Premier Li Keqiang.

The law expands Chinese authorities’ power to investigate even within a corporation’s Chinese data systems, and provides for draconian penalties for non-compliance by business entities or responsible individuals, which include warnings, rectification orders, fines, confiscation of illegal gains, suspension of business operations or the revocation of the entity’s business license. Continue Reading China Finalizes New Cyber Security Law

The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines of up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain of a company’s privacy practices directly to the local Data Protection Authorities, compliance with the GDPR will now be one of those risks that any business which touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now. Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR

It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.

Fortunately, the data protection regulators (“DPAs”) recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued a moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of the data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”, and stated that the “current negotiations around a new Safe Harbor could be part of the solution.” Continue Reading Safe Harbor 2.0 – Is It Happening?

The U.S. Financial Crimes Enforcement Network (FinCEN) and the China Anti-Money Laundering Monitoring and Analysis Center (CAMLMAC) recently signed a Memorandum of Understanding (MOU) to create a “framework to facilitate expanded U.S.-China collaboration, communication, and cooperation” between each agency’s financial intelligence units (FIUs). News Release (December 11, 2015).

In announcing the MOU, FinCEN Director Jennifer Shasky Calvery stated that “this MOU provides an important foundation for a reciprocal exchange of extremely valuable financial information to help thwart terrorism and money laundering in these perilous times…. Building this mutually beneficial bridge of cooperation will serve each country’s vital interests and help protect the citizens of both of our countries from the damage that criminals and terrorist financiers can inflict.”

As an increasing amount of business is conducted between the United States and China, the MOU serves important investigative interests shared by both countries, namely, to allow for the sharing of “extremely valuable information to provide leads, expose criminal networks, and help thwart illicit activity in the vast and interconnected global economy,” as stated by the FinCEN press release. For China, signing the MOU is also an important action to push forward its domestic anti-corruption campaign, internationally.

Those with questions about any of these issues or topics are encouraged to reach out to the authors, your Seyfarth attorney, or any member of the White Collar, Internal Investigations, and False Claims Team.

Last week, the government of Australia released an “Exposure Draft” of a bill that, if passed into law, would amend Australia’s Privacy Act to require notification to the government and affected individuals in the event of a data breach. Currently, although Australian law requires government agencies and businesses subject to the Privacy Act to take reasonable steps to protect personal information, it does not mandate notification following a data breach. The proposed Australian law requires notification only in the event of a “serious data breach,” which is defined as unauthorized access to, or disclosure/loss of, personal and certain other information that results in a “real risk of serious harm” to any of the individuals to whom the information relates. Continue Reading Australia’s Proposed Data Breach Notification Law: What’s The Harm In A “Real Risk of Serious Harm” Standard?

The annual conference of the world’s data protection regulators is a three-day exercise, with half of the conference being “closed door” for the regulators only, and the other half being a series of side meetings and presentations, which report out to interested attendees the results of the closed-door meetings. This is a good meeting to gain insight into the next year’s trends in data protection regulation and enforcement across the globe. While this conference happens every year, the events in the European Court of Justice and the impending completion of the new General Data Protection Regulation (“GDPR”) made this year’s conference particularly interesting. Here are some of the insights which were developed during the conference: Continue Reading The 37th International Conference of Data Protection & Privacy Commissioners – Some Observations

Today the European Court of Justice (“ECJ”) issued its Judgment in the Schrems case, and in doing so, added another tremor to the ongoing seismic shift related to cross-border privacy law. The two major elements of today’s Judgment are: 1) that Commission Decision 2000/520/EC of 26 July 2000 on the adequacy of the protection provided by the US Safe Harbor Framework (the “Safe Harbor Decision”) is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority to enforce data protection rights as granted by Article 28 of Directive 95/46/EC (the “DP Directive”).

Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer-term consequences for the stability of US-EU commerce and privacy law. Continue Reading Safe Harbor – Not so Safe After Schrems

On July 21, 2014, Russia adopted Federal Law No. 242-FZ, “On Amendments to Certain Legislative Acts of the Russian Federation for Clarification of the Procedure of Personal Data Processing in Information and Telecommunication Networks” (“Federal Law No. 242-FZ”), which introduces a number of changes to existing Russian data protection laws. Specifically, it amends Federal Law No. 152-FZ, “On personal data,” by establishing a localization requirement for personal data processing.

Effective Date

What makes Federal Law No. 242-FZ important is its effective date. It was initially scheduled to come into force on September 1, 2016. However, on December 31, 2014, Federal Law No. 526-FZ was enacted, which changed the effective date of Russia’s Data Localization Law to September 1, 2015. Continue Reading Fortress Russia – The Russian Data Localization Law