Privacy Legislation

Subscribe to Privacy Legislation

The plethora of security incidents in the news have once again put security front and center of the international agenda. Predictably, this has triggered a number of responses from governments around the world. Some of these responses seem to have been ill-considered. However, one of the more comprehensive responses came out of the US President’s address to the Federal Trade Commission last week. A series of laws were proposed to address the increasing risks which are confronting individual security and privacy rights.

The President’s remarks at the FTC gives some valuable insight into where the US regulatory environment may end up in the next year or so. As a part of this analysis, one should focus on two very different agendas: Privacy and Security. These issues, while similar, are very different. Case in point, the UK PM’s comment around banning encryption could well result in increased security. However, it will absolutely damage individual privacy (and arguably also damage commercial security).
Continue Reading Privacy & Security Are Back on the Agenda in DC

The French Answer to Flexible Working

Ever since the first laws on the 35-hour week were enacted over fifteen years ago, monitoring working time has been a headache for employers in France. With the introduction of new technology and mobile devices, the situation has worsened. The French approach to flexible working is to reaffirm that employees have the right to privacy and in some sectors the obligation to disconnect, as recently shown by the CNIL, the French Data Privacy Watchdog and the SYNTEC Federation.
Continue Reading The French Answer To Flexible Working: The Right To Privacy and To Limit Work After Business Hours

While the Supreme Court has taken some heat in the past for seeming to misunderstand technology and how it impacts the normal person’s life, with Riley v. California the Court demonstrated not only an unexpected fluency with how mobile phone technology has evolved, but also with how it has caused our daily sphere of privacy

The White House released a set of reports this month on Big Data and the privacy implications of Big Data. While a number of folks have been discussing the President’s Council of Advisors on Science & Technology (“PCAST”) report, I would offer that the Office of Science and Technology Policy (“OSTP”) report needs to be read in conjunction with the PCAST report. They do two different things. One is a report on the technical state of affairs, and the other is more of a policy direction piece, which is driven by the technologically-oriented findings. Various points-of-view have been put forth as to the relative merits of each report, but there seems to be an important element missing from both reports. Both reports discuss the need for policy decisions to be based on context and on desired outcomes. Unfortunately, neither report really gives a good taxonomy around the informatics ecosystem to allow for a clear path forward on “context” and “desired outcomes”. What I mean by this is best summed up in the comment in the PCAST report which states: “In this report, PCAST usually does not distinguish between “data” and “information”.”. “Data” and “Information” are very different things, and one really can’t have a coherent policy discussion unless the distinction between the two is recognized and managed.
Continue Reading How to Talk About Big Data: A Framework

To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”

Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. In each of the other criteria, if the criteria is met, the grounds for processing are considered a priori legitimate. In Article 7(f), each purpose for processing will need to have the balancing test engaged. This is going to require a bit more analysis than the other criteria. However, because of the fact that this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing).
Continue Reading Legitimate Interests – Alternative to Notice & Choice?

When talking about EU privacy law many businesses bemoan the lack of a “commercially reasonable” basis for collecting and using personal information. Europe is usually seen as a consumer-protective regime which focuses on prohibiting business from doing anything with data unless the consumer has affirmatively agreed to the processing before the processing begins (e.g. the “cookie directive”). However, the Article 29 Working Party (“WP”) has just released an Opinion which signals a change in the winds. The rarely used “legitimate interest of the data controller” basis for processing now has a new importance in the realm of fair and legal criteria for processing personal information.
Continue Reading On Balance – the Legitimate Interest of a Controller

A recurring criticism of Australian privacy law has been that the Privacy Act 1988 (Cth) (the Act) lacked any real bite – the enforcement powers of the privacy watchdog, the Information Commissioner, were limited. However, recent amendments to the Act, which introduced a new set of privacy principles, have increased the Commissioner’s enforcement powers. Employers should familiarise themselves with the changes in order to ensure they are compliant with the new regime.

Background

On 12 March 2014, significant amendments to the Act came into operation. The changes affect all private sector organisations and government agencies covered by the Act, which will include most Australian employers except for “small businesses” with less than $3 million in annual turnover.

In brief, the Act deals with how organisations are to manage “personal information”. The scheme of the Act works by subjecting organisations that it covers to a series of “privacy principles” that govern how personal information is to be collected, stored, handled and used.
Continue Reading Changes to privacy law: does the “toothless tiger” finally have some bite?

The Institute of Access to Information and Data Protection (“IFAI”) has made it known that it is going to be aggressive in enforcing the Mexican data protection law. While some commentators warn about the willingness to “show its teeth”, the basic question is still how to avoid being bitten.

Considering the allowable penalties can be in excess of US$1 Million, it is worthwhile to understand how one can effectively work with the law.
Continue Reading Mexican Privacy Enforcement – Options for Compliance

And now we come to the real sticking point. It actually isn’t specific to the Safe Harbor Framework. Access to data by law enforcement and intelligence assets is outside the Safe Harbor Framework. This is also the case in the EU. The proposed General Data Protection Regulation does NOT include law enforcement and intelligence activities. In some ways, this section of the “13 Recommendations” is the least connected to the Framework, as it really focuses on a country’s rights to manage its own national security and law enforcement activities. Unfortunately, this will be where the most difficulty will be in implementation – mostly because it is not directly part of the Framework, but a policy stance on national security, which has never been a part of the basis for the need Safe Harbor fulfills.
Continue Reading Access By US Authorities – The REAL Reason Safe Harbor is at Risk