Blog

Amended Draft EU Regulation Approved by LIBE Committee on October 21

Francoise Gilbert

A revised draft of the proposed EU Data Protection Regulation was approved by the EU Committee on Civil Liberties, Justice, and Home Affairs on October 21, 2013.

Overall, the amendments strengthen the privacy rights of EU residents. The most significant amendment is probably the one that sets the maximum fine for a violation of the new law. The original draft regulation had adopted a tiered approach and set the maximum fine at 1,000,000 Euros or 2% of a company's worldwide income. After this recent set of amendments, fines could reach up to 100,000,000 Euros or up to 5% of a company's annual worldwide income, whichever is greater.


Manitoba Joins the Ranks of Other Provinces in Enacting its own Private Sector Privacy Legislation

Daniel Glover, Roland Hung and Shannel Rajan

The Government of Manitoba recently enacted the Personal Information Protection and Identity Theft Prevention Act (PIPITPA) to regulate the collection, use and disclosure of personal information by the private sector in Manitoba.[1] The statute has not yet come into force, but its enactment is momentous: it will allow Manitoba to join the ranks of Alberta, British Columbia and Quebec, each of which has its own private sector privacy legislation that is "substantially similar" to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).[2] Manitoba is also the first province since 2004 to move in this direction with an all-encompassing private sector law.

Overview

This significant moment in privacy law in Canada has a clear historic parallel. Despite its title, the PIPITPA is almost identical to the 2009 version of Alberta's Personal Information Protection Act (2009 Alberta PIPA), with word-for-word similarities in many places.[3] Like the 2009 Alberta PIPA, the PIPITPA is organized into divisions covering purpose, protection, access and care, regulation, and general provisions. The key differences are that the Alberta legislation takes a different approach to breach notification and to the role of the Privacy Commissioner. Accordingly, much of the experience under the Alberta Personal Information Protection Act (Alberta PIPA)[4] will help guide organizations in Manitoba as to their risks and obligations. Likewise, Alberta case law should guide Manitoba courts whenever privacy litigation arises.[5]

This article will focus on how these two statutes compare and provide commentary on what organizations can do to prepare for the coming into force of the PIPITPA.


US and Foreign Laws Regulating Government Access to Data

Francoise Gilbert

Cloud service providers and users are becoming aware that data or communications held in the cloud may be subject to access requests by third parties, such as a government conducting an investigation or a party involved in a lawsuit. Requests for access by law enforcement, intelligence and secret services are governed by very complex rules, and, predictably, these rules differ from country to country.

A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security in a discussion of the laws that regulate government access to cloud data.

Hot Issues in Data Privacy and Security

Francoise Gilbert

Data privacy and security issues, laws and regulations are published, modified and superseded at a rapid pace around the world. The past ten years, in particular, have seen a significant uptick in the number of laws and regulations that address data privacy or security on all continents. On March 1, 2013, a program held at Santa Clara University's Markkula Center for Applied Ethics, titled "Hot Issues in Global Privacy and Security", featured attorneys practicing on all continents, who provided an update on the privacy, security and data protection laws in their countries.

The second half of the program featured a panel moderated by Francoise Gilbert, where the chief privacy counsel or chief privacy official of McAfee, Symantec and VMWare talked about how to drive a global privacy and security program in multinational organizations.

Videos of the program are available online.

The program was the second part of a two-day series of events. The first program was held in San Francisco on February 28, 2013, and was sponsored by Box, Inc. and the Cloud Security Alliance. This program focused on Government Access to Cloud Data and started with an overview of the laws that regulate US government access to data, presented by Francoise Gilbert. A panel featuring European and North American attorneys followed; they discussed the equivalent laws in effect in their respective countries. The program concluded with a presentation by the general counsel of Box, Inc., who spoke about the way in which his company responds to government requests for access to data stored by his company.

Videos of this program are available online.

Use of Spyware at the Workplace Ruled Inadmissible

Ursula Widmer

In a recent judgment, the Swiss Federal Supreme Court ruled that it is inadmissible for an employer to use spyware to monitor employees. Evidence obtained in this way may not be used.

The case concerned the commander of a regional civil defense organization in the canton of Ticino. He was suspected of making extensive use of the Internet for private purposes during working hours. The employer therefore secretly monitored the use of the man's workplace computer for three months using spyware. On the basis of the usage data thus obtained, it was possible to establish that the employee was spending a significant proportion of his working time on private matters. This led to his summary dismissal.

The Federal Court deemed this action by the employer inadmissible and the summary dismissal unjustified. The court held that the employer breached employee protection laws by using spyware. These laws prohibit the use of surveillance and control systems designed to monitor the behavior of employees at the workplace.

Surveillance systems may be used for other purposes, but must be configured so that they interfere as little as possible with employees. For example, if room surveillance is necessary for security reasons, the field of view must be set so that, where possible, employees, e.g., working at a checkout or counter, are not recorded.

The employer's action also contravened the requirement of proportionality. Even though the employer is acknowledged to have a legitimate interest in monitoring work output and preventing the misuse of working time for private activities, the court considered that this can be achieved by less radical means than spyware. One possible method is to block access to certain websites. It is also permissible to log Internet use and to analyze these records with reference to individual employees if there are specific grounds to suspect misuse. The Federal Data Protection and Information Commissioner has issued guidelines for this purpose, to which the court referred.

Online Media are Responsible for Third-Party Content

Ursula Widmer

The Swiss Federal Supreme Court has ruled that a media provider that allows third parties to set up blogs on its website is jointly responsible for their contents. The case specifically concerned the Geneva newspaper "Tribune de Genève", which offers readers the facility to keep personal blogs on its website. One of these blogs belonged to a Geneva politician who, in his articles, had violated the personality rights of a former director of the Cantonal Bank of Geneva. The person concerned consequently initiated legal action against the author of the blog and also against the newspaper, and demanded the deletion of the relevant article from the blog. The cantonal court upheld the complaint and ordered the author and the newspaper to remove the blog article and to pay legal costs.

The newspaper appealed this decision to the Federal Court, but without success. The court was not persuaded by the newspaper's argument that, in certain other countries, operators of websites that allow third parties to set up blogs cannot be held legally responsible for the content of the blog articles. The court pointed out that, under Swiss law, anyone who is involved in a violation of personality rights, and not just the author, may be subject to legal action. The court judged the newspaper's operation of the website to be a relevant contribution to the violation of personality rights.

In the opinion of the Federal Court, the ruling of the cantonal court was therefore correct. The newspaper was ordered to remove the offending blog article and to pay the costs of the proceedings. The court indicated in particular that, unlike in damages and compensation cases, there is no presumption of fault on the part of the respondent in applications for removal and injunction. It therefore remains unclear whether the newspaper could successfully have been sued for compensation or damages, since the plaintiff had not brought any such claims against the newspaper.

Comparative Analysis of the Laws Regulating Government Access to Cloud Data

Francoise Gilbert

A program held in conjunction with the RSA San Francisco 2013 Conference and sponsored by the Cloud Security Alliance and Box, a major provider of cloud services, recently featured some of the contributors to the Global Privacy & Security Law treatise: Jean-Francois Henrotte (Philippe & Partners, Belgium), Frederic Forster (Alain Bensoussan Avocats, Paris), Raffaele Zallone (Studio Zallone, Italy) and Francoise Gilbert (IT Law Group, USA). The program presented a discussion of the US and foreign laws that regulate government access to cloud data.

Accountability and Protection of Personal Data

Alain Bensoussan

In data privacy matters, "accountability" means an obligation to report and explain, combined with the principles of transparency and traceability, with a view to identifying and documenting the measures implemented to comply with data privacy law requirements. It also implies an obligation for the data controller to assume liability and to warrant a result, namely the efficacy of the data protection and the verifiability of the measures taken to this end.

Accountability thus implies for the data controller not only the obligation to comply with the applicable rules, but also the obligation to demonstrate to the authorities and/or the data subjects how such compliance is ensured. Laws and other texts will gradually integrate accountability requirements for personal data protection.

New FTC COPPA Rule Will Better Protect 21st Century Children

Francoise Gilbert

The Federal Trade Commission's final updated COPPA Rule, published this morning (December 19, 2012), brings online child protection into the 21st century. While most of the high-level requirements, which stem directly from the Children's Online Privacy Protection Act (COPPA), remain unchanged, the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and to modern methods of financing websites, such as behavioral targeting.