Announcement from European Commission on Comprehensive Data Protection Reform Coming Wednesday

Despite suggestions that the European Commission proposal for a comprehensive reform of EU data protection rules would be delayed until the Spring, an announcement is scheduled for this Wednesday, January 25 at 12:30 PM CET (6:30 AM EST).  The press conference with Viviane Reding, Vice-President of the European Commission in charge of Justice will be live streamed here.

It appears that the requirement for notice within 24 hours of a data security breach will be part of the proposal, despite objections, based on experience with the 49 jurisdictional data security laws in the United States, that it is often impossible to assess a breach, much less give notice of it, within such a short time period.  Also, the potential financial penalty of up to 5% of an entity's global turnover for violations of the privacy regulation was a subject of enormous controversy when leaked; it now appears that the upper limit of the financial penalty will be 2%, which is still a very significant amount.

In a speech on Saturday to the Digital Life Design conference in Munich, Ms. Reding previewed what the Commission's proposals will include.  (A link to a video of her speech is here.) 

Some excerpts, as reported by the Wall Street Journal Tech Europe blog.  Here, Ms. Reding speaks of the change from a directive to a regulation:

A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the member state in which the company has its main establishment. It will not matter anymore which data protection authority deals with a case. All data protection authorities in whatever EU country will have the same adequate tools and powers to enforce EU law.

On international data transfers:

It seems odd that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America.

In the Internet age, data protection laws need to take account of this global dimension. If they only focus on the activities of a company within a given country, they will not reflect reality.


I therefore want to improve the current system of binding corporate rules to make these exchanges less burdensome and more secure.

On individual control of data:


First, people need to be informed about the processing of their data in simple and clear language. Internet users must be told which data is collected, for what purposes and how long it will be stored. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated.


Second, whenever users give their agreement to the processing of their data, it has to be meaningful. In short, people’s consent needs to be specific and given explicitly.


Thirdly, the reform will give individuals better control over their own data. I will include easier access to one’s own data in the new rules. People must be able to easily take their data to another provider or have it deleted if they no longer want it to be used.

And on the right to be forgotten:

The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a data base. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.

The announcement from the European Commission comes as the world marks Data Privacy Day.  For its part, the Commission produced this video, which focuses on an individual's responsibility to keep certain life details private, in light of the harm to a career that can follow from too much information being shared.

Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remains an Issue, To Be Explored at IAPP Navigate on September 14

The European Commission’s Vice-President for a Digital Agenda, Neelie Kroes, indicated earlier this week that the EC is aiming for a 2012 Cloud strategy that reflects the EU focus on human rights. She has recruited former federal Chief Information Officer Vivek Kundra to be an adviser in the creation of the strategy.

As reported in the Washington Internet Daily, Kroes and Kundra were speaking at Salesforce.com’s Dreamforce conference in San Francisco, where Kroes said that because "this is by definition a global issue," Europe should work with the U.S. and Asia in setting policy. But she also said that privacy and other human rights considerations are central to the way Europe approaches issues like this, "even if it's taking more time" to complete policymaking, because "the human rights system ... is the basis of our democracy," Kroes is reported to have said.

In this connection, recall that Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, has proclaimed that an essential "pillar" of EU citizens' privacy rights is "protection regardless of location," which has obvious implications for the Cloud.

"[P]rotection regardless of data location" [...] means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means are used to provide the service. There should be no exceptions for third countries' service providers controlling our citizens' data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.

(The EU also generally takes the position that its privacy laws cover nationals of countries outside the EU whose data is processed in the EU, but France's data protection authority, the CNIL, recently exempted certain outsourcing services performed in France, a move followed by India with respect to its new privacy law, to the relief of companies performing outsourcing services in India.)

Presumably, Mr. Kundra's involvement in Vice-President Kroes's efforts to develop a Cloud strategy will help temper the rigid application of EU privacy laws to data stored in the Cloud.

The issue of whose law will apply in the Cloud, and the potential conflicts, will be illustrated in an upcoming session at the IAPP Navigate program in Dallas on September 14. The session was created, and will be co-chaired, by Hogan Lovells privacy practice director Chris Wolf and Michelle Dennedy, Chief Privacy Officer of McAfee, Inc. and Founder of The iDennedy Project.

From the IAPP, in its announcement of the Navigate conference:

Cloud computing involves data and data applications stored and processed remotely, often in places far away, sometimes in multiple places, and in places with differing legal regimes. Who has authority to prescribe and enforce rules about personal data in the cloud? When does law enforcement have the right to demand access to data in the cloud?

Decide these critical questions of jurisdiction and control in a “moot court,” where you will put cloud computing on trial and deliberate on the outcome. Provocateurs will portray opposing lead counsel in a hypothetical case involving a nation within the EU requesting a preliminary ruling from the European Court of Justice (ECJ) on whether a cloud computing company with a physical presence within its borders is subject to its enforcement of national data protection laws enacted under the EU Directive. Navigate participants will be split into two groups—counsel for the Petitioner and counsel for the Respondent. Five participants will be selected as "justices" who will be free to question "counsel" about their positions. The judges will have an opportunity to deliberate and will return to deliver a verdict when the group reconvenes.

For those who are interested, a copy of the Moot Court Hypothetical is available at www.privacyassociation.org (PDF).

Does California Twitter Unmasking Order Suggest the Application of Foreign Privacy Law in the US?

Twitter unmasks anonymous British user in landmark legal battle

California court forces site to reveal personal details of user accused of libelling local authority in north-east England

Thus read a headline in The Guardian (UK).

The Guardian was reporting on a recent California ruling ordering Twitter to unmask an anonymous critic of a UK local government council.  The ruling raises the question of whether foreign privacy law will be applied in the US. In this case, the ruling deprived someone of privacy (the anonymous online critic), but the outcome suggests that a US company may be subject to foreign privacy law, even if it conflicts with First Amendment principles.

In the EU, one element of privacy law is the right to know who is making anonymous criticisms. This has made it difficult for US companies operating in the EU to use anonymous whistleblower hotlines (deemed useful in corporate governance). In the US, of course, the right to criticize anonymously has a strong degree of First Amendment protection.

At a time when courts were perceived to be growing more cautious about ordering the unmasking of anonymous online speakers, the Guardian (UK) newspaper reports that "Twitter has been forced [by a California court] to hand over the personal details of a British user in a libel battle that could have huge implications for free speech on the web."  A local town council in the UK made the judicial request to unmask a local critic.  These developments come at a time when a so-called "super injunction," issued by a court in the UK to prevent any mention of an ongoing legal proceeding involving a famous footballer, allegedly was violated by Twitter postings (and reported upon in the press).  The litigant footballer is reported to be seeking the identity of the Twitter user in order to proceed against him or her for violating the super injunction.

Presumably, the unmasking action was commenced in California because Twitter does not yet have a foreign presence sufficient for jurisdiction in a UK court.  This raises the question of the role of the First Amendment in considering requests to unmask anonymous speakers.  Under the SPEECH Act, 28 U.S.C. 4101 et seq., judgments against businesses that are inconsistent with the First Amendment may not be enforced in the United States.  The law does not address procedural motions.  Quaere whether requests to unmask involving litigants from foreign countries should consider the First Amendment implications of the request, since it is a US court considering the request and the entity subject to the court order to unmask is a US company.  Moreover, until the person is unmasked, it is not clear what his or her nationality may be, and he or she may be a US citizen.

While the Twitter unmasking case involves a loss of privacy, there could be matters where a foreigner claims that greater privacy protections are required in the US from a US entity because of the nationality of the individual involved.  This is the theory recently floated by EU Justice Minister Viviane Reding when she spoke of "protection regardless of the data location".

Even where US law clearly applied in a recent unmasking case, the result was forced disclosure of the identity of an anonymous online critic. In Indiana, a "Marion County judge recently ordered the Indianapolis Star and two other media outlets to turn over information that would allow a former chief executive of Junior Achievement of Central Indiana to discover who anonymously posted comments about him so that he can sue those posters for libel."

Yet, in January, a Pennsylvania court followed the test established in 2001 in the Dendrite case from New Jersey (and widely adopted), and vacated a trial court's order for the disclosure of the identities of six anonymous persons accused of online defamation. It employed the Dendrite four-prong test for unmasking anonymous online speakers: (1) notification to the John Doe defendants, (2) sufficiency of evidence to establish a prima facie case for all elements of a defamation claim, (3) an affidavit from the plaintiff asserting that the information is sought in good faith and is necessary to secure relief, and (4) that the court has expressly balanced the defendant's First Amendment rights against the strength of the plaintiff's prima facie case.


Thus, the outcomes in cases where the identity of an anonymous critic is sought appear to vary depending on the court deciding the request to unmask.  The recent unmasking orders in California and Indiana have caused some to wonder whether "the age of anonymity is over."  The California ruling also implicates the issue of whether foreign privacy law applies in the US.

Vice-President of the European Commission Announces Talks with US on an Umbrella Data Protection Agreement for National Security Purposes

In a speech to the Atlantic Council in Washington, DC on 9 July, Viviane Reding, Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, announced that she has begun exploratory talks with the United States on a comprehensive EU-US agreement for personal data protection standards to apply whenever personal data needs to be transferred across the Atlantic for the purposes of police and judicial cooperation in criminal matters.  Vice-President Reding said:  "The aim is clear: to provide legal certainty to data transfers by ensuring that all these transfers are subject to high standards of data protection on both sides of the Atlantic."

Also appearing at the Atlantic Council with Vice-President Reding was Department of Homeland Security Secretary Janet Napolitano, who, according to the Atlantic Council web site,

noted that the United States has a long tradition of insisting on personal privacy — and is in some ways, such as a cultural antipathy to national identification cards and showing passports at hotel check-ins and the like, even more privacy conscious than Europe— the fact of the matter is that protection of personal data does not rise to the level of fundamental right in our society. 

That difference between the US approach and that of the EU, whose Charter of Fundamental Rights very specifically guarantees a right to personal data protection, suggests that the road to a bilateral treaty will be long.

Likewise, the path to the EU recognizing the US as a country with "adequate protections," allowing the cross-border flow of personal data without the encumbrances of model contract clauses, the EU-US Safe Harbor or Binding Corporate Rules, seems distant.  Still, at a dinner this author had with Vice-President Reding and her delegation following her Atlantic Council appearance (and her deposit of the new EU "Bill of Rights" at the National Archives), I was able to preview some of the themes of my upcoming presentation at the PLI Privacy Law Institute in Chicago on Monday, 19 July, entitled "Is the Tide Turning? The Impact of the HITECH Act & Other Federal Regulation."  I conveyed to Ms. Reding that the time has come for the EU to reappraise the US level of protection, given the FTC's "common law of consent decrees" through which specific rules on data protection have arisen, given the forty-six state data security breach notification laws which have prompted heightened attention to the protection of personal data, and given the application and enforcement of the many other sectoral and geographic privacy laws.