“European data protection rules will become a trademark people recognise and trust worldwide”. That is how, in January 2012, Viviane Reding – then Vice-President of the European Commission and EU Justice Commissioner – ended her announcement of the widest reform of privacy and data protection law ever attempted. Six years later, this ambitious aim is becoming a reality. Organisations from around the world and well beyond Europe are grappling with the new European General Data Protection Regulation (GDPR) and its impact on their data activities. From Australian banks and South American insurers to US universities and Asian telecoms companies, determining the applicability of the GDPR to their operations has become a critical business decision. As many global companies ponder the right strategy for privacy compliance, a key question has emerged: which organisations, and under which circumstances, are subject to the territorial scope of the GDPR?
Malware was recently identified that appears to have been designed and deployed by a nation-state to target and shut down electric grids. According to published reports, this malware currently appears to be capable of attacking the European grids, and parts of the Middle East and Asia grids, by targeting the specific industrial control system network protocols used to operate those grids. With small modifications, the malware reportedly also appears to be capable of attacking the North American power grid, as well as other industries that use ICS networks (e.g., oil, gas, water, data) around the globe. This post discusses the malware as well as vulnerability management.
Part 11 of Future-Proofing Privacy: Data Protection in the Workplace. Modern technology offers advanced technical options to monitor employee performance and conduct. Even standard IT applications may be used to control or record personnel behaviour in the workplace. Where previously the degree of employee supervision was limited by what the technology could do, rapid technological advancements mean that data protection laws are now the principal limitation in the EU. The Regulation is due to play a major role in this respect. As a consequence, employee data privacy has been one of the most hotly debated aspects of the Regulation. This area of data privacy will remain less harmonised than other fields of data protection.
On October 22, the FTC announced a settlement with national “rent-to-own” retailer Aaron’s, Inc. on charges that it knowingly assisted its franchisees in tacitly collecting images and information about their customers. Specifically, the FTC alleges that Aaron’s “played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including taking webcam pictures of them in their homes.”
Tim Wybitul, who is Of Counsel at Hogan Lovells in Frankfurt, provides an analysis of two recent German cases lessening the restrictions on employers monitoring and examining employee e-mail. This development in the law has an impact on e-discovery and internal investigations.
A draft bill circulating on the Hill would impose new regulations on companies involved in the mobile “app” ecosystem, including wireless service providers, equipment manufacturers, device retailers, operating system providers, website operators, and other online service providers.
On January 10, Peter Hustinx, the European Data Protection Supervisor, released his annual “Inventory” of issues of strategic importance for 2012, indicating that he would be focusing on, among other issues, the proposed EU data protection framework, IP rights versus privacy rights, cloud computing, and financial sector reform.
A decision by the Higher Labor Court of Berlin-Brandenburg, Germany, allowing an employer the right to access and review work-related email correspondence of an employee during his/her absence from work provides grounds for employers to access employees’ business-related email, even without the employee’s explicit consent, provided that the employer does not interfere with ongoing email traffic and does not access emails which are clearly private.