Israel Slated for Trial of Biometric National IDs
Dan Or-Hof, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer is reporting that new regulations and orders introduced by Israel's Ministers Committee for Biometric Applications set the ground for a two-year biometric IDs issuance trial period. The Ministry of Home Affairs is making final preparations to start issuing the IDs that will contain encoded fingerprints and facial image, and will be stored in a national database. A campaign led by privacy activists against the controversial biometric database has failed to yield a positive result so far.
Continue Reading...Russia Amends Federal Data Protection Law; Privacy Enforcement on the Rise
Last week, the upper house of Russia's federal legislature approved amendments to the country's federal data protection law. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute's data subject consent provisions.The amended law will come into force when it is published in the official newsletter.
Russia originally enacted a comprehensive federal data protection law in 2006, but the statute has faced major headwind. While the law is similar in its approach to the EU Data Protection Directive 95/46/EC, it is much more restrictive regarding personal data processing. After several delays, the law came into effect on July 1, 2011. Commentators, however, continue to view the law unfavorably, arguing that it's unworkable.
The amended security provisions include the requirements to:
- Conduct an assessment of threats to the safety of personal data and the effectiveness of the measures that the business has in place to safeguard personal data;
- Employ only verified methods of protecting personal data;
- Implement controls for access to personal data;
- Log all actions takes with respect to personal data;
- Detect and record incidents of unauthorized access to personal data; and
- Implement measures to restore information that is lost, destroyed or damages as a result of an information security breach.
The amended law directs the government to develop regulations that will set forth appropriate levels of information security protections. The regulations will also establish the security requirements for processing biometric data.
The federal law's privacy provisions were amended to allow individuals to consent to the processing of their personal data through a representative. When this occurs, the recipient of the consent will need to verify the consent. Similarly, businesses will be able to obtain personal data from third parties on the condition that they verify that the third party had a valid basis for obtaining and sharing the information.
While the privacy enforcement picture in Russia has been at most oblique, the country's data protection authority -- the federal agency for oversight of communications, information technology and mass media (in Russian, "Роскомнадзор") -- has shown strong interest in privacy enforcement. It is being reported this week that the agency is investigating the circumstances surrounding the exposure on the web of mobile text messages from the customers of the Russian carrier Megafon. Initial investigation suggests that an error on the carrier's website made the messages publicly accessible. The data protection agency stated that it's investigating whether the incident violated the federal data protection law.
InfoLawGroup Says:
With privacy enforcement in on the rise throughout the world, businesses should be prepared to review and adjust as necessary their privacy and data security practices in the markets in which they operate. In the past, some of the strict foreign data protection laws have not been rigorously enforced, giving businesses breathing room. The enforcement landscape is likely to tighten in the near future, however, increasing the risk of investigations and sanctions for privacy violations.
Cookie-Cutter: UK Announces New Rules for Website Cookies
The United Kingdom Information Commissioner’s Office (ICO), which oversees compliance with privacy laws, announced this week new rules governing the use of website “cookies” that will come into effect on May 26, 2011, possibly following an as-yet unidentified grace period. The new rules will effectively require opt-in consent to use most kinds of cookies, and they will be particularly difficult to manage in the context of third-party cookies such as those employed by advertisers and advertising networks.
Since the new British rules are meant to implement amendments to the European Union’s ePrivacy Directive, this is an issue that will have to be addressed across Europe and is likely to impact any website aimed at a European market.
Continue Reading...A Privacy Checklist for Global Enterprises
Nymity, a provider of international compliance resources, recently interviewed me about managing risk and compliance in a global enterprise that handles protected personal information about customers, employees, website visitors, and other individuals in multiple jurisdictions. Based on experience with many multinationals, large and small, I came up with a discovery checklist that a company might find useful in identifying and prioritizing these data flows. We also discussed several issues of common concern to global organizations:
- enforcement and litigation trends
- the moving target of "sensitive" data
- the role of privacy commissions and other data protection authorities
- the increasing interest of trade unions and works councils in employee privacy issues
- the value of referring to information security standards
- the practicalities of using cross-border compliance vehicles such as model contracts, Safe Harbor, and binding corporate rules.
The full interview is available here.
European Reservations?
German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That’s not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.
In April, the Düsseldorfer Kreis, an informal group of state data protection officials that attempts to coordinate approaches to international data transfers under Germany’s federal system, called on the US Federal Trade Commission to increase its monitoring and enforcement of Safe Harbor commitments by US companies handling European personal data. On July 23, Dr. Thilo Weichert, head of the data protection commission in the northernmost German state of Schleswig-Holstein (capital: Kiel), issued a press release provocatively titled “10th Anniversary of Safe Harbor – many reasons to act but none to celebrate.” Dr. Weichert cites an upcoming report by an Australian consultancy (Galexia) asserting that hundreds of American companies claiming to be part of the Safe Harbor program are not currently certified, and that many Safe Harbor companies fail to provide information to individuals on how to enforce their rights or refer them to costly self-regulatory dispute resolution programs. Dr. Weichert urges a radical solution: “From a privacy perspective there is only one conclusion to be drawn from the lessons learned – to terminate safe harbor immediately.”
Dr. Weichert also attracted international attention with another press release issued this summer, entitled (translating loosely) “Data protection in cloud computing? So far, nil!” The press release refers to his recently published opinion on “Cloud Computing und Datenschutz,” which is deeply skeptical about the ability of cloud customers to assure compliance with European data protection laws.
Mexico's New Data Protection Law
Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the “Law”) was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.
Like the EU Data Protection Directive and the Canadian federal PIPEDA legislation, Mexico’s data protection statute requires a lawful basis, such as consent or legal obligation, for collecting, processing, using, and disclosing personally identifiable information. There is no requirement to notify processing activities to a government body, as in many European countries, but companies handling personal data must furnish notice to the affected persons. Individuals have rights of access, correction, and objection (on “legitimate grounds”) to processing or disclosure. In the event of a security breach that would significantly affect individuals, those persons must be promptly notified. The Law also addresses data transfers, both within and outside Mexico.
Continue Reading...Do the New EU Processing Clauses Apply to You?
A new set of EU standard contract clauses (“SCCs” or “model contracts”) for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU “Article 29” working group on the concepts of “controller” and “processor” under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
Continue Reading...Social Networking: Setting Boundaries in a Borderless Brave New World
The explosive growth and morphing applications of social media such as Facebook and Twitter create new opportunities and challenges for individual users, parents, employers, organizations, governments, and marketers. Where a social phenomenon has such a wide and unpredictable impact, it almost inevitably attracts a retinue of lawmakers and regulators, as well as lawyers and HR managers struggling to craft appropriate policies for employees. And given the globalization of social media, those policies have to take account of the evolving rules in multiple jurisdictions.
Continue Reading...Information Security Standards and Certifications in Contracting
When organizations contract for outsourced IT services, they look for assurances that the vendor will provide adequate security, often in the form of a security schedule or annex to the contract, or by reference to a widely accepted information security standard. In some cases, the customer insists as well on a certification or audit by an expert third party.
Business managers and lawyers often have only the vaguest notions of what these schedules, standards, and certifications mean. They rely on the organization’s IT staff or consultants for “the technical stuff.” But in the end it is the business managers and lawyers who determine what the organization needs, operationally and contractually. To do that well, they should have at least a basic understanding of the more common information security standards and certifications.
Information Governance
When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?
These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals that deal with it -- may be exposed to some nasty surprises.
Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:
- How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy? It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano. Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing). It would also be nice to hear more about the EU Cookie Consent law - there is a panel scheduled to take place, but unknown if that will happen in light of the volcano debacle.
- HIPAA/HITECH and Medical Identity Theft: Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
- "Reasonable Security": What does Massachusetts think? What does the FTC think? What in the world is it and how in the world can organizations comply?
- On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent. What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
- Social media: how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
- The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
- Breaches, breaches, and more breaches. Of course.
A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.
Stay tuned, I will endeavor to post developments on a daily basis.
European Court Hands Google a Keyword Victory but Warns Online Advertisers
The European Court of Justice ruled this week in cases brought against Google France by Louis Vuitton Malletier and Viaticum that Google is not liable for selling advertising keywords (Google AdWords) based on brand names to the competitors of the brand owners. However, the court noted that advertisers themselves may violate trademark and unfair competition laws if they create confusion as to the source of advertised products, and a search provider may be liable if it does not act promptly to remove abusive advertising once it becomes aware of it.
Continue Reading...Security Breach Notices for Canadian Data
There’s some Canadian data on that lost laptop or hacked server. Do you have to notify individuals or authorities in Canada, as you are often required to do in the United States?
The US model of security breach notice laws has not been widely emulated abroad, although several jurisdictions are considering similar measures. Nevertheless, a duty to give notice of significant security breaches has been inferred in some cases from general principles found in comprehensive privacy and data protection laws in Europe, Canada, Japan, and elsewhere. Privacy commissioners in Canada have applied such general principles in publishing guidelines for companies suffering a data leak involving personal information. In addition, the province of Ontario expressly requires notice to individuals if their personal health information is compromised.
More recently, Special Commissions at the federal level and in the provinces of Alberta and British Columbia have recommended amending privacy legislation to mandate notification of material security breaches. Alberta is the first to act on this recommendation. Bill 54, amending Alberta’s Personal Information Privacy Act, will soon require organizations to notify potentially harmful security breaches to the Alberta Privacy Commissioner – who may then dictate the terms of notice to affected individuals.
EU Adopts New Standard Contract Clauses for Foreign Processors
Last Friday, the European Commission adopted new "controller-processor" standard contractual clauses ("SCCs" or "model contract") to protect personal data transferred from Europe to a data processor located outside the EU/ EEA. Existing contractual arrangements are grandfathered, but any new contracts with data processors must include the new version of the SCCs.
The principal change from the 2002 controller-processor SCCs is that processing contractors are now obliged to obtain prior written consent from the customer before subcontracting any of the processing, and the subcontractor must be contractually bound to the same obligations that apply to the contractor.
Continue Reading...Information Security Clauses and Certifications - Part 1
Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment.
What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?
Continue Reading...
