Archive for October, 2015

Israel Revokes its Acceptance of Safe Harbor

Posted by fgilbert on October 20th, 2015

In early October 2015, the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case, declared the EU-US Safe Harbor invalid. The CJEU ruling stunned many businesses and organizations throughout the world. For the past 15 years, the Safe Harbor Program had made it easy for businesses established in the United States and the European Economic Area (EEA) to exchange personal data in the ordinary course of business. It was the simplest and most business friendly method for addressing the prohibition against cross-border data transfers to countries that do not offer adequate protection of privacy rights and personal data, a prohibition that is common to all data protection laws of EEA member states.

Since the issuance of the ruling, a flurry of activity has occurred. Numerous reactions and comments have been published. Two of the most notable statements, issued by the Article 29 Working Party and by the Israeli Law, Information and Technology Authority, require that US companies involved in international exchanges of personal data with the EMEA Region react promptly to the invalidation of the Safe Harbor Program and establish alternative measures to fill the void left by this invalidation.

On October 15, 2015 the Article 29 Working Party (A29) – the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The A29 confirmed that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warned that if, by the end of January 2016, the United States and the European Union have not reached a satisfactory agreement that incorporates certain elements identified in the A29 statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross-border data transfers.

Israel Revokes its Acceptance of the US-EU Safe Harbor

Now, on October 19, 2015 the Israeli Law, Information and Technology Authority (ILITA), the country’s data protection authority, announced that, in view of the CJEU ruling invalidating the EU-US Safe Harbor, it would cease treating a US company’s self-certification under the EU-US Safe Harbor as a ground for granting derogations to its own prohibition against cross-border data transfers out of Israel. In other words, Israeli companies that relied on the fact that a US company was listed on the Safe Harbor List of the US Department of Commerce can no longer do so to justify the legality of their transfer of data to the United States.

In a long statement analyzing the CJEU case, the ILITA announced that it revoked its prior authorization permitting the transfer of personal data from Israel to those organizations in the United States that certified under the EU-US Safe Harbor. In keeping with the data protection legislation enacted throughout the EEA, the Israel Privacy Protection Regulations (Transfer of Data to Databases Abroad) 2001 restrict the transfer of personal data outside the country unless the recipient country ensures a level of data protection that is no lesser than that provided under Israeli law, or one of the derogations in Section 2 of the 2001 Regulations applies.

Up until very recently, the ILITA had found that those US organizations certified under the EU-US Safe Harbor provided an adequate level of protection for personal data and, as such, fell under the derogation, provided under Section 2(8)(2) of Israel’s 2001 Privacy Protection Regulations, authorizing data transfers from Israel. However, with the recent CJEU decision in the Schrems case, the position of the ILITA has changed. It has stated that organizations can no longer rely on the aforementioned derogation as the basis for the transfer of personal data between Israel and the United States. The ILITA has advised organizations to assess whether they can legitimize the transfer of personal data between Israel and the United States under one of the other derogations provided in Section 2 of the 2001 Regulations. The ILITA has also advised that it continues to assess the implications of the Schrems decision and that it will publish information and additional clarifications if necessary.

Israel is one of the few countries whose data protection law has been deemed to meet the stringent criteria required under the EU Data Protection Directive 95/46/EC. Under Commission Decision 2011/61/EU, Israel is considered as providing an adequate level of protection for personal data transferred from the European Union. This adequacy finding ensures that personal data can be transferred from the European Union to Israel without companies having to rely on other legal methods, such as contractual clauses, to effect the data transfer. It is likely that Israel’s decision to follow the determination in the CJEU ruling invalidating the Safe Harbor Program was prompted by its concern to keep its privileged status vis-à-vis European entities in good standing.

While Israel’s reaction is understandable under the circumstances, it may be a sign that other countries throughout the world that also have the privilege of having been deemed by the European Commission to offer “adequate protection”, countries such as Argentina, Uruguay, Canada or Switzerland, might soon adopt the same approach as Israel. This would further isolate the United States, and create additional pressure for the United States government to modify its course of action and its strategies regarding international commerce.

What to do Next?

The activities of US law enforcement agencies remain of great concern to the rest of the world. In its statement, the A29 points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and that existing transfer tools are not the solution to this issue.

It is becoming clear that two assertions repeated by the CJEU in its ruling are shaping the reasoning of the EEA Data Protection Commissioners, and may also be gaining traction outside the European Economic Area: that personal data, once on US territory, is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the protective rules laid down by the Safe Harbor when they conflict with US national security and public interest requirements. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve these fundamental issues. It is hard to see how data transferred from the EEA to the United States under BCRs or Standard Contractual Clauses would not suffer the same fate. The next few months will be very busy and will see extensive activity in the United States, throughout Europe, and probably in other parts of the world. Hopefully the wake-up call provided by the CJEU ruling will pave the way to effective and productive negotiations that produce a solution that helps revive commerce and exchanges between the affected countries.

In the meantime, US companies must urgently evaluate their situation and take appropriate remedial measures to meet the data protection standards in the countries in which they currently do business. The January 2016 deadline set by the A29 Working Party is a very important one. US companies should take the time, this fall, to reshape their cross-border data transfer solutions to address the significant challenges created by the invalidation of the EU-US Safe Harbor, and the associated ramifications such as the Israeli decision.

Amendments to California Security Breach Law

Posted by fgilbert on October 19th, 2015

The Fall season often brings changes to California laws, and this year is no exception. Once again, the California Security Breach Disclosure Laws have been amended. During the first half of October, California Governor Jerry Brown signed three bills amending the State’s Security Breach Disclosure Laws. These amendments will be effective as of January 1, 2016.

New Category of Protected Information

The amendment resulting from the signature of SB 34 adds license plate information – specifically, “information or data collected through the use or operation of an automated license plate recognition system” – to the list of information deemed “personal information” protected under the Security Breach Disclosure Laws codified as Civ. Code Sections 1798.29 and 1798.82.

The amendment also creates Civ. Code Sections 1798.90.50 to 1798.90.55. New Section 1798.90.50 will require “automated license plate recognition end-users” or “ALPR end-users” to implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing and dissemination of the ALPR information is consistent with California’s respect for individuals’ privacy and civil liberties. The resulting usage and privacy policy must be made available to the public in writing, and be posted conspicuously on the website (if any) of the ALPR end-user.

SB 34 identifies minimum requirements for the content of the required privacy policy. Among other things, the privacy policy must identify the methods used to ensure the security of the information and compliance with privacy laws. Individuals who have been harmed by violations of these provisions, including a breach of security and unauthorized access to, or use of, their information, are granted a private cause of action giving them the right to bring a civil action against any person who knowingly caused the harm.

Definition of Encryption

Assembly bill AB 964, also signed into law by Governor Jerry Brown in early October, clarifies the meaning and scope of the term “encryption” used in the Security Breach Disclosure Laws. This is a welcome clarification, thirteen years after the enactment of the original law. During that period, the most common interpretation of the term “encryption” in the context of security breach disclosure laws was that it was intended to mean “strong encryption” as opposed to the use of passwords to limit access to a server.

The term “encrypted” data, under the AB 964 amendment, is defined as data that is “rendered unusable, unreadable or undecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” There is no indication of what criteria will be used to determine the extent to which a particular technology or methodology will be deemed “generally accepted” in the field of information security. Companies may consider turning to relevant publications by NIST, the US National Institute of Standards and Technology, or to standards established by well-known organizations such as the International Organization for Standardization (ISO), an international standard-setting body. The practical consequence is that a record is not “encrypted” merely because a password stands between a user and the server that holds it in the clear: the stored bytes themselves must be unreadable without a key held elsewhere.
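As an added illustration of the distinction the post draws (this is example code, not code from the original post or from the California statute), the Go program below contrasts a record kept behind a server password with the same record under AES-256-GCM, the mode NIST specifies in SP 800-38D and the kind of method a company could plausibly cite as “generally accepted”. The record, the password and the key are constructed for the example; whether a given method satisfies the statute remains a legal question the code cannot answer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record standing in for a row of "personal information"
// (name plus account number) under Civ. Code 1798.82. Not real data.
var sampleRecord = []byte("Jane Roe,Acct 4111-0000-0000-1234,jane@example.com")

// PasswordGatedStore models the practice the post says does NOT count as
// encryption: the server checks a password before serving the record, but the
// record itself is persisted as plaintext. Whoever copies the disk or dumps
// process memory gets the data without ever seeing the password prompt.
type PasswordGatedStore struct {
	password string
	Disk     []byte // what is actually persisted, exposed for inspection
}

func NewPasswordGatedStore(password string, record []byte) *PasswordGatedStore {
	return &PasswordGatedStore{password: password, Disk: append([]byte(nil), record...)}
}

// Read enforces the access check; Disk shows what that check leaves exposed.
func (s *PasswordGatedStore) Read(password string) ([]byte, error) {
	if password != s.password {
		return nil, errors.New("access denied")
	}
	return s.Disk, nil
}

// EncryptRecord uses AES-256-GCM (NIST SP 800-38D). The 32-byte key must live
// outside the data store (a KMS or HSM, not a config file beside the data).
// A fresh 12-byte random nonce is prepended; the GCM tag makes tampering detectable.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord and fails closed if the nonce,
// ciphertext or tag has been altered.
func DecryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether a recognisable fragment of the record (its
// first eight bytes, the name) is readable in the stored bytes: the
// "unreadable to an unauthorized person" test in its crudest form.
func LeaksPlaintext(stored, record []byte) bool {
	return bytes.Contains(stored, record[:8])
}

func main() {
	gated := NewPasswordGatedStore("s3cret-pw", sampleRecord)
	fmt.Println("password-gated disk leaks plaintext:", LeaksPlaintext(gated.Disk, sampleRecord))

	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := EncryptRecord(key, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Println("AES-GCM ciphertext leaks plaintext:", LeaksPlaintext(sealed, sampleRecord))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = DecryptRecord(key, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The password-gated store satisfies an access-control requirement but not the amendment’s definition, because a copy of its storage is readable as-is. The AES-GCM output is unreadable without the key and refuses to decrypt once a single bit has been changed, which is the property a company would want to be able to demonstrate when deciding whether a lost copy of the data triggers a breach notice.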

Required Format for Breach Notices

Finally, SB 570 amends the California Security Breach laws to require that a specific outline be used when preparing a breach disclosure notice. While prior amendments to the California Security Breach Laws did specify the type of information that should be included in a breach notice, this amendment focuses on the readability of the document: it prescribes the sequence in which the information must be provided and the titles to be used for each section of the disclosure. The notice must be titled “Notice of Data Breach”. It must be broken into prescribed sections titled:

  • “What happened”;
  • “What information was involved”;
  • “What we are doing”;
  • “What you can do”; and
  • “For more information”.

The affected entities are given the freedom to supplement this information.

The amendment also requires, among other things, that the format of the notice be designed to call attention to the nature and significance of the information that it contains. The font used must be not smaller than 10-point type. A sample form is provided in the bill.

These amendments will be effective as of January 1, 2016. That leaves companies subject to California disclosure laws about ten weeks to update their security incident response plans and notice forms, and to adjust their practices to the new amendments.


Safe Harbor Invalidation – Article 29 Working Party Sets January 2016 Deadline

Posted by fgilbert on October 16th, 2015

The long-awaited reaction of the Working Party to the ruling of the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case is now public. Late on October 15, the Article 29 Working Party published a statement outlining its first response to the landmark ruling. The Working Party’s statement summarizes the group’s evaluation of the first consequences to be drawn at European and national level.

The Working Party points out that the data protection authorities, EU institutions, Member States, and businesses are collectively responsible for finding sustainable solutions to implement the Court’s judgment. It stresses that businesses, in particular, should reflect on the risks they may take when transferring data to the United States, and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection principles.

Transfers under Safe Harbor Unlawful

Regarding the practical consequences of the CJEU judgment, the Working Party states that it is clear that transfers from the European Union to the United States can no longer be framed based on Safe Harbor mechanism and “transfers that are still taking place under the Safe Harbor after the CJEU judgment are unlawful.”

Standard Clauses and Binding Corporate Rules

Until the Working Party has completed its analysis of the impact of the CJEU judgment on other transfer tools, data protection authorities will consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, during this transition period, the Working Party warns that data protection authorities will continue to exercise their right to investigate particular cases, and to exercise their powers in order to protect individuals.

January 2016 Deadline

The Working Party’s press release sets a January 2016 deadline. If, by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.

Massive Surveillance an Issue

The activities of US law enforcement agencies remain of great concern to the Working Party. The Working Party points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and existing transfer tools are not the solution to this issue.

Intergovernmental Agreement Suggested

While progress has been made with the recent signature of the Umbrella Agreement and the ongoing negotiations regarding Safe Harbor 2.0, the Working Party believes that more needs to be done. A new Safe Harbor agreement would be only a part of the solution; more is necessary.

The Working Party urges Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling cross Atlantic data transfers that respect fundamental rights. In particular, it suggests that such solutions could be found through the negotiation of an intergovernmental agreement providing stronger guarantees to EU data subjects.

The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on:

  • Oversight of access by public authorities;
  • Transparency;
  • Proportionality;
  • Redress mechanisms; and
  • Data protection rights.

Shared Responsibility

The Working Party views it as a shared responsibility between data protection authorities, EU institutions, Member States, and businesses to find sustainable solutions to implement the Court’s judgment. It states that, in the context of the CJEU judgment, businesses should reflect on the risks they may take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection laws and principles.

Safe Harbor Invalidation – What Consequences?

Posted by fgilbert on October 16th, 2015


In a 35-page ruling, published on October 6, 2015, the Court of Justice of the European Union has declared the EU-US Safe Harbor invalid. This means that data transfers between European companies and the 4500+ US companies that have self-certified their adherence to the EU-US Safe Harbor principles no longer have a legal basis and are exposed to the scrutiny of the 31 Data Protection Authorities of the European Economic Area (EEA) Member States.

The CJEU ruling comes after lengthy proceedings initiated by an Austrian law student against Facebook, arguing that the transfer of his personal information from Austria to Facebook’s California servers under the protection of the Safe Harbor violates his rights. The original complaint argued that, based on the information provided by Edward Snowden regarding the mass surveillance powers of US National Security Agency, the United States offers no legal protection against data surveillance, and the powers of the US law enforcement agencies supersede the promises made in a company’s Safe Harbor self-certification.

The CJEU went beyond the specific question that had been raised in the Facebook case. It held that Article 3 of Decision 2000/520 (which allowed for the creation of the Safe Harbor) is invalid. And, because Article 3 of Decision 2000/520 is inseparable from the other provisions of Decision 2000/520, the invalidity of Article 3 invalidates Decision 2000/520 in its entirety.

As put simply and very concisely in the last line of the CJEU 35-page ruling: “Decision 2000/520 is invalid.”

What does this mean for US companies and their subsidiaries and trading partners located in the 31 Member States of the European Economic Area?

It means great uncertainty. There are long term and short term issues:

  • What to do immediately;
  • Whether this means a future with a series of data localization restrictions resulting in countries or regions adopting a silo approach to data storage.

Immediate Consequences

First, the legal basis of the EU-US Safe Harbor on which EEA companies had relied to transfer data to the United States has been declared invalid. However, the decision does not affect the Switzerland-US Safe Harbor. Thus transfers between Switzerland and the United States can continue under the existing Swiss-US Safe Harbor regime.

In the meantime, EEA data protection laws continue to prohibit the transfer of personal data outside the EEA territory unless there is a legal basis to show that the data, once on US territory, will benefit from the same protection as in the EEA.

There may be temporary workarounds. There are other approved methods to achieve the “adequate protection” required by the EEA data protection laws. For example, EU and EEA companies may decide to enter into contracts based on Standard Contractual Clauses approved by the European Commission. This might be the fastest and most efficient way to react in the short term. But before this solution may be implemented, significant due diligence must be performed, and many parties must agree to the applicable terms. The terms of the Standard Clauses create stringent restrictions and significant liabilities for which US companies may need additional insurance coverage. Multinational entities may attempt to obtain approval of BCRs (“Binding Corporate Rules”) for their internal transfers. But there are significant hurdles. For example, currently, only 21 out of the 31 EEA countries recognize Binding Corporate Rules. Further, the process for approval of a set of BCRs may take one to two years from beginning to end.

Long Term Issues

A much more fundamental question remains. What happens to EEA data when they are stored on US territory? And will the NSA surveillance activities continue to create heartburn for EEA citizens and institutions?

The argument initially raised in the Facebook case was that the Snowden revelations raised the concern that, in spite of a series of laws regulating government access to data and communications, the US legal framework offers no actual protection against excessive surveillance by US law enforcement agencies.

In its 35-page analysis, the CJEU repeatedly asserts that personal data, once on US territory, is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the protective rules laid down by the Safe Harbor when they conflict with US national security and public interest requirements. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve this issue. Data transferred from the EEA to the United States under BCRs or Standard Contractual Clauses would suffer the same fate.

A world of silos?

The CJEU Decision in the Facebook case raises a much more fundamental question regarding cross-border data transfers. It is not just the Safe Harbor program that is at stake. It is the entire framework of model clauses, binding corporate rules and other methods currently used to address the “adequate protection” requirement under EU Member State data protection laws that is at stake.

Will the special powers granted to – or used by – law enforcement agencies in the US create such an obstacle to cross-border data transfers between the EEA and the US that US companies will have no choice but to set up data centers in the EEA, in order to store their EEA customers’ data within the EEA territory in an attempt to reduce the risk of being within the reach of the long arm of US law enforcement agencies?

And will this trend, combined with other data localization laws, such as the one in Russia, create a world of data silos? Will localization laws become the norm?

Is it already too late?