An overview of interesting Data & IT Law articles and news from September 2015!
Safe Harbour framework status challenged
The Court of Justice of the European Union (CJEU) Advocate General Yves Bot stated that the Safe Harbour framework does not satisfy the requirements of the EU’s Data Protection Directive because of the surveillance carried out by the NSA (for more information, see the Opinion in Case C-362/14). Safe Harbour is a framework that should ensure that data transfers between the EU and the US are legal under European data protection law.
If the European Court of Justice agreed with the opinion of the Advocate General, it might have a serious effect on many companies. “US companies (would) have to play by rules that are equal to those their competitors already play by and that they cannot aid US mass surveillance.”
The right to be forgotten and its application globally – France rejects Google’s appeal
French data protection authorities demanded that EU citizens should have the right to demand application of the right to be forgotten outside EU borders as well. The French office proposes to fine Google if it does not comply with the French regulator’s demands.
Google rejects the argument, claiming that “(a)s a matter of principle, we respectfully disagree with the idea that a single national Data Protection Authority should determine which webpages people in other countries can access via search engines.”
The modifications of data protection legislation in Japan
Over the next two years, several changes to the Japanese Personal Information Protection Act will become effective. The changes include several important issues for businesses operating in Japan.
Some of the changes: “‘Anonymized’ personal data may be transferred to third parties without the subject’s consent. New restrictions will be imposed on particularly sensitive information, including race, medical history and criminal history. Any disclosure of personal data to third parties, or change to the proposed use of personal data, will require a report to the Personal Information Protection Committee, and the report will become public information (most likely on the Internet). Personal information databases cannot be transferred to a party outside of Japan unless the recipient has adequate data protections in place, or its country has been recognized as having adequate privacy laws.”
Russia: Apple rented data space in Russia, Microsoft won its case
In order to comply with the changes in Russian data protection legislation, Apple has rented space at a data center in Russia. It is one of the first major technology players to start storing data about Russian citizens inside the country. “Only 10% of customers in some of the country’s largest data centre providers had successfully moved data as of September 1, with the slow implementation being blamed on a lack of clear understanding of the new legislation by data centre clients.”
In the meantime, the Federal Service for Consumer Rights Protection failed to find any violations of the data protection law in Microsoft’s activity. The reason for the complaint was Microsoft’s new operating system Windows 10 and its treatment of personal data. However, the Agency found that “users give their personal consent to data collection by accepting the license agreement”.
10 steps for a Cybersecurity audit
The article gives an overview of the steps necessary to improve a company’s cybersecurity. It can serve as a basis for developing a company-specific checklist.
Among other things, the checklist includes: “Review policies and procedures. Inventory digital assets. Conduct a risk assessment. Assign responsibility. Invest in cyber insurance. Raise awareness. Create an incident response plan. Protect consumers and customers. Assess third-party risk. Secure the perimeter.”
US data protection law obsolete?
Authors often note that the data protection legislation of the United States of America has many problems. One of the most commonly cited negative features is that the law is obsolete. For example, the act affecting email communication (Electronic Communications Privacy Act) was ratified in 1986 and has not been seriously adjusted to the present state of technology.
Some articles argue that this might change in 2015. “The Electronic Communications Privacy Act Amendments Act of 2015 has 23 cosponsors in the U.S. Senate. The Email Privacy Act has 292 cosponsors in the House, making it one of the most popular bills in the lower chamber.” On the other hand, there are always public officials who argue that the changes in legislation might damage their capacity to investigate. It is necessary to find a solution for these issues, as they complicate the everyday life of companies (for example, the case against Microsoft about its emails in Ireland).