22. February 2017
On February 6, 2017 the House of Representatives of the United States of America passed by voice vote the Email Privacy Act, which amends existing online communications law, in particular the Electronic Communications Privacy Act (ECPA) of 1986.
The Email Privacy Act is intended to reform the most outdated provisions of the ECPA.
Under the ECPA, emails stored on a third party's server for more than 180 days are considered abandoned. On this basis it was sufficient for law enforcement agencies to provide a written statement certifying that the requested information is relevant to an investigation in order to obtain the content of stored emails. The Email Privacy Act requires authorities to obtain a warrant to access emails, data in cloud storage and other digital communications that are more than 180 days old.
This is the third attempt at a new law in this field. The previous proposal also passed the House in the last Congress but did not pass the Senate; the first attempt already failed in the House. It remains to be seen whether the current Email Privacy Act passes the Senate or is rejected again.
The Email Privacy Act has the backing of Google, Microsoft and other big players based in the USA.
European data protection authorities remain concerned about the data collection practices in Windows 10. Although the letter to Microsoft was sent by the Article 29 Working Party (WP29), the UK Information Commissioner's Office (ICO) has also expressed serious concerns.
Microsoft was therefore asked to explain clearly what kinds of personal data are processed and for what purposes, as this remains unclear.
Last July France's CNIL also demanded that Microsoft "halt the excessive collection of data and the tracking of users' browsing without their consent", accusing Microsoft of numerous infractions of data protection law, such as the excessively broad collection of personal data under the telemetry programme and the default activation of a tracking tool (intended for the delivery of targeted advertising) without users' consent or knowledge.
In response, Microsoft announced in January a new Windows 10 update, the so-called "Creators Update". It includes a web-based dashboard which allows users to choose the desired level of data sharing.
At a conference in Australia this Monday, Microsoft also announced a second major Windows 10 release this year (with the user-interface design elements of Project Neon).
According to the WP29, though: "Even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users' personal data".
“Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid.”
Apart from Microsoft, the WP29 has also placed Facebook, WhatsApp and Yahoo under scrutiny on suspicion of data protection law violations.
21. February 2017
The German Federal Network Agency (Bundesnetzagentur) took the "My friend Cayla" doll off the market due to privacy concerns. The doll, which is equipped with a microphone, can answer children's questions using the Internet. It was therefore deemed a "concealed listening device" under section 90 of the Telecommunications Act (Telekommunikationsgesetz).
The Agency stated that the doll could be used to record and transmit children's conversations without the parents' knowledge. In addition, it is possible to listen in on children's conversations by connecting to the doll via an unsecured radio link (Bluetooth).
After complaints were also filed in the US, the Federal Trade Commission decided not to take any action.
Meanwhile, the doll's German distributor stated that "My friend Cayla" is not an espionage device and that it will challenge the Agency's decision in court.
14. February 2017
Last month, the Pennsylvania Superior Court upheld the dismissal of a class action lawsuit filed against the University of Pittsburgh Medical Center (UPMC) and ruled that UPMC has no legal duty to protect employee data.
In the incident, the following data was compromised: names, dates of birth, social security numbers, addresses, salary, tax and bank information.
According to the court documents, UPMC suffered a breach in 2014 that compromised the information of nearly 62,000 UPMC employees and ultimately resulted in approximately 788 tax fraud victims.
Although UPMC was ruled to have no legal duty under state law to protect the personal and financial information of its employees, the ruling contrasts with a similar case involving a Texas hospital, which was penalized $3.2 million after a data breach.
Last week, Google contacted millions of app developers to inform them that their apps violate Google's User Data policy.
10. February 2017
On January 10, 2017 the European Commission published a proposal for an ePrivacy Regulation. After the adoption of the General Data Protection Regulation ('GDPR'), a new ePrivacy Regulation would be the next step in the European Commission's Digital Single Market Strategy ('DSM').
If adopted, the ePrivacy Regulation will replace both the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). In contrast to a Directive, which has to be implemented into national law by each EU Member State, a Regulation is directly applicable in all Member States. A Regulation would thus support the harmonisation of the data protection framework.
Since 2009, when the ePrivacy Directive was last revised, important technological and economic developments have taken place. In order to adapt the legal framework to the reality of electronic communication, the scope of the proposed Regulation is widened to cover so-called 'over-the-top' ('OTT') service providers, such as WhatsApp, Skype or Facebook, which run their services over the internet.
By ensuring the privacy of machine-to-machine communication, the Regulation also addresses the Internet of Things and thus seems not only to consider the current state of electronic communication, but also to prepare for upcoming developments in the information technology sector.
Electronic communications data (metadata as well as content data) may not be processed without complying with the requirements of the Regulation. Metadata may be processed if necessary to meet mandatory quality of service requirements, or for billing, calculating interconnection payments, or detecting or stopping fraudulent or abusive use of, or subscription to, electronic communications services.
Content data may be processed in two cases: first, for the sole purpose of providing a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of their electronic communications content and the service cannot be provided without such processing; or second, if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing anonymised information, and the provider has consulted the supervisory authority.
In contrast to the draft Regulation leaked in December 2016, the official proposal does not contain a commitment to 'privacy by default', i.e. the requirement that software be configured so that third parties cannot store information on, or use information about, a user's device.
The Commission's proposal merely requires that software offer the option to prevent third parties from storing information on, or using information about, a user's device.
ePrivacy Regulation and GDPR
Both the ePrivacy Regulation and the GDPR are part of the above-mentioned DSM Strategy, as several commonalities show. For instance, the fines under both Regulations will be the same. Furthermore, the EU data protection authorities responsible for enforcing the GDPR will also be responsible for the ePrivacy Regulation. This will contribute to the harmonisation of the data protection framework and increase trust in, and the security of, digital services.
After consideration and agreement by the European Parliament and the Council, the Regulation could be adopted by 25 May 2018, when the GDPR becomes applicable. It remains to be seen whether this schedule is realistic, considering how long the debate about the GDPR took.
9. February 2017
Recently, Google lost a court case (in Philadelphia) concerning e-mail data stored on foreign servers; according to the judgment, the data must be handed over to the FBI.
The court diverged from existing case law: in a recent case, Microsoft had successfully refused to hand over data stored on servers in the European Union, referring to the legal requirements in the EU.
As justification for Google's obligation to disclose, the judge argued that Google constantly copies data between its data centers, so that only one further transfer of the requested data to the US would be needed for the FBI to access it. Although this could constitute a violation of the user's rights, any such violation would take place in the USA and would therefore fall within the scope of US law. According to the court, the data transfer therefore does not constitute access to foreign data at all.
Following the judgment, Google commented on the proceedings and announced that it will appeal the decision and continue to oppose all official demands that go too far. Google also explained that, for technical reasons, data is distributed across servers around the world and in some cases it is not clear at all where the data is stored. The judgment shows that each year Google receives some 25,000 information requests from US investigators.
8. February 2017
The Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor framework in October 2015; it was replaced by the Privacy Shield on 12 July 2016.
The Executive Order "Enhancing Public Safety in the Interior of the United States" was issued by US President Donald Trump on 25 January 2017. Its main aim is the enforcement of immigration law in the U.S.
Section 14 of the order reads: "Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
The so-called "Umbrella Agreement" between the U.S. and the EU (signed on 2 December 2016) governs personal data transfers for law enforcement purposes. The agreement also applies to pre-existing agreements between the U.S. and the EU, such as the various Mutual Legal Assistance Treaties ("MLATs"), the Passenger Name Records Agreement and the Safe Harbor framework.
Article 19 of the Umbrella Agreement enables every EU citizen to seek judicial review in case of an unlawful disclosure of the individual's personal data or a denial of the right to access or amend personal data in an agency's possession.
Before the Umbrella Agreement there was no such legal possibility, as the Privacy Act of 1974 extended those rights only to U.S. citizens and permanent residents. The EU would only agree to the Umbrella Agreement once the U.S. extended Privacy Act protections to EU citizens, so that the U.S. could comply with Art. 19 of the Umbrella Agreement.
Moreover, in February 2016 the Judicial Redress Act was passed following agreement between the U.S. and the EU, extending the protections of the Privacy Act (disclosure, access, amendment) to citizens of "covered countries" (as designated under the Judicial Redress Act).
On 17 January 2017 Loretta Lynch (then U.S. Attorney General) designated as "covered jurisdictions" under the Judicial Redress Act all EU Member States apart from Denmark and the UK; the designation became effective on 1 February 2017.
However, the Attorney General's designation is not subject to administrative or judicial review under the Judicial Redress Act.
Donald Trump's Executive Order is believed not to affect the Judicial Redress Act (which is the applicable law for data transfers for law enforcement purposes) with respect to the extension of Privacy Act rights to EU citizens; accordingly, the Executive Order should not affect the legal viability of the Privacy Shield framework.
What remains unresolved is the "covered countries" designation, as the Judicial Redress Act provides a process for removing "covered countries" designations, which is still subject to dispute.
27. January 2017
The Russian data protection authority Roskomnadzor sent an order on 17 November 2016 to telecommunication companies to block access to LinkedIn within Russia. The reason for this step was, according to Roskomnadzor, that LinkedIn does not protect data subjects' rights in a way that complies with Russian data protection law.
Roskomnadzor's order refers to a Moscow District Court decision of 4 August 2016.
The LinkedIn case is the first major test of the Russian data localization law, which has been in effect since 1 September 2015.
Roskomnadzor holds that LinkedIn not only violates the data localization requirement but also a number of other requirements, such as collecting personal data from non-users without their consent before they complete the registration process.
LinkedIn can now challenge this decision within six months before the Moscow Court and then appeal to the Russian Supreme Court. However, LinkedIn has not yet announced its intentions.
18. January 2017
A new law on telecommunications surveillance entered into force in Germany on New Year's Eve. It grants the German Federal Intelligence Service (BND) extensive surveillance powers and provides a legal basis for strategic telecommunications surveillance. The BND is allowed to collect, process and store the data for six months. Targeted surveillance in dangerous situations, such as feared terrorist attacks, is also permitted. The collected data must have a foreign connection, i.e. it must be communications sent by foreigners abroad.