28 Jan 2016

Data Protection update - January 2016

Coverage this month includes an update on Safe Harbor, Russia's "Right to be Forgotten" law and the news that the French Government has rejected a proposed amendment to its Digital Republic Bill. In our cybersecurity section, we note a recent US cybercrime case in the sports industry and recent steps taken by the UK hedge fund industry to help protect itself against cyber-attacks. We also include an overview of the latest actions taken by the ICO.

Safe Harbor announcement expected on 1 February

Reports of an exchange between EU and US representatives at the annual Computers, Privacy and Data Protection Conference in Brussels suggest that an announcement will be made on Monday 1 February as to whether an agreement between EU and US authorities over the so-called "Safe Harbor 2.0" has been reached. This would mean that the deadline of 31 January will be missed.

The 31 January deadline was set last year by the Article 29 Working Party of EU data protection authorities in the wake of the Schrems judgment, which ruled the Commission decision behind Safe Harbor invalid. As previously reported in our October 2015 update, the members of the Working Party are committed to taking all necessary action if no appropriate solution is found by the deadline, which may include coordinated enforcement action.

The Article 29 Working Party is expected to meet on 2 February to decide whether any agreement announced on Monday is acceptable and to adopt a common approach on issues relating to transfers between the EU and US. If a political agreement can be reached, the European data protection authorities may decide to refrain from taking enforcement action.

A key additional concern for European negotiators is the fate of the proposed US Judicial Redress Act which, if enacted, will allow EU citizens certain rights to file civil actions against US government agencies for unlawful data disclosures under the US Privacy Act. Such a right of judicial redress does not currently exist in the US. The Act was voted through by the Senate Judiciary Committee on 28 January and will now progress to the full Senate, which is likely to take some time. In addition, the Senate Judiciary Committee voted the Act through with certain amendments. Under these amendments, an EU citizen's right to sue will be subject to additional conditions, namely that the EU or relevant EU member state permits the transfer of personal data to the US for commercial purposes and that the US Attorney General has certified that the personal data transfer policies and "related actions" of the EU or relevant EU member state do not materially impede the national security interests of the US. These amendments may cause friction between the EU and US in their negotiations towards "Safe Harbor 2.0".

Israel postpones possibility of any US-EU safe harbour enforcement

However, one development which supports suggestions that a new Safe Harbor framework may in fact be imminent is the announcement by the Israeli data protection authority, ILITA, on 21 January that it is postponing any review or enforcement actions on data transfers from Israel to the US which are based on the Safe Harbor framework. Safe Harbor is relied on in Israel because its privacy laws allow transfers of personal data to a country to which the EU permits transfers. ILITA had previously stated that it would not permit such transfers following the Schrems judgment.

Russian "Right to be forgotten" law now in force

An amendment to Russian Federal Law No. 149-FZ of 27 July 2006, on Information, Information Technology and Information Protection (the "Amended Law") came into force on 1 January. The Amended Law introduces the so-called "Right to be forgotten" into Russian law. This allows individuals to apply to search engines targeting a Russian audience to remove information about them which has been unlawfully disseminated or is untrustworthy, outdated, or irrelevant (with certain exceptions regarding conviction records or criminal liability). Search engines then have 10 days to consider and act on a request (which can include complying or refusing the request, or asking for more information). A separate bill is currently passing through the Duma which will provide sanctions for breaches of the Amended Law.

French Government rejects proposal to allow access to encrypted data

The French Government has rejected a proposed amendment to the Digital Republic Bill that would have required computer and hardware companies to build "backdoor" access into their encrypted systems or provide encryption keys to the police. The proposals, made by Republican MP Nathalie Kosciusko-Morizet earlier this month, would have allowed authorities to access individuals' devices through what has been called "vulnerability by design" on the grounds that encryption should not impede a police investigation. The proposed amendment constitutes one of a number of attempts to legislate against encryption in light of speculation that the perpetrators of the November 2015 Paris attacks used encryption methods to coordinate the attacks.

European Court of Human Rights rules on employee monitoring

On 12 January, the European Court of Human Rights held in Bărbulescu v Romania that there was no violation of Article 8 of the European Convention on Human Rights (right to respect for private and family life, the home and correspondence) in circumstances where an employee was dismissed by his employer for having used his business Yahoo Messenger e-mail account for personal purposes.

We provide a fuller account of the case in our recent employment and Data Protection alert, which can be accessed here.

General Data Protection Regulation proposed text agreed

As outlined in our December alert, on 15 December 2015, nearly four years after the publication of the first draft, the proposed text of the EU General Data Protection Regulation was agreed by the main institutions of the European Union. The Regulation constitutes a radical overhaul of Europe's data protection laws and will replace the existing Directive and all national implementing laws, including the UK's Data Protection Act 1998. The proposed text now needs to be put to the full European Parliament for formal approval, which is expected to take place early this year. The Regulation will then come into force with direct effect two years thereafter.

Cybersecurity

Baseball scout pleads guilty to hacking

On 8 January, Chris Correa, the former Scouting Director for the US Major League Baseball team the St. Louis Cardinals, pleaded guilty to five counts of unlawfully accessing the computers and emails of employees of a competitor team, the Houston Astros.

Mr Correa's target was the contents of the Astros' "Ground Control" private database, in which the team kept private player and scouting information, knowledge, strategies, notes and evaluations. Much of the information was highly confidential and was valued in court at US$1.7m, although its value to the team was likely far more.

Access to the network was gained by manipulating an old password of an ex-Cardinals employee.

The case highlights the prevalence of cyber-crime across different industries.

Hedge Fund Standards Board cyber attack simulation

The UK Hedge Fund Standards Board reported on 19 January that it had held its first table top cyber attack simulation for fund managers in London.

The simulation's objective was to explore the response of hedge fund managers when faced with three cyber-attack scenarios: data theft and leakage of internal sensitive data; a financial infrastructure attack; and "crypto ransomware".

The Standards Board has identified three key insights following the simulation: (i) given the legal, compliance, investor relations and reputational issues involved, managers should not consider cyber security just as an "IT" problem; (ii) managers should be prepared to quickly access external legal and IT expertise if required; and (iii) having a cyber security incident response plan in place helps to establish responsibilities, pre-identify external resources and speed up decisions should there be a cyber attack.

ICO enforcement

We outline below a selection of recent ICO actions.

The Alzheimer's Society

On 5 January, the ICO issued an Enforcement Notice against the Alzheimer's Society. The ICO had issued an Undertaking to the Society in 2010 following a data breach, followed by audits in 2013 and 2014. A second breach, discovered in April 2015, prompted a further investigation by the ICO.

The ICO found that the Society had breached the 5th and 7th data protection principles (keeping personal data for no longer than necessary and implementing appropriate technical and organisational measures against unauthorised or unlawful processing and accidental loss or destruction of, or damage to, personal data). The Enforcement Notice requires the Society to take various steps, including implementing training and encryption measures.

A copy of the Enforcement Notice can be found here.

Telegraph Media Group

Late last year, the ICO fined Telegraph Media Group £30,000 for sending an email to "hundreds of thousands" of people on the day of the general election which included a letter from the editor urging readers to vote Conservative.

On election day, an email with editorial content had been prepared to send to readers on the editorial subscription list. However, at the last moment, a letter from the editor was included in the email which appeared to urge its readers to vote for the Conservative Party. This changed the nature of the email to a marketing email. As such, the newspaper should have changed the email's audience through the use of its marketing permission flag system to ensure that no recipients who had opted out of receiving marketing emails received the letter. The soft opt-in rule under Regulation 22(3) PECR does not apply to political campaigning and as such, many recipients of the email had not provided specific consent to marketing communications.

A copy of the Monetary Penalty Notice can be found here.

KEY CONTACT

Jonathan Kirsop

Partner