The territorial reach and enforcement jurisdiction of European Union’s data protection law has become a lot more important these days following the decision of the Court of Justice in the Schrems case. In a case decided just a few days before Schrems, the same court gave Directive 95/46/EC a broad reading holding that the laws of a Member State apply to data controllers in another Member State who operate a website that processes data of residents of the first Member State. The Court, however, construed the enforcement jurisdiction of supervisory authorities narrowly ruling they do not have the ability to impose penalties on controllers not established in the Member State. The judgment of the Court in Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C‑230/14, October 1, 2015 has significant repercussions for EU and non-EU businesses that operate websites that target residents of a Member State and potentially for the territorial reach of the “right to be forgotten”.
Archive for the ‘Privacy’ category
Schrems, what the CJEU decided and why it is a problem for Canadian and other non-EU businesses (updated)October 12th, 2015
On October 6, 2015 the Court of Justice of the European Union (CJEU) released a bombshell, but not completely unexpected judgment, invalidating a decision of the European Commission that underpinned the EU-US privacy safe harbor. In Schrems v. Data Protection Commissioner  EUECJ C-362/14 (06 October 2015), the CJEU held that supervisory data authorities in Member States have the joint right with the EU Commission to review whether non-EU countries provide adequate protection to personal data transferred to them from the EU despite a decision by the EU Commission that such protection is provided. It also invalided Commission Decision 2000/520 which had found that transfers of personal data to the US from the EU provided adequate protection where the recipient complied with the EU-US Safe Harbour Principles.
EU’s highest court struck a major blow to the EU-US safe harbour earlier today in the closely watched case, Schrems v. Data Protection Commissioner  EUECJ C-362/14 (06 October 2015). The decision of the CJEU, which followed the earlier opinion of the Advocate General, is the worst privacy nightmare that could have been imagined by the thousands of US and EU based companies that rely on the safe harbour to transfer personal data to the US for processing. It affects giant social networks like Facebook, search engines like Google, cloud hosting providers, and thousands of other companies that do business in the EU and that transfer personal data to the US.
The Digital Privacy Act was given a quick third reading in the House yesterday and was speedily given royal assent to become law earlier today. This law, which has been in the making since 2007, updates Canada’s comprehensive federal privacy legislation PIPEDA in quite significant ways. I previously summarized salient aspects of the law in my blog posts, Digital Privacy Act: Important work still to be done by the INDU Committee and Cyber threats, information sharing and The Digital Privacy Act.
I gave my annual presentation today to the Toronto computer Lawyers’ Group on “The year in review in Computer, Internet and E-Commerce Law”. It covered the period from June 2014 to June 2015. The developments included cases from Canada, the U.S. the U.K. and other Commonwealth countries.
The developments were organized into the broad topics of: Online Agreements, Licensing/Technology Contracting, Privacy, Online Liability, Cyber-security and Copyright.
The cases referred to are listed below. My slides can be viewed after the case listing.
Nguyen v. Barnes & Noble, Inc., 763 F. 3d 1171 (9th.Cir. 2014)
This morning, Ryerson University and Deloitte announced a new certification framework based on Privacy by Design principles. Privacy by Design is a set of principles that builds privacy into the design, operation and management of a given system, business process or design specification. It is based on 7 Foundational Principles developed by Dr Ann Cavoukian, Executive Director of Ryerson’s Privacy and Big Data Institute and the former Information and Privacy Commissioner of Ontario.
Under the Privacy by Design framework, Ryerson will be responsible for certifying organizations that meet the necessary privacy criteria. Organizations must first undergo an assessment by Deloitte, Ryerson’s exclusive assessment arm for the certification framework, against the 7 Foundational Principles.
The ‘Safari workaround’ has cost Google millions. In 2012, it paid a civil penalty of US$22.5 million to settle charges brought by the US FTC that Google misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. In 2013 it paid US$17 million to settle US state consumer-based actions brought by State AGs.
Cyber security is top of mind these days in corporate boardrooms, governments, and with consumers. Last week was exemplary with more reports of hacks and governments moving forward with measures attempting to address the growing threats.
The New York Times reported that bank hackers stole millions using malware in a scam that allegedly involved an attack on more than 100 banks and other FIs in 30 nations. This followed a series of seemingly unending reports of attacks against other organizations.
In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process and have the obligation, in appropriate cases, to de-list links to personal information in their search results. A recent decision in Mosley v Google Inc & Anor  EWHC 59 (QB) (15 January 2015) has recognized that a right to get a blocking order against a search engine might also exist in the United Kingdom under the UK Data Protection Act 1998. The case also illustrates the challenges individuals have in vindicating their privacy interests in the Internet context.
A divided Supreme Court ruled that individuals cannot be secure that their most personal information will be protected from warrantless searches when arrested. In a 4 to 3 ruling, in R v Fearon, the Court held that if a person is lawfully arrested, a search is conducted that is incidental to the arrest, the search is tailored to its purpose, and the police take detailed notes, police may search the person’s cell phone.