On October 6, 2015 the Court of Justice of the European Union (CJEU) released a bombshell, but not completely unexpected judgment, invalidating a decision of the European Commission that underpinned the EU-US privacy safe harbor. In Schrems v. Data Protection Commissioner  EUECJ C-362/14 (06 October 2015), the CJEU held that supervisory data authorities in Member States have the joint right with the EU Commission to review whether non-EU countries provide adequate protection to personal data transferred to them from the EU despite a decision by the EU Commission that such protection is provided. It also invalided Commission Decision 2000/520 which had found that transfers of personal data to the US from the EU provided adequate protection where the recipient complied with the EU-US Safe Harbour Principles.
Archive for the ‘Privacy’ category
EU’s highest court struck a major blow to the EU-US safe harbour earlier today in the closely watched case, Schrems v. Data Protection Commissioner  EUECJ C-362/14 (06 October 2015). The decision of the CJEU, which followed the earlier opinion of the Advocate General, is the worst privacy nightmare that could have been imagined by the thousands of US and EU based companies that rely on the safe harbour to transfer personal data to the US for processing. It affects giant social networks like Facebook, search engines like Google, cloud hosting providers, and thousands of other companies that do business in the EU and that transfer personal data to the US.
The Digital Privacy Act was given a quick third reading in the House yesterday and was speedily given royal assent to become law earlier today. This law, which has been in the making since 2007, updates Canada’s comprehensive federal privacy legislation PIPEDA in quite significant ways. I previously summarized salient aspects of the law in my blog posts, Digital Privacy Act: Important work still to be done by the INDU Committee and Cyber threats, information sharing and The Digital Privacy Act.
I gave my annual presentation today to the Toronto computer Lawyers’ Group on “The year in review in Computer, Internet and E-Commerce Law”. It covered the period from June 2014 to June 2015. The developments included cases from Canada, the U.S. the U.K. and other Commonwealth countries.
The developments were organized into the broad topics of: Online Agreements, Licensing/Technology Contracting, Privacy, Online Liability, Cyber-security and Copyright.
The cases referred to are listed below. My slides can be viewed after the case listing.
Nguyen v. Barnes & Noble, Inc., 763 F. 3d 1171 (9th.Cir. 2014)
This morning, Ryerson University and Deloitte announced a new certification framework based on Privacy by Design principles. Privacy by Design is a set of principles that builds privacy into the design, operation and management of a given system, business process or design specification. It is based on 7 Foundational Principles developed by Dr Ann Cavoukian, Executive Director of Ryerson’s Privacy and Big Data Institute and the former Information and Privacy Commissioner of Ontario.
Under the Privacy by Design framework, Ryerson will be responsible for certifying organizations that meet the necessary privacy criteria. Organizations must first undergo an assessment by Deloitte, Ryerson’s exclusive assessment arm for the certification framework, against the 7 Foundational Principles.
The ‘Safari workaround’ has cost Google millions. In 2012, it paid a civil penalty of US$22.5 million to settle charges brought by the US FTC that Google misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. In 2013 it paid US$17 million to settle US state consumer-based actions brought by State AGs.
Cyber security is top of mind these days in corporate boardrooms, governments, and with consumers. Last week was exemplary with more reports of hacks and governments moving forward with measures attempting to address the growing threats.
The New York Times reported that bank hackers stole millions using malware in a scam that allegedly involved an attack on more than 100 banks and other FIs in 30 nations. This followed a series of seemingly unending reports of attacks against other organizations.
In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process and have the obligation, in appropriate cases, to de-list links to personal information in their search results. A recent decision in Mosley v Google Inc & Anor  EWHC 59 (QB) (15 January 2015) has recognized that a right to get a blocking order against a search engine might also exist in the United Kingdom under the UK Data Protection Act 1998. The case also illustrates the challenges individuals have in vindicating their privacy interests in the Internet context.
A divided Supreme Court ruled that individuals cannot be secure that their most personal information will be protected from warrantless searches when arrested. In a 4 to 3 ruling, in R v Fearon, the Court held that if a person is lawfully arrested, a search is conducted that is incidental to the arrest, the search is tailored to its purpose, and the police take detailed notes, police may search the person’s cell phone.
In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they have the obligation, in appropriate cases, to de-list links to personal information in their search results.
The Gonzales decision left open questions about the scope of the duty and the criteria to be used in determining what links must be delisted, something which Google, data protection authorities, and others had disagreed about. The Article 29 Data Protection Working Party has now released a Guideline addressing these controversial issues.