Tag Archive | "privacy"


Critical Analysis: Determining the Boundaries of the Internet

Cloud Computing and Internet Surveillance

Since the rise of the internet, lawmakers and courts have struggled to create legal rules for a computer network that disregards geographical boundaries. Issues concerning internet governance have only grown more complex with the recent trend towards cloud computing and revelations of internet surveillance by government agencies. U.S. companies host massive amounts of data from customers around the world, with much of that information being stored overseas. These same U.S. companies have come under fire for giving U.S. government agencies access to customer data. Many countries responded to these revelations by enacting legislation designed to protect the privacy of their citizens’ data. Now we are left with a segmented, country-by-country approach to governing an internet that has no borders. The lack of a unified international framework for data protection has made it impossible for global internet companies to comply with all of the contradictory demands of their various stakeholders.


Image Source: wonderfulengineering.com

Microsoft Refuses to Give Foreign Hosted Data to U.S. Authorities

A court decision determining the circumstances under which U.S. law enforcement agencies may obtain digital information stored outside the U.S. has become the most recent example of the difficulty in reconciling the notion of sovereignty with a globally distributed network. During the summer of 2014, a United States court ordered Microsoft to produce the content of email data stored on servers in Dublin, Ireland. Microsoft complied with the warrant to the extent of producing the metadata of the email stored on U.S. servers but has refused to turn over the foreign-hosted content. Microsoft claims that U.S. courts do not have the power to issue warrants for extraterritorial search and seizure. In the court’s view, extraterritoriality does not apply to warrants issued pursuant to the Stored Communications Act (SCA) because the information is within the control of Microsoft.

Stored Communications Act (SCA)

Part of the purpose of the SCA was to address the difficulty in applying Fourth Amendment protections to information communicated and stored electronically. The court argues that a section 2703(a) SCA warrant operates like a hybrid between a subpoena and a warrant. With a subpoena, the test for compulsory production of information is whether or not the information is in the possession, custody, or control of the subpoena recipient. Extraterritoriality does not apply because, like a subpoena, an SCA warrant does not involve government agents entering the premises of the ISP to search its servers and seize information. One of the problems in allowing the SCA warrant hybrid to defy jurisdictional boundaries is that it creates a situation where Microsoft cannot comply with both the order and the laws of the host country simultaneously.

The Business of International Internet Companies

Microsoft, with the support of several other tech giants (including AT&T, Apple, Cisco, and Verizon among others), is claiming that this court order could set a precedent that might encourage Europeans to avoid using Microsoft products out of a fear that expansive U.S. discovery rules could expose all of their information. To maintain its European customers and avoid possible liability abroad, Microsoft has a very strong incentive to push back against this order. Microsoft has argued that if it complied with this order, it could decimate the U.S. cloud computing industry – which would cost both jobs and massive tax revenue. To protect its growing business in countries outside the U.S., Microsoft is urging the U.S. government to abide by its mutual legal assistance treaties, or MLATs. This approach would allow for more cooperation between the requesting and host countries, ensuring that the local laws of the host country are not disregarded in the process of acquiring the requested information.


Image Source: techpolicydaily.com

The Cloud Computing Industry Fights Back

While this case has played out in the court system, members of the United States Congress have been working to find an appropriate solution to the issues presented by U.S.-based companies hosting data abroad. On September 18, 2014, a bipartisan group of senators introduced the Law Enforcement Access to Data Stored Abroad Act, or LEADS Act. The LEADS Act would implement the warrant-for-content rule, meaning that the account of a U.S. citizen held overseas would only be accessible to law enforcement with a judicial warrant. The goal of the bill is to balance the needs of U.S. law enforcement with consumer privacy rights. Microsoft is supportive of the new bill as a way to continue the conversation over the control of data, but was adamant that it would not be the conversation’s conclusion.

Matthew Aeschbacher is a 4LE law student at the University of Denver Sturm College of Law and a staff editor for the Denver Journal of International Law & Policy.


Posted in DJILP Staff, Matthew Aeschbacher, TVFA Posts


One Size Won’t Fit All: Multinational Corporations’ Compliance with Privacy Regulations (Part 3 of 3)

Part 3: Proposed Solutions

This is the third and final post in a three-part blog post examining privacy issues confronting multinational corporations in a global economy. The first post explored privacy generally by analyzing privacy as the concept is understood and applied in the European Union, in China, and in the United States. The second post assessed the experiences of Google and McDonald’s in adhering to privacy regulations while operating on a global level in attempting to comply with the three privacy regimes described in the first post. This post will provide recommendations on privacy strategies companies can implement to mitigate some of the issues identified in the second post. These posts do not attempt to provide an exhaustive list of privacy issues multinational corporations encounter, but they are intended to show the importance of privacy concerns and to highlight the need to confront compliance issues in a proactive manner.


Introduction

“The establishment of good privacy and data security practices, backed by a commitment of resources, and assignment of responsibility for implementing such practices, may be some of the best insurance the company can buy.”- Steven Bennet.[1]


The recent breach at Target shows how vulnerable large companies are to hackers (USA Today)

The recent high-profile privacy breaches at Target and at Neiman Marcus demonstrate the consequences of failing to take privacy issues seriously. Companies with a greater presence on the world stage expose themselves as even greater targets for privacy attacks. Similarly, companies operating in multiple jurisdictions have to comply with varied privacy regimes. The Google and McDonald’s examples from the second post in this series indicate how difficult it can be to adhere to multiple privacy demands. As these examples illustrate, privacy is a difficult, but essential, component of any company’s operations. This final post seeks to provide some proposals companies operating on a global level should consider when implementing or reviewing their privacy policies.

Proposals

Understanding

The most important thing for any multinational corporation to do is to have an understanding of privacy in every jurisdiction in which it operates. The thorough understanding of privacy laws I propose is multifaceted. It is, or should be, obvious that companies must adhere to privacy regulations that currently exist; to have a good compliance program, “one must first know the rules.” Whether it is the Sarbanes-Oxley (“SOX”) requirements McDonald’s was attempting to comply with or Google executives being found guilty for not adequately protecting an individual’s privacy rights, companies must have an understanding of the privacy laws that are presently in place in the jurisdictions in which they operate. Google’s timely action of removing the video helped to ensure its executives were ultimately relieved of liability. Similarly, McDonald’s France’s request for approval of its professional integrity plan came prior to implementation, which was prudent given the fact that the plan was found to be in violation of France’s privacy policies. The two cases illustrate the necessity of complying with laws and regulations that are currently in place.

In tandem with compliance with existing laws, companies also have to stay current on any new regulations or laws that come into force. This is likely axiomatic to most companies, but it is well worth consideration. A globalized economy requires that companies keep up to date with any new regulations in every country in which they operate. For instance, the SOX requirements of providing whistleblower hotlines and ensuring anonymity of whistleblowers definitively apply to American companies operating exclusively in the U.S. It is unclear, however, if those same requirements apply to every country in which U.S. companies operate.[2] Because the SOX requirements might apply in every country in which they operate, companies have to be alert to any new amendments to the SOX requirements in the U.S. as well as any new developments in foreign jurisdictions, such as France, in which SOX compliance might violate privacy laws. What this means for multinational companies is that being up to date on the latest privacy regulations requires keeping abreast of privacy developments both domestically and abroad.

The greatest difficulties in keeping up to date with both domestic and foreign developments in privacy laws are undoubtedly the expertise required and the costs associated with maintaining that expertise. One way to offset these costs involves the third facet of a thorough understanding of privacy concerns: understanding the cultures in which privacy laws develop.


From the first post, Louis Brandeis was one of the first jurists to write about the concept of privacy in the law

Laws reflect society’s values.[3] Privacy laws have developed out of cultural norms that differ according to a wide variety of factors, including philosophy, religion, history, and culture. Thus, it comes as no surprise that no two privacy regimes are identical. In the U.S., the sectoral model of privacy laws traces its development to a strong mistrust of a strong central government. In the E.U., on the other hand, privacy is equated with personal dignity, and personal dignity is manifest when all Europeans are treated equally before the law. The concept of personal equality lends itself toward the omnibus regulations that exist in the E.U. and China. However, the omnibus regulations in China stem from its socialist development. Because of the different contexts from which modern privacy regimes arose, it is important to understand privacy regimes in their greater cultural context. Understanding the bigger picture of how particular privacy regimes evolved will allow for a degree of predictability in how the regimes will develop.

It is largely agreed that the best course for companies is to adopt a privacy policy in a prospective rather than a reactive manner. Yet, pursuing such a course is fraught with difficulty because of the changing nature of today’s marketplace. However, a thorough understanding of how a privacy regime has developed in the past will provide insight into how it will evolve in the future.

The Google case provides a perfect example of how understanding where privacy law developed from will help predict how it will evolve. Google may or may not have been aware that an Italian court would find that its activities in China exposed its executives to liability, but Google certainly knew that such a decision was not in keeping with E.U. privacy laws. Knowing that the E.U. privacy directive precluded content providers from liability unless the content provider controlled the information, Google was able to successfully argue that, despite its activities in China arguably to the contrary, it did not host the content. As a result of Google’s thorough understanding of where the E.U.’s privacy laws stem from, it was able to convincingly show that it was not liable.

A thorough understanding of privacy regimes takes three forms: knowledge of what the laws currently are, an up-to-date knowledge of laws as they develop, and comprehensive knowledge of how the laws advanced in the past to help predict how they will progress in the future. This understanding should form the bedrock of a company’s approach to privacy; without it, a company is missing vital pieces of the picture that could have severe implications.

Nuanced Policies

After a thorough understanding of the privacy regimes in which a company operates, the next logical step is to develop nuanced privacy policies. As both the Google and McDonald’s experiences highlight, a company cannot simply develop a one-size-fits-all mentality when it comes to privacy. Google’s censorship activities in China created complications for its operations in Italy. SOX compliance in the U.S. was potentially implicated by McDonald’s activities in France. These are but two examples of how privacy policies must be narrowly tailored to comply with each jurisdiction’s privacy laws. The privacy regimes in the world’s largest economies are simply too divergent to allow for a single prophylactic privacy compliance program.[4]

The simple solution to divergent privacy schemes is to create privacy policies specific to each jurisdiction, or a common approach to jurisdictions with similar privacy policies like the E.U., in which the company operates. This allows for adopting privacy policies that adhere to each jurisdiction’s unique privacy regulatory system, including the powers of each jurisdiction’s regulatory bodies.[5] Adopting a whistleblower hotline in France that meets that nation’s whistleblower directive permitted McDonald’s France to comply with French law while still following the SOX requirements in the U.S. Similarly, Google was able to filter the content accessible in China while still providing unfiltered material elsewhere.

Companies operating in multiple jurisdictions have to think domestically before they think globally. Each jurisdiction requires adherence to its privacy laws, and such adherence requires nuanced privacy policies that apply a thorough understanding of each jurisdiction’s privacy scheme. Companies likely view complying with every jurisdiction’s particular laws as natural as breathing, but compliance with each jurisdiction’s regulations is impossible if obedience to the laws of one nation creates violations in a second country. Both the McDonald’s and Google examples illustrate this point; it can be seemingly impossible to obey one nation’s laws if doing so violates another’s. The solution requires a global awareness in terms of thinking about privacy policies.

Global Awareness

Crafting nuanced privacy policies in each jurisdiction creates the potential for conflict with the regulations of a second state. To overcome this conflict, companies need to have an awareness of how privacy policies developed for compliance with U.S. or E.U. laws will be interpreted in China, or vice versa. Developing nuanced privacy policies while considering their global ramifications is admittedly a fine line to walk, but it is essential in today’s globalized market.


European Justice Commissioner Viviane Reding – The E.U.’s stricter data protection laws require companies to pay greater attention to compliance

Each jurisdiction in which a multinational company operates will have different requirements for privacy. When Google altered its search algorithm in order to comply with China’s “Great Firewall,” it moved itself from the position of a passive purveyor of information to that of a content provider. This approach allowed Google access to China’s massive population of internet users, but it also exposed Google to liability in Italy. It is debatable whether Google could have prevented this occurrence; Google likely could not have foreseen that an Italian court would deviate from the commonly understood interpretation of the E.U. Privacy Directive based on Google’s activities in China. The debate over the efficacy of potential preventative measures should not take away from the need for a global awareness of privacy regimes, however; only through an awareness that its actions in China could have ramifications in other jurisdictions could Google more ably predict the best policies to implement. Such an awareness of the risks involved in filtering the content available in China allowed Google to weigh the potential compliance issues against the potential benefits of access to the Chinese market.

McDonald’s France’s experience in attempting to comply with SOX regulations reinforces the need to have a global awareness of privacy regimes. Attempting to comply with U.S. whistleblower hotline and protection requirements by requiring every McDonald’s subsidiary to implement a one-size-fits-all global whistleblower hotline scheme would have resulted in privacy violations in France if it had been executed. Although McDonald’s would have been relieved of any SOX liability in the U.S., the potential damages in France could have been severe. Breaking consumer trust through privacy breaches or violations from mishandling personal information can cost millions, and the loss of goodwill associated with such mishandling is “immeasurable.” This is especially true in places where data collection is carefully scrutinized and where regulators are willing to impose hefty fines for improper data collection practices.

Understanding the current privacy context in every jurisdiction is obviously necessary for every multinational company, but the benefits of such understanding are diminished unless companies think globally. As the Google and McDonald’s examples illustrate, actions in one country will have ramifications in others. As a result, multinational companies should implement nuanced privacy policies for each jurisdiction while simultaneously ensuring that the policies will not run afoul of competing privacy regulations. Balancing nuanced privacy strategies with global awareness of privacy regulations requires creativity and meticulousness. Such a juggling act nearly mandates that multinational companies retain one or more privacy experts.

Increased Reliance on Privacy Experts

Privacy has increasingly become a “C-Suite issue” for many companies, highlighting privacy’s role in the broader context of a company’s business strategy. The proposals outlined above—a thorough understanding of privacy regimes, nuanced privacy policies, and a global awareness of privacy policy implications—are meaningless if there is not some person or group of individuals responsible for overseeing a company’s privacy program. This is where the importance of privacy experts comes in.

For privacy and data protection professionals to obtain a certificate in privacy matters, the International Association of Privacy Professionals (“IAPP”) requires an understanding of the following topics: (1) the U.S. legal system: definitions, sources of law and the sectoral model for privacy enforcement; (2) U.S. federal laws for protection of personal data: FCRA and FACTA, HIPAA, GLBA, COPPA and DPPA; and (3) U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA. And that list is only to become certified as an Information Privacy Professional for the U.S.; it does not entail certification as an expert on other privacy regimes. The IAPP certification process simply shows how much information there is to cover in each jurisdiction. If a company wishes to operate on the global stage and to implement a privacy policy that is thorough, nuanced, and globalized, it cannot afford not to hire privacy experts.


Privacy professionals meet for a summit in 2012 (U.S. Dept. of Commerce)

Privacy experts are critical to any global company. The Google and McDonald’s cases focus specifically on how essential it is for companies to know not only what the laws are, but how those laws affect companies’ operations. A privacy expert blends knowledge of the legal aspects of privacy with the demands of the particular business. Further, privacy experts, working in conjunction with security experts, can help make or break a company’s reputation; the loss of goodwill resulting from security breaches or non-compliance with privacy regulations has the potential of creating “major backlash from customers.”

Privacy experts also provide a focal point of privacy responsibility. Complying with the numerous existing and evolving laws, not to mention any future compliance issues resulting from advances in technology or changes in the economy, is difficult. Ensuring compliance in a piecemeal fashion, with each department myopically focusing on its own compliance issues, is nearly impossible. A privacy expert allows for a single, comprehensive source for all of the privacy issues a company confronts. Further, a single repository for privacy issues allows that expert to assist the company in making the most economically desirable decisions. The decision to ask the French privacy agency’s permission before enacting whistleblower hotlines likely saved McDonald’s France from a disaster, and a privacy expert can help facilitate that discussion.

Conclusion

The proposals outlined in this blog post represent some common-sense steps multinational companies can take to maximize privacy compliance. The first step is to thoroughly understand what the laws are, to keep up to date with any new laws that might impact a company’s business, and to know the context from which privacy laws and regulations result. A thorough understanding of the laws then allows for the next step, which should be to create nuanced privacy policies tailored to each jurisdiction in which a company operates. The nuanced privacy policies companies implement cannot be viewed in isolation, but must instead be viewed holistically with a mind toward how they impact the privacy regimes in other jurisdictions. Such a global awareness will save the company time and, most importantly, will shield the company from liability. It is incumbent on privacy experts to guide companies through this process and to be the focal point of a company’s privacy strategy.

Rather than shying away from privacy in the hope that their privacy compliance procedures are adequate, companies should take a proactive role in embracing privacy. It is undoubtedly better to think in advance of how a company will ensure compliance with privacy regulations than to suffer the consequences of learning that its privacy policy is inadequate after the fact. And privacy cannot be ignored; the high-profile cases of McDonald’s and Google, not to mention other instances of privacy breaches, indicate how serious an issue privacy currently is as well as how critical it will be in the future. As one vice president of information protection and privacy stated, “[g]ood privacy is good business.” Bad privacy is, by implication, bad business.


Greg Henning is a 3L at the University of Denver Sturm College of Law and a General Editor for the View From Above.


[1] Partner of Jones Day’s New York office and professor of Privacy Law at Hunter College. 53 No. 1 Prac. Law. 17, 19.

[2] There has been an administrative law decision that found SOX to have no extraterritorial reach. See Villanueva v. Core Labs. NV, ARB No. 09-108, ARB’s Final Decision and Order (Dept. of Labor, Dec. 22, 2011), available at http://www.oalj.dol.gov/PUBLIC/ARB/DECISIONS/ARB_Decisions/SOX/09_108.SOXP.HTM. For an analysis of the implications of this decision, see Anthony J. Oncidi & Jeremy M. Mittman, New US Decision Limiting Extraterritorial Scope of ‘Whistleblowing’ Provides Welcome Clarification to US Multinationals, 22 No. 1 Emp. & Indus. Rel. L. 15 (2012).

[3] Francisco M. Ugarte, Reconstruction Redux: Rehnquist, Morrison, and the Civil Rights Cases, 41 Harv. C.R.-C.L. L. Rev. 481, 507 (2006).

[4] See Dennis D. Hirsch, In Search of the Holy Grail: Achieving Global Privacy Rules Through Sector-Based Codes of Conduct, 74 Ohio St. L.J. 1029, 1035 (2013) (“The important differences among national systems occur, not with respect to these broad principles, but in how countries interpret and apply them. Examples abound. Some nations define “personally identifiable information” (PII) more broadly than others. Some exclude certain types of personal information, even if it falls within the definition of PII. Countries disagree on what constitutes adequate notice.”) (citations omitted).

[5] See Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 Stan. L. Rev. 1315, 1334 (2000) (“Oversight of information privacy is also handled in many different ways. Data protection supervisory agencies are a common feature in democracies, but agency powers are often specific to each country. Some countries, for example, established regulatory enforcement agencies and licensing boards, while others adopted an ombudsman position.”) (citations omitted).

Posted in DJILP Staff, Greg Henning, TVFA Posts

One Size Won’t Fit All: Multinational Corporations’ Compliance with Privacy Regulations (Part 2 of 3)

Part 2: Privacy Approaches Applied

This is the second post in a three-part blog post examining privacy issues confronting multinational corporations in a global economy. The first post explored privacy generally by analyzing privacy as the concept is understood and applied in the European Union, in China, and in the United States. This post will assess the experiences of Google and McDonald’s in adhering to privacy regulations while operating on a global level in attempting to comply with the three privacy regimes described in the first post. The third post will provide recommendations on privacy strategies companies can implement to mitigate some of the issues identified in the second post. These posts do not attempt to provide an exhaustive list of privacy issues multinational corporations encounter, but they are intended to show the importance of privacy concerns and to highlight the need to confront compliance issues in a proactive manner.


Introduction

“[I]n times of globalized business operations, a company’s business strategy in one market might affect the standard against which the company is measured in other markets and jurisdictions.”[1]

As the first post in this series discussed, privacy regimes vary according to geography, societal values, and historical contexts. Companies operating in multiple jurisdictions have to function in these varied privacy regimes, and it is not always a simple task. As the following case illustrations demonstrate, compliance with one privacy scheme raises the possibility of violating the privacy regulations of another jurisdiction. The first case illustration depicts Google’s troubles in Italy following its activities in China. The second case illustration explores McDonald’s struggles in complying with mandatory whistleblowing requirements in the U.S. that were in violation of E.U. privacy laws.

Unexpected Consequences: Google in Italy and China

The Setting


Google execs were convicted for sharing of information related to a video (Bloomberg)

On February 24, 2010, three Google executives were found guilty of violating the privacy of a child. The controversy started in 2006 when a video was uploaded to a site owned by Google featuring a group of teenagers insulting and assaulting an autistic boy, specifically calling the boy a “mongoloid.”[2] After it was uploaded, the video became popular enough that it was ranked as “the funniest video on Google Italia. It was rated 29th of the most downloaded videos on Google Italia.”[3] Although Google removed the video within hours after being notified that it infringed on the victim’s privacy, the damage was already done.

During the trial, the Google executives were charged with, among other things, violating the victim’s privacy rights, though the Google employees were only found guilty of the privacy charge. At the heart of the ruling was Google’s AdWords program, which placed advertising on the side of the screen when users watched videos on the Google-operated site. The court found that the video contained personal information based on the use of the word “Mongoloid.” According to Directive 95/46/EC of the European Parliament and of the Council, discussed in Part I, personal information is prohibited from being shared without the subject’s unambiguous consent. Because Google permitted the content of the video to be shared and derived a profit from sharing such information in the form of revenue generated from the AdWords program, the court determined that Google had violated the victim’s right to privacy.

The Google executives unsuccessfully argued that they fell under an exemption for personal liability found in Directive 95/46/EC of the European Parliament and of the Council. Paragraph 47 of Directive 95/46/EC excuses liability for those who merely serve as a vehicle to transmit personal data, as opposed to those providers who actually control the transmission of personal data.[4] The court dismissed this argument, finding that Google has increasingly taken a more active approach in the services it provides.[5] The Court relied primarily on the fact that Google’s revenue from its AdWords program is proportionate to the popularity of a given video. Because the video was popular and because Google had the potential of deriving greater profits based on that popularity, the court reasoned that Google obtained profit, through its AdWords program, at the expense of a violation of the victim’s privacy rights.[6] Google’s active approach to providing services, rather than simply its role as a passive vehicle for the transmission of data, is evidenced by its activities in China, on which the prosecution rested its case.[7]

Google as a Content Provider

When Google launched its services in China in 2005, the company modified its search algorithm to exclude controversial topics, such as information relating to Tiananmen Square or the Falun Gong movement. The main draw of the Chinese internet market is its colossal size; the population of internet users in China was estimated at 384 million in 2010, which was more than the entire population of the United States at the time. In order to tap into such a massive market, Google had to comply with China’s internet censorship protocol, known colloquially as “the Great Firewall.” The Great Firewall is but a part of the Chinese government’s attempts to censor information domestically and abroad, and tens of thousands of Chinese workers are employed to ensure that sensitive information is restricted from general access. In order to adhere to China’s censorship regime, search engines in China, like Google, are prevented from linking to sensitive information. In 2010, Google moved its services for operations in China to Hong Kong, which allowed Google to stop its self-censorship, though the content accessed through Google’s services was still filtered in mainland China. The move to Hong Kong was seen as a partial retreat from Google’s stance of filtering the content it provided. Thereafter, Google actively sought to promote freedom of information on the internet by informing the Chinese population that they would likely experience short breaks in their connection when searching for prohibited content, although this practice was quietly abandoned in January 2013.

Although there was general disagreement with Google’s censorship policy in China, resulting in claims that Google’s modifications in China contradicted Google’s core value of “don’t be evil,”[8] the decision to restrict user access to the content Google provided also had another, more insidious component: it pushed Google’s activities from a “mere conduit of information” toward becoming a “full-fledged media company.”[9] Google has a long-standing tradition of insisting that it “is not a media company, that its [sic] organizes and manages content, but stays away from producing it.” This mantra is being tested, however, as Google expands into offering more services and products. “[I]t may be time to retire the trope,” says a Forbes article, indicating that any argument over Google’s media company status is now moot. Google’s image as a passive conduit for unfiltered media has been questioned when it attempted to buy a social-networking site, when it launched a magazine, and when it operated a recipe-sharing site. However, it was Google’s censorship activities in China that raised serious questions for the Italian court about Google’s passive role in the provision of internet content.

The Court Decision and the Aftermath

David Thorne, the American ambassador to Italy at the time of the 2010 case against the Google executives, stated in response to the Italian court’s decision that he disagreed with the idea that “Internet service providers are responsible prior to posting for the content uploaded by users . . .” During the case, Google argued in its defense that its and other search engines’ activities would be significantly impacted if an internet company could be liable for the content uploaded by third parties. The winning argument for the prosecutors took a contrary view: if Google was able to filter the content it provided in China, it could do the same in Italy to “protect human dignity.” Alfredo Robledo, the prosecutor in the case against Google, stated that the case was not about the freedom of the internet, but rather human dignity; “[t]he rights of a business enterprise cannot take precedence over the dignity of the individual.”

The Italian court’s decision finding the Google executives guilty was overturned in December 2012. The initial guilty verdict had raised concerns about internet freedom in Italy. Under E.U. law, internet service companies that merely serve as a conduit for information are exempt from liability for the content uploaded by third parties.[10] Under the lower court’s decision, this exemption from liability would have been significantly narrowed to those few internet service companies that do absolutely nothing more than provide access to information. The appeals court rejected the narrow reading of the hosting exemption and instead adopted a position imposing liability only on companies that “host user-generated content” and fail to act once illegal content has been uploaded to the provider’s site. In the Google case, this meant that the executives would only be liable if they failed to remove the video despite having received notice that it violated the victim’s privacy rights. Because Google removed the offensive video within hours of receiving notice of a violation of the victim’s privacy, the appeals court reasoned that Google was not liable. The reasoning of the appeals court was upheld by Italy’s highest court in December 2013.

Clash of Regulatory Schemes: McDonald’s in France

The Setting

Le McDonald’s (Alamy)

In January 2005, McDonald’s France, the French division of McDonald’s global operations, sought an opinion from France’s privacy regulatory body, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), regarding the creation of a system of “professional integrity.”[11] The professional integrity plan would have permitted McDonald’s France employees to report any misconduct anonymously. Any reported misconduct, including questionable accounting practices and internal controls over accounting or auditing methods, would have been processed in the U.S. and reported to the general counsel of McDonald’s France. McDonald’s France requested the opinion for its professional integrity plan at the behest of its U.S. parent corporation in an attempt to comply with provisions of the Sarbanes-Oxley Act (“SOX”). Although McDonald’s France requested the opinion before it had actually implemented its proposed professional integrity plan, the CNIL refused to authorize any such “whistleblower” hotline. The CNIL’s decision to reject McDonald’s France’s proposal made it impossible for its U.S. parent corporation to comply with its obligations under SOX.

Sarbanes-Oxley

To truly understand the obstacles McDonald’s France was facing, it is important to explore SOX in more depth. Following the Enron and WorldCom scandals, Congress enacted SOX in order to improve the accuracy and reliability of corporate disclosures. Among the many provisions SOX introduced, of particular importance to McDonald’s was the SOX requirement that companies must create and apply procedures for the confidential, anonymous reporting of questionable accounting or auditing controls.[12] Further, SOX mandates that employees reporting on such practices must be protected from retaliation for their disclosure activities.[13] That these requirements apply to U.S. companies is apparent, but it is far less certain whether these requirements apply extraterritorially as well.[14] Because of this uncertainty, many multinational corporations, such as McDonald’s, determined that it would be prudent to act as if SOX applied to all of their operations, including subsidiary operations in foreign jurisdictions.[15] Therefore, McDonald’s France’s professional integrity plan, calling for anonymous reporting of confidential information regarding misconduct, is best understood in the context of an American parent corporation, McDonald’s in the U.S., attempting to comply with the SOX requirements in every geographic region of its operations.

French Agency’s Determinations

The CNIL review of McDonald’s France’s proposed professional integrity plan found that the plan involved the collection of personal information and that McDonald’s France was a “controller” of personal data. According to Article 2(d) of the E.U. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and French law implementing the Directive, controllers of personal data are permitted to “collect and process personal data in order to satisfy legal obligations to which they are subject.”[16] Because McDonald’s France employees participated in the professional integrity plan, the CNIL determined that McDonald’s France was a controller of personal data and that the CNIL had authority to make findings on whether the professional integrity plan complied with the law.[17]

The CNIL ultimately concluded that McDonald’s France’s professional integrity plan involved violations of the law. Of primary concern to the CNIL was that individuals alleged to have participated in misconduct, as disclosed by whistleblowers, would be unable to “hear or reply to the accusations made against them.” The CNIL determined that the policy behind French data protection laws, and the E.U. laws by extension, is to ensure that citizens know who possesses their personal information, are informed about who has access to that information, and can take remedial measures to correct any false information. Because anonymous and confidential reporting of personal information would not allow for the requisite transparency in regard to personal information, the CNIL determined that the professional integrity plan “could lead to an organized system of professional denunciation.”

The CNIL also determined that McDonald’s France’s system was disproportionate to the objectives it sought to accomplish. Noting that “other legal means exist to guaranty [sic] compliance with legal provisions and company rules,” the CNIL found that the risk of professional denunciation and the “stigmatization of employees” was greater than the need for the professional integrity plan’s reporting system.[18] Although the CNIL was aware of the obligations imposed by the SOX provisions when it denied McDonald’s France’s application for permission to implement the professional integrity plan, the decision did nothing to ameliorate McDonald’s conundrum of seeking to comply with SOX and French privacy laws.

Aftermath of Determination

After the McDonald’s France ruling, the CNIL attempted to provide some guidance on how to comply with both SOX whistleblowing requirements and French privacy laws. In November 2005, the CNIL indicated that whistleblowing procedures may be implemented, but only as long as they are voluntary and are a supplement to other means of communication within a corporation. Further, the November 2005 guideline document stated that “a whistleblowing system may only be considered as legitimate if it is necessary to comply with a legal obligation.” Because the November 2005 guidance document was limited and left important issues unresolved, the CNIL released a whistleblowing directive in December 2005. The directive explains that whistleblowing procedures are permissible so long as they strictly comply with the directive’s requirements. Among the many items addressed in the December directive, one important requirement is that whistleblowers are obligated to identify themselves, and that this identification remains confidential.[19] The directive also allows for two instances where a whistleblower may remain anonymous: when precautions are properly taken in processing the information, and when the company does not promote anonymous whistleblowing.[20] Although the December 2005 directive clears up some of the confusion surrounding compliance with French law while still adhering to the SOX requirements, McDonald’s France must still ensure that the SOX-compliant whistleblower procedure it adopts is likewise compliant with French privacy regulations.

Conclusion

Both Google’s and McDonald’s experiences illustrate the complications that arise when operating in a global marketplace. In Google’s case, its actions in China had a direct impact on the liability it faced in Italy for privacy issues entirely unrelated to its operations in China. In McDonald’s case, its attempts to comply with U.S. regulations resulted in a direct conflict with the privacy regulations in France. Both situations have since been ameliorated to a certain extent (Google’s executives were relieved from liability by Italy’s highest court, and McDonald’s is better able to comply with French privacy regulations due in large part to clarifications of the law), but these examples serve to illustrate the complexities inherent in operating in multiple jurisdictions with many varied, sometimes even competing, privacy regulations. This dilemma, encountered by every multinational corporation, must be addressed, and the final installment in these blog posts will offer potential methods for addressing privacy issues in an effective manner.


Greg Henning is a 3L at the University of Denver Sturm College of Law and a General Editor for the View From Above.



[1] David Scheffer & Caroline Kaeb, The Five Levels of CSR Compliance: The Resiliency of Corporate Liability Under the Alien Tort Statute and the Case for a Counterattack Strategy in Compliance, 29 Berkeley J. Int’l L. 334, 394 (2011).

[2] See Raul Mendez, Google Case in Italy, Int’l Data Privacy L., Feb. 25, 2011, http://idpl.oxfordjournals.org/content/early/2011/02/25/idpl.ipr003.full#xref-fn-1-1.

[3] Id.

[4] See Council Directive 95/46/EC, ¶ 47, 1995 O.J. (L 281) 31, 36.

[5] See Mendez, supra note 2.

[6] See id.

[7] See Scheffer & Kaeb, supra note 1.

[8] Google has limited its activities in China but still complies with Chinese authorities in restricting content. See Mic Wright, Google Shows China the White Flag of Surrender, The Telegraph (Jan. 7, 2013), http://blogs.telegraph.co.uk/technology/micwright/100008624/google-shows-china-the-white-flag-of-surrender/.

[9] Scheffer & Kaeb, supra note 1.

[10] See Council Directive 95/46/EC, ¶ 47, 1995 O.J. (L 281) 32, 36.

[11] Marisa Anne Pagnattaro & Ellen R. Peirce, Between a Rock and a Hard Place: The Conflict Between U.S. Corporate Codes of Conduct and European Privacy and Work Laws, 28 Berkeley J. Emp. & Lab. L. 375, 411 (2007).

[12] See 15 U.S.C. § 78j-1(m)(4)(B) (2010).

[13] See 18 U.S.C. § 1514A (2010).

[14] See Donald C. Dowling, Jr., Sarbanes-Oxley Whistleblower Hotlines Across Europe: Directions Through the Maze, 42 Int’l Law. 1, 7 (2008) (“But our SOX hotline question here is international: Whether SOX’s mandate of ‘confidential, anonymous’ employee reporting ‘procedures’ extends as well to ‘employees’ of SOX-regulated companies (and their subsidiaries) who work and live abroad.”).

[15] See id. (“But contrary to the widespread assumption of countless U.S.-based multinationals examining this issue, a viable argument exists that the Section 301 ‘complaint procedure’ mandate is confined to ‘employee’ populations working on U.S. soil.”).

[16] See Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data art. 2(d), Jan. 28, 1981, E.T.S. 108.

[17] See Pagnattaro & Peirce, supra note 11, at 412.

[18] See id. at 413 (“In other words, the harm that could be caused by a slanderous accusation–to which the employee may not be able to adequately respond–was too great a burden and outweighed the justifications for the hotlines.”).

[19] See id. at 421.

[20] Id.


One Size Won’t Fit All: Multinational Corporations’ Compliance with Privacy Regulations (Part 1 of 3)

Part 1: What Does “Privacy” Mean?

This is the first post in a three part series examining the issues multinational corporations face in complying with privacy regulations in the U.S. and abroad. This post will explore privacy generally by analyzing privacy as the concept is understood and applied in the European Union, in China, and in the United States. The second post will review two case studies to introduce specific issues multinational corporations have run into in attempting to comply with the three privacy regimes described in the first post. The third post will provide recommendations on privacy strategies companies can implement to mitigate some of the issues identified in the second post. These posts do not attempt to provide an exhaustive list of privacy issues multinational corporations encounter, but they are intended to show the importance of privacy concerns and to highlight the need to confront compliance issues in a proactive manner.


Introduction

“Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.” – Robert C. Post

The amount of personal data that is available via the internet is astounding, and that data is valuable. Stores are eager to employ “predictive analytics” in order to understand “not just consumers’ shopping habits but also their personal habits, so as to more efficiently market to them.” The more information a store can obtain about an individual, the easier it is to send that individual advertisements geared specifically to his or her needs. For instance, it is now possible, based on consumer purchasing habits, to track an individual’s pattern of purchases and predict when that individual is experiencing a major life change. Once an individual’s purchasing patterns change, the company can respond to the changed circumstances with targeted advertising. Another example is how GPS information in your car has the potential to be shared with businesses to provide targeted advertisements for nearby restaurants.

Louis Brandeis, circa 1890, was one of the first scholars to attempt to define the principle of privacy

Although businesses are eager to use information on consumer habits, many people view this kind of information gathering and dissemination as an invasion of privacy. Unsurprisingly, legislators in the U.S. have sought to introduce laws curtailing the ability to collect consumer information without the consumer’s permission. But laws aimed at protecting consumer information must first answer a fundamental question: what exactly is “privacy”? Although it is beyond the scope of these posts to provide an exhaustive list of the ways in which scholars have defined “privacy,” it is important to understand the context in which debates over privacy occur in order to better understand the conflicts multinational corporations face in complying with differing privacy regimes.

Definitions of “Privacy”

One of the earliest and most influential attempts to define privacy in the U.S. was The Right to Privacy, authored by Samuel Warren and Louis Brandeis. Published in 1890, The Right to Privacy attempted to discern whether the law recognized a “principle which can properly be invoked to protect the privacy of the individual . . .”[1] The article broadly defined privacy to include those things which “concern the private life, habits, acts, and relations of an individual,” those things which do not concern an individual’s fitness for a public office, and those things which do not concern an individual’s acts performed in a public place.[2] Privacy was defined in terms of a right, the “right to be left alone.”[3]

The definition of privacy has greatly expanded since The Right to Privacy was first published. One scholar has recently claimed that “[c]urrently, privacy is a sweeping concept, encompassing (among other things) freedom of thought, control over one’s body, solitude in one’s home, control over information about oneself, freedom from surveillance, protection of one’s reputation, and protection from searches and interrogations.”[4] Other interests identified as falling under the privacy umbrella include the protection of consumer data, credit reporting, workplace privacy, discovery in civil litigation, the dissemination of personal images, or shielding criminal offenders from public exposure.[5]

Privacy is so broad because “[c]onceptualizing privacy not only involves defining privacy but articulating the value of privacy. The value of privacy concerns its importance – how privacy is to be weighed relative to other interests and values.”[6] Such a balancing of the competing interests contemplated by the term “privacy” will depend on the cultural and historical context in which the interests are examined.[7] For example, a right to privacy for most Americans would include the right to choose the names of their children without any interference. In contrast, it is permissible for French and German courts to determine that a name given to a newborn is contrary to the child’s best interests.[8] Similarly, Americans cleave tightly to the notion that a “broadly defined freedom of the press assures the maintenance of [America’s] political system and an open society.”[9] In China, in contrast, the notion of an independent press is absent; the majority of “print media, broadcast media, and book publishers were affiliated with the [Chinese Communist Party] or a government agency.”[10] Whether privacy means ensuring parents’ ability to name their own children or the right to an independent press, how privacy is defined is largely dependent on cultural influences.

Same Principle, Different Approaches: Privacy in the E.U., China, and the U.S.

The European Union

Privacy laws in Europe have been shaped by the continent’s social and political history. According to James Whitman, a professor of comparative and foreign law at Yale University, the European privacy regime is a direct product of the hierarchical structure of society endemic to Europe’s past.[11] Whitman argues that Europe’s privacy laws are a “form of protection of a right to respect and personal dignity,” focusing on the “rights to one’s image, name, and reputation . . . [and] the right to informational self-determination–the right to control the sorts of information disclosed about oneself.”[12]

The E.U.’s basic regime for protecting privacy rights is found in the European Convention for the Protection of Human Rights and Fundamental Rights (“E.U. Convention”) of 1953. Article 8 of the E.U. Convention provides that “[e]veryone has the right to respect for his private and family life, his home and his correspondence.” The Article further states that:

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

European privacy rights were expanded by the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“E.U. Data Convention”). Mindful “that it is desirable to extend the safeguards for everyone’s rights and fundamental freedoms, and in particular the right to the respect for privacy,” the E.U. Data Convention sought to ensure that every individual was afforded “respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him.”

E.U. Commissioner Viviane Reding, circa 2012, defends a bill meant to improve data protection (Reuters)

Privacy in the E.U. is further protected as a result of the adoption of Directive 95/46/EC of the European Parliament and of the Council (“E.U. Directive”). The E.U. Directive creates a legal floor for the minimum amount of privacy protection member states must afford to their citizens,[13] and it specifically limits processing of personal data.[14] Significantly, the E.U. Directive allows member states to craft laws penalizing parties for non-compliance with its provisions[15] and laws ensuring that processing personal information is only permissible after the subject “unambiguously” gives his or her consent.[16]

One final piece of E.U. privacy legislation relevant to this discussion is the Charter of Fundamental Rights of the E.U. (“E.U. Charter”). The E.U. Charter expressly protects personal data by stating that every person has the right to protect their personal data, to access the data that has been collected about them, and to be afforded the opportunity to rectify any incorrect information.[17] The E.U. Charter further states that any personal data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.”

These four pieces of legislation form the basis of privacy rights in the E.U. They affirm an individual’s right to privacy, which in turn provides a right to “respect and dignity” concerning what personal information is disclosed, the method whereby that information is disclosed, and the ability to control personal information. Multinational corporations operating in the E.U. must be cognizant of the E.U.’s omnibus approach to privacy, which incorporates laws “in which the government has defined requirements throughout the economy including public-sector, private-sector and health-sector.”

The United States

Just as the development of privacy law in Europe was governed by Europe’s historical social context, so too has America’s privacy law been determined by its unique social history. Conceived in the context of overthrowing the monarchical control Britain held over its colonies, it is no surprise that privacy in the U.S. is rooted in a deep mistrust of the government.[18] Therefore, the primary privacy concern of Americans might be generalized as protection of the sanctity of the private home against government interference.[19] Because such a privacy concern is defined broadly, U.S. approaches to privacy have focused on specific remedial efforts rather than comprehensive action.[20]

In contrast to the omnibus approach of the E.U. toward privacy protection, the U.S. has adopted a sectoral approach to privacy regulation. The sectoral approach places significance on industry self-regulation while relying on case law and highly specific legislation to protect particular aspects of privacy law.[21] For example, U.S. Supreme Court cases have recognized a right to privacy regarding family planning[22] and intimacy[23] as “penumbras” emanating from the Bill of Rights despite the lack of an enumerated right of privacy.[24] Industry self-regulation must give way, however, when Congress perceives a failure on the part of industry to adequately protect privacy. Although there are many examples of interest-specific protections, such as the Health Insurance Portability and Accountability Act, one example of specific legislation with particular importance to these posts is the Sarbanes-Oxley Act (“SOX”).

President Bush signs the Sarbanes-Oxley Act in 2002 (Ketan Rathod)

Although SOX amended many government statutes, of primary concern here is the Whistleblower Protection for Employees of Publicly Traded Companies provision.[25] The whistleblower provision delivers employees a cause of action against employer retaliation for the employee’s disclosure of the employer’s illegal conduct.[26] Further, SOX amended the Securities and Exchange Act of 1934 to require procedures for receiving whistleblower complaints and ensuring that whistleblowers are able to make communications in a confidential, anonymous manner.[27]

China

China’s privacy policy, like that of the U.S. and the E.U., is the product of its past; but, like the E.U. and unlike the U.S., China has focused on omnibus regulations rather than adopting a sectoral approach. To many, China is perceived as an authoritarian government that closely monitors its citizens, effectively depriving them of any meaningful expectation of privacy. China does, however, have more than 200 laws or regulations referencing privacy in some manner,[28] but the privacy protections are viewed as “more aspirational than descriptive.”[29]

The Chinese Constitution provides citizens with privacy protections, stating that citizens’ “personal dignity,” residences, and correspondence, as well as their ability to criticize the government, are protected. In the case of correspondence, the Constitution permits the suspension of private communication “to meet the needs of State security.” China’s General Civil Code also provides for certain privacy protections, including the “right of portrait,” the use of which without the owner’s permission is not permitted. However, despite the promise of these privacy rights, they are frequently violated.[30] As a condition of foreign companies operating in China, the Chinese government requires compliance with its monitoring activities.[31]

Conclusion

The interests protected under the term “privacy” will vary between jurisdictions because of unique historical and social contexts. The E.U.’s omnibus approach to privacy protection traces its inception to the need to protect human dignity, which is furthered only if people have access to and control over their personal information. In contrast, the sectoral approach adopted in the U.S. is the offspring of a mistrust of government intervention; the government should not be permitted to intrude into a citizen’s home or into how companies operate, so long as companies are acting fairly. China, like the E.U., has adopted an omnibus privacy regulatory scheme, but the protections enumerated in its laws are frequently in conflict with the government’s censorship regime. Although derived from cultural and ideological differences, the differing interests protected by the various privacy regimes have practical consequences for companies operating in multiple jurisdictions. The next post in this three-part blog series will use two case examples to illustrate the issues companies must face in operating in the global economy.


Greg Henning is a 3L at the University of Denver Sturm College of Law and a General Editor for the View From Above.



[1] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 197 (1890).

[2] See id. at 216.

[3] See id. at 195 (internal citations omitted).

[4] Daniel J. Solove, Conceptualizing Privacy, 90 Cal. L. Rev. 1087, 1088 (2002).

[5] See James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151, 1156 (2004) (referring to the types of interests European privacy laws seek to protect) (internal citations omitted).

[6] Privacy book, page 42.

[7] See Helen Nissenbaum, Privacy as Contextual Integrity, 79 Wash. L. Rev. 119, 156 (2004) (“[N]orms of privacy in fact vary considerably from place to place, culture to culture, period to period . . ..”).

[8] See id. at 1216.

[9] Time, Inc. v. Hill, 385 U.S. 374, 389 (1967).

[10] Country Reports on Human Rights Practices for 2012: China (Includes Tibet, Hong Kong, and Macau), U.S. Dept. of State (last visited Feb. 17, 2014), http://www.state.gov/j/drl/rls/hrrpt/humanrightsreport/index.htm?year=2012&dlid=204193.

[11] See Whitman, supra note 5, at 1165.

[12] Id. at 1161.

[13] See Council Directive 95/46/EC, art. 13, 1995 O.J. (L 281) 31, 42.

[14] See id. arts. 6-9.

[15] Id. art. 23.

[16] Id. art. 7.

[17] Charter of Fundamental Rights of the European Union, art. 8, 2000 O.J. (C 364), 1, 10.

[18] See Whitman, supra note 5, at 1211.

[19] See id. at 1161-62.

[20] See Ryan Moshell, 373

[21] See Anna E. Shimanek, Do You Want Milk With Those Cookies?: Complying with the Safe Harbor Privacy Principles, 26 J. Corp. L. 455, 465-66 (2001).

[22] Griswold v. Connecticut, 381 U.S. 479 (1965).

[23] Lawrence v. Texas, 539 U.S. 558 (2005).

[24] See Griswold, 381 U.S. 479, 484.

[25] 18 U.S.C. § 1514A (2010).

[26] See id.

[27] See 15 U.S.C. § 78j-1 (2010).

[28] See Ann Bartow, Privacy Laws and Privacy Levers: Online Surveillance Versus Economic Development in The People’s Republic of China, 74 Ohio St. L.J. 853, 855 (2013).

[29] Id. at 856.

[30] See Country Reports on Human Rights Practices for 2012: China (Includes Tibet, Hong Kong, and Macau), U.S. Dept. of State (last visited Feb. 17, 2014), http://www.state.gov/j/drl/rls/hrrpt/humanrightsreport/index.htm?year=2012&dlid=204193.

[31] See David Scheffer & Caroline Kaeb, The Five Levels of CSR Compliance: The Resiliency of Corporate Liability Under the Alien Tort Statute and the Case for a Counterattack Strategy in Compliance, 29 Berkeley J. Int’l L. 334, 389-90 (2011).


Critical Analysis: The Changing Landscape of International Privacy

In the weeks and months to come, the international community will see the deployment of a number of new privacy initiatives. The new privacy laws are likely to have been spurred by several factors, including: the need to update existing laws that are nearly 20 years old; data breaches and government leaks; and the increasing pressure to come into compliance with the privacy standards established by the European Union.

Noteworthy developments are coming from across the globe, with some of the most recent reforms coming out of Malaysia, South Africa and Ukraine.

New data and privacy developments are happening across the globe in an effort to update old policies.

Malaysia’s Personal Data Protection Act came into effect last November, but a deadline requiring companies to register by February 15th is fast approaching. The PDPA will require stricter data management standards for businesses and impose large fines on those who fail to comply. This hurdle will come quickly for many small and medium-sized business owners, who may not know how to implement the required changes or may have difficulty doing so. Despite the government’s efforts, there are many who are still in the dark about the Act.

Also in November, South Africa signed into law the Protection of Personal Information Act, but has yet to see an enforcement date. The Act expands on a general ‘right to privacy’ that had been established in 1996. The aims of the Act were to give effect to the constitutional right to privacy and to bring South Africa into alignment with the existing data protection framework. A noteworthy provision for businesses is that, much like the E.U. Safe Harbor requirements, the Act places restrictions on the flow of personal data outside of South Africa.

The regulatory structure responsible for data protection in Ukraine has undergone major reform.  One of the biggest changes was the abolition of the Data Protection Office and creation of the Ombudsman—an independent official appointed by the Parliament.  The move brings Ukraine into line with E.U. policies on Data Protection.

Although the trend seems to be that countries are implementing policies and statutes to come into compliance with E.U. standards, the European Union is expected to vote to replace the 1995 EU Data Protection Directive (95/46/EC).  Although the reform has been in the works since 2012, a vote to finalize the issue has been delayed and may not take place until 2015.  Changes, initially expected to broaden data exchange between the U.S. and E.U., may have different implications for the existing Safe Harbor framework following the exposure of widespread NSA surveillance.

The expansion of privacy regulation is good news for consumers worldwide, but also important for businesses who handle personal data.

Jordan Edmondson is a Staff Editor for the Denver Journal of International Law and Policy.

Posted in DJILP Staff, Jordan Edmondson, TVFA Posts

Critical Analysis: Internet Surveillance Concerns Spark International Response

In May 2013, NSA contractor Edward Snowden leaked classified documents relating to mass surveillance programs, igniting a long-overdue international conversation concerning the legal rights and protections of data and digital communications in the internet age. Initially the media focused on the compelling story of Snowden’s decision to sacrifice his comfortable lifestyle and personal privacy in his flight from the US to asylum in Russia. Eventually the attention returned to the main question: how do we ensure that internet users’ rights are protected as the internet becomes an ever-increasing part of our daily lives? One of the biggest challenges in answering this question will be balancing the competing interests of governments, international organizations, businesses and individuals.


European Union justice commissioner Viviane Reding addresses Parliament over privacy issues (picture-alliance/dpa)

The disclosures, which immediately sparked worldwide outrage, are now starting to bring about real change as governments begin to enact legislation that seeks to address many of the concerns exposed. The European Union recently approved new data protection rules aimed specifically at preventing the issues presented by mass governmental surveillance programs. The rules seek to establish online privacy rights for EU citizens, simplify the complaint process, and impose tougher standards on businesses that use personal data. The initial approval of these regulations has met criticism from internet businesses that say the new rules will result in impractical burdens.

While the European Union has led the charge, countries around the world have escalated the priority of data privacy laws. Indonesia publicly announced its support for United Nations’ actions with regard to data privacy. Opportunistic countries like the Bahamas are trying to establish themselves as safe places for companies to process personal data. Other countries, like Brazil, are taking more drastic positions on protecting their citizens’ data, calling for data localization and a break from the US-centric Internet. Part of the concern arises out of the perceived dominance of the United States in the realm of internet governance. However, there are legitimate concerns that regulations restricting the flow of data will fundamentally change the internet, resulting in data silos and reduced innovation.

Reactions to the NSA spying program have been mixed in the United States. Many officials at the federal level have either denied culpability or maintained the importance of the programs. United States citizens concerned about data privacy may have better luck taking up the issue with their state governments. While the United States federal government has sidestepped the issue, many states have recently enacted new data privacy laws, and state attorneys general can enforce those statutes. Privacy advocates hope that these laws will help to encourage laws at the federal level, which can be more expansive in the scope of their protection.

If global internet usage trends are any indication, the issues of data privacy and internet governance will remain at the forefront of international policy discussions. The issue of data privacy presents challenges on many fronts, including the fact that the pace of technological innovation vastly exceeds the ability of governing bodies to create legislation. In addition, we are seeing how the fear of data surveillance can strain the relationships between countries. However great the challenges may be, the fact that this issue has gained international attention and created an active dialogue is a necessary step in the right direction.

Matthew Aeschbacher is a 3LE law student at the University of Denver Sturm College of Law and a staff editor for the Denver Journal of International Law & Policy.

Posted in DJILP Staff, Matthew Aeschbacher, TVFA Posts

News Post: the Internet, Privacy, and National Security

Cell phone use in the Arab Spring

With the rise of hacker groups like “Anonymous,” coupled with the damage to Iran’s nuclear facilities left in the wake of the Stuxnet worm, 2012 has been coined the “Year of Cyber Security” by various media outlets. However, as the global community embarks upon what appears to be the epicenter of the Internet Age, privacy rights and freedom of speech on the internet create tension with governments’ domestic and national security and economic interests. Years before the advent of the internet, the United States Supreme Court cautioned in Keith against the potential for a government to undermine the right to privacy inherent in the Bill of Rights through the unabated use of electronic surveillance in the name of “domestic security.” Nearly four decades later and half-way across the globe, the Syrian Government has brought the fears of the Court to life; in an attempt to quell the recent uprising against the current political regime, the Syrian Government has begun blocking and intercepting text message communications between demonstration organizers and participants.

The Syrian government, using spyware technology, issued orders to block all text messages containing terms such as “revolution” or “demonstration.” While this technology is designed for protecting networks against spam and viruses, it also provides political regimes the ability to intercept their citizens’ e-mails and text messages, monitor Internet activity, and locate political targets. The orders from the Syrian Government are being carried out by two of the largest mobile networks in the country, Syriatel and MTN Syria, using software provided by Dublin-based Cellusys and AdaptiveMobile.

While AdaptiveMobile has yet to comment officially on the situation in Syria, it said in a statement that, in 2008, it provided MTN Syria with a standard SMS spam and MMS antivirus product for blocking spam, viruses, and inappropriate content. However, “given the changing political situation in the region”, AdaptiveMobile did not renew the contract with MTN Syria last year. Cellusys claims not to have sent workers to the country since 2009 and remains unaware of how its technology is being used today. Despite the use of European technology by the current Syrian political regime to repress demonstrators, the supply of the software to MTN Syria and Syriatel did not violate any Irish or European laws: the transactions occurred prior to the 2011 EU-imposed restrictions on sales of equipment to Syria that could be used for repression.

Even though the sales came about prior to the EU restrictions, human rights groups remain critical of both companies. Several human rights groups and supporters have argued in the past week that both companies were irresponsible in selling filtering technology to Syria and ignoring the likelihood that the technology would be used to repress political dissidents. Human rights groups assert that due diligence on the part of Cellusys and AdaptiveMobile would have revealed a high likelihood that the Syrian Government would use the technology to commit human rights violations. The activists point to a U.S. State Department Human Rights report from 2008, which found that Syria’s security forces “committed numerous, serious human rights abuses” and “tortured and physically abused prisoners and detainees.”

The news from Syria comes in the wake of the Arab Spring. Still fresh a year later in the minds of people the world over, the use of Twitter, Facebook and text messaging was integral to organizing the revolutions and demonstrations that toppled autocratic regimes in Tunisia, Egypt and Libya. By intercepting the private text messages and online communications of its citizens, the Syrian Government goes beyond merely containing anti-regime sentiment and violates an often forgotten human right in today’s Facebook-addicted society: privacy. As the international community begins to confront and monitor hacker groups like “Anonymous” in the name of domestic security, we must remember Syria’s censorship and interception of the private conversations of its citizens in the years to come.

Posted in DJILP Staff, TVFA Posts
