After a few months off (too many GDPR projects…), we are pleased to renew our monthly updates and provide you with our Group’s July newsletter, featuring leading Cyber, Privacy and Copyright regulation, case-law and related developments in the United States, Europe and Israel.
This edition features the following items:
- New privacy legislation hastily enacted in California
- Google faced with record breaking fine by EU regulators
- European parliament calls for suspension of EU-US Privacy Shield
- Israeli Privacy regulator issues opinion on surveillance cameras in kindergartens
- The EU and Japan agree on reciprocal adequacy for data transfers
NEW PRIVACY LEGISLATION HASTILY ENACTED IN CALIFORNIA
Earlier this summer, California lawmakers enacted a new privacy-centric law known as the “California Consumer Privacy Act of 2018” (CCPA). The CCPA will take effect on January 1, 2020.
This comprehensive legislation shares certain similarities with the European General Data Protection Regulation (GDPR) that became enforceable this May. Amongst other similarities, the CCPA adopts a number of GDPR principles, such as a ‘data controller’ and the GDPR’s broad definition for ‘personal information’.
The new legislation gives Californians a right to review the information that businesses collect about them, request its deletion, and be told who the information may have been sold to and request to cease such sale of data. The new law also gives consumers the right to opt-out of the sale of their personal information by a business, and at the same time, prohibits the business from discriminating against the consumer for exercising this right.
The Attorney General of California is responsible for the enforcement of the CCPA while consumers have no causes of action under the new law except in cases of data breaches.
The CCPA was hastily enacted in order to eliminate a ballot initiative seeking to enact a much harsher privacy law. The ballot initiative had earned the support of more than 600,000 Californians, but its initiators promised to withdraw it if an appropriate privacy law is enacted. Until it takes effect in about 17 months, lawmakers have plenty of time to amend the law before it becomes applicable.
July 18, 2018
GOOGLE FACES RECORD BREAKING FINE BY THE EU
The European Commission has fined Google with an unprecedented penalty of 4.3 billion Euros (about 5 billion dollars) for breaching EU antitrust rules. The European Commission determined that since 2011, Google has been imposing unlawful restrictions on Android device manufacturers and mobile network operators to establish the dominant position of its search engine. In particular, the EU Commission alleges that, Google -
- Required manufacturers to pre-install the Google Search app and browser app (Chrome) as a condition for licensing Google's app store (the Play Store);
- Paid certain large manufacturers and mobile network operators on condition that they exclusively pre-install the Google Search app on their devices; and
- Prevented manufacturers that wished to pre-install Google apps from selling even a single smart mobile device running on alternative versions of Android that were not approved by Google (socalled "Android forks").
In accordance with the EU Commission’s decision, Google must now bring this conduct effectively to an end within 90 days of the date of the decision, or face penalty payments of up to 5% of the average daily worldwide turnover of Alphabet, Google's parent company.
EUROPEAN PARLIAMENT CALLS FOR SUSPENSION OF EU-US PRIVACY SHIELD
Earlier this summer, the European Parliament passed a nonbinding resolution calling on the European Commission to suspend the EU-US Privacy Shield unless the United States becomes fully compliant with EU data protection laws by September 1, 2018.
The Privacy Shield is an arrangement between the authorities in the US and the EU, enabling US companies who certify to the Privacy Shield framework to receive personal data from EU countries, for processing and handling in the US. The European Parliament’s resolution indicates that the current arrangement does not provide the adequate level of protection required by EU data protection laws. The resolution seeks to make sure that US companies fully comply with EU data protection laws, with no “loopholes or competitive advantage for US companies”.
The resolution echoed recent revelations regarding the practices of Facebook and Cambridge Analytica, which highlighted the need for better monitoring of the arrangement, given that both companies are certified under the Privacy Shield. The resolution expects US authorities to remove companies that have misused personal data from the Privacy Shield list, where appropriate. It also encourages EU authorities to investigate such misuse and if appropriate, suspend data transfers under the Privacy Shield. CLICK HERE to read the resolution
July 8, 2018
ISRAELI PRIVACY REGULATOR ISSUES OPINION ON SURVEILLANCE CAMERAS IN KINDERGARTENS
Following incidents of abuse of children in kindergartens and calls to install security cameras in order to ensure the safety of the infants, the Israeli Privacy Protection Authority (PPA) has published an opinion on surveillance cameras used in kindergartens. According to PPA’s opinion, before deciding to install surveillance cameras, a kindergarten must obtain legal counsel on whether the installation is necessary to protect the children and whether the privacy risks arising from installing cameras do not outweigh their potential benefits. If the legal analysis concludes that cameras are necessary, the kindergarten should consider where it should store the camera’s footage, how long to retain the footage and the security measures taken to safeguard the footage. On the other hand, if the legal analysis finds that the risks in placing the cameras outweigh their potential benefit, resulting in disproportional invasion of the children’s privacy, then installing cameras in the kindergarten could constitute a criminal offense.
The use of surveillance cameras in kindergartens is subject to the oversight of the PPA. Consequently, a violation of the provisions of the Israeli Protection of Privacy Law and its corresponding regulations, relating to the installation of surveillance cameras in kindergartens, could result in investigative and enforcement measures taken by PPA.
July 17, 2018
THE EU AND JAPAN AGREE ON RECIPROCAL ADEQUACY FOR DATA TRANSFERS
The EU and Japan have agreed to recognize each other's data protection systems as 'equivalent', allowing the transfer of personal information between the EU countries and Japan. The agreement was announced during an economic summit in Tokyo. The agreement is due to enter into effect at the end of the year, after the European Data Protection Board (the pan-EU privacy regulator) gives its opinion on recognizing Japan as a country compatible with the European standards for the protection of personal data.
The GDPR states that transfer of personal data to a third country may take place only where the European Commission has determined that the country in question ensures an adequate level of protection of personal data. To date, thirteen countries have been recognized as ensuring an adequate level of protection, including Israel.
To live up to the European standards, Japan will have to implement changes in two areas:
- Japanese legislation should be amended to provide individuals in the EU whose personal data are transferred to Japan, with additional safeguards that will bridge gaps between the two data protection systems. For example, these additional safeguards will strengthen the protection of sensitive data, the conditions under which EU data can be further transferred from Japan to another country and the exercise of individual rights to access and rectification.
- A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the independent Japanese data protection authority.