Poland’s data protection authority, the UODO, offers guidance on email monitoring in the workplace:

  • The employer may introduce monitoring of the employee’s e-mail when it is necessary in the employer’s opinion to ensure work organization that allows full use of working time and proper use of the work tools provided to the employee.
  • The monitoring may not violate the secrecy of correspondence and other personal rights of the employee.
  • You must inform the employee of the purpose for which you intend to use monitoring, as well as its scope and method. This information is set out in the collective labor agreement or in the work regulations, or in a notice if the employer is not covered by a collective labor agreement or is not obliged to establish work regulations.
  • You should inform employees about the introduction of monitoring. This can be by a letter addressed to each employee, an announcement on the bulletin board, an e-mail message addressed to the staff or information provided via the company’s intranet.
  • You should inform the employee about the introduction of e-mail monitoring no later than two weeks before its launch.

Details from the Polish Data Protection Authority.

“Going forward, Data Protection Impact Assessments (DPIAs) should be considered beneficial to both controllers and processors for multiple reasons, including determining which alternative transfer mechanisms might be most viable, as well as establishing supplementary measures,” says Adam C. Schlosser for IAPP, the International Association of Privacy Professionals.

“Also, in light of the recent decision, there is an argument that now any processing activity that involves a transfer outside of the European Economic Area could be classified as a ‘high risk activity’ and may eventually become mandatory anyway.”

“The end result of a DPIA aimed at identifying new transfer mechanisms should be to document whether your organization is processing any data that might be at a higher risk for national security or law enforcement surveillance, and if it is, are there any mitigation steps you could take.”

Details from the International Association of Privacy Professionals.

“If the cedar trees have caught on fire,” says an old Hebrew adage, “what shall the shrubs on the wall say?”

Denmark’s data protection authority, Datatilsynet, suffered a data breach when its own documents, which should have been shredded, were disposed of in the normal wastepaper bin. The agency notified itself of the breach per Article 33 of the General Data Protection Regulation, but 24 hours after the 72-hour deadline required by law.

Details in this Datatilsynet press release.

A group of UK MPs wrote a letter to the UK Information Commissioner’s Office demanding stronger data protection enforcement.

“It is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health. The ICO has powers to compel documents to understand data processing, contractual relations and the like (Information Notices). The ICO has powers to assess what needs to change (Assessment Notices). The ICO can demand particular changes are made (Enforcement notices). Ultimately the ICO has powers to fine Government, if it fails to adhere to the standards which the ICO is responsible for upholding.”

Details from WIRED UK.

In the wake of the UK A-Level algorithm fallout, the U.S. National Institute of Standards and Technology (NIST) has published a report, for public comment, on the Four Principles of Explainable Artificial Intelligence.

“AI is becoming involved in high-stakes decisions, and no one wants machines to make them without an understanding of why,” said NIST electronic engineer Jonathon Phillips, one of the report’s authors.

The four principles for explainable AI are:

  • AI systems should deliver accompanying evidence or reasons for all their outputs.
  • Systems should provide explanations that are meaningful or understandable to individual users.
  • The explanation correctly reflects the system’s process for generating the output.
  • The system only operates under conditions for which it was designed or when the system reaches a sufficient confidence in its output.

Under the General Data Protection Regulation (GDPR), for processing that could constitute profiling, you are required to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.

A similar requirement is found in the California Privacy Rights Act (the ballot initiative set to amend the California Consumer Privacy Act).

Read the full text of the NIST report.

Data Protection Authorities in the German states of Lower Saxony, North Rhine-Westphalia, Hesse, Hamburg and Brandenburg have launched a large-scale inquiry into media websites to examine their use of tracking techniques and, specifically, whether the cookie banners on their respective websites meet the requirements for voluntary and informed consent of the user under the EU General Data Protection Regulation (GDPR).

Details from Golem.de.

Peter Swire and Kenneth Propp suggest a viable post-Schrems II alternative to address U.S. judicial redress deficiencies in the Lawfare Blog.

“Any future attempt by the United States to successfully address this perceived deficiency in judicial redress … must have two dimensions: a credible fact-finding inquiry into classified surveillance activities in order to ensure protection of the individual’s rights, and the possibility of appeal to an independent judicial body that can remedy any violation of rights should it occur.

We suggest that the obvious and appropriate path for an appeal from the fact-finding stage would be to the Foreign Intelligence Surveillance Court (FISC).

For redress, two options are: (i) utilizing the existing Privacy and Civil Liberties Officers (PCLOs) within the intelligence community, and (ii) enlisting the Privacy and Civil Liberties Oversight Board.

A key legal issue in crafting such a system is ensuring that a plaintiff has “standing” to sue, as required by Article III of the U.S. Constitution. A solution might be a Freedom of Information Act (FOIA)-like mechanism where any individual can request documents from an agency, without the need to first demonstrate particular injury.”

Read the full post on the Lawfare Blog.

The IAB Europe, the continent’s digital advertising and marketing association, has issued an FAQ on Schrems II.

How does this impact the online advertising supported internet?

“While it is hard to measure the impact in specific terms, this is likely to cause a big disruption in an industry which is as global and interconnected as ours. What may be seen as a simple data transaction for our industry, such as recalling segmentation information about a particular web browser, may be seen in the eyes of the regulator as a cross-border data transfer depending on the locations of the respective servers.”

What can I do today to check that I’m complying with the law?

  • Take stock of your data inventory and that of your partners.
  • Understand how your partners are transferring data to the U.S., for which purposes, and how they ensure compliance with the General Data Protection Regulation (GDPR).
  • Review contracts with partners who are based in non-EU countries. If you work with companies who have their servers based in any non-EU country, make sure that you understand how they are ensuring compliance with the GDPR.
  • Seek guidance from your lead supervisory authority.

EU-US Privacy Shield

Privacy Shield is gone but not forgotten.

Adam C. Schlosser, for the International Association of Privacy Professionals (IAPP), writes on why the EU-U.S. Privacy Shield is still a useful data protection governance tool.

“Simply leaving the Privacy Shield program or disregarding its principles would be a mistake, particularly for those organizations that have already built an entire sophisticated compliance program and developed products and services with Privacy Shield in mind”.

Abiding by Privacy Shield principles is still beneficial because:

  • Privacy Shield obligations are still binding.
  • Privacy Shield still serves as a blueprint towards meeting General Data Protection Regulation (GDPR) obligations, including those covering data minimization, retention, and data subject rights.
  • Maintaining a well-built data protection compliance program is not a sunk cost but one that will continue to provide a return on investment.
  • Privacy Shield principles may also serve as a form of “supplementary measures.”
  • Privacy Shield creates a foundation for compliance with more than GDPR – the Privacy Shield criteria meet or exceed most data privacy regulations.
  • Privacy Shield may return in a new form and you’ll be more prepared.

Full details from the IAPP.

Constantine Karbaliotis and Abigail Dubiniecki write on the topic of what Canadian companies should do after Schrems II:

  • If you are processing data as controller, or as a processor for a client with European Union personal data, and relying on onward transfers, first do a risk assessment; and then assuming the risks are addressable, put in place Standard Contractual Clauses (SCCs) between yourself and any organization doing processing for you, if in a non-adequate country.
  • If you are relying on adequacy for transfers from the EU to Canada, be sure you are correct in doing so; and if you cannot rely on adequacy, again, conduct a risk assessment and document the transfer with an SCC.

Read the full text of the article.