One effect of COVID-19 has been a sharp increase in businesses’ use of remote surveillance solutions to protect corporate resources and monitor the productivity and behavior of employees who will be working from anywhere but the office for the foreseeable future. Although such tools can provide valuable performance insights and mitigate data loss and other risks, they can also significantly increase a business’s legal risk.
This is especially true for businesses with employees working in the EU, where employee privacy is typically protected to a much greater extent than in the United States. Indeed, the German subsidiary of international retailer H&M recently learned a €35.3 million (approximately $41 million) lesson about these legal risks after being fined by a supervisory authority in connection with a workforce monitoring program that “led to a particularly intensive encroachment on employees’ civil rights.”
Employers are permitted to monitor EU employees at work, as long as they comply with the laws and regulations of both the EU and individual Member States. This includes the EU’s General Data Protection Regulation (GDPR), which applies to any U.S. or multinational business that has employees in, or monitors the behaviors of, individuals in the EU.
Remote surveillance solutions increasingly offer sophisticated features that promise—among other things—to identify suspicious activity, detect potential insider threats, and provide real-time alerts about employee behaviors. But automated technologies that generate insights or conclusions about employees based on data collected from employer-monitored systems, networks, and connected endpoints can generate additional risk because the GDPR (as well as the laws of some individual Member States) provides protections for individuals subject to automated decision making and profiling.
Further, the use of employee surveillance solutions powered by Artificial Intelligence (AI) and Machine Learning (ML) technologies may trigger additional compliance requirements under the GDPR. We will explore those issues and others, and offer risk mitigation strategies that employers should consider before monitoring employees in the EU.
With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.
On 7 September 2020, the European Data Protection Board (“EDPB”) initiated a public consultation on draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Any interested party could provide comments by 19 October 2020 using the dedicated form.
Cymone Gosnell
In 2016, the European Union (“EU”) created heightened data privacy rights for its citizens by enacting the General Data Privacy Regulation (“GDPR”). The most drastic change from the previous regulation, enacted in 1995, lies within the expanded territorial scope. The change now subjects companies to fines for violations of the regulation, even if those companies are not domiciled in the EU. Data privacy has always been considered a fundamental human right in the EU; however, within the United States, there is no fundamental right to privacy. Rather, the country’s privacy laws are based on a complicated sectoral structure that often leaves the country’s citizens confused as to what rights they actually have. This paper will review the EU and United States’ fundamental differences in privacy laws, the changes implemented by the GDPR (including the expanded territorial scope), the compliance plans of some major players within the United States, and what the future looks like for American businesses that hold or process the data of EU citizens under the GDPR.
Computer Law & Security Review, Volume 36, April 2020.
Vagelis Papakonstantinou, Paul de Hert
In this article, we provide an overview of the literature on chilling effects and corporate profiling, while also connecting the two topics. We start by explaining how profiling, in an increasingly data-rich environment, creates substantial power asymmetries between users and platforms (and corporations more broadly). Inferences and the increasingly automated nature of decision-making, both based on user data, are essential aspects of profiling. We then connect chilling effects theory and the relevant empirical findings to corporate profiling. In this article, we first stress the relationship and similarities between profiling and surveillance. Second, we describe chilling effects as a result of state and peer surveillance, specifically. We then show the interrelatedness of corporate and state profiling, and finally spotlight the customization of behaviour and behavioural manipulation as particularly significant issues in this discourse. This is complemented with an exploration of the legal foundations of profiling through an analysis of European and US data protection law. We find that while Europe has a clear regulatory framework in place for profiling, the US primarily relies on a patchwork of sector-specific or state laws. Further, there is an attempt to regulate differential impacts of profiling via anti-discrimination statutes, yet few policies focus on combating generalized harms of profiling, such as chilling effects. Finally, we devise four concise propositions to guide future research on the connection between corporate profiling and chilling effects.
This report summarizes economic analyses of the consequences of GDPR for investment in new technology ventures in the European Union (EU). The analyses distinguish between the impacts on foreign and non-foreign investment, between younger and more established ventures, and between more and less data-reliant ventures. The results, utilizing global venture data, indicate that GDPR’s effects on investment in EU ventures are broadly negative, and particularly so for foreign investments, younger ventures, and data-reliant firms. The findings demonstrate a post-GDPR average reduction of 26.10% in the overall number of monthly EU deals and a 33.80% reduction in the average dollar amount raised per deal.
The right to data protection set out in Article 8 of the EU Charter of Fundamental Rights had played a pioneering role in the development of EU fundamental rights jurisprudence. Schecke and Eifert became the first to deal a fatal blow to specific legislative provisions that were deemed incompatible with the Charter requirements. Digital Rights Ireland led to the annulment of an entire legislative instrument on the same basis. Moreover, in Schrems, the Court elaborated on the essence of the related right to respect for private life, indicating that it was this level of fundamental rights protection that served as the benchmark to assess the adequacy of the data protection offered by third countries.
In the wake of the adoption of the European Union’s General Data Protection Regulation (GDPR) in May 2018, other countries and jurisdictions have contemplated personal data privacy legislation. In August 2018, the former president of Brazil, Michel Temer, signed the country’s comprehensive data privacy regulation, Lei Geral de Proteção de Dados Pessoais (LGPD), into law. Temer, however, vetoed many of the enforcement provisions. Shortly before leaving office, Temer signed an executive order creating a regulatory agency as the bill initially called for, but situated the agency under executive control instead of creating a wholly independent agency. This Note provides a brief history of the evolution of data privacy protections in both the European Union and Brazil and compares the GDPR and LGPD. This Note argues that the agency created by Temer is not enough to ensure compliance with Brazil’s new law and proposes adoption of the GDPR’s enforcement mechanisms to compel compliance in Brazil.
The register of one-stop-shop decisions is now live on the EDPB website. It contains access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular data subject rights, lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. Where there was a violation, the LSAs for the most part issued reprimands or compliance orders rather than fines.
The Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) recently announced that it levied a €600,000 fine on banking institution UniCredit for several violations of the Italian Personal Data Protection Code, in its pre-General Data Protection Regulation (“GDPR”) form.