
Data Protection and Privacy revisited

Sometime before Christmas WikiLeaks leaked information relating to the German parliamentary inquiry into the surveillance activities of Germany's foreign intelligence agency Bundesnachrichtendienst (BND) and its cooperation with the United States' National Security Agency (NSA). From what I heard and read there was nothing about the construction industry in this leak. However, it got me thinking once more about data protection and privacy.

I do not want to start a political discussion about intelligence agencies across the world, their responsibilities and duties to report to parliaments, mass surveillance or other related topics. Even though there has been a leak, most of this remains classified, which leaves a lot of room for speculation.

However, I thought once more about last year’s ruling of the European Court of Justice (ECJ) to invalidate the Safe Harbor Agreement between the EU and the US. Based on this ruling, I wrote a blog post in which I looked into potential implications of telematics systems in the construction industry, as they might create personal data, which is bound to very specific rules in the EU. In a nutshell, information to increase equipment utilization (e.g. fuel consumption), one of the main benefits of a telematics system, can already be personal data if it can be linked to a person (e.g. if there is only one person able to operate a machine). Obviously, telematics data used for employee performance reviews is most likely also personal data.

What happened after the ECJ ruling?

After a couple of months without any valid agreement, the new Privacy Shield Agreement came into effect in July 2016 (negotiated by the US Department of Commerce and the European Commission). My understanding is that the new agreement is basically a strengthened version of the Safe Harbor agreement. According to different legal experts, the main differences are that:

  • US companies that collect personal data from EU citizens are now accountable for onward transfer. They have to make sure that any 3rd party company using the data has the same level of protection as Privacy Shield.
  • Even if a company drops out of Privacy Shield, it needs to adhere to the Privacy Shield principles for the already collected data.
  • With the new agreement, EU citizens have the right to bring complaints to independent dispute resolution bodies, their local Data Protection Authorities or, as a last resort, to a “Privacy Shield Arbitration Panel”.
  • The Department of Commerce will monitor and enforce compliance with Privacy Shield more strongly and more proactively.
  • There are now mechanisms and processes in place to limit governmental access (especially law enforcement and national security) to personal data of EU citizens.

As you can imagine, the involved parties and also a lot of companies welcomed the new agreement, and by November 2016 more than 500 companies were already certified while more than 1000 were in the certification process. However, there is also criticism of Privacy Shield. For example, the "Article 29 Data Protection Working Party" (all national data protection officers from EU countries) sees the dispute process for EU citizens as too complex and not practical, and also sees some problems with data retention and the possibility of ongoing massive and indiscriminate data collection of EU citizens. In November an Irish digital advocacy group challenged the agreement before an EU court with the goal of annulling the agreement. It might take a year for a first ruling (with the chance of more legal processes after this one).

What does this mean for the construction industry?

As mentioned earlier, telematics systems (or other systems) most likely collect personal data, so it is important for the construction industry (as for any other industry) to have concrete reassurance and a long-term solution for this compliance issue (at least if you are a European-based company). Even if this Irish digital advocacy group does not win in court, I expect more court challenges to this agreement, so the uncertainty will be ongoing for some time.

Maybe a solution could be to use a European-based company, which is already bound by the strict European data privacy laws. Or do you have any other idea how to tackle this uncertainty?

Disclaimer

Since this topic touches on several legal issues, I need to advise that this blog post is provided for your convenience and does not constitute legal advice. If you think you are affected by these issues, you or your company should seek information from qualified legal counsel.

Data Privacy

mlimbach 30.01.2017