A year ago, the Court of Justice of the European Union invalidated the U.S. Privacy Shield framework as an adequate safeguard under the General Data Protection Regulation (GDPR), which had previously been a popular safeguard mechanism to cover the export of personal data from the EU to the U.S. While the same decision also held that another GDPR-sanctioned cross-border transfer safeguard mechanism – Standard Contractual Clauses (SCCs) – remained valid, the Court took the opportunity to note in its decision that the then-current SCCs may not go far enough to safeguard the rights of European data subjects.
SCCs are pre-approved contractual terms between an EU controller or processor to a non-EU processor or sub-processor. By adopting them into a contractual arrangement where an EU party is transferring personal information to another country, the international transfer is said to have adopted “adequate safeguards” under Article 46 and should avoid running afoul of the GDPR’s restriction on such transfers. The SCCs the Court opined on pre-dated the GDPR, and there has been a push to update them since the GDPR went into effect on May 25, 2018. On June 4, 2021, the European Commission announced it had finally approved new versions … Keep reading
Breaking news out of Florida: On April 21, 2021, the Florida House, in a near unanimous vote, passed the Florida Privacy Protection Act (FPPA). Largely modeled after the California Consumer Privacy Act (CCPA), the FPPA would have made Florida the third state to pass a comprehensive privacy and data security law, following Virginia’s passage of its Consumer Data Protection Act (CDPA).
Just as quickly as it passed the Florida House, though, it was killed by the Senate on April 30, 2021, after disagreement between the House and Senate as to whether the bill should give individuals a private right of action to sue companies that violate their privacy rights under the FPPA. The pro-private-right-of-action camp believes a privacy act without a private right of action is an impotent law, while the anti-private-right-of-action camp believes the right unduly burdens businesses with costly compliance obligations.
Washington’s version of the CCPA, the Washington Privacy Act, suffered a similar fate a month ago after a similar fallout over the same private right of action question.
The failure of both Washington and Florida to pass comprehensive privacy laws – along with California’s and Virginia’s passage of comprehensive privacy laws that include a private right … Keep reading
The United States remains one of the few developed countries without a central, comprehensive federal privacy and data security law. Accordingly, websites that only collect information from U.S. residents have some of the loosest requirements with respect to disclosures and rights. However, most U.S. states have some sort of data security and privacy law requiring websites to post a privacy notice. The Federal Trademark Commission (FTC) has broad authority to regulate activities deemed … Keep reading
- Adopt Appropriate Security Measures: The GDPR requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to individuals by the organization’s processing of their personal data. This is a flexible standard, and while no specific measure is strictly prescribed by the GDPR, hundreds of organizations have already been fined for failing to implement appropriate security measures. For instance, sanctions have been imposed for failing to encrypt personal data, failing to train employees on data security, failing to conduct risk assessments, and even inadvertent disclosures due to human error.
- Ensure There Is a ‘Lawful Basis’ for Processing Personal Data: there are six, and only six, justifications (each called a “lawful basis”) for processing personal data
… Keep reading
One of the more operationally challenging components of the General Data Protection Regulation (GDPR), was the restriction on transferring European personal data to recipients outside of the European Economic Area (EEA). Essentially, unless an exception or some additional GDPR-approved mechanism applies, European personal data cannot be transferred to non-EEA countries unless the data is being transferred:
- within a related multinational group of companies who have adopted an internal code of conduct (called “binding corporate rules”) that applies to restricted transfers of personal data from the group’s EEA entities to non-EEA group that has been approved by an EEA supervisory authority;
- between an EEA-based data exporter and a non-EEA-based data importer who have entered into a contractual agreement that adopts a set of “standard contractual clauses” adopted by the European Commission; or
- to a jurisdiction that the European Commission has issued an “adequacy decision,” finding that such jurisdiction has adopted “adequate” data protection safeguards. As of the writing of this article, this list of jurisdictions was limited to Andorra, Argentina, commercial organizations in Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Importantly, up until last week, U.S.
… Keep reading
Under the GDPR, data controllers are tasked with communicating to data subjects how their data is processed in a way that is both concise and transparent. From a consumer-protection perspective, this is undoubtedly one of the regulation’s more commendable requirements; as many who have drafted website privacy policies understand, there is often tension between the twin goals of concision and transparency. Providing fully transparent disclosure about data-processing activities, while keeping such disclosures brief and easily readable, can be a tricky balance to strike.
One question the GDPR may prompt is whether it makes sense for an organization to maintain separate residency-dependent privacy policies, or a single, all-encompassing policy. There are pros and cons to each, and what works best for a particular organization will often depend on the operational impact of each, as well as the usability of each by the relevant data subjects.
The Multiple Privacy Policies Approach
Organizations that treat data-subject information differently depending on its origination point, or that opt not to extend the enhanced protections offered under the GDPR to non-European data subjects, may prefer to maintain separate residency-dependent privacy policies.
In this instance, the benefit is that each policy can be tailored, … Keep reading
As the effective date of the General Data Protection Regulation (GDPR) draws near, companies that collect, process, and use data relating to EU citizens need to be thinking proactively about issues they will face under the new directive. This post summarizes the discrete issue of how companies should start to manage data mining and data usage activities. Stay tuned as we continue to keep you updated in this space.
As most are probably by now aware, the GDPR seeks to regulate the use and disclosure of the personal data of all individuals within the 28 EU member states. Though passed into law in May 2016, it does not become enforceable until May 25, 2018. Unlike most privacy regulations in the U.S., the EU defines the term “personal data” broadly—it includes “any information relating to an identified or identifiable natural person (the ‘data subject’).” This means that even the most basic contact information, such as business card details or simply a name and email address, falls under the GDPR’s protections. Public sources of information, such as a residential phone listing, are not exempted from the GDPR’s restrictions.
To legally handle EU personal information harvested from third-party sources after May 25, … Keep reading
With only 100 days to go until the General Data Protection Regulation becomes enforceable on May 25, it is increasingly imperative for organizations that process information relating to an identified/identifiable European person to have a firm grasp on what the regulation entails, as well as any associated impacts on business that can be reasonably expected. Here are seven key questions to ask yourself, your team, or your project manager, to gauge how prepared your organization is to meet the requirements under the GDPR.
Has our data been inventoried and mapped, such that we have a complete understanding of our data flow?
An essential prerequisite to developing a GDPR compliance plan is to have a detailed understanding of the lifecycle of the personal data processed by the organization. It is impractical to implement a reasonable GDPR compliance plan if the organization does not thoroughly understand the personal information it processes, how it was collected, where it is stored, and where and to whom it is transferred. The GDPR identifies specific categories of information that it expects organizations to keep records on, with respect to data processing.
When personal information about people is collected indirectly from third-party sources (e.g., public databases,
… Keep reading
Does this look familiar?
Recently, Privacy Shield participants started receiving these troubling alerts, purportedly from the International Trade Administration, warning that the recipient organization owes a new fee, and threatening to cancel that participant’s Privacy Shield certification if payment is not remitted by February 16, 2018. These alerts have all the classic markings of a phishing scam—appearing very official but containing a generic salutation, demanding payment for some otherwise unheard of fee, threatening dire consequences for failure to remit payment—so some of these alerts have undoubtedly gone ignored.
Unfortunately, this is not another blog post about a new fraud alert. Rather, this post is an alert that, if you participate in the Privacy Shield program, you may need to take action before February 16, 2018, to maintain your certification.
Alternative Dispute Resolution Under Privacy Shield Prior to September 13, 2017
The EU-U.S. Privacy Shield is a self-certification program run through the Department of Commerce that provides a safe harbor for U.S. companies that process or transfer heavily regulated personal data of EU citizens in the U.S. Because the U.S. has comparatively lax laws on privacy and data security, to comply with EU regulations, its businesses must voluntarily agree to … Keep reading
The Noise About Privacy: Is Big Brother Watching, Or Is He Just the Most Compulsive Hoarder of ‘Random’ on the Planet?
On May 19, CNNMoney’s Jose Pagliery published a provocative piece: “What you really accept to when you click ‘accept’“–an exposé on the privacy policies of 18 of the most popular websites and mobile apps. The article shines the klieg lights on one of the dirty little secrets of consumer internet usage– that online privacy policies are ephemeral, dense, rarely read, one-sided and, sometimes, over-reaching. Pagliery infers from these conditions that most companies care little for a user’s privacy and want nothing more than to collect the maximum information and use it in any way that increases the bottom line.
At the risk of sounding defensive, I’d say that conclusion is largely unsupported and pretty far from accurate for most web-based companies. In fact, the density and vagueness of privacy policies often is caused by a variety of competing pressures faced by online companies. Varied international laws and regulatory schemes applicable in different jurisdictions to different kinds of data create part of the problem. There is no single or baseline set of standards for … Keep reading