CNIL Decision on Whistleblower Hotlines

France’s data protection authority, the CNIL – the Commission Nationale de l’Informatique et des Libertés — recently published a decision (n° 2017-191) setting out new guidelines with respect to whistleblower hotlines. The new guidelines implement changes in French law brought about by the Law no. 2016-1691 of December 9, 2016 (the so-called Sapin II Law). Sapin II introduced numerous changes in order to bring about more transparency, to fight corruption and generally to modernize the French economy. Until the mandatory introduction of whistleblower hotlines for companies subject to Sapin II, the CNIL had expressed notable resistance toward such hotlines, bowing begrudgingly to the requirements imposed on U.S. based companies by Sarbanes-Oxley. But Sapin II changed that by mandating the implementation of whistleblower hotlines and the adoption of company codes of conduct. …

Data Privacy Issues of Self-Driving Vehicles

by Associate Christopher Achatz and Summer Associate Ashlee Difuntorum

In the next five years we will see more and more self-driving vehicles, or autonomous vehicles, hit the market. An “autonomous vehicle” is a vehicle capable of navigating roadways and interpreting traffic-control devices without a driver actively operating any of the vehicle’s control systems. Although self-driving vehicles have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel, concerns remain that could delay widespread adoption. Of particular concern are data privacy and security risks. This article addresses the data privacy issues of self-driving vehicles. We have also published an article discussing the cybersecurity issues of self-driving vehicles, which can be found here. …

Responding To National Security Letters That Ask For Personal Information

National Security Letters (“NSLs”) refer to a collection of statutes that authorize certain government agencies to obtain information and simultaneously impose a secrecy obligation upon the recipient of the letter.

Four statutes permit government agencies to issue NSLs: (1) the Electronic Communication Privacy Act,1 (2) the Right to Financial Privacy Act,2 (3) the National Security Act,3 and the (4) Fair Credit Reporting Act.4 Although differences exist between the NSLs issued under each statute, in general, all of the NSLs permit a requesting agency to prevent an organization that receives the NSL from disclosing the fact that it received the request, or the type of information that was requested, if disclosure may result in a danger to national security, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of a person. …

Organizing Data Privacy Within A Company

Although organizations have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure, dedicated employees, and/or dedicated resources. While in some organizations “privacy” falls within the ambit of the legal department; other organizations have created offices that are focused solely on privacy issues and that report to a Chief Privacy Officer (“CPO”). There is little commonality in how these offices are staffed, funded, or organized. For example, while some CPOs report directly to senior management, others report through a General Counsel or a Chief Compliance Officer. …

Big Changes May Be Coming to Argentina’s Data Protection Laws

This article was co-written with Diego Fernandez from Marval, O’Farrell & Mairal

Two important changes are underway if you do business in Argentina. In 2003, Argentina was the first Latin American country to be recognized as an adequate country by the European Commission. Its data protection law, Personal Data Protection Law Number 25,326 (“DPL”), was enacted in October of 2000 and provides broad protections similar to the EU Directive 95/46/EC. Although it already has some of the strictest data protection laws in Latin America, Argentina is currently seeking to further overhaul its data protection laws in two potentially significant ways. First, the Data Protection Authority (“DPA”) made public a comprehensive draft of a data protection bill that would completely overhaul Argentina’s data protection laws to align with the General Data Protection Regulation (“GDPR”) requirements. The legislative branch has also introduced a separate bill that would require certain data be stored exclusively in Argentina (“Localization Bill”). Both of these measures may impact the way in which personal data is stored, transferred, and maintained. …

Privacy Due Diligence In A Merger Or Acquisition: A How-To Guide

The FTC can hold an acquirer responsible for the bad data privacy practices of a company that it acquires. Evaluating a target’s data privacy practices, however, can be daunting and complicated by the fact that many “data” issues are first identified months, or years, after a transaction has closed. For example, although it is relatively easy to read a potential target’s privacy policies it is far more difficult to verify that the policy is accurate or complete. The following provides a snapshot of information concerning privacy violation penalties. …

Passing Data Between Retailers To Facilitate Transactions: A How-To Guide

Online retailers often learn information about a consumer that may be used by them to help identify other products, services, or companies that may be of interest to the consumer. For example, if a person purchases an airplane ticket to Washington DC, the person may want information about hotels, popular restaurants, or amenities at the airport. …

Facial Recognition Technology: A How-To Guide

Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting). …

Collecting Information From Children: A How-To Guide

There are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information, post a specific form of privacy policy that complies with the statute, safeguard the information that is received from a child, and give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes. …

Email Marketing In Canada (CASL): A How-To Guide

On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (“CASL”) came into force.1 These provisions generally prohibit the sending of a Commercial Electronic Message (“CEM”) without a recipient’s express consent, and unless the CEM contains certain sender identification information and an effective unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law. The primary enforcement agency of CASL is the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC has several compliance tools to enforce CASL, including the issuance of Administrative Monetary Penalties (AMPs) against individuals and organizations that have violated CASL’s provisions. …

Email Marketing: A How-To Guide

Email is ubiquitous in modern life with billions of emails – wanted and unwanted – sent each day. Since its enactment in 2003, the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier. When followed, CAN-SPAM Act’s restrictions give email recipients some control over their inboxes and also maintain fairness in how emails present themselves. Failure to follow the CAN-SPAM Act can lead to penalties of up to $16,000 per violation. …

It’s Time to Take Data Privacy Seriously in Singapore

In the past decade there has been an explosion of new data privacy laws in Asia, but until recently those laws were rarely enforced. While some countries, such as Malaysia, have still not actively enforced their privacy laws, others, notably Singapore, have substantially increased enforcement of theirs.

Even though the city-state of Singapore is only 720 square kilometers in size, it plays an integral role in the world economy. Singapore, along with Hong Kong, has often been called the “business nexus of the East.” In fact, a recent study conducted by Tower Watson states that Singapore is home to roughly 41 percent of the Asia Pacific headquarters for Fortune 500 companies (compared to 34 percent for Hong Kong and 16 percent for Mainland China).[1]

In 2012, Singapore passed the Personal Data Protection Act (PDPA), which established a general data protection law in Singapore. Among other things, the PDPA governs the collection, use, disclosure, and protection of individuals’ personal data by organizations. The agency in charge of enforcing the PDPA is the Personal Data Protection Commission (PDPC). The PDPA gives the PDPC the power to: (1) investigate organizations’ data protection practices, (2) direct organizations to cease activities that violate the PDPA, (3) direct organizations to destroy personal data collected in contravention of the PDPA, (4) direct organizations to comply with any other order of the PDPC, and (5) direct organizations to pay a financial penalty of up to S$1 million.[2]

PDPA guidance on enforcement actions

On April 21, 2016, the PDPC revised the Advisory Guidelines on the Enforcement of the Personal Data Protection Act (Enforcement Guidelines).[3] While the Enforcement Guidelines are not legally binding, they provide guidance on how the PDPC decides which organizations to target for an investigation and what fines it will seek.

The Enforcement Guidelines state that the PDPC may commence an investigation into any organization where, based on the information it has obtained (whether from a complaint or otherwise), it considers an investigation warranted.[4] Among other things, the PDPC weighs the following factors in deciding whether to investigate and whether to impose a financial penalty: whether the organization may have failed to comply with the PDPA, whether that failure was systematic, and the potential harm and severity of the misconduct.[5]

Enforcement actions

In the past, the PDPC published enforcement actions related to “do-not-call” rules, which are a set of regulations loosely similar to the US Do-Not-Call rules. However, only recently has Singapore actively enforced and provided guidance on how the PDPC will approach enforcement of other parts of the PDPA.

First shots fired

On April 21, 2016, Singapore’s PDPC published its first set of 11 enforcement actions.[6] The organizations involved range from small businesses to multinationals, including the Singapore subsidiary of China’s Xiaomi. Of the 11 actions, four organizations were fined for violations of the PDPA and six others were issued warnings.[7] A majority, eight of the 11, were based on a breach of Section 24 of the PDPA for failing to implement proper and adequate protective measures, which resulted in the unauthorized disclosure of personal data.[8] Section 24 of the PDPA provides that an organization shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.[9]

The largest fine assessed by the PDPC was S$50,000 against K-Box Entertainment Group Pte Ltd.[10] In 2014, it was reported that the personal data of over 300,000 K-Box members had been leaked and uploaded online.[11] The breach involved names, contact numbers, and residential addresses.[12] The PDPC found that K-Box had failed to put in place adequate security measures to protect the personal data in its possession.[13] Among other things, K-Box allegedly failed to enforce a password policy, exercise reasonable control over unused accounts, keep its software up to date, or conduct security audits.[14]

The PDPC also fined Finantech Holding, K-Box’s IT service provider. Finantech was in charge of developing, hosting, and managing K-Box’s Content Management System (CMS).[15] As a data intermediary, Finantech allegedly did not implement adequate security measures for the CMS, such as patching known vulnerabilities or using a strong password for the administrative account.[16]

Continued enforcement of data privacy laws

Since April 21, 2016, Singapore has increased its rate of enforcement actions. The PDPC has released details of 11 more enforcement actions.[17] Of these 11, seven companies received fines ranging from S$500 to S$25,000, and four companies received warnings.[18] As with the first set of enforcement actions released on April 21, the majority (eight of 11) relate to a breach of Section 24 of the PDPA for allegedly failing to implement proper and adequate protection measures.

Among the most recent enforcement actions, the PDPC fined Toh-Shi Printing (Toh-Shi) on two separate occasions for failing to implement proper and adequate protection measures.[19] In both instances, Toh-Shi was a service provider in charge of printing and mailing paper notices on behalf of its corporate customers.[20] In both cases, Toh-Shi accidentally sent sensitive financial information to the wrong recipients.[21] The PDPC fined Toh-Shi for allegedly failing to provide adequate quality control and employee training.[22] The Toh-Shi cases show that enforcement of Section 24 of the PDPA is not limited to IT security measures, but extends to non-technical measures such as quality control and employee training.

Perhaps the most interesting aspect of the Toh-Shi enforcement actions is that the two different companies that hired Toh-Shi as a service provider were not fined or found in violation of Section 24 of the PDPA.[23] This contrasts with the K-Box enforcement action. Even though Finantech managed part of K-Box’s IT operations, K-Box was still fined for a breach of the PDPA.[24]

The K-Box enforcement action differs from the Toh-Shi enforcement actions in two distinct ways. First, while Finantech was responsible for handling some of K-Box’s IT operations, it did not manage all of them.[25] K-Box retained some IT responsibilities, and its failure to discharge them contributed to the breach of over 300,000 customer records.[26] In the Toh-Shi enforcement actions, Toh-Shi’s customers had outsourced every part of the printing operation, from the initial printing to the mailing of financial records.[27] This suggests that an organization may face less enforcement risk if it uses a service provider to complete all aspects of a process. Second, unlike K-Box, which had no data protection provisions in its contract with Finantech, Toh-Shi’s customers contractually required Toh-Shi to put in place adequate security policies, procedures and controls.[28] In other words, the PDPC’s actions suggest that imposing contractual requirements on a vendor may discharge a company’s obligation to take “reasonable and appropriate” steps to secure information.

The Toh-Shi enforcement actions also show how a systematic and continuing disregard for adequate security measures can increase the size of a company’s fines.[29] That continuing disregard likely explains why Toh-Shi’s second fine rose from S$5,000 to S$25,000.

While the fines levied by the PDPC for non-compliance with the PDPA have been relatively modest compared with the million-dollar fines issued in EU countries or the United States, the real cost of a PDPC investigation comes in the form of highly negative publicity and the legal fees and staff time spent defending it.

Future considerations

As Singapore’s PDPC gains more experience and refines its interpretation of the PDPA, we expect to see more enforcement actions in Singapore. According to Singapore’s government directory, 18 individuals work at the Personal Data Protection Commission.[30] Of those 18, roughly a third have been employed at the PDPC for less than 18 months.[31] A detailed breakdown of headcount is not available from the Singapore government, but we expect that as these new employees become more experienced and fully integrated into the PDPC, the number of enforcement actions will grow.

We understand that the PDPC is actively working with entities in Singapore by putting together data protection and security training and educational sessions. However, the current list of enforcement actions shows that Singapore is also serious about enforcing the PDPA. Of the 22 enforcement actions, a sizeable majority involve companies that would be considered small or mid-sized. We speculate that this is because the PDPC is still a relatively new government organization and may be choosing relatively easy targets that either have egregious security practices or lack the resources to challenge the PDPC in court. The PDPC may also be following the old Chinese idiom 杀鸡儆猴 (“kill the chicken to scare the monkey”): fining relatively small companies with egregious security practices shows the public that the PDPC is serious about enforcement and makes an example of a few small companies in order to warn larger companies that may not be taking data protection seriously. As the PDPC gains experience, we expect larger organizations to be targeted and higher fines to be assessed.

Lastly, since data breaches are now high-profile events that attract rapid and widespread media attention, we expect Singapore to continue focusing on Section 24 of the PDPA and the implementation of proper and adequate protective measures for personal data. Sixteen of the 22 enforcement actions involved a failure to maintain such measures.[32]

Considerations for entities operating in Singapore

Recent enforcement actions show a propensity for the PDPC to focus heavily on whether organizations have implemented proper and adequate protective measures for personal data. The PDPC recently released the Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Guidelines).[33] Much like the “I know it when I see it” standard for obscenity in the United States, the Guidelines do not provide a checklist of what an organization must do to comply with Section 24 of the PDPA. Instead, the Guidelines state that there is no one-size-fits-all solution for data security; rather, security obligations depend on the nature of the information, the form of the information, and the possible impact of its unauthorized disclosure.[34] Among other things, we recommend that companies consider the following measures:

  1. Conduct a privacy and security assessment of policies and procedures. A data privacy and security assessment allows an organization to review its current policies and determine whether (a) the policies and procedures need to be updated and (b) the company actually follows them. It is also important to remember that going through the motions of a security assessment is not enough. For example, the PDPC issued a warning to Metro Pte Ltd for failing to remediate SQL injection vulnerabilities that had been identified in earlier IT security audits.[35] To actually lower risk, an organization must fix the issues that assessments and audits surface. To obtain an unbiased and candid opinion of its security measures, an organization should consider using a third-party vendor.

Organizations should consider at a minimum, implementing/acquiring the following policies and procedures:

  • Incident response plan.
  • Mobile IT policy.
  • Record retention policy
  • Password management policy.
  • User access and management policy.
  • IT vendor management process.
  2. Conduct an internal data inventory. Knowing the type of data collected and held allows an organization to review the sensitivity of the data and determine whether current security measures are appropriate and reasonable.

Organizations should consider the following when conducting a data inventory:

  • The types of data collected.
  • Where the data is physically housed (e.g., the building or location).
  • Where the data is logically housed (e.g., the electronic location within a server).
  • Whether encryption is applied to the data in transit (i.e., when it is moving). If it is, what encryption standard is being used?[36]
  • Whether encryption is applied to the data at rest (i.e., when it is being stored). If it is, what encryption standard is being used?[37]
  • The custodian of the data (i.e., who is responsible for it).
  • Who has access within the organization to the data.
  • Who has access outside of the organization to the data.
  • Whether the data crosses national boundaries.
  • The retention schedule (if any) applied to the data.[38]
  3. Review IT service provider contracts for adequate data protection provisions. The Toh-Shi enforcement actions suggest that one way an organization can protect itself against a possible enforcement action is to include adequate data protection measures in service provider contracts.

Consider adding the following provisions:

  • Limitations to the use of personal data.
  • Breach notification requirements.
  • Representations, warranties and covenants relating to data privacy and security.
  • Indemnification obligations.
  • Compliance with applicable data protection laws.
  • Data transfer limitations.
  • Audit or monitoring rights.
  • List of certain IT technical safeguards (i.e., encryption standard, access control).
  • Data maintenance/deletion obligations.
  4. Request that IT service providers complete a security questionnaire. Proactively requiring a service provider to complete a security questionnaire may spare an organization the headache of selecting a provider that lacks adequate security procedures, and hence lowers the risk of a data breach.

When drafting a security questionnaire, consider the following:

  • Designated employee responsible for overseeing security program.
  • Procedures for appropriately destroying documents with sensitive information.
  • Encryption standards for mobile devices.
  • Encryption standards for transmitting sensitive information.
  • Employee training.
  • Data breach incident response.
  • Vendor management process.
  • Process for provisioning user access.
  • Process for de-provisioning user access.
  • Disciplinary measures for security violations.
  5. Conduct data security/privacy training for employees. Security and privacy training helps employees recognize issues earlier and may prevent more serious security incidents.
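The password-handling findings discussed above (K-Box’s missing password policy, Finantech’s weak administrative password, and the PDPC’s caution in note [36] against relying on MD5 alone) come down to one engineering choice: how a password is stored. The following Python is an added example, not code from any of the decisions or from the PDPC. It shows why an unsalted, fast hash such as MD5 lets an attacker who obtains the password table recover passwords with a single precomputed lookup, and the salted, iterated alternative (PBKDF2-HMAC-SHA256 from the standard library) that defeats that lookup. The user names, passwords, and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed dictionary of common passwords an attacker would try first.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "singapore1"]

# PBKDF2 work factor. An assumed value for illustration; tune it so that one
# verification costs a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The weak scheme: a single fast, unsalted MD5 digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Attacker side: hash each candidate once. With no salt, the same digest
    matches every user, in every leaked table, that chose that password."""
    return {md5_unsalted(p): p for p in candidates}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """Attacker side: recover passwords by dictionary lookup; no per-user hashing."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def hash_password(password: str, salt=None) -> str:
    """Hardened scheme: random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    Salt and iteration count are stored with the derived key so the work
    factor can be raised later without breaking existing records."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record; never fall back to MD5
    try:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), parts[3])


def demo() -> dict:
    """Constructed leaked table of three users stored with unsalted MD5, the way
    a CMS might have stored them, then the same password stored the hardened way."""
    leaked = {
        "alice": md5_unsalted("password"),
        "bob": md5_unsalted("singapore1"),
        "carol": md5_unsalted("Tr0ub4dor&3"),  # not in the attacker's dictionary
    }
    cracked = crack_unsalted(leaked, build_lookup_table(COMMON_PASSWORDS))

    # The same password for two users now yields two different records.
    rec_alice = hash_password("password")
    rec_dave = hash_password("password")

    return {
        "cracked": cracked,
        "records_differ": rec_alice != rec_dave,
        "correct_accepted": verify_password("password", rec_alice),
        "wrong_rejected": not verify_password("Password", rec_alice),
        "legacy_rejected": not verify_password("password", leaked["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points matter here. The per-user salt means an attacker must redo the work for every account rather than once for the whole table, and the stored iteration count lets the work factor be raised over time, which is the kind of "keep software and controls current" measure the K-Box decision faulted the company for neglecting.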

For good reason, Singapore is one of the most popular places for multinational companies to establish their APAC headquarters. With a strong rule of law, Singapore takes enforcement of its laws seriously, and the PDPA is no exception. The rising number of PDPC enforcement actions shows the country’s intention to enforce the PDPA. While the fines levied by the PDPC for non-compliance have been relatively modest, that figure does not capture the time and reputational costs of a PDPC investigation. Entities operating in Singapore would be wise to bring their practices into compliance with the PDPA and to pay close attention to the PDPC’s actions and public statements.

[1] PricewaterhouseCoopers, The Preferred Asian HQ Location (January 28, 2015), available at http://www.pwc.com/sg/en/singapore-budget-2015/budget-2015-01.html.

[2] Personal Data Protection Act 2012, Sections 28-30, https://www.pdpc.gov.sg/legislation-and-guidelines/legislation; http://statutes.agc.gov.sg/aol/search/display/view.w3p;ident=566a39d6-31e9-44fa-8bb7-2d5bf3c8389a;page=0;query=DocId%3Aea8b8b45-51b8-48cf-83bf-81d01478e50b%20Depth%3A0%20Status%3Ainforce;rec=0#pr28-he-.

[3] Personal Data Protection Commission, Advisory Guidelines on Enforcement of the Data Protection Provisions, (April 21, 2016), https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines-on-enforcement/advisory-guidelines-on-enforcement-of-dp-provisions-(210416).pdf?sfvrsn=2.

[4] Id. at Section 2.

[5] Id. at Sections 15.3 and 25.

[6] Government of Singapore, PDPC Takes Action Against 11 Organizations for Breaching Data Protection Obligations (April 21, 2016), https://www.pdpc.gov.sg/docs/default-source/media/media-release-for-dp-enforcement-action-(25-apr-2016)(clean).pdf?sfvrsn=0.

[7] Id.

[8] Id.

[9] Section 24 of the PDPA.

[10] Decision of the Personal Data Protection Commission, K Box Entertainment Group Pte. Ltd. and Finantech Holdings Pte. Ltd., [2016] SGPDPC 1, Section 44 (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—k-box-entertainment-(210416).pdf?sfvrsn=4.

[11] Id. at Section 2.

[12] Id. at Section 3.

[13] Id. at Section 30.

[14] Id. at Sections 26 to 29.

[15] Id. at Section 5.

[16] Id. at Section 39.

[17] See Personal Data Protection Commission list of Data Protection Enforcement Cases at https://www.pdpc.gov.sg/commissions-decisions (last accessed November 18, 2016).

[18] Id.

[19] See Decision of the Personal Data Protection Commission, Aviva Ltd. and Toh-Shi Printing Singapore Pte. Ltd., [2016] SGPDPC 15, (September 21, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision-aviva-ltd-and-toh-shi-printing-singapore-(210916).pdf?sfvrsn=0; Decision of the Personal Data Protection Commission, Central Depository (PTE) Limited and Toh-Shi Printing Singapore Pte. Ltd., [2016] SGPDPC 11, (July 21, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—toh-shi-(210716).pdf?sfvrsn=4.

[20] [2016] SGPDPC 15 at Section 4; [2016] SGPDPC 11 at Section 3.

[21] [2016] SGPDPC 15 at Section 8; [2016] SGPDPC 11 at Section 7.

[22] [2016] SGPDPC 15 at Section 34.

[23] [2016] SGPDPC 15 at Section 28; [2016] SGPDPC 11 at Section 18.

[24] [2016] SGPDPC 1, at Section 39.

[25] See generally, [2016] SGPDPC 1.

[26] Id. at Sections 9 to 12.

[27] [2016] SGPDPC 15 at Section 4; [2016] SGPDPC 11 at Section 3.

[28] See [2016] SGPDPC 1 at Section 12; see also [2016] SGPDPC 15 at Section 27 and [2016] SGPDPC 11 at Section 17.

[29] [2016] SGPDPC 15 at Section 38.

[30] See Singapore Government Directory for a list of Personal Data Protection Commission employees, https://www.gov.sg/sgdi/ministries/mci/statutory-boards/imda/departments/pdpc (last accessed November 18, 2016).

[31] Of the 18 individuals listed on the Singapore Government Directory, we found 13 of the individuals on LinkedIn. The information was based on a review of their LinkedIn profiles on November 18, 2016.

[32] See Personal Data Protection Commission list of Data Protection Enforcement Cases at https://www.pdpc.gov.sg/commissions-decisions (last accessed November 18, 2016).

[33] Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (July 15, 2016), https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines/advisory-guidelines-on-key-concepts-in-the-pdpa-(15july16).pdf?sfvrsn=2.

[34] Id. at Section 17.

[35] Decision of the Personal Data Protection Commission, Metro Pte Ltd., [2016] SGPDPC 7, (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—metro-(210416).pdf?sfvrsn=2.

[36] In a recent enforcement action, the PDPC cautioned against relying solely on the MD5 hash function to protect stored passwords (MD5 is a hash function, not an encryption algorithm, and is fast enough that unsalted digests can be reversed by lookup); see Decision of the Personal Data Protection Commission, Fei Fah Medical Manufacturing Pte Ltd., [2016] SGPDPC 3 (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—fei-fah-medical-manufacturing-(210416).pdf?sfvrsn=2.

[37] Id.

[38] Zetoony, David, Data Privacy and Security: A Practical Guide for In-House Counsel, Pg. 2-3, May 2016.

Knowing Where You Are, When You Are: Creepy or competitive? The privacy and security issues involved with geo-location tracking

Smartphones, smartphone apps, websites, and other connected devices (e.g., “wearables”) increasingly request that consumers provide their geo-location information.  Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, zip code, or precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates. …

Video Viewing Information: A How-To Guide

The Video Privacy Protection Act (“VPPA”) was passed in 1988 in reaction to a fear that people other than a consumer and a video rental store could collect information on a consumer’s video rental history. This was not an academic concern at the time. Immediately prior to the passage of the VPPA, Judge Robert Bork, who had been nominated to the Supreme Court, had his video rental history published by a newspaper that was investigating whether he was fit to hold office. …

Practical Data Security Takeaways from Australia’s Recent Privacy Determination

The Privacy Act of 1988 (Privacy Act), which includes the 13 Australian Privacy Principles (APPs), is Australia’s federal law regulating the collection, use, and disclosure of personal information. Recently, the Office of the Australian Information Commissioner (OAIC) has stepped up its enforcement of the Privacy Act. This article reviews OAIC’s recent privacy determinations and discusses practical data security related takeaways that can help companies ensure compliance. …

Online Behavioral Advertising: A How-To Guide

Behavioral advertising refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a company’s website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the company’s website, so that those individuals can be monitored across a behavioral advertising network. …

Social Media Privacy Concerns: A How-To Guide

The majority of organizations utilize social media to market their products and services, interact with consumers, and manage their brand identity.  Many mobile applications and websites even permit users to sign-in with their social media accounts to purchase items or use the applications’ services.

While using third party social media websites has significant advantages for businesses, it also raises distinct privacy concerns.  Specifically, the terms of use that apply to social media platforms may give the platform the right to share, use, or collect information concerning your business or your customers.  To the extent that the social media platform’s privacy practices are not consistent with the practices of your own organization, they may contradict or violate the privacy notice that you provide to the public. …

Employee Monitoring: A How-To Guide

Federal laws prohibit the interception of another’s electronic communications, but these same laws have multiple exceptions that generally allow employers to monitor employees’ email and internet use on employer-owned equipment or networks. As a result, under federal law, when private-sector employees use an organization’s telephone or computer system, monitoring their communications is broadly permissible, though there may be exceptions once the personal nature of a communication is determined. For example, under the National Labor Relations Act, employers cannot electronically spy on certain types of concerted activity by employees about the terms and conditions of employment. …

Employer Privacy Policies: A How-To Guide

In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees. Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees. New York adopted a similar statute. Several other states – Connecticut, Massachusetts, and Texas – have statutes mandating the establishment of privacy policies that could also apply in the employer-employee context. …

Privacy Certifications and Trustbrands: A How-To Guide

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. …

Data Protection Officers: A Comparison of US Law, EU Law, and Soon-to-be-EU Law

Although organizations in the United States have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure and, in some cases, one, or more, dedicated employees. While in some organizations “data privacy” and “data security” falls within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues. There is little commonality in how these offices are staffed, funded, or organized. For example, while some organizations have “Chief Privacy Officers” or “Chief Information Technology Officers” that report directly to senior management, other organizations have privacy officers that report through a General Counsel or to a Chief Compliance Officer. …

Mobile App Privacy Policies: A How-To Guide

Many of the most popular mobile apps collect personally identifiable information. Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the websites that market most major mobile device applications (e.g., the Apple Store, or Google Play). In addition, the California Attorney General has taken the position that applications that collect personal information are required to post a privacy policy pursuant to the CalOPPA discussed in the previous section. …

Collecting Information From Children In The EU: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes.

Social Security Number Privacy Policies: A How-To Guide

Social Security Numbers (“SSN”) were originally established by the Social Security Administration to track earnings and eligibility for Social Security benefits. Because a SSN is a unique personal identifier that rarely changes, federal agencies use SSN for purposes other than Social Security eligibility (e.g., taxes, food stamps, etc.). In 1974, Congress passed legislation requiring federal agencies that collect SSN to provide individuals with notice regarding whether the collection was mandatory and how the agency intended to use the SSN. [1] Congress later barred agencies from disclosing SSN to third parties. Federal law does not, however, regulate private-sector use of SSN. …

Privacy Certifications and Trustbrands In the EU: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States, privacy certifications, or “trustbrands,” are seals licensed by organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. Certifications or trustbrands, however, are voluntary in nature, and, for the most part are not offered by government agencies and companies are not required to obtain them. …

Seeing the Silver Lining: 4 Positive Aspects of GDPR for Businesses

Since the General Data Protection Regulation (GDPR) was proposed, IT professionals, lawyers, and consultants have been talking about the potentially game-changing effect that it may have on businesses around the world. Similar to how US citizens in the 1950s and 60s were trained to prepare for a nuclear war, the vast majority of articles and presentations on GDPR relate to how one should prepare for a potential doomsday scenario. The looming risks and challenges of GDPR are real and daunting. Among other things, the regulation has a far-reaching territorial scope, may require companies to appoint a Data Protection Officer, and encourages the incorporation of Data Protection Impact Assessments into an amended privacy program. However, there is a silver lining for almost everything, and GDPR compliance is no exception. This article discusses four “silver lining” benefits of GDPR as compared to the current data protection scheme in Europe.

Harmonization of EU privacy laws

One of the biggest complaints from companies operating in Europe is that they have to monitor and comply with the laws of 28 different countries. Under the EU Directive 95/46/EC (“EU Directive”), data privacy laws are essentially addressed at the member state level. To put it another way, the EU Directive provides a framework for EU countries to develop and maintain their own privacy rules and regulations. As a result, current data privacy law is essentially a patchwork of different laws from various member states, which often leads to uncertainty for businesses and their EU-based clients, as well as substantial costs associated with compliance efforts.

Except for employment or national security-related privacy matters, GDPR will allow companies to focus on one all-encompassing, uniform set of data privacy regulations. This has the potential to help small- to mid-sized companies operating in or collecting information from EU residents. Rather than deciding between “full” compliance, which involves spending significant amounts on legal fees and relying on subjective analyses of various EU member state laws, or rolling the dice with non-compliance in certain EU countries, GDPR may permit companies to save costs and reduce risk by following a uniform set of rules that apply to the entire European Union.

Lead authority one-stop shop

Under the aforementioned EU Directive, there are over 20 different privacy regulations that a company operating in Europe must comply with. Although the EU Directive created a mechanism that was designed to facilitate communication between member state data protection authorities, investigations and enforcement actions are often done separately by various member states.

While companies would have preferred a system in which one single privacy regulator has exclusive competence over regulation, GDPR allows companies to deal with one “lead authority” in the company’s place of main establishment. Various state data protection authorities will still have the ability to investigate and enforce data protection issues if a complaint is directed to them, but they must notify the lead authority of their intention to investigate or take action.

The lead authority will then have three weeks to determine whether it wishes to intervene and operate in a joint manner. While there are other nuances and exceptions, as a whole, GDPR’s designation of a lead authority has the potential to effectively promote various countries to work together on enforcement and investigation matters in a predictable and efficient manner, allowing companies to focus time, energy, and resources on dealing with one regulator.

Data breach reporting

The United States does not have a general federal breach reporting statute. Instead, most US states have their own data breach reporting rules and regulations. The current EU Directive also does not contain a general data breach-reporting obligation. Rather, data breach reporting requirements are determined by each member country. Some member states, like Germany and the Netherlands, have implemented data breach reporting obligations, while other countries, such as the United Kingdom, Denmark, and Ireland, have not. GDPR introduces a general obligation to report data breaches. GDPR Article 33(1) states that the breached entity must, without undue delay, notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

GDPR’s breach notification requirement may be advantageous to most companies. Similar to the burden of keeping track of changes in breach reporting statutes in the United States, the current EU Directive creates a burden upon companies to keep track of the breach reporting statutes of each member country. For in-house counsel, contract negotiation over data breach provisions can be lessened and streamlined by virtue of the vendor company providing detailed data breach reporting provisions in its standard contracts as a component of GDPR compliance. Furthermore, a data breach is often hectic. In addition to keeping up with breach reporting regulations, breached companies also have to deal with contractual liability, PCI-DSS issues, and internal business/PR issues. Having to report to only one supervisory authority rather than figuring out which member states to report to saves time and energy for in-house counsel, particularly for smaller in-house departments. GDPR allows companies to have one all-encompassing EU data breach response plan.

Competitive advantage for GDPR compliant US entities

Compliance with GDPR, in addition to the cost and time savings mentioned above, can also serve as a competitive advantage in the US marketplace. Although not directly applicable in the context of a US-based customer company in most cases, a vendor company has the optical advantage of boasting its compliance with more stringent data privacy regulations in the form of GDPR than required under US law. This engenders trust in the vendor, and provides the customer company with the tangible benefits of transparency, privacy, and security with respect to the vendor’s treatment of the customer’s data. Customer companies are increasingly seeking to rely upon their vendors’ regulatory compliance as part of their overall compliance policies, and vendors that comply with GDPR support furthering those initiatives.

Guidelines for Facial Recognition Technology

Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting). …

Companies Perceived By FTC As Emerging Threats

As discussed in the previous section, the FTC collects complaints about organizations that allegedly violate the data privacy, data security, advertising, and marketing laws. Each month the FTC’s Division of Planning and Information (“DPI”) creates a “Surge” report that identifies those organizations with the greatest increase in consumer complaint volume. For each organization listed, the report indicates the quantity of complaints received in the past two months, the jurisdiction in which the organization is based, and a summary of the complaints filed. …

Guidelines for Collecting Information From Children: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes. …

Guidelines for Privacy Certifications and Trustbrands

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. …

Guidelines for Data Maps and Data Inventories

Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data map” or a “data inventory.” Although the questions that a data map tries to solve are relatively straightforward, the process of conducting a data map can be daunting depending upon the size and structure of an organization. In addition, it is important to remember that data constantly changes within an organization. As a result, organizations must consider how often to invest the time to conduct a data map and, once invested, how long the information will be useful. …

How to Avoid Risk When Renting, Selling or Streaming Video Content

The Video Privacy Protection Act (“VPPA”) was passed in 1988 in reaction to a fear that people other than a consumer and a video rental store could collect information on a consumer’s video rental history. This was not an academic concern at the time. Immediately prior to the passage of the VPPA, Judge Robert Bork, who had been nominated to the Supreme Court, had his video rental history published by a newspaper that was investigating whether he was fit to hold office. …

Companies Perceived By The FTC as Top Violators

As discussed in the previous section, the FTC collects complaints about organizations that allegedly violate the data privacy, data security, advertising, and marketing laws.

Each month the FTC’s Division of Planning and Information (“DPI”) creates a “Top Violators” report that ranks the fifty organizations with the greatest volume of consumer complaints in that month. The report indicates whether each organization listed was included in the previous month’s report, whether its rank has changed, and the number of complaints received by the FTC that month. For organizations that are new to the report, DPI reviews their complaints and summarizes the issue, or issues, that have been raised by consumers. …

Guidelines for Email Marketing in Canada (CASL)

On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (“CASL”) came into force. [1] These provisions generally prohibit the sending of a Commercial Electronic Message (“CEM”) without a recipient’s express consent, and unless the CEM contains certain prescribed sender identification information and an effective unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law. The primary enforcement agency for CASL is the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC has several compliance tools to enforce CASL, including the issuance of Administrative Monetary Penalties (AMPs) against individuals and organizations that have violated CASL’s provisions. …

Organizing Data Privacy Within A Company

Although organizations have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure, dedicated employees, and/or dedicated resources. While in some organizations “privacy” falls within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues and that report to a Chief Privacy Officer (“CPO”). There is little commonality in how these offices are staffed, funded, or organized. For example, while some CPOs report directly to senior management, others report through a General Counsel or a Chief Compliance Officer. …

How to Respond To Third Party (Non-Government) Civil Subpoenas And Document Requests That Ask For Personal Information

Litigants in a civil dispute often use subpoenas, subpoenas duces tecum, and discovery requests to obtain personal information about individuals who may not be present in the litigation. A request for documents and information that include personal information about third parties may conflict with legal obligations imposed upon an organization not to produce information. For example, if an organization promises within its privacy policy that it will never share personal information with a “third party,” and does not include an exception for requests made in civil litigation or through judicial process, a consumer could argue that by producing information pursuant to a subpoena or discovery request an organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law. …

How to Respond to Government Subpoenas and Document Requests That Ask for Personal Information

Federal and state agencies traditionally obtain information for law enforcement purposes using a variety of methods including:

  • court issued subpoenas,
  • grand jury subpoenas,
  • search warrants,
  • litigation discovery requests, and
  • administrative subpoenas. [1]

A request by a government agency for personal information about one, or more, consumers may conflict with consumers’ expectations of privacy, and, in some instances, may arguably conflict with legal obligations imposed upon an organization not to produce information.  For example, if an organization promises within its privacy policy that it will never share the information that it collects with a “third party” and does not include an exception for requests from law enforcement, or government agencies, a consumer could argue that by producing information pursuant to a government request, an organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law. …

The Dispute Resolution Mechanisms Under the Privacy Shield (Part 2 of 2)

What Happens if I Join Privacy Shield and an Employee Submits a Complaint? (Part 2 of 2)

The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions we have received concerning how the Privacy Shield will function in practice.

One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but each method is not open to every person (in EU parlance, a “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission). Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee.

In our fifth installment, we provided a roadmap of the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. In this sixth installment, we provide a similar roadmap for the ways in which an employee might file a complaint against an employer.

Click here to view a roadmap for the ways in which an employee might file a complaint against an employer.

The Dispute Resolution Mechanisms Under the Privacy Shield (Part 1 of 2)

What Happens if I Join Privacy Shield and Someone Submits a Complaint? (Part 1 of 2)

The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions that we have received concerning how the Privacy Shield will function in practice.

One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but each method is not open to every person (in EU parlance, every “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission).

Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee. In this fifth installment, we provide a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. Our next installment will provide a similar roadmap for the ways in which an employee might file a complaint against an employer.

Click here to view a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved.

A Side-By-Side Comparison of “Privacy Shield” and the Controller-Controller Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission pre-approved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is under the scope of “Binding Corporate Rules,” or (3) has entered the EU-US Safe Harbor Framework.

Most data controllers that were based in the US complied with the Directive by entering the pre-approved controller-controller model clauses or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-controller model clauses; the use of those clauses became far and away the most popular way to comply with the Directive if you were a data controller.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history, and implementation, of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-by-side comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons has already included a Privacy Shield/Safe Harbor side-by-side comparison and a Privacy Shield/Controller-Processor Clauses side-by-side comparison.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Controller Model Clauses.

A Side-By-Side Comparison of “Privacy Shield” and the Controller-Processor Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission pre-approved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is under the scope of “Binding Corporate Rules,” or (3) has entered the EU-US Safe Harbor Framework.

Most data processors (e.g., service providers) that were based in the US complied with the Directive by entering into the pre-approved controller-processor model clauses or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-processor model clauses; the use of those clauses became far and away the most popular way to comply with the Directive.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history, and implementation, of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-by-side comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons started with a Privacy Shield/Safe Harbor comparison published here.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Processor Model Clauses.


A Side-by-Side Comparison of “Privacy Shield” and the “Safe Harbor”

More than 5,000 companies had taken advantage of the now defunct U.S.-EU Safe Harbor Framework. Those companies are now considering whether to join the newly approved “Privacy Shield,” and are trying to understand the difference between the old and new framework. As they do, these companies are faced with many questions: How does the Privacy Shield differ from Safe Harbor? Can you rely on the Model Clauses? Or would it make more sense to join the Privacy Shield? If so, what do you need to do to join?

To supplement our earlier publication, we have prepared a side-by-side comparison of the invalidated Safe Harbor and the new Privacy Shield. Over the next week, we will be publishing similar comparisons between Privacy Shield and other adequacy methods including the model controller-controller clauses and the model controller-processor clauses. If you would like to receive those comparisons, please register at www.bryancavedatamatters.com.

Click here to view the side-by-side comparison of the Safe Harbor and the Privacy Shield.


Privacy Shield Finalized – How Everyone Can Take Advantage of the New European Data Transfer Framework

Background

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU Member State.  The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed.  Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection.  As a result, if a company intended to transfer personal data from the EU to the U.S., it traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….


Does Your Organization Collect Geo-Location Information?

Smartphones, smartphone apps, websites, and other connected devices (e.g., “wearables”) increasingly request that consumers provide their geo-location information.  Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, or zip code, or to precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates.

Organizations request geo-location information for a variety of reasons.  For example, many apps – such as transportation or delivery services – require geo-location in order to provide services that are requested by the consumer.  Other apps – such as mapping programs, coupon programs, or weather programs – require geo-location information in order to provide consumers with useful information.  Because such information has become intertwined, in many cases, with products and services, some organizations require the user to “Accept” or “Agree” to the collection of geo-location information as a condition to using a device, application, or website….


How to Comply with the Children’s Online Privacy Protection Act (COPPA)

There are relatively few restrictions on collecting information from children offline. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information; post a specific form of privacy policy that complies with the statute; safeguard the information that is received from a child; and give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as online games or sweepstakes….


What to Consider When Drafting or Reviewing a Privacy Policy

Although financial institutions, health care providers, and websites directed to children are required to create consumer privacy policies under federal law, other types of websites are not.  In 2003, California became the first state to impose a general requirement that most websites post a privacy policy.  Under the California Online Privacy Protection Act (“CalOPPA”), all websites that collect personal information about state residents must post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family, or household purposes.1 Since the passage of the CalOPPA, most websites that collect information – whether or not they are directed at California residents or are otherwise subject to the CalOPPA – have chosen to post an online privacy policy….


What to Consider When Purchasing a Privacy Certification

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy.  The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party.  Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes….


Understanding How the FTC Tracks Privacy Complaints

The FTC collects complaints about companies that allegedly violate the data privacy, data security, advertising, and marketing laws. The result is a massive database of consumer complaints known as “Consumer Sentinel” that is used by the FTC and other consumer protection regulators to identify and investigate enforcement targets.

Regulators can use Consumer Sentinel to search for complaints on any company. They can also request that the database alert them to new complaints about an organization, or connect them with other law enforcement agencies that might have an interest in investigating the same organization. In addition to these functionalities, the FTC also creates a “Top Violator” report and a “Surge” report that track those organizations that the FTC believes may have a suspicious pattern of consumer complaints.1 The end result is that the vast majority of FTC enforcement actions target companies identified within the FTC’s database….


Recommendations for Evaluating Your Organization’s Use of Social Media

The majority of organizations use social media to market their products and services, interact with consumers, and manage their brand identity. Many mobile applications and websites even permit users to sign in with their social media accounts to purchase items or use the applications’ services.

While using third party social media websites has significant advantages for businesses, it also raises distinct privacy concerns. Specifically, the terms of use that apply to social media platforms may give the platform the right to share, use, or collect information concerning your business or your customers. To the extent that the social media platform’s privacy practices are not consistent with the practices of your own organization, they may contradict or violate the privacy notice that you provide to the public….


How to Pass Data Between Retailers to Facilitate Transactions

Online retailers often learn information about a consumer that may be used to help identify other products, services, or companies that may be of interest to the consumer. For example, if a consumer purchases an airplane ticket to Washington, D.C., the consumer may want information about hotels, popular restaurants, or amenities at the airport.

Although online retailers often strive to provide recommendations quickly, and to make a consumer’s transition to a third party retailer seamless, the Restore Online Shoppers’ Confidence Act (“ROSCA”) generally prohibits one online merchant from transferring payment information (e.g., a credit card number) to a second online merchant…

FCC Proposes Indiscriminate PII Definition in Privacy NPRM

In addition to a bothersome “breach” definition, the Federal Communications Commission (“FCC”), in its April 1, 2016 Notice of Proposed Rulemaking (“NPRM”) concerning ISP privacy regulation, proposes a sweeping definition of personally identifiable information (“PII”). The definition is broad enough to cover virtually every piece of information about an individual. Despite the FCC’s legally necessary finding that ISPs are “common carriers” required to transmit information without undue discrimination, the FCC seems not to have carefully considered an ISP’s unique and limited role in facilitating the exchange of information between and among consenting communicators….


Privacy Issues to Consider When Developing a Mobile App (2016)

Many of the most popular mobile apps collect personally identifiable information. Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the websites that market most major mobile device applications (e.g., the Apple Store or Google Play). In addition, the California Attorney General has taken the position that applications that collect personal information are required to post a privacy policy pursuant to the CalOPPA….


How to Prepare for the Next Round of HIPAA Audits

Nearly two years after the Office of Civil Rights (“OCR”) first announced its preparation for another round of HIPAA audits, Phase II of OCR’s HIPAA audit program is finally underway.

On March 21, OCR began emailing various types of entities to verify their e-mail addresses and contact information.  OCR acknowledged that its email communication may be treated by email filters as spam, but has advised that it expects entities to check their junk or spam email folder for emails from OCR. Recipients have 14 days to verify their email address or provide OCR with updated primary and secondary contact information….


FCC Proposes Bothersome Breach Definition in Privacy NPRM

On April 1, 2016 the Federal Communications Commission (“FCC”) released its Notice of Proposed Rulemaking (“NPRM”) concerning privacy regulation of internet broadband service providers (“ISPs”). The NPRM proposes, among other things, an expansive and vexing definition of “breach.” If not modified, the definition would require notices to customers, the FCC and the FBI of even trivial internal employee access to customer information….

The Top Three Privacy Takeaways of the New Delaware Online Privacy and Protection Act

Delaware’s New Privacy Policy Requirements

Effective January 1, 2016, Delaware became the second state in the U.S., joining California, to require operators of commercial websites that collect personally identifiable information to post online privacy policies. The Delaware Online Privacy and Protection Act (DOPPA) applies to anyone who operates a “commercial internet website, online or cloud computing service, online application, or mobile application.”…


How to Comply with the CAN-SPAM Act (2016)

Email is ubiquitous in modern life with billions of emails – wanted and unwanted – sent each day. Since its enactment in 2003, the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier. When followed, CAN-SPAM Act’s restrictions give email recipients some control over their inboxes and also maintain fairness in how emails present themselves. Failure to follow the CAN-SPAM Act can lead to penalties of up to $16,000 per violation….


Insurance Coverage and the Telephone Consumer Protection Act

The past several years have seen an explosion in class action cases brought under the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227.  The TCPA generally restricts telemarketing phone calls and the use of automated telephone equipment.  Most of the reported court opinions involve financial services companies which send numerous messages by fax machine or SMS texts to cell phones….


Privacy Regulation Regime Change: Bad or Good for ISPs?

The Federal Communications Commission (“FCC”) is on the verge of proposing new federal privacy regulations for internet broadband service providers (“ISPs”). ISPs were previously policed by the Federal Trade Commission (“FTC”). The FCC’s rulemaking is an outgrowth of its determination last year that wireline and wireless ISPs are telecommunications common carriers subject to Title II of the Communications Act, including the privacy provisions in Section 222 thereof. That determination, which is still under attack in court, effectively moved ISPs from FTC to FCC jurisdiction. ISPs will soon be forced to grapple with the details of a proposed FCC privacy regulatory scheme that has already been broadly outlined in a “Fact Sheet” released by the FCC. The FCC will fully unveil its specific proposals in a formal Notice of Proposed Rulemaking (“NPRM”) scheduled for an FCC vote on March 31….


Privacy Shield Released – How Employers Can Take Advantage of the New European Data Transfer Framework (2016)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company or employer intended to transfer personal data from the EU into the U.S., they traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….


At A Glance: De-Identification, Anonymization, and Pseudonymization (2016)

De-identification of data refers to the process used to prevent personal identifiers from being connected with information. The FTC indicated in its 2012 report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers that the FTC’s privacy framework only applies to data that is “reasonably linkable” to a consumer.1 The report explains that “data is not ‘reasonably linkable’ to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.”2

Understanding Social Security Number Privacy Policies (2016)

Social Security Numbers (“SSN”) were originally established by the Social Security Administration to track earnings and eligibility for Social Security benefits. Because a SSN is a unique personal identifier that rarely changes, federal agencies use SSN for purposes other than Social Security eligibility (e.g., taxes, food stamps, etc.). In 1974, Congress passed legislation requiring federal agencies that collect SSN to provide individuals with notice regarding whether the collection was mandatory and how the agency intended to use the SSN.1  Congress later barred agencies from disclosing SSN to third parties. Federal law does not, however, regulate private-sector use of SSN….


What to Consider When Using Fingerprint Identification Technology (2016)

Fingerprint identification technology uses fingerprints to uniquely identify individuals. The technology has been used by law enforcement agencies for decades, and dozens of statutes regulate when government agencies may collect fingerprints, how they are permitted to use them, and with whom they can be shared….

How to Obtain EU Binding Corporate Rules (BCR) Approval (2016)

The following provides background concerning the approved Binding Corporate Rules (“BCR”) procedure. BCRs are internal privacy rules and standards that allow multinational groups of companies to transfer personal data within their group of companies, including to corporate affiliates outside of the EU. In order to obtain approval of a BCR, a company’s privacy policy has to demonstrate that it ensures an adequate level of data protection and the respective safeguards under EU law. BCRs are an internal tool only and do not allow for any data transfers outside of a corporate group…

Privacy Shield: Safe Harbor 2.0? (2016)

As negotiators for the US Department of Commerce (“DOC”), Federal Trade Commission (“FTC”), and the European Commission move toward an agreement intended to allow continued US-EU data transfers, a closer look at the history of “Safe Harbor” and the proposed “Privacy Shield” framework leaves some questions unanswered.

Safe Harbor Invalidation
Under EU Data Protection Directive 95/46/EC (the “Directive”), personal data controlled in the EU may be transferred to countries outside the EU only when an “adequate level of protection” is guaranteed. From 2000 to 2015, thousands of companies achieved this adequacy status through the US-EU “Safe Harbor” framework, an annual certification process approved by the European Commission and made available to US companies subject to the jurisdiction of the FTC or Department of Transportation….

How to Use the EU Model Clauses (2016)

The EU Commission has created model contracts for data transfers (the “Model Contracts”) and determined that organizations which use the Model Contracts offer sufficient safeguards for cross-border data transfer as required by the Directive.

The EU Commission has issued three Model Contracts: two for transfers from data controllers to data controllers established outside the EU, and one for transfers to a data processor outside the EU.1 Once a company decides to use the model clauses, three steps must be followed in order to put those clauses into place so that they support the transfer of information out of the EU. The following provides a high level overview of how to implement a Model Contract…


Rules on Monitoring an Employee’s Private Internet Use at Work: A New ECHR Decision

In a decision rendered on January 12, 2016, the European Court of Human Rights (“ECHR”) held that the dismissal of an employee for having used his professional email account for personal purposes during working hours did not violate Article 8 of the European Convention on Human Rights1.

The applicant, a Romanian national, was employed by a private company from 2004 to 2007 as an engineer in charge of sales. At the employer’s request, he created a Yahoo Messenger account to respond to client enquiries. In July 2007, the employee was informed by his employer that his Yahoo Messenger account had been monitored for a week and that the records showed he had used the account for personal purposes, whereas the company’s internal regulations expressly prohibited the use of company devices (e.g., computers, telephones) for personal purposes….

Understanding EU-US Safe Harbor Framework and Its Validity (2016)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. …

How to Conduct a Data Inventory (2016)

Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data map” or a “data inventory.”  Although the questions that a data map tries to solve are relatively straightforward, the process of conducting a data map can be daunting depending upon the size and structure of an organization . . .

Best Practices for Handling Vehicle Event Data Recorders (2016)

Event data recorders, also known as “black boxes” or “sensing diagnostic modules,” capture information such as the speed of a vehicle and the use of a safety belt. In the event of a collision this information can be used to help understand how the vehicle’s systems performed.  In December of 2012, the National Highway Traffic Safety Administration proposed a rule that would require automakers to install event data recorders in all new light passenger vehicles. . .

Data Privacy Recommendations For Crafting Employee Monitoring Policies (2016)

Federal laws prohibit the interception of another’s electronic communications, but these same laws have multiple exceptions that generally allow employers to monitor employees’ email and internet use on employer-owned equipment or networks. As a result, under federal law, when private-sector employees use an organization’s telephone or computer system, monitoring their communications is broadly permissible, though there may be exceptions once the personal nature of a communication is determined. Also, under the National Labor Relations Act, employers cannot electronically spy on certain types of concerted activity . . .

Evaluating Data Privacy and Security Issues of Self-Driving Vehicles (2016)

Self-driving cars, or autonomous vehicles, may be the greatest disruptive innovation to travel that we have experienced in a century. A fully-automated, self-driving car is able to perceive its environment, determine the optimal route, and drive unaided by human intervention for the entire journey. Self-driving cars have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel. However, obstacles remain for the full implementation of the technology including the need to reduce public fear, increase reliability, and create adequate regulations . . .

Best Practices For Drafting Employee Privacy Policies (2016)

In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees. Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees . . .

Understanding The Responsibilities and Liabilities of Business Associates at a Glance (2015)

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of “Business Associates” and their responsibilities and liabilities.  Pursuant to HITECH and HIPAA Business Associates are required to . . .


Due Diligence in Mergers & Acquisitions At A Glance (2015)

The FTC has held acquirers responsible for the bad data security and privacy practices of the companies that they acquire.  Evaluating a potential target’s data privacy and security practices can be daunting and complicated . . .


BYOD At A Glance (2015)

Many companies permit their employees to use personal mobile devices, such as smartphones and tablets, to access company specific information, such as email.  Bring Your Own Device (“BYOD”) policies can be popular for employees that want to use their hand-picked device and for employers who avoid the cost of providing, and maintaining, company-owned devices. Nonetheless, the use of company data on noncompany devices implicates both security and privacy considerations . . .

Mobile App Privacy Policies At A Glance (2015)

Many of the most popular mobile apps collect personally identifiable information.  Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the platform for which the app will be marketed. . .

Asia and Data Protection: At A Glance (2015)

Europe has had data protection laws in place for over a decade.  In Asia, many countries have historically relied on constitutional law or sector based rules to protect personal data and, until recently, only a few countries had any form of consolidated data protection legislation…

CAN-SPAM An In-House Guide (2015)

Email is ubiquitous in modern life with billions of emails – wanted and unwanted – sent each day.  Since its enactment, the CAN-SPAM Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier. When followed, CAN-SPAM’s restrictions give . . .

Safe Harbor No More: What this means for Asian Companies

Last month in the Schrems case (Case C-362/14), the Court of Justice of the European Union (CJEU) ruled the Safe Harbor Framework invalid.   While Asian companies may not consider that they need to be concerned with the decision of the CJEU due to its reference to the export of personal data to the US, there may be wider ramifications arising from this decision which may have an impact on the methods used by companies in the EU to export data to Asian countries, as well as on the export of data by Asian companies to the US. . .

Behavioral Advertising At A Glance (2015)

Behavioral advertising refers to the use of information to predict the types of products or services of greatest interest to a particular consumer.  Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers . . .

Data Maps and Data Inventories At A Glance (2015)

Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of many data privacy and data security programs.  The process of answering these questions is often referred to as a data map or a data inventory.  Although the questions that a data map tries to solve are relatively straightforward, the process of conducting one can be daunting . . .

Document Retention and Collection Policies At A Glance (2015)

Data minimization can be a powerful – and seemingly simple – data security measure.  The term refers to retaining the least amount of personal information that is necessary in order for an organization to function. Less information means that there is less that the organization needs to protect, and less opportunity for information to be lost or stolen . . .


Collecting Information From Children At a Glance (2015)

There are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”)…

Advisory Board Calls for EU-US Safe Harbour Grace Period

The Article 29 Working Party — an independent data protection advisory board for the EU composed of representatives from the Member States — urgently called on the Member States to open discussions with US authorities in order to find legal and technical solutions that would replace the now-defunct EU-US Safe Harbour framework…

Geo-Location Tracking At A Glance (2015)

Smartphones, smartphone apps, websites, and other connected devices increasingly request that consumers provide their geo-location information.  Geo-location information can refer to general information about a consumer’s location, such as their city, state, or zip code, or to precise information that pinpoints the consumer’s location to within a few feet . . .

Restore Online Shoppers Confidence Act At A Glance (2015)

Online retailers often learn information about a consumer that may be used to help identify other products, services, or companies that may be of interest.  Although retailers strive to provide recommendations quickly, and to make a consumer’s transition to a third party retailer seamless, the Restore Online Shoppers’ Confidence Act (“ROSCA”) generally prohibits one online merchant from transferring payment information to another . . .

The Privacy Implications of Whistleblowing in the EU

Whistleblowing schemes were introduced in the EU as a result of the Sarbanes-Oxley Act (“SOX”) adopted by the US Congress in 2002 following various corporate financial scandals. SOX requires US companies and their EU-based subsidiaries to establish “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters [and] the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.1”  The implementation of whistleblowing schemes will, in most cases, lead to the collection, processing and transfer of personal data (e.g., the name of the accused person), which raises data privacy concerns . . .


Look Who’s Watching What! The Video Privacy Protection Act At A Glance

The Video Privacy Protection Act (“VPPA”) was passed in 1988 in reaction to a fear that people other than a consumer and a video rental store could collect information on a consumer’s video rental history.  It was not an academic concern at the time. Immediately prior to the passage of the VPPA, Judge Robert Bork, who had been nominated to the Supreme Court, had his video rental history published by a newspaper that was investigating whether he was fit to hold office . . .

The (ex) EU-US Safe Harbor At A Glance (2015)

On Tuesday, October 6, 2015, the European Court of Justice decided that the EU/US Safe Harbor regime for data transfers is no longer… safe.  Until now, companies exchanging data between the EU and the US could rely on the Safe Harbor regime, but with the decision that is no longer an option.  In addition, companies currently relying on Safe Harbor are scrambling to find alternative compliance strategies . . .

Credit Card Payment Processing Agreements At A Glance (2015)

Credit cards are the primary form of payment for most retailers.  In order to process credit cards a retailer must enter into an agreement with a bank and a payment processor.  Those agreements can be daunting and often have significant impacts on a retailer’s financial liability in the event of a data breach. Indeed, in many cases the contractual liabilities that flow from the credit card processing agreement surpass all other financial liabilities that arise from a breach, including litigation . . .

The Canadian Anti Spam Law (CASL) At A Glance (2015)

On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (CASL) came into force.  These provisions generally prohibit the sending of a Commercial Electronic Message (CEM) without the recipient’s express consent, and unless the CEM contains certain prescribed sender information and an unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law, however . . .


Facial Recognition Technology At A Glance (2015)

There is currently no federal statute that expressly regulates private-sector use of facial recognition technology. Nonetheless, the Federal Trade Commission (“FTC”), which has authority to prevent unfair and deceptive practices, has expressed interest in the privacy implications of facial recognition technology, has issued a set of best practices concerning its use, and has investigated companies that it believes violated those recommendations . . .


Self-Driving Cars At A Glance (2015)

Self-driving cars, or autonomous vehicles, may be the greatest disruptive innovation to travel that we have experienced in a century. A fully-automated, self-driving car is able to perceive its environment, determine the optimal route, and drive unaided by human intervention for the entire journey. Self-driving cars have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel. However, obstacles remain for the full implementation of the technology . . .


Vehicle Black Box Event Recorders At A Glance (2015)

Event data recorders, also known as “black boxes” or “sensing diagnostic modules,” capture information such as the speed of a vehicle and the use of a safety belt in the event of a collision, to help understand how the vehicle’s systems performed.  Fifteen states have passed statutes that discuss the privacy of the data that these devices collect . . .


Monitoring Employees At A Glance (2015)

Although federal law permits employers to monitor their employees’ email and internet use, some states require that notice be given to employees; other states place restrictions on how far the monitoring can extend to non-work related accounts . . .

Progress on EU Data Protection Reform At A Glance (2015)

A timeline has been established in the EU to find an agreement between different versions of the draft data privacy regulations.  If followed, the EU’s new regulation should come into force in 2018 . . .

Social Media and Organizational Privacy At A Glance (2015)

Most companies utilize social media to market their products and services.  While using social media can be advantageous, it raises distinct privacy concerns.  Specifically, the terms of use of some social media platforms give the provider the right to share, use, or collect information about your business and customers . . .

Monetizing Information From Startups At A Glance (2015)


Websites and internet-based startups are booming. Many startups thrive by collecting data about their online users’ age, gender, and geography and interpreting that data to predict consumer preferences and demand. In addition, many third party marketing services pay a premium for useful consumer data. Startups often find that data is their single most valuable commodity . . .