
Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Webinar Postponed – Post-Safe Harbor Update for Life Sciences Companies

Posted in Safe Harbor

The webinar on Post-Safe Harbor Update & Cross-Border Data Transfer Issues for Life Sciences Companies that was originally scheduled for today is being postponed and will take place after the holidays. We will announce a new date shortly.


Standing Issues Could Still Derail Google Cookie Placement Litigation

Posted in Class Action Litigation, Privacy Litigation

In a decision almost a year in the making, the Third Circuit’s recent opinion in In re Google Inc. Cookie Placement Privacy Litig. (3d Cir. Nov. 10, 2015) (“Google”) reversed a trial court order dismissing a lawsuit alleging that Google and other internet advertising companies circumvented the cookie-blocking settings of the Safari and Internet Explorer web browsers. In doing so, the panel rejected a standing argument advanced by the defendants that is identical to an issue currently pending before the Supreme Court. A defense-favorable ruling on that issue by the Supreme Court could require a second look at the question of standing in Google.

In Google, the plaintiffs allege that the defendants exploited loopholes in the browsers’ cookie-blocking features to place cookies on the plaintiffs’ computers that tracked their web-browsing activity. The defendants then used that tracking information to place targeted advertisements on web pages the plaintiffs visited. The plaintiffs claimed that the use of such cookies violated federal and state law. The trial court rejected the defendants’ argument that the plaintiffs lacked standing, but dismissed all of their claims for failure to state a claim upon which relief may be granted.

What App Users Care About When Sharing Personal Data: Permissions

Posted in Mobile Privacy, Uncategorized

Written by Jane Haviland

The latest Pew Research Center Report relayed useful information regarding application users’ concerns about sharing personal data. Ninety percent of app users indicated that how their personal data will be used is “very” or “somewhat” important to them and influences their decision to download an app. Sixty percent of users decided against downloading an app when they saw how much personal information they would need to share. Android 6.0, or Marshmallow, should help abate those concerns.

The Report looked at the types of permissions sought by apps available in the Google Play store, largely because of the public availability of this data and the popularity of the Google Play store. Google Play apps request a total of 235 unique permissions to access users’ information or phone hardware. The single most common permission relates to accessing the device’s internet connectivity, and the average app sought five permissions. Taken as a group, the most common permissions sought access to the device’s hardware (controlling vibration, adjusting volume, and so on) rather than to personal information. Before Android 6.0, the Android permissions structure is “all or nothing,” meaning the user must grant the app every permission it requests in order to install it. The permissions appear at the time of installation, the user must accept them to proceed, and the list can be viewed at any time on the app’s page in the Google Play store.

With Android 6.0, or “Marshmallow,” Google will allow users to pick and choose the permissions they wish to grant. Permissions will be requested not at the time of download, but at the moment when the app needs the permission to perform a particular function. Users can grant or deny the permission and change that setting later. For instance, the user can allow the app to access the user’s location while using the app, then turn this permission off afterwards. This change makes the Android permission scheme more like Apple’s. Two practical limits apply: the runtime prompts cover only the “dangerous” permission groups (location, contacts, camera, microphone, storage and the like), while “normal” permissions such as internet access and vibration are still granted automatically at install; and an app receives the runtime prompts only if it targets API level 23 or higher, so older apps keep the install-time list, although a user on Marshmallow can still revoke their permissions from Settings.
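The request-at-the-moment-of-use flow described above, in code. This is an added example, not code from the post, from Pew or from Google: the activity name NearbyOffersActivity, the package name, the button handler and the two loadOffers... helpers are all hypothetical, and the block assumes an app that targets API level 23 with the v4 support library on the classpath. It asks for ACCESS_FINE_LOCATION only when the user invokes a location-based feature, explains the request if the user has declined once before, and keeps working if the permission is refused or later revoked.

```java
// Added example (not from the original post): a minimal Android 6.0 runtime-permission flow.
// Assumes targetSdkVersion >= 23 and the support library's ContextCompat/ActivityCompat.
// ACCESS_FINE_LOCATION stands in for any "dangerous" permission tied to one feature.
package com.example.permissions; // hypothetical package name

import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.widget.Toast;

public class NearbyOffersActivity extends Activity {

    private static final int REQUEST_LOCATION = 1001; // arbitrary request code, echoed in the callback

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Deliberately no prompt here: nothing location-related has been asked for yet.
    }

    /** Hypothetical handler for a "show offers near me" button. */
    public void onShowNearbyOffers() {
        // Re-check on every use: the user may have revoked the permission in Settings
        // since the last run, so a cached "granted" answer cannot be trusted.
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION)
                == PackageManager.PERMISSION_GRANTED) {
            loadOffersNearCurrentLocation();
            return;
        }

        // True when the user denied once before without ticking "never ask again":
        // the right moment to say why the feature needs location before asking again.
        if (ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.ACCESS_FINE_LOCATION)) {
            Toast.makeText(this, "Location is used only to find offers near you.",
                    Toast.LENGTH_LONG).show();
        }

        // Ask at the moment of use, for this one permission, and wait for the callback.
        ActivityCompat.requestPermissions(this,
                new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, REQUEST_LOCATION);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQUEST_LOCATION) {
            return;
        }
        // grantResults can be empty if the request was interrupted; treat that as a denial.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            loadOffersNearCurrentLocation();
        } else {
            // Degrade instead of failing: the rest of the app keeps working without location,
            // which is the point of letting the user refuse a single permission.
            loadOffersByManualPostcode();
        }
    }

    // Hypothetical feature code; the real app would query its backend here.
    private void loadOffersNearCurrentLocation() {
        Toast.makeText(this, "Loading offers near your current location", Toast.LENGTH_SHORT).show();
    }

    private void loadOffersByManualPostcode() {
        Toast.makeText(this, "Enter a postcode to see offers in that area", Toast.LENGTH_SHORT).show();
    }
}
```

The manifest must still declare `<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>`; the runtime prompt is in addition to that declaration, not a replacement for it. Two things to verify before relying on this model: an app whose targetSdkVersion is below 23 never shows the prompt and gets the install-time list instead (a Marshmallow user can still revoke its permissions in Settings, and the affected APIs then return empty results rather than throwing), and only the "dangerous" permission groups go through this flow, since "normal" permissions such as INTERNET and VIBRATE are granted silently at install.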

This change may result in more users for Google Play Store’s apps. Those users who decline to download an app out of wariness about sharing too much personal information can take control of what they share at any given time. Users can refuse to allow access to data, including personal information, altogether, or pick and choose when to allow access. App developers can be less concerned about scaring off potential users by requesting multiple or broad permissions. This development is good news for users and developers alike and will likely encourage increased and repeated app downloads.

Privacy Monday: November 9, 2015 – EU/Safe Harbor Updates

Posted in Employee Privacy, European Court of Justice, European Union, Privacy Monday, Safe Harbor

And the days dwindle down, to a precious few … November …

We are still following developments in the EU relating to the invalidation of the US-EU Safe Harbor Framework.   In case you were on a secluded island during the month of October, you can catch up here.

European Commission Issues Communication.  On Friday, the European Commission issued “long-awaited” guidance (called a Communication), which did not shed much new light on the cross-border data transfer issues, but instead rehashes the “alternative transfer tools” available to legitimize data flows to jurisdictions deemed “not adequate,” like the United States.

Data Breach Planning in 10 Easy Steps: How to Think Like A Litigator

Posted in Class Action Litigation, Data Compliance & Security, Events and Webinars, Privacy Litigation, Privacy Monday

For the first Monday in November, we have 10 easy steps to make sure that your data breach incident response planning is viewed from that pesky point of view of a litigator.

  1. Fail to plan = plan to fail.
  2. Big problems first, small problems later (don’t let the perfect be the enemy of the good).
  3. The criticality of the tone at the top cannot be overstated.
  4. You cannot prevent idiocy, but you can train (and retrain, and retrain).
  5. Make good email practices your fight song (in both times of calm, and times of crisis).
  6. Say what you mean and mean what you say (avoid good policies with poor follow-through; don’t set standards that you can’t meet).
  7. Avoid inconsistencies wherever possible.
  8. Know what your peers are doing (and if you aren’t doing the same thing, document why not).
  9. If you have a close call, document your decision and carefully consider whether you want privilege to apply or not (and why not).
  10. Think about your “story” in slow motion being played on a movie screen (or in excruciating detail on the front page of the Wall Street Journal).

H/T to Mintz’s Meredith Leary for these.   For more on these 10 easy steps and a replay of our Halloween-themed October Privacy Webinar, “Tricks, But No Treats:  A Halloween Visit to the Frightening World of Data Security Litigation,”  check out this link to the recording.

EU Round-UP: Safe Harbor 2.0 and Upcoming National Challenges

Posted in EU Data Protection Regulation, European Court of Justice, European Union, Privacy Regulation, Safe Harbor

EU Commissioner Vera Jourova recently announced in a speech to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the Commission and the US have made substantial progress in finalizing a new Safe Harbor program. Jourova noted that the collection and use of European personal data for US national security purposes remains a key open issue.  However, she also reminded LIBE that the US has undergone a substantial review of the NSA’s alleged mass surveillance activities over the past couple of years.

Overall, Jourova’s comments seemed optimistic about getting a new Safe Harbor program finalized before the Art. 29 Working Party’s deadline of the end of January 2016, after which national Data Protection Authorities are expected to step up enforcement. (The Art. 29 Working Party’s statement is available as a PDF on this page.)

In the meantime, the German regional data protection authorities have collectively announced that they will investigate data transfers by Google and Facebook to the US (without waiting for complaints by German users).  The German DPAs have also suspended approval of new Binding Corporate Rules and customized data protection clauses.  (Model clauses, which don’t require DPA approval in Germany, are not immediately affected, but could be vulnerable to attack.)

Keeping an eye on national data protection authorities’ enforcement agendas will be important once we have Safe Harbor 2.0 in place, since under the Schrems decision, Safe Harbor 2.0 will be effectively subject to the review of national DPAs and courts.

More Dominos Fall on the Data Protection Table

Posted in EU Data Protection Regulation, European Court of Justice, European Union, Safe Harbor

As all of our readers know by now, as of October 6, the US-EU Safe Harbor Framework is no more.   Safe Harbor was the mechanism on which thousands of US companies (and thousands of companies based in the European Union) legitimized their data transfers from the EU to the US.  All the background, including links to a recording of our “emergency” Privacy webinar on the issue, can be found here, here, and here.

Two more dominos outside the European Union have toppled.

Irish High Court Quashes Irish Data Protection Commissioner’s Original Schrems Decision

Posted in EU Data Protection Regulation, European Court of Justice, European Union, Safe Harbor

The Irish High Court today ordered the Irish Data Protection Commissioner (DPC) to investigate Facebook’s European data privacy practices, bringing Max Schrems’ three-year fight full circle.  The Court quashed the original DPC refusal to examine Schrems’ complaint, a matter that returned to the High Court after the referral to the Court of Justice of the European Union (CJEU).

Ireland’s DPC had refused to investigate the original Schrems complaint on the basis that the US-EU Safe Harbor Framework was valid.   By now, we all know what happened to Safe Harbor when it reached the CJEU.

Today’s High Court decision awards Schrems costs for his legal bills and travel expenses and Judge Gerard Hogan commented that “the commissioner is obliged now to investigate the complaint … and I’ve absolutely no doubt that she will proceed to do so.”

The EU’s Article 29 Working Party of EU data protection officials issued a joint statement last week forthrightly expressing its position post-CJEU decision:

Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful. 

EU Data Protection Authorities Issue Joint Statement on Invalidation of Safe Harbor: Not Much Help Here

Posted in European Court of Justice, European Union, Safe Harbor

The so-called “Article 29 Working Party” of EU Data protection officials from the 28 EU member states today released a much-anticipated press release regarding the Court of Justice of the European Union (CJEU) landmark decision invalidating the US-EU Safe Harbor framework.

US companies hoping for some guidance on managing cross-border data transfers will be sorely disappointed.

Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful. 

Further, although the statement indicates that the Working Party considers that Model Contracts or binding corporate rules “can still be used,” the group reserves the right to investigate any privacy complaints that arise in relation to any such transfers.   In addition, unless the EU and US authorities agree on a Safe Harbor 2.0 or some other replacement, the statement says that the data protection authorities would consider taking “coordinated enforcement actions” against companies unlawfully transferring data.

The last paragraph of the statement sounds a warning to US businesses:

…in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.

In case you missed it, our webinar regarding the CJEU decision and how to navigate a path forward in a world without a Safe Harbor data transfer framework can be accessed here.

Wednesday Webinar: Tricks, But No Treats – A Halloween Visit to the Frightening World of Data Security Litigation

Posted in Class Action Litigation, Cybersecurity, Data Breach, Events and Webinars, Privacy Litigation, Security

To take a step back from our continuing analysis of the situation and developments in Europe, there are other things going on in the privacy and data security world!   Our October Wednesday Webinar is coming up and we will take a walk on the wild side: data security litigation.    Registration is open now!