The European Parliament passed a resolution today strongly criticizing Privacy Shield and recommending that Privacy Shield be suspended as of September 1, 2018, if the US doesn’t shape up by that deadline.  Should US companies that rely on Privacy Shield panic?

No.

The European Parliament has no power to suspend Privacy Shield on September 1, 2018, or any other date.  Only two entities can do that:  the European Commission, or the Court of Justice of the European Union (CJEU).  And the CJEU might just do that when it rules, sometime during the next year or so, on the new case between Maximillian Schrems and Facebook (Case C-311/18, commonly called "Schrems II").  There is no new information on the Schrems II case at the CJEU yet, but we are tracking it.   That one is worth worrying about.

The European Parliament’s resolution does have some political weight, however.   The Commission is required to respond to the Parliament within three months explaining what it is going to do – if anything – in response to the Parliament’s criticisms.   But if the Commission shrugs its shoulders, there is not much the Parliament can do except pass another resolution.

The final version of the European Parliament’s resolution is not available yet on the Parliament’s website (it was just passed today), but the proposed form can be found here. 

The Supreme Court ruled, at the end of June, that the government’s acquisition of cell-site location information—data that tracks cell phone users’ movements—constitutes a search under the Fourth Amendment. Speaking for a 5-4 majority in Carpenter v. United States, Chief Justice Roberts addressed law enforcement’s warrantless acquisition of over 12,000 cell-site location points generated by the defendant’s phone, which allowed nearly minute-by-minute reconstruction of his past movements. At the time, police needed only a court order under the Stored Communications Act, which requires a showing that the records are relevant and material to an ongoing investigation.  Under the Court’s opinion, the government must now obtain a warrant supported by probable cause – a higher burden of proof than previously required – and individualized suspicion that the phone’s owner committed a crime in order to access historical cell-site records.

Continue Reading Narrow Ruling for Privacy at SCOTUS in Carpenter

June 28, 2018 will be a watershed day in the history of U.S. data privacy legislation.   California has become the first state to move away from the U.S. approach of legislating data privacy in slow, piecemeal bits.   Yesterday, both houses of the legislature passed – and Governor Brown signed into law – the California Consumer Privacy Act of 2018.

Earlier we wrote about the effort to pass the California Privacy Ballot Initiative No. 17-0039 (the “Ballot Initiative”) that would have been put before voters on the November 6, 2018 ballot.  The Ballot Initiative would have given consumers broad rights regarding their personal information, including the right to learn to whom their personal information is being disclosed or sold, and it would have prohibited businesses from discriminating against consumers who exercise their rights under the act, including the right to opt out of the sale of their personal information.  Further, the Ballot Initiative would have given consumers a private right of action to sue a business that experienced a security breach and had failed to implement reasonable security procedures, with statutory damages of $1,000 per violation, increasing to $3,000 for willful violations.

Continue Reading PRIVACY ALERT: California Leads the Privacy Parade Again with Groundbreaking Privacy Legislation

Manufacturers of wireless devices used for Internet of Things (IoT) applications should take heed of new Trump Administration proposals aimed at reducing the cybersecurity threats from botnets and other automated and distributed attacks.

Following a year of public and internal discussions and inquiry, the Department of Commerce and Department of Homeland Security (DHS) recently issued a Final Report on the topic, “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.” The Report arises from the cybersecurity Executive Order issued by President Trump in May 2017, which required Commerce and DHS to lead a process to determine appropriate action to “dramatically reduc[e] threats perpetrated by automated and distributed attacks (e.g., botnets).”

Continue Reading Trump Administration Botnet Report Will Impact IoT Device Makers – Things You Should Know

In the latest decision concerning standing in data breach cases, the Fourth Circuit has vacated a district court’s dismissal and reinstated putative class action data breach litigation against the National Board of Examiners in Optometry Inc. (“NBEO”).  In Hutton v. National Board of Examiners in Optometry, Inc., the court ruled that the plaintiffs alleged sufficient injury to meet the Article III standing requirement by virtue of hackers’ theft and misuse of the plaintiffs’ personally identifiable information (“PII”), notwithstanding the absence of any allegation that the misuse had resulted in pecuniary loss to the plaintiffs.  In so ruling, the Fourth Circuit struck a middle course on the question of when misuse of sensitive PII results in an injury sufficient to confer standing to sue in federal court.

Continue Reading Fourth Circuit Decision Seizes Middle Ground on the Issue of Standing in Data Breach Cases

Recently, Colorado Governor John Hickenlooper signed a new bill creating far-reaching requirements for entities that collect or maintain personal identifying information of Colorado residents.  These requirements, which create one of the strictest state-based privacy and data breach laws in the country, go into effect September 1, 2018.  The Colorado Attorney General’s office led part of the effort to pass the new law, making enforcement a likely priority.

The new law requires organizations to maintain a written policy for disposing of documents containing consumer data, and to notify affected Colorado residents of any potential personal information exposure no later than 30 days after discovering a data breach. The 30-day notification window does not provide for any sector-specific exemptions (such as for HIPAA-covered entities) and is the shortest of any U.S. state.

Continue Reading Colorado Passes Far Reaching New Privacy and Cybersecurity Law

If you glance at the “countdown clock” in the left-hand sidebar of our blog, you’ll see that it has reached 00:00:00.  GDPR Day is here.   But, unlike Y2K (for those of you old enough to remember the near-hysteria), 25 May 2018 is only the beginning of the GDPR compliance road and not a “completion date.”   It’s more like the new Sarbanes-Oxley: an ongoing obligation, not a one-time fix.

Continue Reading HAPPY GDPR DAY!!

We are now in the 10-day countdown to the GDPR enforcement date that we’ve been talking about since 2015.   If you are a charter member of Procrastinators Anonymous, or just secretly hoped that this would all go away, the sands in the hourglass are running low.    Remember that this is not like Y2K.   May 25 simply marks the date on which the EU will start to enforce the GDPR.  Compliance is ongoing and, if your company collects, processes, or uses EU-origin personal data, the compliance obligation runs to you, regardless of where in the world you are located.

Here is a quick refresher list of the webinars that we’ve produced on GDPR issues.   Pick a topic and get going!

EU Data Protection GDPR for Life Sciences (3/14/2018)

https://mintz.webex.com/mintz/lsr.php?RCID=12a7441da963333b01da237ca419396b

This webinar, the ninth in our EU General Data Protection Regulation Series, focuses on topics that are vital to life sciences companies seeking to come into compliance, including handling clinical study data, other scientific research, CRO and other contractor agreements, and transferring personal data outside of the EU.

Getting Your Contracts Ready for GDPR (11/16/2017)

https://mintz.webex.com/mintz/lsr.php?RCID=fe0eed5640a85a8ebb2beb6bc83e83e8

This webinar, the eighth in our EU General Data Protection Regulation Series, reviews the GDPR’s express contract requirements and discusses additional matters that you may want to address in your contracts.

Handling Human Resources Data Under Privacy Shield and the GDPR (10/5/2017)

https://mintz.webex.com/mintz/lsr.php?RCID=880eaf4c652aad528de47cde6be78578

This webinar, the seventh in our EU General Data Protection Regulation Series, reviews current options for transferring personal data, including under Privacy Shield, and previews the new landscape under GDPR.

Access, Correction and Erasure: How to Minimize the Burden (2/16/2017)

https://mintz.webex.com/mintz/lsr.php?RCID=9f6b274207228673ad6d4fe938991ee8

This webinar, the sixth in our EU General Data Protection Regulation Series, considers companies’ obligations to give individuals access to their data and to correct or erase it.  We explore the new data portability requirements. The webinar concludes with some suggestions on how to make these requirements less burdensome.

Transferring Data from the EU (1/12/2017)

https://mintz.webex.com/mintz/lsr.php?RCID=f49a18275f1088209190e48151bec9ec

This webinar, the fifth in our EU General Data Protection Regulation Series, explores the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Data Protection Officers: Do You Need One? (12/15/2016)

https://mintz.webex.com/mintz/lsr.php?RCID=86d1f2c36c05bcfc89eec5077f1cf921

This webinar, the fourth in our EU General Data Protection Regulation Series, examines the criteria that dictate whether or not your organization needs to appoint a Data Protection Officer. We discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position.

Good-bye to the Cure-all: The New Rules on Consent (11/10/2016)

https://mintz.webex.com/mintz/lsr.php?RCID=de3b01c1f3d3828f8b8d12dc585a8cfe

This webinar, the third in our EU General Data Protection Regulation Series, reviews the new restrictions on relying on user consent to data processing and data transfers. In addition to the general “imbalance of power” problem, we consider the implications of the Directive on unfair terms in consumer contracts and changes that may need to be made to terms of use and privacy policies when dealing with consumers.

Accountability, Data Security, Data Impact Assessments and Breach Notification Requirements (10/13/2016)

https://mintz.webex.com/mintz/lsr.php?RCID=dadbef107c41c287059e1dcf0db3cc49

This webinar, the second in our EU General Data Protection Regulation Series, focuses on the data security and accountability requirements of the Regulation, including reviews and documentation of internal policies and procedures and data impact assessments. We also explore the breach notification requirements and actions that companies can take in advance to mitigate the need for breach notification.

One-Stop Shopping Mall? The New Regulatory Structure (9/14/2016)

https://mintz.webex.com/mintz/lsr.php?RCID=9b389aa85bb81e0af962ff4a5d8226df

This webinar, the first in our EU General Data Protection Regulation Series, explains the powers and role of the new European Data Protection Board, how a “lead supervisory authority” will be designated for each controller, and how the lead supervisory authority will interact with other interested supervisory authorities. We also look at the complaint process from the point of view of the individual who is claiming a violation, and explore the likely role that will be played by public interest organizations bringing group complaints.

Answering the centuries-old question, it appears it is the Federal Trade Commission (“FTC”) that watches the watchmen. The FTC sent warning letters to a pair of foreign app developers cautioning them that their practices of collecting children’s geolocation data without parental consent may violate the Children’s Online Privacy Protection Act (“COPPA”). The letters warned China-based Gator Group Co. Ltd. and recently-defunct Sweden-based Tinitell, Inc. that companies targeting U.S. children must comply with U.S. privacy laws regardless of where they are based. The FTC also sent copies of the warning letters to the Apple App Store and the Google Play Store, which make the apps available to consumers. While the apps give parents peace of mind by enabling them to track their children’s location to ensure they are safe, that benefit is negated when parents are not aware that the information is being collected and stored in a way that enables others to access that same data.

Continue Reading FTC Puts Kids’ Smart Watch Companies in Time Out for COPPA Violation

A challenge to the use of cy pres charitable donations to settle privacy claims against Google will be heard by the Supreme Court.  In Frank v. Gaos, petitioners seek reversal of lower court decisions rejecting their objection to an $8.5 million settlement of claims arising from Google’s transmission of users’ search terms to third-party websites.  Because the proposed settlement amount could not feasibly be distributed to the estimated 129 million class members, the settlement called for Google to pay the settlement proceeds, less class counsel fees, to certain privacy-related charities.  The trial court awarded 25% of the settlement –  or $2.125 million – to class counsel; the balance went to the charities.  The petitioners’ objections to the settlement were overruled.

Continue Reading Supreme Court to Review Use of Charitable Donation to Settle Privacy Claims Against Google