If you glance at the “countdown clock” in the left hand sidebar of our blog, you’ll see that it has reached 00:00:00. GDPR Day is here. But, unlike Y2K (for those of you old enough to remember the near-hysteria), 25 May 2018 is only the beginning of the GDPR compliance road and not a “completion date.” It’s more like the new Sarbanes-Oxley.
We are now in the 10-day countdown to the GDPR enforcement date that we’ve been talking about since 2015. If you are a charter member of Procrastinators Anonymous, or just secretly hoped that this would all go away, the sands in the hourglass are running low. Remember that this is not like Y2K. May 25 just represents the date on which the EU will start to enforce the GDPR. Compliance is ongoing and, if your company collects, processes, or uses EU-origin personal data, the compliance obligation runs to you, regardless of where in the world you are located.
Here is a quick refresher list of the webinars that we’ve produced on GDPR issues. Pick a topic and get going!
EU Data Protection GDPR for Life Sciences (3/14/2018)
This webinar, the ninth in our EU General Data Protection Regulation Series, focuses on topics that are vital to life sciences companies seeking to come into compliance, including handling clinical study data, other scientific research, CRO and other contractor agreements, and transferring personal data outside of the EU.
Getting Your Contracts Ready for GDPR (11/16/2017)
This webinar, the eighth in our EU General Data Protection Regulation Series, reviews the GDPR’s express contract requirements and discusses additional matters that you may want to address in your contracts.
Handling Human Resources Data Under Privacy Shield and the GDPR (10/5/2017)
This webinar, the seventh in our EU General Data Protection Regulation Series, reviews current options for transferring personal data, including under Privacy Shield, and previews the new landscape under GDPR.
Access, Correction and Erasure: How to Minimize the Burden (2/16/2017)
This webinar, the sixth in our EU General Data Protection Regulation Series, considers companies’ obligations to give individuals access to their data and to correct or erase it. We explore the new data portability requirements. The webinar concludes with some suggestions on how to make these requirements less burdensome.
Transferring Data from the EU (1/12/2017)
This webinar, the fifth in our EU General Data Protection Regulation Series, explores the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.
Data Protection Officers: Do You Need One? (12/15/2016)
This webinar, the fourth in our EU General Data Protection Regulation Series, examines the criteria that dictate whether or not your organization needs to appoint a Data Protection Officer. We discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position.
Good-bye to the Cure-all: The New Rules on Consent (11/10/2016)
Accountability, Data Security, Data Impact Assessments and Breach Notification Requirements (10/13/2016)
This webinar, the second in our EU General Data Protection Regulation Series, focuses on the data security and accountability requirements of the Regulation, including reviews and documentation of internal policies and procedures and data impact assessments. We also explore the breach notification requirements and actions that companies can take in advance to mitigate the need for breach notification.
One-Stop Shopping Mall? The New Regulatory Structure (9/14/2016)
This webinar, the first in our EU General Data Protection Regulation Series, explains the powers and role of the new European Data Protection Board, how a “lead supervisory authority” will be designated for each controller, and how the lead supervisory authority will interact with other interested supervisory authorities. We also look at the complaint process from the point of view of the individual who is claiming a violation, and explore the likely role that will be played by public interest organizations bringing group complaints.
Answering the centuries-old question, it appears it is the Federal Trade Commission (“FTC”) that watches the watchmen. The FTC sent warning letters to a pair of foreign app developers cautioning them that their practices of collecting children’s geolocation data without parental consent may be in violation of the Children’s Online Privacy Protection Act (“COPPA”). The letters warned China-based Gator Group Co. Ltd. and recently-defunct Sweden-based Tinitell, Inc. that companies targeting U.S. children must comply with U.S. privacy laws regardless of where they are based. The FTC also sent copies of the warning letters to the Apple App Store and the Google Play Store, which make the apps available to consumers. While the apps give parents peace of mind by enabling them to track their children’s location to ensure they are safe, that benefit is negated when parents are not aware that the information is being collected and stored in a way that enables others to access that same data.
A challenge to the use of cy pres charitable donations to settle privacy claims against Google will be heard by the Supreme Court. In Frank v. Gaos, petitioners seek reversal of lower court decisions rejecting their objection to an $8.5 million settlement of claims arising from Google’s transmission of users’ search terms to third-party websites. Because the proposed settlement amount could not feasibly be distributed to the estimated 129 million class members, the settlement called for Google to pay the settlement proceeds, less class counsel fees, to certain privacy-related charities. The trial court awarded 25% of the settlement, or $2.125 million, to class counsel; the balance went to the charities. The petitioners’ objections to the settlement were overruled.
With the recent enactment of data breach notification laws in South Dakota and Alabama, all 50 US states now have laws regulating data breach notification. We’ve updated the Mintz Matrix (maintained by the Mintz Privacy Team for nearly 10 years) to provide you with the latest information.
Managing the differing requirements remains a challenge, and points to the need for updated incident response plans. As an example, the chart below outlines the different timelines for notification. The Mintz Matrix contains information on all of these, and more.
Uber Technologies, Inc. (“Uber”) has agreed to an expansion of its initial August 2017 proposed consent agreement with the Federal Trade Commission (“FTC”), in light of revelations of an additional security breach in October 2016, which it knew about but did not disclose until November 2017, after it settled over its initial May 2014 breach. The second security breach occurred right in the middle of the FTC’s nonpublic investigation into Uber’s security practices from the initial breach; nevertheless, Uber failed to disclose the breach. Both breaches resulted from Uber’s lax security practices, and Acting FTC Chairman Maureen K. Ohlhausen described them as “strikingly similar.” In light of the additional information, the FTC withdrew from the original proposed settlement it reached after the May 2014 breach, expanded the terms, and threatened to fine Uber for future incidents. In an attempt by new CEO Dara Khosrowshahi to set a new tone for the company, Uber agreed to the revised terms on April 12.
Facebook has recently chosen to no longer fund opposition to the California Consumer Privacy Act, which could appear on the California State Ballot as an initiated state statute on November 6, 2018. According to the petition summary, the potential statute:
Gives consumers right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed. Gives consumers right to prevent businesses from selling or disclosing their personal information. Prohibits businesses from discriminating against consumers who exercise these rights. Allows consumers to sue businesses for security breaches of consumers’ data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies. Imposes civil penalties. Applies to online and brick-and-mortar businesses that meet specific criteria.
As the clock ticks down to May 25, 2018, when the European Union’s General Data Protection Regulation (“GDPR”) becomes fully enforceable throughout the EU, the Internet and airwaves have become saturated with guidance for companies about what to expect and how to prepare for its new protections and restrictions. However, we’ve seen little intelligence for companies and their litigation counsel in situations where electronically-stored information (“ESI”) containing “personal data” resides in the EU and is relevant to discovery requests in American civil litigation.
In many ways, the process and procedures relating to transfers of personal data to the U.S. under the GDPR are similar – and similarly burdensome – to those of the existing privacy regime. However, the GDPR does introduce new transfer options and clarifies others. It has also added record-keeping and compliance reporting requirements as well as hefty penalties for non-compliance.
Our GDPR e-discovery series will examine these new and clarified transfer options for ESI containing personal data. We begin our series with a newly added transfer option – the Hail Mary pass of transfer options – contained in a GDPR provision permitting a one-time limited transfer where necessary to further a “compelling interest” of the transferring party.
Alabama has joined the “crazy quilt” of state data breach notification laws with the governor’s signature of the Alabama Data Breach Notification Act of 2018.
Things to take note of under the Alabama law:
- The law requires entities to “implement and maintain reasonable security measures” and includes a granular list of what such security measures should include. An interesting component of reasonable security measures is “keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.”
- Notification to residents within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm.
- The definition of “personal information” is expanded to include health information and user name or email address in combination with a password.
- Notice to the Alabama Attorney General if notice is provided to more than 1,000 individuals at a single time.
- No private right of action, but the AG may enforce violations of the Act as a deceptive trade practice.
- The Act provides for civil penalties of not more than $5,000 per day for each consecutive day that a covered entity fails to take action to comply with notice provisions. “Knowing” violations of the Act (including a “reckless disregard in failing to comply with notice requirements”) could subject a covered entity to civil penalties of up to $500,000 per breach.
Only one U.S. state without a data breach notification law, that is.
South Dakota has become the 49th state to enact a data breach notification law, which takes effect on July 1. The South Dakota law follows the pattern of the most recent notification laws, including an expansive definition of “Personal Information”.
The law defines personal information as a person’s first name/first initial and last name in combination with any one or more of the following:
- Social Security Number;
- Driver’s license number or other unique identification number created or collected by a government body;
- Account, credit or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;
- Health information;
- Identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
There is an additional definition of “protected information” that includes (a) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (b) account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. The definition of “protected information” does not include a person’s name.
Again, South Dakota includes an encryption “safe harbor,” but does require notification if the encryption key is compromised. Notice to the South Dakota Attorney General is required in any breach that exceeds 250 South Dakota residents.
Notification is required within 60 days of the discovery of the breach. A violation of the notification law is considered a deceptive act under South Dakota consumer protection laws, and the Attorney General has noted that this violation has the effect of creating a private right of action. The AG is also authorized to enforce the law and may impose a fine of up to $10,000 per day, per violation.
Alabama remains the sole U.S. state without a breach notification law, but the Alabama Data Breach Notification Act of 2018 passed the Alabama House unanimously and is now in the state Senate.
An update to the Mintz Matrix will be forthcoming this week with further details on this new South Dakota law, as well as some amendments to existing laws. Watch this space.