Executive summary:  The EU’s standard contractual clauses may be on the fast track to invalidation, putting a vast number of personal data transfers from the EEA at risk.  A case brought by Maximilian Schrems (whose first complaint resulted in the invalidation of Safe Harbor) has been referred to the EU’s highest court, via a 153-page Irish High Court decision that provides ample ammunition to those who would like to see the standard contractual clauses struck down.  Although aimed at Facebook, the consequences of the decision are virtually certain to affect all US companies that rely on the standard contractual clauses.

Many companies around the world rely on the EU’s standard contractual clauses (also known as the model clauses, and referred to in this article as the “SCCs”) as the legal basis for transferring personal data from the European Economic Area (EEA) to countries whose privacy laws have not been found adequate by the EU Commission.  The SCCs are private contracts, and while some EEA countries require that parties that enter into SCCs deposit a copy, other countries do not, so no one knows for sure how many companies rely on the SCCs.  But the answer is probably “an awful lot of companies.”  Given the data flows between the EEA and US, and the fact that, as of today, only around 2,500 companies rely on Privacy Shield as the legal basis for the data transfers, it’s safe to assume that for US companies, the standard contractual clauses are the primary mechanism for transferring personal data to the US.

The SCCs have been subject to a legal challenge by Maximilian Schrems (often called the Schrems II case) that has just reached a critical inflection point: The Irish High Court has just issued a decision referring to the Court of Justice of the EU (CJEU) the question of whether the SCCs are invalid.  The main thrust of the invalidity argument is the assertion that US national security laws do not offer adequate levels of protection for the rights of EU residents.  In particular, the argument runs, EU residents lack a meaningful remedy before US courts for uses of their personal data by US national security agencies that are inconsistent with those persons’ rights under EU law.

Read more:  Will the EU box itself in?  Fate of Standard Contractual Clauses (aka the Model Clauses) for personal data transfers is now in the hands of the EU’s highest court

We will be following up our post last week regarding the latest US-EU Safe Harbor decision out of Europe with further analysis both from the Mintz Privacy team and our international network of privacy specialists.  Our friends at TaylorWessing have graciously allowed us to repost their view here.

Read more:  Privacy Monday, September 28, 2015: More on US-EU Safe Harbor — what’s next?

Written by Jake Romero, CIPP

If you are one of the approximately 1.3 billion people who use Facebook, you’ve likely experienced the phenomenon where a single event (like Luis Suárez biting that Italian guy or pretty much anything involving TSA) manages to raise the ire of a large number of your Facebook friends, causing them to flood your timeline with single-issue Facebook user rage.  Another recent event you likely heard about both on the news and through numerous status updates is Facebook’s 2012 experiment in which user timelines were manipulated to gauge users’ response to changes in the number of positive or negative posts.  After results of the study were published in March, many users became upset at the idea of possibly having unknowingly taken part in the study.  Now, the Electronic Privacy Information Center (EPIC) has filed a formal complaint asking the Federal Trade Commission (FTC) to investigate Facebook’s use of user data for research purposes as a deceptive trade practice.

Read more:  Backlash Over Facebook Timeline Experiment Serves as a Reminder: User Expectations Still Trump Fine Print

Promises to Keep: Lessons Learned from Facebook’s Recent Acquisitions of WhatsApp and Moves

Written by Jake Romero, CIPP/US

Mergers are never simple, but the acquisition of consumer products and technology requires the purchasing entity to consider a number of questions and issues beyond the standard concerns related to executive pay, corporate valuations and per share prices.  Will we be able to integrate our corporate cultures?  Will the service’s current users make angry reaction GIFs about us to demonstrate their disapproval?  Is this something we can fix with a rapping monkey video?  Are Beats by Dre headphones ‘extraordinarily bad’?  Following a number of high profile tech acquisitions, Facebook, Inc. has learned that among the questions that must be asked is “What promises has the target entity made to its users regarding data the target is collecting?”

Read more:  Privacy Monday – May 19, 2014 – Lessons Learned from Facebook

If you haven’t been paying attention to the “password hygiene” preached by this blog and others, perhaps it’s time.    Jose Pagliery from CNNMoney reports on a large-scale hack that has compromised over 2 million passwords at Facebook, Gmail, Twitter, Yahoo and others.

Here is the partial list –

  • 318,000 Facebook accounts
  • 70,000 Gmail, Google+ and YouTube accounts
  • 60,000 Yahoo accounts
  • 22,000 Twitter accounts
  • 8,000 ADP accounts (ADP says it counted 2,400)
  • 8,000 LinkedIn accounts

Change your passwords for any of these accounts, and change any other accounts using that password as well.   Chances are good that the hackers were not after your latest Facebook post, but rather the information and access they could get to the rest of your digital life through that password.

And if you need any tips on how to create a strong password, read this post.


Dis-Like! Senator Markey Urges the FTC to Investigate Facebook’s New Policies

Written By Adam Veness

As we previously reported here, Facebook has proposed a number of revisions to its Data Use Policy and Statement of Rights and Responsibilities.  In response to these proposed changes, Senator Edward J. Markey (D-MA) sent a letter to the Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez asking her to take a closer look into whether these new proposed policies violate Facebook’s 2011 settlement with the FTC.  That same day, the FTC announced that it was investigating Facebook’s new policies.

Facebook’s new policies make it clear that users are required to grant Facebook wide permission to use their personal information as a condition to using Facebook.  Peter Kaplan, a spokesman for the FTC, stated, “Facebook never sought out a discussion with us beforehand about these proposed changes.”  According to the New York Times, Facebook informed the FTC of the new language just before it was posted to its website.

Senator Markey’s letter to the FTC questions whether Facebook is attempting to improperly alter its privacy policy without user consent.  He points out that the Facebook/FTC settlement requires that Facebook “clearly and prominently” provide consumers notice and obtain consumers’ “affirmative express consent”, or opt-in, before their information is shared beyond previously established privacy settings.  Senator Markey is concerned that the new policy will automatically allow Facebook the right to use user information unless users expressly revoke permission, or opt-out, and this runs contrary to the settlement’s opt-in requirement.

The other main point in Senator Markey’s letter focuses on children under the age of 18.  Facebook’s new policies state to users under the age of 18 that “you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.”  Senator Markey is particularly concerned with this new policy and he points out that impressionable teens are still developing and learning safe online habits.  He cautions that “the FTC should pay close attention to any change that could harm our nation’s young people.”

The Countdown to the HIPAA Omnibus Rule — Are you Ready For September 23rd?

With the September 23, 2013 compliance date for the HIPAA Omnibus Rule only one week away, the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have developed model Notices of Privacy Practices (“NPP”) to help health care providers and health plans ensure compliance with the HIPAA Privacy Rule and recent changes implemented under the Omnibus Rule.   Mintz Levin’s Health Law Policy Matters blog has a complete discussion here.

Breach of the Week – 2 Million Vodafone Germany Customers

Another case of insider data theft.   “This criminal attack appears to have been executed by an individual working inside Vodafone,” the company said in a statement provided to SecurityWeek. “An individual has been identified by the police and their assets have been seized.”

Read more:   SecurityWeek

“Small” is No Excuse – Vermont AG Settles Suit Against Grocer in Data Incident

A small grocery store chain in Vermont agreed to pay $30,000 to settle claims that it failed to protect consumer data when customer credit card numbers were repeatedly stolen from its computers.  Natural Provisions, Inc., of Williston, Vermont, agreed to pay a civil penalty of $14,938, spend $15,062 to upgrade its information technology systems and take other steps to prevent future data breaches, according to the assurance of discontinuance in the Vermont Superior Court.
The company, which specializes in organic and natural foods, said it was unaware of the requirements of the Vermont Security Breach Notice Act, according to the settlement, and apparently relied on a third party vendor to make sure it was secure.   Under the act, a business must work quickly to remedy a security breach, inform the attorney general within 14 days of the breach and tell customers within 45 days.   After learning from a local police department about reports that customer credit card numbers were stolen and abused, Natural Provisions didn’t inform the attorney general for 45 days and didn’t begin to fix the problem until a month later, the settlement said.
Read more:  Burlington Free Press

Written by Jake Romero

If you use Facebook (and you likely do, if only to play some game that apparently involves crushing large amounts of candy), then you received an email last week informing you that Facebook is proposing changes to its Data Use Policy and Statement of Rights and Responsibilities.  The proposed changes are largely in response to the $20 million settlement, approved last month by a federal judge, of a class action brought against Facebook in response to its use of user names and photos in “Sponsored Stories”.

In January 2011, Facebook implemented the Sponsored Stories advertising mechanism, which turned user “likes” into product endorsements.  The claim argued that Facebook did not adequately inform its users that profile photos and user names would be used by advertisers to recommend products and services.  The claim also argued that Facebook inappropriately did not give users the ability to opt out of the Sponsored Stories advertising feature and allowed the use of the likeness and photos of minors who, the claimants argued, should have automatically been opted out of the program.  Arriving just days after the approval of the settlement, the proposed changes include an interesting mix of responses and clarifications.  These are the most noteworthy:

  • Your face is for sale.  Under the approved settlement, Facebook agreed to pay $20 million and give its users greater “control” over the use of information by advertisers.  Facebook did not, however, agree to let its users opt out of allowing advertisers to use information entirely.  Under the revised Statement of Rights and Responsibilities, each user gives Facebook permission to use his or her name, profile picture, content and information in connection with commercial, sponsored or related content.  Facebook further clarifies that this means that businesses or other entities will pay Facebook for the ability to display user names and profile pictures.
  • Kids, be sure to ask your parents’ permission.  By using Facebook, each user under the age of 18 represents that at least one parent or guardian has agreed to Facebook’s terms, including the use of the minor’s name, profile picture, content and information by advertisers, on that minor’s behalf.
  • Your profile photo is fair game for facial recognition scanning.  Facebook scans and compares pictures in which you are tagged so that when your friends post more photos of you, it can suggest that they tag you.  The updated Data Use Policy makes it clear that your profile photo will be scanned for this purpose as well.
  • There’s a renewed emphasis on mobile phone data.  The updated policies make it clear that Facebook and, in certain cases, third-party integrated applications, will have access to a broad array of mobile data.  This includes the use of friend lists by third party mobile applications to advertise mobile applications used by an individual’s friends.  Whereas Facebook encountered substantial difficulty in implementing Sponsored Stories and similar advertising mechanisms, Facebook’s program of allowing mobile applications to market themselves as “Suggested Apps” has been a bright spot for the company’s bottom line.  Moreover, Facebook has signed on to an agreement with California Attorney General Kamala Harris that mobile applications constitute “online services” and, as such, are governed by the same disclosure and transparency regulations applicable to websites.  The clarifications related to mobile devices and applications suggest that Facebook intends to further develop the use of mobile data as a revenue stream without risking the same type of legal action.

Facebook’s proposed revisions remain open for public comment.   While the proposed revisions are unlikely to stoke the kind of furor that past changes have inspired, they remain an interesting display of the developing give-and-take between consumers and online service providers who provide a “free” service in exchange for the right to use and monetize personal data.

Welcome to a new feature of Privacy & Security Matters — Privacy Monday.

We will start your week with a fresh collection of privacy tidbits, goofs and gaffes.

Tip:  Make Sure Your Employee Files are Distinguishable from Customer Merchandise

A Cambridge, Massachusetts Banana Republic customer got a lot more than she ordered.   When she opened the package containing her online order last week, she did not receive the expected tie and pocket square but rather an envelope containing personnel files for about 20 former Gap Inc. employees, replete with Social Security numbers and W-4s, handwritten resignation letters, doctors’ notes — everything.       According to an Associated Press story, this is not the first time this has happened at the Gap (according to the story, both customer shipments and HR files are sent in the same, gray plastic envelopes) — except that this time, the recipient was Emily Dreyfuss, an editor at CNET, the technology publication (she is also the daughter of actor Richard Dreyfuss).

Don’t expect this to end quietly.  Read Ms. Dreyfuss’ first-hand account (including the customer service response…) at The Atlantic Wire

Data Security and Breach Notification Act of 2013 Introduced in U.S. Senate

In yet another effort to reach a national data breach standard and eliminate the crazy quilt of state data breach notification laws, three U.S. Senators have introduced the Data Security and Breach Notification Act of 2013.    Senators Pat Toomey (R-PA), Angus King (I-ME) and John Thune (R-SD) have reintroduced the bill in reportedly the same form as it was introduced in 2012 … and in 2011 … and in 2010.    The 2013 bill is not yet available online, but last year’s text can be found here. The 2012 version died at the end of the last session of Congress without making it out of the Senate Commerce, Science and Transportation Committee.  Stay tuned for further analysis once the actual text is released.

More Data Security Problems for Facebook

Facebook is once again admitting a data security glitch – a year-long breach affecting nearly 6 million users.  It is likely that most Facebook users missed the “disclosure,” tagged as a “Message from Facebook’s White Hat Program.”    See more in the Reuters story here.

Our series over the next 10 days will highlight the top issues, as we see them, in privacy and security for 2013.    Yesterday, we looked at the increase in cybersecurity disclosure by public companies, triggered by the Securities and Exchange Commission’s Cybersecurity Guidance.

Privacy 2013 – What to Expect in the Employment Arena

Written by Jennifer Rubin and Michael Arnold

As more and more employees take to social media to conduct business, questions remain about how, if at all, employers may legally regulate and monitor employees’ conduct on social media. For example, employees use LinkedIn not just for networking but to conduct business, such as mining potential sales contacts and growing pipelines.  But who owns the contacts, and what can employers tell employees about how to conduct themselves while mining them?  And what happens when an employee leaves?  Can the employee take “their” contacts on LinkedIn, or does the employer “own” those contacts? Is ownership truly in question if an employee uses LinkedIn to obtain the contacts at the employer’s behest, utilizing the employer’s resources and while on the employer’s payroll?  These are questions some courts are beginning to address.

Related to this issue is the National Labor Relations Board’s growing interest in defining what employers with unionized and non-unionized workforces can and cannot do with respect to limiting communications in the workplace. The NLRB says that employees may air grievances about wages and working conditions without employer restriction – note the now infamous “Facebook” firings and related cases.  The NLRB has also invalidated employer social media policies for failing to comply with the National Labor Relations Act.  Twitter seems to be the next natural stop for the NLRB’s growing influence.  Many people “tweet” at their employer’s behest and with their employer’s blessings. What happens when the employee strays from the script? And who has the time and energy to undertake the “community curation” required to keep the employer’s finger on the pulse of these communications in a consistent and non-discriminatory manner?

Then, of course, there is the issue of an employer’s right to monitor an employee’s use of social media in the first instance.  In order to protect the corporate reputation, prohibit unlawful competitive activity, including the theft of trade secrets, or to affirmatively comply with certain government regulations, some employers now require employees (and prospective employees) to provide their social media passwords or other account information.  Fourteen state legislatures (like California) have recently enacted laws prohibiting this practice, and other states are likely to follow suit.  Social media privacy bills are under consideration in Missouri, Texas, and other jurisdictions. Whether a particular state prohibits this practice or not, employers must give serious thought before implementing (or continuing to implement) this practice.  Specifically, they must be mindful of the “Big Brother” perception and the potential exposure to claims under the anti-discrimination laws, labor laws, and state privacy laws.

In 2013, employers, employees, lawmakers, regulatory authorities and courts will continue to struggle to strike the right balance between privacy, corporate culture, ownership of business information, free expression, and creativity. Recommendation for action in 2013:  If your business has a social media policy, review it in light of emerging state laws and the NLRB cases.   If your business does not have a social media policy, 2013 is the time to take another look.