Last week, British Airways (BA) became one of the first public relations victims of the General Data Protection Regulation (GDPR). Per reports from TechCrunch, BA requested that individuals who had tweeted BA regarding flight delay complaints respond on Twitter—to the public—with personal information, purportedly in order to comply with the GDPR. The personal information that BA representatives requested included full names, billing addresses, dates of birth, the last 4 digits of payment cards, and even passport numbers. Eventually, BA clarified that it did not mean that users should respond with the requested information in the public feed, but rather that they should do so via direct message (DM).
For the fourth time, the Federal Trade Commission (FTC) has reached a consent agreement with a company for alleged misrepresentations regarding Privacy Shield certification. A California-based company, ReadyTech Corporation, agreed to a settlement whereby it is “prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Privacy Shield is one of a few mechanisms that are available to U.S. companies for the lawful transfer of personal data from the European Union and Switzerland to the United States pursuant to applicable data protection laws including the new General Data Protection Regulation (GDPR). As part of the process, companies must self-certify with the Department of Commerce (DoC) and then annually re-certify that the company is Privacy Shield compliant.
Back in January, we posted about the circumstances in which your company, even if based in the US, must comply with the EU General Data Protection Regulation (GDPR), taking effect in May 2018. Now we get down to business. If your organization is covered, how do you start the process of preparing for compliance? There appear to be so many moving pieces, where to begin? Here we will provide a high level checklist to help you start down the path of GDPR readiness. As usual, this is not legal advice, just information based on the resources available from the EU authorities thus far designed to help you get your ducks in a row and start planning.
First, a reminder. Due to the extraterritorial jurisdiction provisions of the GDPR, your company is covered by the law even if you have no establishment in the EU if you process personal data of data subjects in the EU and that processing relates to (a) the offering of goods or services to those data subjects, irrespective of whether a payment of the data subject is required; or (b) the monitoring of those data subjects’ behavior as far as their behavior takes place in the EU. Processing means any operation which is performed upon personal data, whether or not by automatic means, including collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, combination, blocking, erasure and destruction. Personal data is also broadly defined and includes not only what we think of as traditionally personally identifiable information connected to a name or person, but also information connected to a particular device or even IP address. EU regulators can assess administrative fines of €20 million or up to 4% of the total worldwide annual turnover of the preceding fiscal year, whichever is higher.
If your organization is covered by the law, here is a list of things to consider — and the sooner the better (with barely over a year to become compliant). Each of the following points will be the subject of a more detailed overview in a series of forthcoming blog posts over the next few months. Continue Reading Start Your Engines: We Have to Deal With GDPR, What Now?
The new EU General Data Protection Regulation or “GDPR” takes effect May 2018. Many US companies may wonder why they should care about European privacy laws. The answer may surprise you if you are not a close follower of privacy law developments. The GDPR includes an extraterritorial jurisdiction provision pursuant to which many US companies without any personnel or servers in the European Union may still be subject to the law. So how do you know if you are covered? Here’s what you need to know: Continue Reading GDPR Stands for . . . “Gotta Do [Something] Privacy-Related?”; When Is My US Company Subject To the New EU General Data Protection Regulation?