On January 14, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 01/2021 on Examples Regarding Data Breach Notification (“Guidelines”). The Guidelines complement the guidelines issued by the Article 29 Working Party in October 2017, namely the Guidelines on Personal Data Breach Notification under Regulation 2016/679 (“GDPR”), WP 250. The Guidelines are not yet final, pending a public comment period that concludes on March 7, 2021. While the final version may vary slightly in light of public comments, it is unlikely to change drastically from the current draft, which draws on the experience of European national supervisory authorities in handling data breach notifications since the GDPR became effective.
Privacy and data security continue to make headlines, and this time the waves are coming from the European Court of Justice, the highest court of the European Union. Without comprehensive U.S. federal privacy legislation, it comes as little to no surprise (albeit a disappointing one) that the European Court of Justice (the “Court”) invalidated the EU-U.S. Privacy Shield Framework because it failed to impose appropriate safeguards on the transfer of personal data from Europe to the United States.
What is Privacy Shield and What Happened to Change it?
The EU-U.S. Privacy Shield Framework (“Privacy Shield”), as stated on the official government website, “was designed by the U.S. Department of Commerce and the European Commission…to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union…to the United States in support of transatlantic commerce.”
On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.
We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business:…
Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook
Last week, British Airways (BA) became one of the first public relations victims of the General Data Protection Regulation (GDPR). Per reports from TechCrunch, BA requested that individuals who had tweeted BA regarding flight delay complaints respond on Twitter—to the public—with personal information, purportedly in order to comply with the GDPR. The personal information that BA representatives requested included full names, billing addresses, dates of birth, the last 4 digits of payment cards, and even passport numbers. Eventually, BA clarified that it did not mean that users should respond with the requested information in the public feed, but rather that they should do so via direct message (DM).
Continue Reading GDPR Woes Take Flight: British Airways Asks Customers to Tweet Their Personal Information in Misguided Attempt to “Comply” with GDPR
For the fourth time, the Federal Trade Commission (FTC) has reached a consent agreement with a company for alleged misrepresentations regarding Privacy Shield certification. A California-based company, ReadyTech Corporation, agreed to a settlement whereby it is “prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Privacy Shield is one of a few mechanisms that are available to U.S. companies for the lawful transfer of personal data from the European Union and Switzerland to the United States pursuant to applicable data protection laws including the new General Data Protection Regulation (GDPR). As part of the process, companies must self-certify with the Department of Commerce (DoC) and then annually re-certify that the company is Privacy Shield compliant.
Continue Reading A Privacy Shield Enforcement Action: More to Come?
Back in January, we posted about the circumstances in which your company, even if based in the US, must comply with the EU General Data Protection Regulation (GDPR), taking effect in May 2018. Now we get down to business. If your organization is covered, how do you start preparing for compliance? There appear to be so many moving pieces; where to begin? Here we provide a high-level checklist to help you start down the path of GDPR readiness. As usual, this is not legal advice, just information based on the resources the EU authorities have made available thus far, designed to help you get your ducks in a row and start planning.
First, a reminder. Due to the extraterritorial jurisdiction provisions of the GDPR, your company is covered by the law even if you have no establishment in the EU if you process personal data of data subjects in the EU and that processing relates to (a) the offering of goods or services to those data subjects, irrespective of whether a payment of the data subject is required; or (b) the monitoring of those data subjects’ behavior as far as their behavior takes place in the EU. Processing means any operation performed upon personal data, whether or not by automated means, including collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, combination, restriction, erasure and destruction. Personal data is also broadly defined and includes not only what we traditionally think of as personally identifiable information connected to a name or person, but also information connected to a particular device or even an IP address. EU regulators can assess administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding fiscal year, whichever is higher.
If your organization is covered by the law, here is a list of things to consider — and the sooner the better (with barely over a year to become compliant). Each of the following points will be the subject of a more detailed overview in a series of forthcoming blog posts over the next few months.…
Continue Reading Start Your Engines: We Have to Deal With GDPR, What Now?
The new EU General Data Protection Regulation or “GDPR” takes effect May 2018. Many US companies may wonder why they should care about European privacy laws. The answer may surprise you if you are not a close follower of privacy law developments. The GDPR includes an extraterritorial jurisdiction provision pursuant to which many US companies without any personnel or servers in the European Union may still be subject to the law. So how do you know if you are covered? Here’s what you need to know:…
Continue Reading GDPR Stands for . . . “Gotta Do [Something] Privacy-Related?”; When Is My US Company Subject To the New EU General Data Protection Regulation?