
European Commission Adopts EU-US Privacy Shield as Replacement for EU-US Safe Harbor Framework

What this is about 
On July 12, 2016, the European Commission formally adopted the EU-US Privacy Shield (the “Privacy Shield”) which will provide organizations a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. This new privacy framework reflects the requirements set out by the European Court of Justice in its October 2015 landmark decision in Maximillian Schrems vs. Data Protection Commissioner, which declared the EU-US Safe Harbor privacy regime invalid.
Privacy Shield overview: The framework provides a set of robust and enforceable protections for the personal data of EU individuals, as well as transparency regarding the use of such data by participating companies, strong US government oversight, and increased cooperation with EU data protection authorities. For more information, see the US Department of Commerce (“DOC”) factsheet and FAQs.
Joining the program: 
The DOC will begin accepting self-certifications on August 1, 2016. Organizations must identify and register with an independent dispute resolution provider before submitting their self-certification.
About self-certification:
The decision to participate in the program is voluntary; however, once an organization publicly commits to comply with the framework’s principles through self-certification, that commitment is enforceable under US law by the relevant authority, either the US Federal Trade Commission or the Department of Transportation. To receive the Privacy Shield’s benefits, an organization must self-certify annually to the DOC that it agrees to adhere to the framework’s requirements, which are based on privacy principles that include notice, choice, access, and accountability for onward transfer. See the DOC’s guide for more information about participation and compliance requirements.

Disclaimer: This communication is for general informational purposes only, and does not constitute legal advice. No recipient should act, or refrain from acting, on the basis of any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

For further information, please contact us at 1-866-723-2287.
July 14th, 2016|Business Transactions, European Union, Security|

The EU-US Privacy Shield Framework text is now available

U.S. Secretary of Commerce Penny Pritzker released a statement regarding the historic agreement, noting that the “EU-US Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.”

The EU-US Privacy Shield Framework (the “Framework”) was designed by the U.S. Department of Commerce (the “DOC”) and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The Framework provides robust and enforceable protections for the personal data of EU individuals, mandating transparency for participating companies, strong U.S. government oversight, and increased cooperation with EU data protection authorities. By offering EU individuals multiple avenues to raise concerns about participants’ compliance, including free dispute resolution, the Framework makes it easier for EU individuals to understand and exercise their rights.

The European Commission has proposed that the Framework be deemed adequate to enable data transfers under EU law; that proposal is now in the approval process. Once an adequacy determination is made, the DOC will begin accepting certifications under the Framework. Similar to the certification process of the now-invalid Safe Harbor, a U.S.-based company that wishes to join the Framework will be required to self-certify to the DOC and publicly commit to comply with the Framework’s requirements. While joining the Framework will be voluntary, once an eligible company certifies compliance, the commitment becomes enforceable under U.S. law.

Read the fact-sheet about the EU-US Privacy Shield Framework here.

Read the full text of the EU-US Privacy Shield Framework here.

February 29th, 2016|European Union|

Three companies to be fined for relying on invalidated Safe Harbor to transfer data from the EU

Fortune reported that Hamburg, Germany’s data protection commissioner, Johannes Caspar, is taking five unnamed global companies to task for continuing to transfer EU data to the US after the Safe Harbor ruling removed its legal basis. The Hamburg data protection authority is preparing to fine three companies for relying on the Safe Harbor privacy framework as the legal basis for their trans-Atlantic data transfers, the report states, and “two other firms are also under investigation.” Caspar declined to disclose the names of the companies for legal reasons, but said they are “large international companies” and “subsidiaries of US-based global corporates.”

February 29th, 2016|European Union, International|

Judicial Redress Act of 2015 signed into law

On February 24, 2016, President Obama signed the Judicial Redress Act of 2015 (“the Act”) into law, a major step toward formalizing the recently announced privacy framework, the EU-U.S. Privacy Shield, which will replace the Safe Harbor program that the European Court of Justice declared invalid in October 2015. The Act’s intent, as explained by House Judiciary Committee Chairman Bob Goodlatte (R-VA), is to reestablish the United States’ credibility with the European Union following the highly publicized leaks of classified information in recent years.

The Act extends to the citizens of EU countries that permit commercial transfers of personal data to the United States rights similar to those enjoyed by US citizens under the Privacy Act of 1974, which established a code of fair information practices governing the federal government’s collection, maintenance, use, and dissemination of information about individuals. Citizens of these EU countries will now be allowed to sue the United States for unlawful disclosure of their personal information obtained in connection with international law enforcement efforts. Before the Act, only US citizens and lawful permanent residents could bring such claims against the federal government.

Read the text of the Act here.

February 28th, 2016|European Union, Legislation|

The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement, called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling of October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security obligations on U.S. companies handling Europeans’ personal data, backed by robust enforcement; clear safeguards and transparency for U.S. government access; and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield. The Article 29 Working Party (the “Working Party”), the body of the EU’s national data protection authorities, has requested that all documents be provided by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurance that during this period of transition, existing transfer mechanisms can still be used as transfer tools to the U.S.: standard contractual clauses (data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules, binding on all members of a global corporate group, that permit intragroup transfers of personal data).

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations with respect to previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which regard those Safe Harbor commitments as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement an organization’s Safe Harbor commitments. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer Safe Harbor-certified organizations a means to transition to the Privacy Shield.

February 24th, 2016|Educational Series, European Union, Guidance|

CFPB publishes annual guide about consumer reporting agencies

Every year, the Consumer Financial Protection Bureau (the “CFPB”) updates and publishes a guide to consumer reporting companies. The guide includes information on requesting a consumer report from the three largest nationwide consumer reporting companies and dozens of specialty reporting companies, tips regarding specialty reports, updated information about verifying your identity when requesting a consumer report, information on companies that provide free credit scores, and an overview of consumers’ rights with respect to consumer reports.

The CFPB notes that in prior years its guide referred to consumer reporting businesses as “agencies” or “bureaus,” and that these terms can be confusing because they may imply that these businesses are government entities. They are not; these companies are private-sector, for-profit entities, and in this year’s guide the CFPB refers to them as “companies” for clarity.

February 23rd, 2016|Educational Series|

What’s up with California’s new E-Verify law?

The new law, AB 622, which went into effect January 1, 2016, adds Labor Code section 2814 to strengthen California’s existing limits on employers’ use of E-Verify and other electronic employment eligibility verification systems. Labor Code sections 2811 through 2813 (enacted in 2011) already bar the state and local governments from requiring employers to use E-Verify or similar systems, except where federal law requires it or it is a condition of receiving federal funds.

The new Labor Code section 2814 expands the definition of an unlawful employment practice: an employer, or any other person or entity, may not use the E-Verify system, at a time or in a manner not required by a specified federal law or not authorized by a federal agency memorandum of understanding, to check the employment authorization status of an existing employee or of an applicant who has not yet received an offer of employment, except as required by federal law or as a condition of receiving federal funds. The new law also requires an employer that uses the E-Verify system to provide the affected employee with any notification issued by the Social Security Administration or the United States Department of Homeland Security containing information specific to his or her E-Verify case, including any tentative non-confirmation notice. Employers now face a civil penalty of $10,000 for each violation of these provisions.

  • Read the text of AB 622
  • Read guidance published by the U.S. Department of Homeland Security on conducting internal audits regarding Form I-9 compliance
February 23rd, 2016|Employment Decisions|

FTC files charges against operators of alleged high school diploma mills

The Federal Trade Commission (the “FTC”) filed complaints on February 10, 2016 against two operators of online “high schools” that claim to be legitimate but allegedly are diploma mills, charging anywhere from $135 to $349 for a worthless certificate.

The complaints in both cases, filed by the FTC in the U.S. District Court for the District of Arizona, charge that the operators bought several domain names designed to look like those of legitimate online high schools and used deceptive metatags with terms such as “GED” and “GED online” to push the bogus sites higher in search rankings. Once consumers reached the sites, pop-up messages implied that the diplomas offered were equivalent to an actual high school diploma.

According to the FTC’s documents, the “courses” amounted to four untimed and unmonitored multiple-choice tests, on which students had to answer 70% of the questions correctly. At some “high schools,” students who failed to meet that standard were redirected to the test once more, this time with the correct answers highlighted so that they could change their answers. Other “high schools” provided students with an online “study guide” that likewise highlighted the correct answer to select when taking the test.

Upon completing the tests, the FTC’s documents charge, consumers were directed to a set of menus to evaluate their “life experiences,” where indicating that they know how to “balance [a] checkbook” translated into credit for accounting coursework. Consumers who said they “listen to music occasionally” could be given credit for a music appreciation course.

The FTC’s complaints in both cases point to numerous consumers who sought to use the diplomas to get jobs, apply for college and even join the military, only to find out that their diplomas were not recognized.

February 23rd, 2016|Fraud, Lawsuit|

Uber settles class-action for $28.5 million for misleading claims about drivers’ background checks

On February 12, 2016, Uber agreed to settle a consolidated class action filed in the U.S. District Court for the Northern District of California (Philliben v. Uber Technologies, Inc. and Mena v. Uber Technologies, Inc.) by paying $28.5 million to approximately 25 million riders and promising to stop using certain language in safety-related advertising, as well as the term “safe ride fee.”

In their complaint, filed in 2014, the plaintiffs alleged that Uber’s claim of conducting “industry-leading background checks,” for which riders paid a “safe ride fee” of $1 to $2 on top of each fare, was false and misleading. According to the complaint, Uber does not have and has never had an “industry-leading background check process.” To the contrary, the complaint stated that Uber’s background screening does not involve fingerprint identification and therefore cannot ensure that the information obtained from a background check actually pertains to the driver who submitted the information. By contrast, most taxi regulators in the United States require drivers to undergo criminal background screening using fingerprint identification, typically employing a technology called “Live Scan.” Going forward, Uber said it will rename the “safe ride fee” a “booking fee,” which will be used to cover safety and additional future operational costs.

If the judge approves the settlement, members of the class who rode in an Uber vehicle in the United States between January 1, 2013 and January 31, 2016 will be eligible to receive a portion of the settlement. If that pot is divided evenly among Uber’s 25 million passengers after attorneys’ fees, each will get around $1.

Read the consolidated class action complaint here.

February 23rd, 2016|Lawsuit|

Province of Ontario passes the Police Record Checks Reform Act

On December 1, 2015, Ontario passed the Police Record Checks Reform Act, 2015 (the “Act”), which has significant implications for criminal record checks. The Act establishes comprehensive standards governing the type of information that police may disclose in response to record check inquiries, and is intended to remove unnecessary barriers to employment, licensing, holding office, applying to educational programs and participating in volunteer activities. Its main objective is to prevent the inappropriate disclosure of non-conviction and non-criminal records, such as information obtained from street checks or “carding,” as well as mental health information.

Possibly the most significant requirement under the Act is that the individual must review the requested information and then consent to its disclosure. Where potentially inappropriate non-conviction information is included in a record, the Act allows the individual to request a reconsideration of the disclosure. As a result, employers who conduct criminal record checks for employment purposes will only be able to obtain the results if the applicant or employee has consented to the disclosure.

December 22nd, 2015|Legislation|