Privacy refers to an individual’s right to control their personal information, including how it is collected, used, shared, and protected by organizations, governments, and digital platforms. It encompasses the ability to keep sensitive data—such as identity details, financial information, communications, and online activity—secure and free from unauthorized access. In today’s digital environment, privacy is essential for data protection, cybersecurity, trust, and regulatory compliance, influencing everything from website practices and mobile apps to consumer rights and corporate governance. Strong privacy standards help safeguard users from identity theft, fraud, surveillance, and misuse of personal data.

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope set out in Article 3(2) of the GDPR. Generally described as the GDPR’s “targeting criteria,” this provision means that a business with no establishment in the EU must still comply with the GDPR if it processes the personal data of individuals who are in the EU (data subjects) in connection with (1) offering goods or services to those data subjects, or (2) monitoring their behavior. Although the EDPB’s guidelines state that the targeting criteria are applied on a case-by-case basis, they provide several examples of how the criteria apply that clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic location and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs, e.g., when your goods or services are offered or when your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Profiling through cookies is monitoring. The GDPR protects data subjects whose behavior your business profiles or otherwise analyzes by using cookies or similar tracking technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR under Article 3(2) must appoint an EU-based representative, even though it has no physical location within the EU (the GDPR itself exempts only occasional, low-risk processing and public authorities from this requirement). A company’s Data Protection Officer, who under the GDPR may be an existing employee of the company, cannot also serve as the EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can itself be subject to enforcement proceedings for the company’s non-compliance, including fines or other sanctions.

Consultation Period

The territorial scope of the GDPR and the appointment of an EU-based representative pose two of the most critical issues that a non-EU company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

The Swiss-U.S. Privacy Shield Framework is approved


The Swiss-U.S. Privacy Shield Framework (the “Framework”) made its debut on January 12, 2017 without much fanfare when Swiss federal councillor Johann Schneider-Ammann announced the Framework’s approval as a valid legal mechanism for complying with Swiss requirements when transferring personal data from Switzerland to the United States. The Framework, designed by the U.S. Department of Commerce (the “DOC”) and the Swiss government to align with the EU-U.S. Privacy Shield, immediately replaces the U.S.-Swiss Safe Harbor. The DOC will begin accepting self-certifications on April 12, 2017, giving organizations time to review the new Framework’s principles and compliance requirements. For more of Scherzer International’s coverage of the EU-U.S. Privacy Shield, click here.

February 2nd, 2017 | Categories: Commercial Transactions Due Diligence

European Commission Adopts EU-US Privacy Shield as Replacement for EU-US Safe Harbor Framework


What this is about 
On July 12, 2016, the European Commission formally adopted the EU-US Privacy Shield (the “Privacy Shield”) which will provide organizations a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. This new privacy framework reflects the requirements set out by the European Court of Justice in its October 2015 landmark decision in Maximillian Schrems vs. Data Protection Commissioner, which declared the EU-US Safe Harbor privacy regime invalid.
Privacy Shield overview: The framework provides a set of robust and enforceable protections for the personal data of EU individuals, as well as transparency regarding the use of such data by participating companies, strong US government oversight, and increased cooperation with EU data protection authorities. For more information, see US Department of Commerce (“DOC”) factsheet and FAQs.
Joining the program: 
The DOC will start accepting self-certifications beginning August 1, 2016. Organizations must identify and register with an independent dispute resolution provider prior to submitting their self-certification.
About self-certification:
The decision to participate in the program is voluntary; however, once an organization publicly commits to comply with the framework’s principles through self-certification, that commitment is enforceable under US law by the relevant authority, either the US Federal Trade Commission or the Department of Transportation. To receive the Privacy Shield’s benefits, an organization must self-certify annually to the DOC that it agrees to adhere to the framework’s requirements, based on privacy principles that include notice, choice, accountability for onward transfer, and access. See the DOC’s guide for more information about participation and compliance requirements.

Disclaimer: This communication is for general informational purposes only, and does not constitute legal advice. No recipient should act, or refrain from acting, on the basis of any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

For further information, please contact us at 1-866-723-2287.

The EU-US Privacy Shield Framework text is now available

U.S. Secretary of Commerce Penny Pritzker released a statement regarding the historic agreement, noting that the “EU-US Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.”

The EU-US Privacy Shield Framework (the “Framework”) was designed by the U.S. Department of Commerce (the “DOC”) and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The Framework provides robust and enforceable protections for the personal data of EU individuals, mandating transparency for participating companies, strong U.S. government oversight, and increased cooperation with EU data protection authorities. By offering EU individuals multiple avenues to raise concerns about participants’ compliance, including free dispute resolution, the Framework makes it easier for EU individuals to understand and exercise their rights.

The European Commission has proposed that the Framework be deemed adequate to enable data transfers under EU law, and that proposal is now in the approval process. Once an adequacy determination is made, the DOC will begin accepting certifications under the Framework. Similar to the certification process of the now-invalid Safe Harbor, a U.S.-based company that wishes to join the Framework will be required to self-certify to the DOC and publicly commit to comply with the Framework’s requirements. While joining the Framework will be voluntary, once an eligible company certifies compliance, the commitment will become enforceable under U.S. law.

Read the fact-sheet about the EU-US Privacy Shield Framework here.

Read the full text of the EU-US Privacy Shield Framework here.

The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement, called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling of October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security obligations on, and robust enforcement against, U.S. companies handling Europeans’ personal data; clear safeguards and transparency regarding U.S. government access; and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield. The Article 29 Working Party (the “Working Party”), the body of EU data protection authorities, has requested that all documents be provided by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurance that during this period of transition, existing transfer mechanisms can still be used as transfer tools to the U.S., namely standard contractual clauses (data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules, binding on all members of a global corporate group, that permit intragroup transfers of personal data).

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.

U.S. Supreme Court case offers window into CFPB’s position on the FCRA

The U.S. Supreme Court has agreed to hear a closely followed case involving the Fair Credit Reporting Act (the “FCRA”) that will have great significance on privacy law. In connection with this case, the Consumer Financial Protection Bureau (CFPB) offered a glimpse of its stance on the FCRA in an amicus brief recently filed with the U.S. Supreme Court.

In 2012, the Bureau took over the enforcement reins of the FCRA from the Federal Trade Commission (FTC). Since then, the industry has watched for signs on how the Bureau would tackle its new job, with few clues. But in an amicus brief filed jointly with the Solicitor General in Spokeo v. Robins, the CFPB weighed in, taking a consumer-friendly position on the statute.

The dispute began when Robins claimed that Spokeo ran afoul of the FCRA. The spokeo.com site allows users to obtain information about other individuals like address, phone number, employment information, and economic data such as mortgage value and investments. Robins sued after finding incorrect information about himself on the site, alleging that Spokeo was a consumer reporting agency (CRA) under the FCRA and sold “consumer reports” but failed to comply with the various statutory requirements by neglecting to assure the maximum possible accuracy of the information reported on its site and failing to provide notice of statutory responsibilities to purchasers of its reports.

Relying on Sections 1681n and 1681o of the FCRA, which grant consumers a cause of action against an entity that willfully or negligently violates “any requirement imposed [under the FCRA] with respect to [that] consumer,” Robins filed a putative class action. A federal district court dismissed the suit for lack of standing, but the Ninth Circuit Court of Appeals reversed. The federal appellate panel held that Robins sufficiently alleged an injury in fact because Congress created a right of action to enforce a statutory provision, demonstrating its intent to create a statutory right.

Spokeo petitioned the U.S. Supreme Court to take the case. The CFPB filed the amicus brief, siding with the plaintiff and arguing that the justices should deny the writ of certiorari. The Bureau argued to the Court that the statutorily created cause of action found in the FCRA satisfied the injury required for Article III standing. While recognizing that Congress does not have unlimited power to define the class of plaintiffs who may sue in federal court, the CFPB said the legislature “may grant individuals statutory rights that, when violated, confer standing, and the clear language of the FCRA did just that.”

“FCRA thus grants an individual consumer a statutory entitlement to be free from a CRA’s actual dissemination of inaccurate information about him when the CRA fails to employ ‘reasonable procedures’ to assure the information’s accuracy,” according to the CFPB’s brief. “A CRA’s willful failure to follow reasonable procedures to ensure that an accurate report about a consumer is disseminated violates a ‘requirement imposed under [FCRA] with respect to [that] consumer.’ It is also a concrete and particularized injury to the consumer because it involves the actual, specific, and non-abstract act of disseminating information about the particular consumer.” This reading, recognizing a legally protected interest in consumer privacy, “is particularly salient in modern-day society given the proliferation of large databases and the ease and rapidity with which information about individuals can be transmitted and retransmitted across the Internet,” the CFPB added, as “public dissemination of inaccurate personal information about the plaintiff is a form of ‘concrete harm’ that courts have traditionally acted to redress, whether or not the plaintiff can prove some further consequential injury.”

Read the CFPB’s amicus brief in Spokeo v. Robins here.

Read the opinion of the U.S. Court of Appeals for the Ninth Circuit here.


June 12th, 2015 | Categories: Compliance Corner for Employment Decisions

Privacy laws gain momentum in Congress

President Barack Obama has made data security a priority in recent weeks.

Speaking at the Federal Trade Commission (FTC) in January, the President announced three pieces of legislation: the Student Digital Privacy Act (which would prohibit the sale of sensitive student data for non-education purposes), the codification of the Consumer Privacy Bill of Rights issued by the White House in 2012, and the Personal Data Notification & Protection Act.

Implicating businesses across the country, the Personal Data Notification & Protection Act would establish nationwide, uniform data breach notification rules that would preempt the existing patchwork of 47 different state laws. Criminal penalties for hackers would also be strengthened, and companies would be required to notify affected consumers of a breach within 30 days.

Broader than prior proposals for federal data breach notification bills, the Act defines “sensitive personally identifiable information” to include a range of data: an individual’s first and last name (or first initial and last name) in combination with two other items such as a home address or telephone number, birthdate, or mother’s maiden name; a Social Security number by itself; and a user name or e-mail address in combination with a password or security question answer that would permit access to an online account.

The notice provisions allow companies to inform consumers of a breach by mail, telephone, and e-mail, under certain conditions. When more than 5,000 individuals are affected in a single state, media notice is required; if more than 5,000 total individuals (regardless of residence) are impacted, the company must also notify credit reporting agencies and the federal government.

Although the bill designates the FTC as the primary enforcement agency, with the authority to promulgate rules pursuant to the law, the measure also requires the agency to coordinate with the Consumer Financial Protection Bureau (CFPB) where a data breach relates to “financial information or information associated with the provision of financial products or services.”

Some exemptions are included in the proposed bill. A business that does not access, store, or use covered data for more than 10,000 individuals during a 12-month period is exempt from the individual notice requirements. A safe harbor is also provided for companies that conduct a “risk assessment” which determines that the data breach did not result in, and will not result in, harm to affected individuals. To rely on it, the business must notify the FTC of its risk assessment results and affirmatively indicate its intent to invoke the safe harbor.

A few days after he presented the proposal, President Obama reiterated his intent to pass data security measures in his State of the Union address, sending a message that he is focused on cybersecurity and privacy in the coming legislative session. Recent high-profile cyberattacks and data breaches (think Sony and Target) have also led to support from lawmakers and consumers, giving the bill momentum, but the question of its passage remains uncertain.

Learn more about the Personal Data Notification & Protection Act.

February 23rd, 2015 | Categories: Commercial Transactions Due Diligence

Virginia takes workers’ privacy to a new level

Starting July 1, 2013, new Virginia Code §40.1-28.7:4 provides that “employers shall not, unless a listed exemption applies, be required to release, communicate, or distribute to a third-party, any current or former employee’s personal identifying information.”

In this context, “personal identifying information” is defined as a “home telephone number, mobile telephone number, e-mail address, shift times, or work schedule.” Exceptions permitting the disclosure of such information include requirements of federal laws that supersede state statutes, court orders, judicial warrants, or a subpoena in a civil or criminal case. Although the statute carries no penalty, it establishes a public policy endorsing protection of personal identifying information and could be invoked in a lawsuit against an employer.

The White House casts “Consumer Privacy Bill of Rights”

Over two years in the making, and backed by online advertising powerhouses such as AOL, Microsoft, Yahoo, and even Google, the Bill of Rights announced on February 22, 2012 pulls together consumer privacy initiatives of both the Federal Trade Commission (FTC) and the Commerce Department. Intended to lead to new legislation that fills the gaps in current U.S. privacy laws, the bill promotes a set of standards for the fair handling of private information based on a set of principles dating back to the early 1970s known as the Fair Information Practices.
The Consumer Privacy Bill of Rights applies to personal information, which means any data, including aggregations of data, that is linkable to a specific individual or to a specific computer or other device. According to the Administration, the bill will establish codes of conduct and call for strong enforcement, ultimately increasing interoperability between the U.S. consumer data privacy framework and those of its international partners. Below are the bill’s highlights.
  • Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  • Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.
  • Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security. Consumers have a right to a secure and responsible handling of personal data.
  • Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  • Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure that they adhere to the Consumer Privacy Bill of Rights.
March 2nd, 2012 | Categories: Commercial Transactions Due Diligence

FTC’s latest privacy initiatives

On December 1, 2010, the Federal Trade Commission (FTC) released its long-awaited preliminary report on the protection of consumer privacy titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The FTC is seeking input on this proposal and intends to issue a final report sometime in 2011.

The report, which covers both online and offline data collection and use, reiterates certain concrete steps that the FTC believes organizations should take related to choice and transparency and also provides broad guidance that applies to all commercial entities that collect or use consumer data, including companies that do not interact directly with consumers, such as information brokers. The framework is not limited to personally identifiable information (PII); it applies to all consumer data that can be linked to a specific individual or to a computer or other device.

Focusing on new and growing threats to consumer privacy driven by innovations that rely on consumer data, the proposal outlines a three-step framework for data protection:

1) Privacy by Design – Organizations should integrate privacy concepts into every stage of the life-cycle of their products and services, develop marketing initiatives and data-sharing activities based on privacy guidance from the inception of such projects, and develop and maintain comprehensive information programs to protect and manage consumer data within the organization itself. Data security, reasonable collection limits, sound retention practices, and data accuracy are critical program components.

2) Choice – Organizations should offer clear and easy-to-use choice mechanisms at the point when the consumer is making a decision about his or her data, such as the point of collection; implement a “do not track” mechanism, such as a persistent web browser setting that allows consumers to block all tracking of their online activities; obtain consumer consent before sharing data for marketing purposes with third parties, or even with their own affiliates if the affiliate relationship is not clear to consumers; and require enhanced consent for sensitive information, such as data about children, financial and medical information, and precise geolocation data.

3) Transparency – While privacy policies remain a critical tool for notifying consumers (and regulators) of an organization’s privacy practices, most privacy policies need to be streamlined and simplified, and organizations must obtain consumer consent before implementing a change in policy that affects previously collected data. Organizations also should explore mechanisms for providing consumers with access to their data.

December 10th, 2010 | Categories: Commercial Transactions Due Diligence