U.K. Information Commissioner’s Office Intends to Impose Fine on Facebook

By Allison Trimble

The U.K. Information Commissioner’s Office announced it will impose the maximum fine of $660,000 for Facebook’s breach of the U.K. Data Protection Act (see Notice of Intent).  The breach, which includes both the failure to safeguard personal information and the failure to provide transparency as to how personal information was harvested by others, is tied to the Cambridge Analytica scandal in which the personal information of 87 million Facebook users was improperly shared with third parties without such users’ consent. 

Winter is Coming…and so is PSD2

By Reece Clark

Consumers can expect increased competition, efficiency, and innovation in the payment services sphere when the European Union’s long-anticipated revised Payments Service Directive (“PSD2”) comes into effect on January 13, 2018. However, European banks and service providers will not be required to immediately harden their customer data exchange security measures in response. According to a recent press release from the European Commission, payments service providers will have up to 18 months after the release of the PSD2’s Regulatory Technical Standards (“RTS”) to upgrade their payment security systems. RTS is slated for release in September 2019, giving market players until Q1 2021 to move their systems and procedures into compliance.

Privacy Shield Updates: Positive Joint Annual Review; Mandated Arbitral Fees

By Steven A. Hengeli, Jr.

The EU-U.S. Privacy Shield has passed its first test: the first joint annual review. If your organization has been waiting for a positive review of the Privacy Shield to join, now is a good time to consider moving forward. 

The European Commission and the U.S. Department of Commerce conducted the first joint annual review of the Privacy Shield in September. The joint annual review helps ensure that the Privacy Shield remains “adequate” under EU data protection law over time. The European Commission’s published report following the review generally expresses support for the Privacy Shield—with some noted opportunities for improvement, including increased enforcement activity and efforts to raise awareness among EU residents of their Privacy Shield rights. 

Massive Global Ransomware Attack

By JJ Bollozos

A cybersecurity attack of global proportions...

As of this afternoon, cybersecurity company Avast reported a ransomware attack, known as WanaCrypt0r 2.0, has been detected over 57,000 times across 99 countries. Of note, the attack has allegedly infected a large telecommunications company in Spain, hospitals across England, and a shipping company based in the U.S., as well as other companies throughout the world. According to the New York Times, the ransomware was included in a compressed file sent via email that would infect a victim’s device once it was opened. 

Trump Executive Order Puts Privacy Shield’s Future in Doubt

By Amanda J. Katzenstein and Daniel L. Farris

President Trump signed an Executive Order last week that potentially puts the six-month old Privacy Shield in jeopardy. While mostly aimed at immigration and border patrol, the Executive Order entitled “Enhancing Public Safety in the Interior of the United States,” also includes a provision aimed at eliminating privacy protection for foreigners. Section 14 of the Executive Order reads:

"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

By specifically excluding non-U.S. citizens or residents from the protections of the Privacy Act, the U.S. safeguards provided by the Privacy Shield regarding the adequacy of protection of the personally identifiable information of EU citizens could be destroyed, leading to the invalidation of the Privacy Shield Agreement outright. 

As the GDPR Compliance Date Looms, Risks and Budgets Grow in Tandem

By Jean Marie R. Pechette and Daniel L. Farris

As the May 2018 effective date of the General Data Protection Regulation (GDPR) looms, U.S. companies have had to expand their investment in implementing measures to ensure compliance with the GDPR. According to a recent PwC Pulse Survey, 92% of respondents considered GDPR a “top priority” in 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.

Following EU, U.S. and Swiss Regulators Reach New ‘Privacy Shield’ Data Transfer Agreement

By Daniel L. Farris

The United States and Switzerland finalized a new “Privacy Shield” Agreement on Wednesday that mirrors the existing U.S.-E.U. Privacy Shield framework. The new deal will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements. 

The new deal replaces the existing U.S.-Swiss Safe Harbor Agreement, the validity of which has been in question since the Schrems decision was issued in October of 2015. Companies that have maintained their Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12th. The 90 day delay is intended to provide companies with time to review the new Swiss principles and the commitments they entail. 

European Commission Approves Privacy Shield, Ushering in ‘Safe Harbor 2.0’

By JJ Bollozos, Joseph D. McClendon, and Daniel L. Farris

For thousands of U.S. companies left in limbo after the invalidation of Safe Harbor last year, relief has finally arrived.  The European Commission (“EC”) formally approved and adopted the new trans-Atlantic Privacy Shield data transfer pact on Tuesday, opening the door for new certification and EU-US data transfers. 

Brexit & Privacy: Keep Calm and Carry On

By Daniel L. Farris

As markets tumble and many business leaders try to predict what the Brexit may mean for their organizations, privacy officers should remember the neo-classic British refrain: Keep Calm and Carry On.  

There may be turmoil, confusion, new regulations, and new compliance regimes ahead, but it will likely take years for the UK to untangle itself from the European Union, and even then the UK may well remain within the European Economic Area. For US companies with transatlantic operations, the best course is to continue a measured but deliberate approach towards eventual GDPR compliance.  

UK Parliamentary Committee Recommends Penalizing CEOs for Cyber Breach

By Daniel L. Farris

The effects of last year’s data breach at UK Telecom, TalkTalk, may be farther reaching than the one million customers whose data was compromised. The UK Parliament's Culture, Media and Sports Committee – which opened an inquiry into the circumstances surrounding the breach last November – made recommendations Monday to significantly enhance penalties for both companies and chief executives who fail to prepare for, timely report, or learn from data breaches, including tying CEO compensation to the effectiveness of their companies’ cybersecurity programs.  

EU Regulators Reject Privacy Shield

By Daniel L. Farris

A group of European data protection authorities, known as the Article 29 Working Party, is refusing to support the proposed transatlantic data transfer deal known as the “Privacy Shield.”  In a highly anticipated opinion issued Wednesday – which does not bode well for US companies anxiously awaiting guidance after the invalidation of Safe Harbor last year – the Working Party criticized the Privacy Shield for its failure to provide protection for EU citizens’ data against US government surveillance programs. 

In February, the European Commission and US Department of Commerce announced a new deal to replace the Safe Harbor mechanism for transferring personal data from Europe to the United States.  While acknowledging that the Privacy Shield was an improvement that would impose new and heightened obligations on US companies to protect Europeans’ privacy, the Working Party expressed numerous concerns over the ways transferred data may be used for commercial or national security purposes. 

Details of the Privacy Shield Agreement Emerge, but Uncertainty Persists

By Joseph D. McClendon and Daniel L. Farris

On Monday, U.S. and EU officials revealed the full text of the proposed EU-US Data Privacy Shield agreement. The Privacy Shield, if approved by the European Commission Article 29 Working Party, would introduce new provisions geared at EU concerns regarding mass surveillance and privacy protection of personal data collected and transferred from the EU into the United States.

U.S. and EU officials have been in talks for nearly five months to get a new agreement in place. Negotiations began in October 2015 when the European Court of Justice invalidated the EU Commission’s Safe Harbor decision. That decision put at risk the ability of nearly 4,000 United States companies to transfer data from the EU to the United States under the now invalidated Safe Harbor framework.

Obama Signs U.S. Privacy Act, Extends U.S. Privacy Rights to Europeans

By Rachel Stevenson

President Obama signed the Judicial Redress Act of 2015 (H.R. 1428/S.1600) on Wednesday, extending parts of the U.S. Privacy Act of 1974 to European Union (EU) citizens. This new law is aimed at demonstrating good faith efforts by the United States to restore the trust of Europeans after the invalidation of the Safe Harbor Agreement. Europeans skeptical of the old Safe Harbor regime now have increased data privacy, protection, and security rights in the United States.

French Data Protection Authority Cracks Down On Facebook Data Transfer

By Joseph D. McClendon

Facebook is again under fire for its EU-US data transfer practices, with the latest scrutiny coming from the French data protection authority (CNIL). In a two-part order issued on February 8, CNIL ordered Facebook to stop transferring user data to the US under the now defunct Safe Harbor framework. In October 2015, the European Court of Justice invalidated the EU Commission’s Safe Harbor pact, an agreement between the EU and US that allowed US companies to transfer EU citizens’ data out of the EU to the US. The ECJ’s decision, which was prompted by an Austrian citizen’s claim that Facebook’s transfer of his personal information out of the EU violated his privacy rights, put at risk the ability of nearly 4,000 US companies to transfer data from the EU to the United States. CNIL’s order is predicated on the fact that Facebook’s France privacy policy webpage still includes language detailing Facebook’s use of Safe Harbor to transfer data.

One Pen Stroke Closer to U.S.-EU ‘Privacy Shield’: Congressional Legislation Awaits the President’s Signature

By Rachel Stevenson

In the stalemate culture of Washington DC politics, privacy and security issues prevailed last week when Congress passed the Judicial Redress Act (H.R. 1428/S. 1600) on Feb. 10th. This show of Congressional support is important as the U.S. and EU continue to work toward adoption of the Data Privacy and Protection Agreement (DPPA). DPPA, also known as an “Umbrella” agreement, covers personal data exchanges between the U.S. and EU so law enforcement can work to prevent, investigate, and adjudicate transnational crimes. The Judicial Redress Act is vital for the EU to adopt DPPA, thereby extending law enforcement information sharing and generating positive international cooperation.

New US-EU ‘Privacy Shield’ Will Impose Heightened Compliance Obligations on US Companies

By Dov H. Scherzer and Daniel L. Farris

The European Commission and United States Department of Commerce agreed to a new transatlantic data transfer pact on Tuesday, two days after the January 31st deadline imposed by European data protection authorities. The deal comes four months after the European Court of Justice invalidated the Safe Harbor Agreement in Schrems v. Data Protection Commissioner.  

The U.S.-China Relationship - Should We “Hack Back?”

By Mary Kathryn Curry

Last week, the U.S.-China Economic and Security Review Commission released its annual report to Congress. One big take-away from the economic perspective of the report is the Commission’s recommendation that Congress take steps to defend U.S. companies against “unrelenting” Chinese cyber attacks: in other words, allow the U.S. to hack back on behalf of companies.

Belgian Court Orders Facebook to Stop Tracking Belgian Users Who Don’t Have Facebook Accounts

By Dov H. Scherzer

In another setback for Facebook in Europe, a Belgian Court of First Instance issued an order enjoining the social media site from tracking the web activity of Belgian users who don’t have Facebook accounts. Facebook, which faces fines of €250,000 per day if it fails to comply, has issued a statement that it will abide by the court’s order, but will appeal the ruling. The order went into effect on November 11, 2015.

The latest salvo against Facebook began last June when Belgium’s data protection authority sued Facebook for violations of Belgian privacy laws based on the findings of a May 2015 report and recommendation by a Commission for the Protection of Privacy. 

US-EU Have Agreement in Principle on New Data Sharing Pact

By Gregory M. Kratofil, Jr.

The European Commission announced Monday that it has reached a deal in principle with the United States on what is being called “Safe Harbor 2.0” – a new data sharing agreement to replace the Safe Harbor agreement invalidated by the EU Court of Justice earlier this month. The Commission’s announcement came on the same day that the German DPA issued a position paper declaring all remaining alternatives to Safe Harbor – including model contract clauses and Binding Corporate Rules – to no longer be viable means for transatlantic data transfer. 

Israel Revokes U.S. Data Transfer Authorization in Wake of EU Safe Harbor Invalidation

By Joseph D. McClendon

The Israeli Law, Information and Technology Authority (ILITA) revoked authorization for businesses that previously relied on the EU’s Safe Harbor exception to transfer data from Israel to the United States. 

Under Israel’s 2001 Privacy Protection Regulations, moving data from inside Israel to a database outside of Israel was permitted provided that the transferee country had laws regulating data protection that were at least as protective of data as Israeli law. 
