Category Archives: Data Privacy

Data Privacy

EU-US Privacy Shield: Legal Certainty for US Companies

A new data privacy protection agreement has been tentatively reached between the U.S. and the EU. This new agreement to be called the “EU-EU Privacy Shield” replaces the 15 year old EU-US Safe Harbor Program that US companies have relied on to ensure legal certainty when personal data from the EU to the US.  The EU-US Safe Harbor was struck down late last year as not providing sufficient protection of personal information.

One of the most difficult obstacles to overcome in reaching this new agreement was the scope of access and transfer by U.S. government intelligence agencies. This new agreement should replace current uncertainty with clearer limitations and robust oversight and enforcement powers given to the Federal Trade Commission.  US companies will be subjected to vigorous obligations on data processing guaranteeing individual rights.   The new agreement also provides new redress options to any citizen who believes their personal information has been misused.

The EU-US Privacy Shield must now be approved by the European Union’s 28 member states. There will be both detractors and advocates, but it is nevertheless expected to pass muster.  Details of the new agreement should be drafted over the next two weeks and if approved it would be effective from early April.




UPDATE: Canada’s Anti-Spam Legislation is in full swing

This isn’t the first time we’ve addressed Canada’s increasing concern for personal privacy and data security as expressed in legislation. In particular, the Canadian Anti-Spam Legislation (hereinafter “CASL”) has finally come into effect and we’re learning about it as Canadians and those who advertise to Canadians spend time with the CASL.

CASL impacts those who use electronic and digital marketing and acts to protect Canadians from the impacts of spyware, phishing and the like. Violations of are expensive and therefore, companies were on the ball when CASL came into effect this June. If you’d like more information on CASL, please see our post “Coming to Canada this Year: The National Anti-Spam Law.

Networking. Consent can be obtained from word-of-mouth and conversations carried out on the phone or in person. Part of sealing the deal with these requests for commercial information is to obtain all of the requisite information for valid consent in the form of an email after the conversation.

Referrals. CASL allows a company to send one commercial electronic message as a referral. This must include the name of the person who referred the company to the individual. The referring individual and the company must have an existing business relationship and this relationship must be made transparent to the person obtaining the referral.

Social Media. Consent to advertise can be obtained through social media. Twitter, Facebook, Pinterest are crawling with companies wanting to advertise. If consent is given by an individual on a social media platform, the consent is limited to that social media platform. Messages posted on the public face of the platform are not under the jurisdiction of CASL, but private messages are.

Recording Consents. Because CASL requires that a company obtain consent before advertising to someone, the company must be able to prove that consent was obtained. This is easily proved when permission is obtained online or in written form, but permission can also be obtained by oral consent. In these cases, it is recommended that an email be sent after the conversation verifying that consent was given to advertise to them.

These are just some observations made by those engaging with the CASL so far. If you require more information about that CASL and your business in particular, please contact us! CASL is used to help keep the personal data of Canadians protected. For more information about data privacy, please check out our e-book! And here are the links to the Kindle edition on Amazon US and Amazon UK.



Post-Data Breach Notifications and Disclosures.

You are a business that holds the personal information of employees and customers and the worst has been released: there has been a data breach.

Depending on where your business, employees and customers are located, there are different requirements on how to handle such a breach.

For those jurisdictions that have laws governing this area, there will be notice and disclosure requirements.

But what happens if the breach goes unnoticed? How can your business be sure that they are keenly aware of all data breaches? Many data breaches aren’t even discovered for months. Are all data breaches created equally? What sort of breach must be reported? We hope this posting will clear up some of the questions that your business may have regarding data breaches and required action if not put your business on the right track to data security.

There are ways in which companies can monitor if breaches have happened or if any strange behaviours are happening that would suggest that they have been hacked. Still, sixty-two percent of breaches take months to be discovered.

Almost every state has requirements that in at least some cases, data breaches, once discovered, be subjected to a risk of harm analysis and parties and the Attorney General be notified. Some industries require that there be notifications made. Some suggest that all data breaches should be paired with a notification and some press about what the company is going to do in the future to prevent such events from happening.

It is important to know what the standards are for not only the jurisdiction your business is located in but the jurisdictions for every person’s data that you hold, as residency of the person’s data is the standard that must be followed to meet the standards of most state laws in addition to the industry standards.

If you have more questions about data breaches and notification and disclosure requirements more specific to your business or jurisdiction then please don’t hesitate to contact us for more personalised information. Even questions about how to get started are welcomed.

We also can suggest purchasing a copy of our e-book, Data Privacy: A Practical Guide, available at:



Outsourcing Data Management: The Risk.

Owing to a lack of knowledgeable or skilled staff or simply due to wanting to shift the risk, many businesses have their data managed by third parties. Database administrators help businesses manage, maintain, monitor and secure their data, among other important functions. Having the help of a database administrator can be invaluable to a business. When businesses choose to outsource their data management, database administration companies can take on the responsibility on behalf of the business. As with all services purchased, a contract will be drafted to outline the relationship-to-be and expectations upon the cessation of services among all other contractual needs. A recent English Court of Appeal case has brought to light some things that British companies outsourcing database and data management should be aware of.

Datateam, a publishing company had employed the database management services of Your Response, database administrators. Their contract was partially oral and written but failed to denote what a reasonable notice period was for cancellation of services. When Datateam gave what Your Response deemed to be too short of notice to end their contract and had outstanding fees, Your Response did not return the electronic database that they had been maintaining as a lien. The lower court determined that the Your Response was entitled to exercise a possessory lien over the database, but Datateam appealed arguing that the lien was incorrect as the database was intangible property and thus a possessory lien was not allowed. The Court of Appeal decision does not stray from the common law and in an age when most documents are stored electronically parties must take extra precaution during their negotiation and bargaining phase to contract for these types of situations.

If your business’ data is managed by a third party or is looking at the option, then please contact us so that you can be confident that your contract will protect your interests in a similar case. Data protection is essential to protecting your business interests. Check out our latest e-book, Data Privacy: A Practical Guide. It is the perfect guiding tool for a small-to-medium-sized business tackling data privacy issues. Available at:



Big News in the EU: Court Strikes Down Data Retention Directive.

The European Union has been praised for being so forward with their data privacy laws, however, one law that was designed to aid in the apprehension of terrorists in the wake of terror scares and threats in the past decade, has been struck down by the Court of Justice of the European Union. The Court explained that whilst national security concerns are indeed very important and very alive, that personal privacy and data protection was in this case, more important.

The directive that was struck down is called the Data Retention Directive. The Directive required that internet service providers and telecom companies retain data for up to two years. The Court found that this requirement was a “wide-ranging and particularly serious interference” with the fundamental rights to communication, private life and protection of personal data. The Court opined that some data could be retained but data that was in violation of the fundamental rights was to be left. This certainly speaks loudly to how the European courts value data protection. In defence of upcoming trials, Google has said that they believe that the courts will not uphold strict data protection laws and thus rule in their favour… perhaps they ought to re-think their statements.

If your company has a presence online and is concerned that it is not meeting the standards set forth in legislation about gathering and protecting customer or user data, or perhaps you have international users and customers and worry about different legal standards from the differing jurisdictions, then please contact us for more assistance. Also, check out our newest e-book, Data Privacy: A Practical Guide, available at this link: . This guide is the perfect way to get your business started on the path to complete data security for your customers and employees. With easy access to the authors for follow-up or more specific jurisdictional advice and updates, this e-books is the perfect read for any business.


Google Facing Lawsuit for Scanning Data of Students.

Google will be facing the courts again soon in California where a class action lawsuit has been brought against the company for data-mining emails. This is certainly not Google’s first encounter with the court system and not even the first time that the company has been accused of violating the privacy of its users. Google has been called to answer for data privacy violations all over the world: the French have warned, fined and are currently suing the company, the Spanish, British, Dutch, Germans and Italians are following a similar path with the company as well. Google’s particular trouble in Europe stems from the EU’s data protection rules overhaul that Google is strongly resisting. In the US, claims have been made against the company for violation of federal wiretapping laws by scanning Gmail emails as well as state privacy laws and with the most recent allegation, violation of the Family Educational Rights and Privacy Act (hereinafter “FERPA”) for scanning of students using Google’s Apps for Education.

Google’s Apps for Education is part of the growing group of Google Apps. The education Apps do differ from the other Apps as these are aimed specifically at K-12, college and university students, staff and faculty for which there are no Google Adwords targeted ads displayed. The accusation by two students party to the class action is that Google has violated their rights under FERPA by scanning and indexing their Google emails, used as tools for education, to provide certain features that cannot be turned off. FERPA was written and contemplated before cloud computing and Google believes that it will be interpreted by the courts in such a way that they will find success. Check back for updates!

If your company has a presence online and is concerned that it is not meeting the standards set forth in legislation about gathering and protecting customer or user data, or perhaps you have international users and customers and worry about different legal standards from the differing jurisdictions, then please contact us for more assistance. Also, check out our newest e-book, Data Privacy: A Practical Guide. This guide is the perfect way to get your business started on the path to complete data security for your customers and employees. With easy access to the authors for follow-up or more specific jurisdictional advice and updates, this e-book is the perfect read for any business.



Small to Medium-Sized Business with Data Security Worries?

Data security is not something that only large businesses and corporations need to be worried about. Any business with an online presence must be even more worried about it. However, securing customer and employee data is something that is either passed on to a third party to deal with or is largely ignored because businesses are unaware of their obligation to do protect the data or because it is just too overwhelming and confusing. It is true that data protection regulation and legislation can be confusing especially when having to meet the standards of both domestic and international legislation. A breach in data security could range from the system being hacked and held for ransom or a retired employee’s access not being closed by mistake. The result of misuse, loss or theft of data could be a lawsuit, loss of reputation and business or fines. Whilst these may not be devastating for a large business or corporation such as Google, a repeat offender, to a small to medium-sized business, the result could mean closing the doors.

Owing to these problems faced by the small to medium-sized businesses and even some of the newer larger businesses, two of our top consultants of Interstice Consulting have gathered together their valuable insight to help guide businesses through the process of setting up data security measure to meet the stringent requirements of legislation. Data Privacy: A Practical Guide examines global trends in data security and data privacy, analyses in depth the larger jurisdiction’s legislation and how to be in compliance, touches on business-to-business issues as well as data breach insurance, informs on what to do in the case of a data breach and provides ways to be continually updated. There is no to wait for your book to arrive in the mail because it is available immediately as an e-book only.

This guide will give small to medium-sized business not only the information they need to set up their data protection scheme but will also give them to confidence to be able to reach out to the authors should they have a more specific question or assistance in a jurisdiction not covered by this guide. By starting on the right path to data security for your business, you can assure your customers that they made the right choice to continue their business relationship with you.

To purchase your copy of Data Privacy: A Practical Guide, please follow this link:



Employees Need to Understand Data Security Risks.

Business organisations do and should have big worries about data security. The potential losses to business and reputation by a breach of data privacy can be great enough to have to shut the doors for good.

But whilst data privacy and data security may weigh heavy on the minds of the organisation’s leaders, employees usually fail to understand how essential data security is to their job as well. Employees will often think that there is a department or person that hangs those things or that there is software that protects them. However, educating and training employees on the importance of data security to everyone in the organisation sets the organisation on a path towards locking up any gaps in their data security network.

An important concept to focus on throughout employee training is that data security is the responsibility of everyone. Whilst a department or individual may manage security, individual security obligations should be undertaken by everyone employed by the company. Not only does this make the security managers more accessible for the employees, but also encourages the employees to release the important of and to take pride in the organisation’s data security.

Data security training shouldn’t be a one-time event but should be addressed at every training session from orientation to farewells. Building data security training into every training session will highlight the importance of it and continue to remind employees of their individual security obligations. This could also be a time to update employees on news in the data security field and updates that the organisation has made to its own data security network.

Employees also need to be made aware of the responses that the organisation has planned for data security failures. For employees to know that there are plans and what the plans are, even just generally, executing them will be much less confusing and perhaps even more effective because the employees have been trained to handle the situations.

If you require assistance in training your employees about the risks in security breaches and data privacy then please contact us.

Also, be on the lookout for our new e-book, Data Privacy: A Practical Guide to assist you further in this matter and with other important issues surrounding data privacy.



France is finished with Big Data Privacy Violations.

A French consumer protection group is fed up with unreadable, inaccessible and illegal user agreements of three major companies: Facebook, Twitter and Google.

The UFC-Que Choisir, France’s top consumer rights group, isn’t the only European consumer group with major concerns about how these websites are run and collect data on their countrymen. In December, Spain fined Google €900.000 for breaking data protection laws, another French group CNIL fined Google €150.000 for failing to meet a three-month long deadline to align the practice of tracking and storing user information with France’s law and the Netherlands have accused Google of violating privacy protection laws. Several other European consumer protection groups have been investigating the Google privacy policy as well.

The UFC-Que Choisir argues that the user agreements presented by these websites are only available on the website, are too long with too many hypertext links that often aren’t available in French. UFC-Que Choisir sent letters to these companies in June of last year asking that they bring their policies within the letter of French law. The user agreement is a contract between the user of the website and the company itself. French contract law requires that the entire contract be in French. Additionally, UFC-Que Choisir argues that the enormous number of hypertext links make it unclear to the consumers whether or not they form part of the agreement. Because the letters to the companies yielded no responses, the consumer group has issued the companies with summons to appear before the Paris High Court. UFC-Que Choisir has asked that the court strike out what they allege to be unfair or illegal clauses in the user agreements.

Check back with us soon for an update on what the French courts decide in this matter and for our new e-book, Data Privacy: A Practical Guide for more information about data privacy issues and solutions!