Category Archives: Privacy Violations Damages

EU-US Privacy Shield: Legal Certainty for US Companies

A new data privacy protection agreement has been tentatively reached between the U.S. and the EU. This new agreement to be called the “EU-EU Privacy Shield” replaces the 15 year old EU-US Safe Harbor Program that US companies have relied on to ensure legal certainty when personal data from the EU to the US.  The EU-US Safe Harbor was struck down late last year as not providing sufficient protection of personal information.

One of the most difficult obstacles to overcome in reaching this new agreement was the scope of access and transfer by U.S. government intelligence agencies. This new agreement should replace current uncertainty with clearer limitations and robust oversight and enforcement powers given to the Federal Trade Commission.  US companies will be subjected to vigorous obligations on data processing guaranteeing individual rights.   The new agreement also provides new redress options to any citizen who believes their personal information has been misused.

The EU-US Privacy Shield must now be approved by the European Union’s 28 member states. There will be both detractors and advocates, but it is nevertheless expected to pass muster.  Details of the new agreement should be drafted over the next two weeks and if approved it would be effective from early April.




UPDATE: Canada’s Anti-Spam Legislation is in full swing

This isn’t the first time we’ve addressed Canada’s increasing concern for personal privacy and data security as expressed in legislation. In particular, the Canadian Anti-Spam Legislation (hereinafter “CASL”) has finally come into effect and we’re learning about it as Canadians and those who advertise to Canadians spend time with the CASL.

CASL impacts those who use electronic and digital marketing and acts to protect Canadians from the impacts of spyware, phishing and the like. Violations of are expensive and therefore, companies were on the ball when CASL came into effect this June. If you’d like more information on CASL, please see our post “Coming to Canada this Year: The National Anti-Spam Law.

Networking. Consent can be obtained from word-of-mouth and conversations carried out on the phone or in person. Part of sealing the deal with these requests for commercial information is to obtain all of the requisite information for valid consent in the form of an email after the conversation.

Referrals. CASL allows a company to send one commercial electronic message as a referral. This must include the name of the person who referred the company to the individual. The referring individual and the company must have an existing business relationship and this relationship must be made transparent to the person obtaining the referral.

Social Media. Consent to advertise can be obtained through social media. Twitter, Facebook, Pinterest are crawling with companies wanting to advertise. If consent is given by an individual on a social media platform, the consent is limited to that social media platform. Messages posted on the public face of the platform are not under the jurisdiction of CASL, but private messages are.

Recording Consents. Because CASL requires that a company obtain consent before advertising to someone, the company must be able to prove that consent was obtained. This is easily proved when permission is obtained online or in written form, but permission can also be obtained by oral consent. In these cases, it is recommended that an email be sent after the conversation verifying that consent was given to advertise to them.

These are just some observations made by those engaging with the CASL so far. If you require more information about that CASL and your business in particular, please contact us! CASL is used to help keep the personal data of Canadians protected. For more information about data privacy, please check out our e-book! And here are the links to the Kindle edition on Amazon US and Amazon UK.



Post-Data Breach Notifications and Disclosures.

You are a business that holds the personal information of employees and customers and the worst has been released: there has been a data breach.

Depending on where your business, employees and customers are located, there are different requirements on how to handle such a breach.

For those jurisdictions that have laws governing this area, there will be notice and disclosure requirements.

But what happens if the breach goes unnoticed? How can your business be sure that they are keenly aware of all data breaches? Many data breaches aren’t even discovered for months. Are all data breaches created equally? What sort of breach must be reported? We hope this posting will clear up some of the questions that your business may have regarding data breaches and required action if not put your business on the right track to data security.

There are ways in which companies can monitor if breaches have happened or if any strange behaviours are happening that would suggest that they have been hacked. Still, sixty-two percent of breaches take months to be discovered.

Almost every state has requirements that in at least some cases, data breaches, once discovered, be subjected to a risk of harm analysis and parties and the Attorney General be notified. Some industries require that there be notifications made. Some suggest that all data breaches should be paired with a notification and some press about what the company is going to do in the future to prevent such events from happening.

It is important to know what the standards are for not only the jurisdiction your business is located in but the jurisdictions for every person’s data that you hold, as residency of the person’s data is the standard that must be followed to meet the standards of most state laws in addition to the industry standards.

If you have more questions about data breaches and notification and disclosure requirements more specific to your business or jurisdiction then please don’t hesitate to contact us for more personalised information. Even questions about how to get started are welcomed.

We also can suggest purchasing a copy of our e-book, Data Privacy: A Practical Guide, available at:



Google Facing Lawsuit for Scanning Data of Students.

Google will be facing the courts again soon in California where a class action lawsuit has been brought against the company for data-mining emails. This is certainly not Google’s first encounter with the court system and not even the first time that the company has been accused of violating the privacy of its users. Google has been called to answer for data privacy violations all over the world: the French have warned, fined and are currently suing the company, the Spanish, British, Dutch, Germans and Italians are following a similar path with the company as well. Google’s particular trouble in Europe stems from the EU’s data protection rules overhaul that Google is strongly resisting. In the US, claims have been made against the company for violation of federal wiretapping laws by scanning Gmail emails as well as state privacy laws and with the most recent allegation, violation of the Family Educational Rights and Privacy Act (hereinafter “FERPA”) for scanning of students using Google’s Apps for Education.

Google’s Apps for Education is part of the growing group of Google Apps. The education Apps do differ from the other Apps as these are aimed specifically at K-12, college and university students, staff and faculty for which there are no Google Adwords targeted ads displayed. The accusation by two students party to the class action is that Google has violated their rights under FERPA by scanning and indexing their Google emails, used as tools for education, to provide certain features that cannot be turned off. FERPA was written and contemplated before cloud computing and Google believes that it will be interpreted by the courts in such a way that they will find success. Check back for updates!

If your company has a presence online and is concerned that it is not meeting the standards set forth in legislation about gathering and protecting customer or user data, or perhaps you have international users and customers and worry about different legal standards from the differing jurisdictions, then please contact us for more assistance. Also, check out our newest e-book, Data Privacy: A Practical Guide. This guide is the perfect way to get your business started on the path to complete data security for your customers and employees. With easy access to the authors for follow-up or more specific jurisdictional advice and updates, this e-book is the perfect read for any business.



Protecting Your Business from Data Breach and Cyber Attack.

Carrying insurance as business is commonplace and depending on what type of business one is involved in there are a myriad of different insurance policies and coverage types that may be used to ensure that the business is protected in the event of some sort of unplanned event. As an increasing number of businesses are falling victim to cyber attack during which sensitive personal data is stolen many businesses are purchasing Data Breach Insurance or Cyber Security Liability Insurance, all depending on which plan a business chooses to protect them in the event of a data breach. So, is this insurance coverage the right thing for your business?

Deciding on whether or not coverage of this sort is something that your business must consider shouldn’t hinge on whether or not data is stored on the Internet. In some cases, data breach insurance covers stolen laptops and computers and even paper files, though it is a coverage aimed at protecting against cyber attack, in general. If your business collects, stores or transmits personal data of others, including employees, or would suffer monetarily in the event of an attack then this coverage is something that should be investigated.

Once a business has decided that further investigation is warranted, the next place to start is with the business’ current insurance coverage plans as some types of data breach events may already be coverage. A small business may find that for its needs the current coverage is sufficient. Following, the business should acquire as many coverage plans as they can and read them thoroughly as to find the coverage that meets their needs. In this case the business will consider the types of attacks that they would be looking to prevent, breach of customer data or distributed denial of service attack, for example. As well as considering the type of the attack, the type of damage covered also needs to be considered: first-party expenses and third-party liabilities. First-party expenses will be the costs to the business in notifying customers of the breach and offering data monitoring services, forensic analysis, boosting bandwidth or even paying an extortionist’s ransom to prevent an attack. Third-party liabilities will be lawsuits brought by customers or employees whose data has been compromised, fines or redress sought by regulators.

Reputational damage and loss of business will probably not be covered by insurance therefore it is important to safeguard the business’ data holdings. Insurance alone will not suffice to cover all potential damage that could arise in the event of a cyber attack.

If your business is evaluating its data security or considering purchasing cyber attack insurance or data breach insurance, then please contact us for assistance with this matter.



Choosing to Use Online Targeted Advertising.

Online targeted advertising, such as Google’s Adwords, uses potential customer demographics and behaviour online to specifically target brands, products and services to that individual. When using these services, a business can purchase advertising rights to certain searched words and locations and geographical locations. As courts around the world are finding, many businesses are choosing to use their competitor’s trademark in addition to their own for keyword searches that will trigger their own advertisement to be shown. Depending on where you are advertising and targeting, different rules and judgments will apply to what situations use of a competitor’s trademark as a keyword to activate your advertisement is allowed, because believe it or not, it isn’t always against the law.

In Australia, a high court decision of Google v. ACCC found that Google itself wasn’t responsible if an Adwords customer used an infringing trademark however, did not expand on whether or not the Adwords customer would be held liable for damages if using an infringing trademark.

In the UK, two cases have shone light on situations when it is legal and illegal to use a competitor’s trademark in online targeted advertising. The Interflora case gave a more specific guide in the case of business networks. In this case, Interflora is a vast network of florists that trade under individual names but all are part of the Interflora network. M&S, not a part of the Interflora network of florists, used the Interflora trademark as a keyword indicator for their advertisement. The court found that because of the nature of the business network, it was misleading to the customers that they did not indicate that they were not a part of the Interflora network and thus, the use of the trademark was illegal. In a case involving and Lush, Amazon used Lush’s trademark in Google Adword advertising suggestive that Amazon had for purchase Lush products. The court determined that the average customer would not be able to ascertain without difficulty that the Amazon goods did not originate from Lush.

Whilst these decisions are based on different sets of laws, they do help to guide future customers of such advertising companies on the best manner in which to make use of trademarks. If you are advertising using Google Adwords or a similar company and want to get the most from your advertising or are unsure if your advertising constitutes a trademark infringement, or if you have found that a competing business has been using your trademark then please contact us so that we examine the situation and advise you further.


Data Protection: Where does “Processing” Occur?

The EU Data Protection Directive, implemented by individual member states, is to be applied even where the data controller is located outside the EU, but uses equipment located within the EU to process that personal data.  The High Court of Berlin has been reviewing a case brought against Facebook by the Federation of German Consumer Organisations.  The group claimed that Facebook was in breach of German data protection law by sending emails to non-users without their consent through use of the “Friend Finder” feature.

Most significantly, the High Court placed particular importance on the use of cookies.  Holding that Facebook, as a data controller, used “equipment” in Germany when it placed cookies on the devices of German users, regardless of whether they were Facebook users.  This is significant since Facebook, a US company argued that any German data was controlled and processes from its operations in Ireland and therefore, Irish data protection laws applied to it.  Yet the High Court held that Facebook did not provide sufficient evidence to demonstrate that its Irish operations actually made the decisions expected from a data controller, rather the US operations was the decision maker.

This ruling is contrary to that handed down by the Schleswig-Holstein Administrative Court of Appeals last year,  which ruled that Facebook was not subject to local  (German) data protection laws.  The Administrative Court of Appeals did not address the question of whether the Irish or US operations controlled the processing of German users’ personal data.  Rather found that the Irish operation’s participation of the blocking of anonymous accounts was sufficient to render a decision.

This most recent decision is important since most online advertising companies use cookies to track consumer preferences in order to more specifically target relevant advertising materials.  Should this decision stand it is likely that characterizing the placement of cookies onto a consumer’s device as using equipment would subject US companies, in particular, to much closer scrutiny by many countries.

Need assistance? Please contact us and see how we can help.



Facebook Lawsuit the Latest in a Disturbing Trend?

A class action lawsuit filed just a few weeks ago has brought another Internet giant into the light having allegedly breached the privacy of its users. This is not the first time that the social media site has been sued for breaches of privacy and it almost certainly will not be the last. Just last year Facebook settled a different privacy class action lawsuit alleging that Facebook’s Sponsored Story advertisements used the user’s name and “Liked” information without the ability to opt out or without their permission as well as “liking” pages that the user did not “Like” themselves. Facebook settled with the five plaintiffs, two of which were minors, agreeing to pay them $US20-million. The year before, Facebook settled a very similar class action by agreeing to pay out $US10-million to charity.

Facebook is not the only provider of a free messaging service that has faced scrutiny over its privacy practices or been brought to answer in court. Google, the creators of Gmail, has been forced into court to defend against lawsuits also alleging breaches of privacy involving screening of user’s email messages.  Filed in the same Federal Court as the most recent Facebook class action, the Court ruled that Google’s actions were breaches of the user’s privacy and beyond that, the Court found that Google’s Street View cars inadvertently sweeping up personal data from homes as it drove was in violation of the federal wiretapping laws and ruled that Google could also be held liable in damages for that transgression.

In the newest class action, filed in Federal Court in California on 30 December 2013, the two American plaintiffs allege that Facebook has been scanning users’ private messages that contain links to other webpages and using those messages to capture data about the user to share with data collectors and advertisers. Because the Facebook users are led to believe that those messages are “private” the plaintiffs argue that Facebook has violated the Federal Electronic Communications Privacy Act and other California state privacy laws. In response to the allegations made in the complaint, Facebook has denied their merit and has said that they look forward to defending against them. As the lawsuit is still young in the judicial process, we will have the watch how things progress, but chances are very good that if there is merit to the claims, Facebook will be paying large fines and will likely choose to settle as it has done in many other cases preceding this.

If you are concerned that your internet company or business could be in breach of its privacy policy or the privacy of your customers, or just aren’t sure, please contact us to share your concerns and we’ll be happy to help make certain that a costly lawsuit is not in your future.


Coming to Canada This Year: The National Anti-Spam Law

As mentioned in a previous article, Canada is no-nonsense when it comes to protecting the privacy of its citizens.  To join the new host of data protection laws this year is Canada’s Anti-Spam Legislation (hereinafter “CASL”), a national law aimed at ending the most invasive types of spam for Canadians include identity theft, phishing and spyware. The hope is to drive spamming out of Canada in an effort to protect e-commerce within the country. The legislation has been in the works for years and will certainly have big impact on businesses that are based in or operate in Canada, including those that e-advertise within the country.

Whilst a final date has yet to be set for the legislation to come into effect, it is thought that it will be effective in June 2014. CASL will impact companies and individuals alike who employ digital and electronic marketing, be it SMSing, e-mailing and installing computer programmes without consent but does exclude telemarketing. Sending marketing information without prior consent will be a thing of the past, except for some slim situations where consent is implied from previous dealings or personal relationships, for example. Whilst PIPEDA (please see article titled: “Canadian Courts to Businesses: We Do Not Take Privacy Violations Lightly” posted on 13 January 2014) consent may have been received by some, CASL consent is completely different and inferred consent will not be derived from PIPEDA consent. Different from the US’s CAN-SPAM legislation, Canada’s CASL is an “opt-in” system, though consent can be revoked at anytime thus the requirement for the “unsubscribe” feature.

Upon the regulations coming into effect, businesses may have a grace period to reach compliance, but there are massive benefits to being compliant beforehand. The penalties for non-compliance are not cheap: up to $10-million for companies and up to $1-million for individuals. This law does apply to marketers outside of Canada, so being current with this legislation could save businesses trouble even where they are not based or established.

Please contact us to get a list of services we can offer your entire business in becoming CASL compliant in order to best avoid any penalisation for non-compliance. Moreover, we can help in the obtaining of consent from potential Canadian clients.


U.S. FTC Cracks Down on Customer Data Privacy Violations

The United States Federal Trade Commission (hereinafter “FTC”) is not only charged with promoting competition but also protecting American consumers. One way, by protecting their privacy. In order to enforce the seventy-one federal statutes within its jurisdiction, the FTC investigates businesses and their practices to ensure that laws are followed to the letter. Though most investigations by the FTC are not public, an investigation will undoubtedly cost a business time and focus. Beyond investigation, there can be a lawsuit, either of which may lead to a settlement in the form of a consent order. In the case of settlement, the FTC will propose a consent order that will detail the terms of settlement reached. This will be published and open for public comment for thirty days, afterwhich if the consent order is violated, the FTC can seek judicial enforcement. These public events will not only  impact businesses’ reputation but are also costly in other ways, such as legal fees.

Last year, the FTC released a report titled, “Protecting Customer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” In this report the FTC suggested the best methods for businesses to assure that not only its data is protected but also the data collected from customers. It is certain that the FTC does not take privacy violations lightly, as Google learned from the strong message sent by the Commission in the form of the largest FTC penalty for violation of a settlement order to the tune of $22.5-million. This after Google deceived Apple Safari users by stating that it would not be collecting their user and browsing information or tracking them for the purposes of advertising. The penalty was not the only term in the consent order; Google is now barred from future privacy misrepresentations, must implement a comprehensive privacy program and will be forced to have independent privacy audits for the 20-years.

Google is not the only company that has been hit with FTC privacy violations. LabMD compromised and inadvertently released personal information of 10,000 of its customers, some including medical information. Whilst the case is on-going, the FTC is seeking a similar outcome to the one reached with Google: a comprehensive security and privacy program and independent privacy audits for 20-years. Interestingly, LabMD has challenged the FTC’s authority to bring such a complaint against it.

This year, an FTC investigation into data broker companies’ uncovered ten companies that were in violation of the Fair Credit Reporting Act, a federal statute under its jurisdiction to enforce. In this case, the FTC simply sent letters to the incompliant companies informing them of their wrong practices and reminding them of how to act lawfully in the future.

If your business or company has concerns over FTC compliance or has come under investigation by the FTC, please contact us for help.