
Data Privacy and Security: The Demise of the EU-U.S. Safe Harbor

The lack of a cohesive body of data privacy and security laws in the U.S. created problems with transfers of personal information of EU citizens held by U.S. companies. Thus the EU-U.S. Safe Harbor was created; it is administered by the U.S. Department of Commerce. Under the Safe Harbor, U.S. companies could self-certify their compliance with minimum standards of data privacy and security, such that the EU deemed those companies' efforts adequate to meet EU data privacy and security principles (set out in both Directives and regulations). Late in 2015, the European Court of Justice issued a judgment declaring the Safe Harbor agreement invalid. This decision is cause for concern, as U.S. companies may discover that they are no longer in compliance with EU data privacy and security principles even though they have self-certified under the Safe Harbor. Nevertheless, the Department of Commerce continues to allow U.S. companies to register and self-certify in the Safe Harbor program while a new solution is sought to address tighter controls that meet more stringent data privacy and security principles.

In the meantime, companies of all sizes should be reviewing their current practices and the practices of any third-party service providers they use, including cloud services. Be ready to take action. Approximately one third of all data transfers of personal information are between the U.S. and the EU. The EU General Data Protection Regulation (GDPR), set to become law in 2018, puts in place more rigorous rules for consent to collect personal data, for requests for removal of personal information from servers, and for stepped-up enforcement of complaints. The object of the GDPR is to ensure strict levels of security without impeding market growth for businesses. Failure to comply with the new Regulation may result in fines of up to 4% of a company's global revenue.

Although the GDPR isn't scheduled to take effect for some time, moving to best practices and implementing changes that will ensure future compliance is necessary. Don't wait until the Regulation becomes effective: the invalidation of the Safe Harbor can, and likely will, trigger lawsuits against U.S. companies regardless of whether they have self-certified under the Safe Harbor.

Don’t be left behind and leave your company exposed.



Post-Data Breach Notifications and Disclosures

You are a business that holds the personal information of employees and customers, and the worst has happened: there has been a data breach.

Depending on where your business, employees and customers are located, there are different requirements on how to handle such a breach.

For those jurisdictions that have laws governing this area, there will be notice and disclosure requirements.

But what happens if the breach goes unnoticed? How can your business be sure that it is aware of all data breaches? Many data breaches aren't even discovered for months. Are all data breaches created equal? What sort of breach must be reported? We hope this posting will clear up some of the questions that your business may have regarding data breaches and required action, if not put your business on the right track to data security.

There are ways in which companies can monitor if breaches have happened or if any strange behaviours are happening that would suggest that they have been hacked. Still, sixty-two percent of breaches take months to be discovered.

Almost every state requires that, in at least some cases, a data breach, once discovered, be subjected to a risk-of-harm analysis and that the affected parties and the Attorney General be notified. Some industries require notifications as well. Some suggest that every data breach should be paired with a notification and a press statement about what the company is going to do in the future to prevent such events from happening.

It is important to know the standards not only for the jurisdiction in which your business is located but also for the jurisdictions of every person whose data you hold, since under most state laws the residency of the person whose data it is determines which standard must be followed, in addition to any industry standards.

If you have more questions about data breaches and notification and disclosure requirements more specific to your business or jurisdiction then please don’t hesitate to contact us for more personalised information. Even questions about how to get started are welcomed.

We also can suggest purchasing a copy of our e-book, Data Privacy: A Practical Guide, available at: http://intersticeconsulting.com/ibtt/tradeandtaxation/data-privacy/.



You don’t need to be Target to get sued over data privacy violations

Following the latest major security breach, this time aimed at Target Corp., in which data connected to approximately 40 million credit and debit card users was stolen, over a dozen lawsuits have been filed, including 3 class action lawsuits. The claims range from negligence in failing to protect customer data, to invasion of privacy, to failure to notify of the breach. A number of states also have breach notification laws requiring that the attorney general be notified. This could also mean that governmental action will be taken, possibly resulting in fines and penalties.

Civil lawsuits are becoming more prevalent as a means of enforcing data privacy policies and data protection laws. Thus far, the biggest hurdle for plaintiffs to overcome is proving damages. Courts have dismissed a number of these suits simply because the plaintiffs could not establish that the data breach caused them injury. Plaintiffs, schooled by previous cases, are becoming more careful in establishing damages.

One of the early cases, Burrows v. Purchasing Power, LLC, 12-cv-22800-UU (S.D. Fla. Oct. 18, 2012), filed claims for identity theft, negligence, invasion of privacy, and a violation of Florida's Deceptive and Unfair Trade Practices Act. The Plaintiffs, employees of Winn-Dixie, alleged that Winn-Dixie failed to protect and secure their personal information from theft. An employee of a Winn-Dixie service provider, Purchasing Power, had obtained the Plaintiffs' personal information and misused it. The case was eventually settled, and the defendants were required to maintain rigorous security safeguards going forward. In order to receive settlement proceeds, the plaintiffs had to prove they were victims of fraud and show the circumstances of any loss.

In another case, there was no data breach; rather, the plaintiffs alleged that their personal information was collected and sold to media outlets without their consent. The claims included violations of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Stored Communications Act. The Seventh Circuit upheld certification of the class action, giving little weight to the defendant's argument that the plaintiffs would each have to establish damages.

A Massachusetts law, the Song-Beverly Credit Card Act, prohibited retailers from collecting ZIP code information, thus preventing retailers from using ZIP codes to find other personal information. The Massachusetts Supreme Judicial Court broadened the term "personal information" to include ZIP codes and allowed the plaintiffs to proceed without having to establish that their data was compromised.

The number of cases involving claims of breach of data privacy or unauthorized use of information will undoubtedly continue to grow. Businesses must remain vigilant to ensure compliance with data protection laws wherever their customers are located. Take precautions to avoid inadvertent breaches and update data privacy policies at least bi-annually.

Contact us if you need assistance maintaining an up-to-date data privacy policy.


2014: Data Privacy and a Big Boon for EU Companies

In 2014, the impending and almost certain to be enacted EU Data Privacy Directive, the strictest and most comprehensive to date, may create an artificial boon for EU companies. This year, with news that the NSA readily accesses data collected and stored by U.S. cloud companies such as Google, consumers and companies alike are looking for an option that provides greater security and greater anonymity. EU companies, and any company collecting information from an individual located in the EU, will have to abide by the rigorous articles set out in the Directive. This just might provide a competitive advantage to EU companies. Consumers may be more likely to seek out companies that comply with the Directive when purchasing goods or services.

One of the primary tenets of the EU Data Privacy Directive is control over personal information. Every individual will have control over the collection, storage and use of his or her personal data. Explicit consent from the individual will be required. And that control will not end with a one-time simple expression of consent. Individuals will retain the right to access their personal information, make changes, and, if so desired, have their personal information deleted completely. Companies that do not comply will face significant penalties. U.S. companies that currently maintain personal information on EU citizens will have to comply or risk steep fines.

There is no comprehensive federal U.S. law governing data privacy, nor is there likely to be one soon. A number of states are enacting data privacy laws, but the focus has been on protecting information primarily related to health and children. Implementing a U.S. federal law as comprehensive as the EU Data Privacy Directive seems not just unlikely but impossible. Data collection is a huge industry, and the revenues generated and potential jobs created could assist in the current economic recovery. Following enactment of the Directive, however, U.S. companies may have to step in line or risk alienating their customers.


Data Privacy in the Cloud

As cloud computing becomes more popular and experiences widespread adoption, the cost of using a cloud provider, as opposed to maintaining your own data servers, could give your business a competitive advantage. But when your business stores personal data on someone else's servers, a degree of control over this sensitive data is lost. Beware: data privacy laws do not permit the cloud user to shift the risk of violation solely to the cloud provider. Staying compliant with data protection laws around the world will require you to ensure that any cloud provider also abides by the same regulatory and legal requirements. Transfer of personal data outside of the EU, for example, must comply with EU data protection law and any other local data protection laws.

Although cloud providers may not provide an easy path to negotiating changes to their standard terms and conditions, your business may nevertheless be responsible for violations of the law. Examining the cloud provider's privacy policy, security, redundancy practices and disclosure policy will allow you to make an informed decision. Push for changes to any terms and conditions that would impose on you the risk of noncompliance with data protection laws.

Know where your cloud provider is located; the legal environment with regard to data protection varies significantly from country to country. Data protection laws in Asia have not caught up with other regions in regulating data sovereignty, cross-border data flow and data security. Yet the cost of a cloud provider located in China, for example, could be much lower than one located in the EU. The cost of a violation of data protection laws, however, could make that budget cloud provider, located in a country that does not sufficiently protect the personal data collected by your business, far more expensive overall.


Should Marketing Companies Pay for the Right to Use Personal Information?

When personal information is collected, often from multiple internet-based sources, then combined and shared or sold to marketing companies, should those whose personal information is the subject of the sale be paid? This question was raised by a group of plaintiffs in Northern California looking for compensation from Google for the use and reuse of their personal information for profit. U.S. Magistrate Judge Paul Grewal dismissed the claims that Google's privacy policy, which allows personal information from more than one source to be combined, caused injury to the plaintiffs.

In his dismissal, Judge Grewal stated “Plaintiffs’ allegations certainly plead that Google made money using information about them for which they were provided no compensation beyond free access to Google’s services. But an allegation that Google profited is not enough equivalent to an allegation that such profiteering deprived plaintiffs of economic value from that same information.”

The practice of combining personal information from multiple sources, added to Google’s Privacy Policy and terms and conditions, implemented in March 2012, has come under heavy fire recently. Courts in Germany and the Netherlands have both cited this as a violation of data protection laws and Google is subject to significant fines and penalties. In this class action lawsuit, Google’s users, in addition to claiming Google’s policy of combining personal information obtained through various sources violated their privacy rights, also claimed misappropriation of likeness, violations of the Wiretap Act, the Stored Communications Act and California’s Unfair Competition Law.

Although this case was dismissed, it raises an important question about whether marketing companies will need to offer compensation, in addition to free use of a particular service, in order to collect, combine and use the personal information of their users. Google, for example, provides a number of services that are "free" to the user, provided the user agrees to its privacy policy and terms and conditions, which include the user's consent to combine and share personal information across many platforms. Yet, without collecting revenue from its users, Google still makes substantial profits, in part because it is able to sell advertisements that can be more carefully targeted at users based on their personal information.

Marketing companies that use panelists, who are surveyed for opinions ranging from new products to use of existing products and various services, pay the panelists for completing surveys. Although the compensation is minimal, the model might prove important in the future to avoid similar legal claims. Marketing companies might want to consider compensation ranging from free services to coupons or tokens for future purchases to entice consumers to permit unrestricted use of their personal information. This dismissal will not stop future litigants from raising the same issues, and it is possible that future litigants will have more success.


South Africa: Protection of Personal Information Bill

On November 27, 2013, the South African government signed into law the Protection of Personal Information Bill. This comprehensive Bill regulates how personal information may be collected, processed, and used, and aligns with international standards that prescribe the minimum threshold requirements for the collection, processing and use of personal information.

One significant change from previous law will give individuals the right to control the collection, processing and subsequent use of their personal information. Companies must obtain express consent from individuals to collect, process and use their personal information. The previous practice allowed companies to collect, store and use personal information provided the individual did not object. As was often the case, the objection, or opt-out choice, was not readily apparent. Companies will be required to notify individuals and obtain consent before any communication takes place. Consent may be revoked by the individual at any time after it has been given.

In addition, the Protection of Personal Information Bill establishes a regulatory agency and sets stricter limits on processing of personal information of children and information regarding the individual's religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behavior. The Bill requires companies that collect and/or process personal information to implement security measures, to notify individuals of breaches, and to restrict processing of personal information for the purpose of direct marketing, and it limits transfers of personal information to other countries unless that country has data privacy laws at least as strict.

Companies will have one year to demonstrate compliance with the new law, although this transition period may be extended for up to 3 years.

Since South African data privacy laws will now be in line with international norms, the Act could increase multijurisdictional trade and provide a boost to the economy.  To be compliant, companies will have to limit outsourced data storage and processing to vendors in countries that have adopted similar data protection laws.

Similar to other jurisdictions, larger companies will have to appoint data protection officers to ensure compliance with the Act.  Failure to comply can result in significant penalties and/or imprisonment.


In Spring 2012, Google completed its new privacy policy and implemented it throughout its product and services offerings worldwide. The new privacy policy allows Google to collect, combine and share personal information obtained from its different products and services. Only last week, a court in Berlin found Google's privacy policy, together with its terms of service, to be in violation of Germany's data protection laws. The German court raised a number of issues with Google's privacy policy and terms of service; underlying each of them is the apparent lack of control users have over personal data collected by Google.

Now, the Dutch data protection authority is focused on Google’s practice of combining personal data collected from all sources.  The Dutch data protection authority claims that when Google changed its privacy policy it did not inform or obtain consent from users.  Google users must click acceptance to a general privacy policy and terms of service.  These general terms allow Google to make changes to the privacy policy and terms of service without obtaining further consent from its users.  This practice breaches Dutch data privacy law.  In addition, Google does not provide information to its users on what is being done with the personal data collected, including combining personal information obtained from multiple sources for undisclosed uses.

The Dutch data protection authority has not yet indicated what enforcement measures will be imposed.

Google's data privacy troubles are not isolated to breaches of German and Dutch privacy laws. Spain and France also have investigations under way and are calling for enforcement actions. Google will have to change its privacy policy and terms of service to avoid further enforcement actions and penalties. The US Safe Harbor is being carefully scrutinized to determine whether, following implementation of the new data privacy rules in 2014, self-certification under the program will be satisfactory. Prior to implementation of the US Safe Harbor agreement, US data privacy laws, which differ from state to state, did not provide adequate data protection to satisfy the EU Data Protection Directive. As EU data protection laws get tougher, the US Safe Harbor will likely not offer the protection against enforcement actions that it once did.


German court rules Google privacy policy violates data protection law

Google has certainly suffered its share of scrutiny from privacy regulators recently. The company faces financial sanctions in France and Spain for failure to comply with privacy laws. Now a German court has ruled that as many as 25 provisions in its privacy policy and terms of service violate German data protection law. The court indicated that the offending provisions were too vaguely formulated and prevented or restricted consumers from exercising control over their personal data. Thirteen privacy policy provisions and 12 terms of service provisions were held invalid.

Google, like many other high-tech companies, asks consumers to click a box if they agree to its Terms of Service and have read the Privacy Policy. This approach does not comply with German law, which is much stricter than any of its US counterparts. German data privacy law requires the consumer to make a more definitive and conscious choice to opt in to provisions that would allow collection and use of personal data or restrict the consumer's ability to delete or change his or her preferences. The consumer's consent must be explicit and ongoing. Google's vague data privacy and terms of service provisions simply don't go far enough to satisfy that threshold of continuing control by the consumer.

Google has indicated that it will appeal this decision and a decision from the court of appeal will not likely take place until late 2015.

The Federation of German Consumer Organizations, which brought the case, complained about, among other things, the way Google obtained its right to review and control, change and delete certain types of information, remove applications by directly accessing a device, and adjust functions and features of services completely at will.

Companies collecting personal information should take this as a wake-up call. Google is not the only company to run afoul of European privacy laws. Both Apple and Samsung have been before the same court and had a number of privacy policy provisions held invalid. Under proposed EU rules, effective as early as June 2014, companies violating the new data protection laws could face fines of as much as $135 million.


Does One Size Fit All? Data Privacy Considerations in Global Transactions

How does a global business grapple with implementing a Data Privacy Policy that addresses the requirements of its largest markets, pursuant to the legislation in each country in which it transacts business, which likely includes the toughest restrictions on the collection, use, access, transfer and storage of personal privacy data the business has ever seen?

We all know personal consumer data is important to the success of most businesses. Being able to target consumers based on personal information such as their known likes, dislikes and previous purchases, and other personal identifiers such as address, gender, age, religion, ethnicity, profession, income, and family life, is a necessity to the viability and ultimate profitability of the business. A business that is able to leverage the personal consumer information it has collected can more successfully tailor its products and services to specific consumers and create a new revenue stream by sharing the information collected with other businesses, thereby enhancing its ability to succeed.

Where there is no current legislation, the pressure felt by a business to self-regulate by providing consumers a right to access and control their personal data creates a balancing act between the consumers' right to control their personal data and the business's desire to use that data to increase its profitability. Consumer confidence and trust on a global basis is already weakened by the fragmentation, legal uncertainty and inconsistent enforcement of data protection legislation. Unfortunately, data privacy legislation covering cross-border transfers is likely to remain without consistent enforcement for the foreseeable future.

Personal Information. There are two categories of personal information that are the subject of most legislation: 1) General Personal Information; and 2) Sensitive Personal Information.

General Personal Information is information that can identify individuals from the data collected or together with other information that is or may be in the possession of the data controller. Sensitive Personal Information is information collected about a person’s racial or ethnic origin, religious beliefs, political opinions, physical or mental health or condition; sexual orientation, criminal convictions or other court proceedings.

Collection and Use of Personal Information. Generally, legislation is aimed at those who control and/or process the data by restricting the collection and use of personal information. The processing of such personal data includes collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, transmission, dissemination, alignment, blocking, deletion, and/or destruction.

It has become an essential business practice in today’s global market to implement a Privacy Policy. The question then becomes: How broadly written should such a Privacy Policy be to protect against potential government violation(s) where there is a myriad of disparate data privacy laws in different countries, and still suit the business needs?

Data Privacy in the European Union. The European Union ("EU") has one of the most sophisticated and well thought out pieces of legislation on the subject of data privacy. This is perhaps because the legislation, beginning in the form of the 1995 Directive, has been tested and revamped over a number of years, and enforcement has become less fragmented among Member States in the EU.

The US Department of Commerce entered into an agreement for a "Safe Harbor" with the EU in 2000 to ease the administrative burden on US companies doing business with EU consumers. US businesses are able to become "self-certified" under this Program, which is evidenced through compliance with the EU's 1995 Data Privacy Directive. The Directive, however, is to be superseded by the tougher General Data Protection Regulation, which will likely be finalized and enacted into law in 2014. Public declaration of compliance with the Safe Harbor is all that is needed to self-certify; it shows intent to adhere to the principles contained in the 1995 Directive and thereby frees the self-certified business from penalties for the transfer of personal data from the EU to the US. The purpose of the Program was to ease compliance with the Directive, since each EU Member State was permitted to take the underlying principles set out in the Directive and adjust them when integrating the principles into its own laws, which resulted in inconsistencies and fragmentation that made compliance for businesses operating in both the US and EU difficult and inefficient. The Safe Harbor Program sets the threshold at which self-certification becomes a business's shield against penalties for non-compliance.

Several factors are lowering this shield, and businesses should be taking a closer look at whether their Data Privacy Policies are up to date. First, in July 2013, EU Commissioner Viviane Reding announced that the European Commission will be reviewing the Safe Harbor Agreement with the US and has promised to provide an assessment of the Agreement in light of the more stringent changes reflected in the current EU Data Privacy reform. If the Safe Harbor is suspended or revoked by the EU, then the transfer of personal data outside the EU would be unlawful unless some other lawful method was used, for example using EU model contracts or obtaining individual consent, which will be overburdensome and costly for many global businesses.

Secondly, following the NSA scandal which uncovered mass governmental surveillance in June 2013, the EU Civil Liberties Committee has proposed amendments to the EU Data Protection Regulation that would require permission to be obtained from the National Data Privacy Authority by any third country requesting the transfer of any personal data processed in the EU to a company outside the EU, including search engines, social networks or cloud providers. The proposed fines for non-compliance could be as high as EUR 100 million or 5% of the company's annual worldwide turnover. The proposed amendments would also give the consumer further rights regarding "erasure", require explicit consent, and set stiffer limits on the profiling of personal information.

The Plenary vote on these amendments is set to proceed before the end of the current Parliamentary term in May 2014.

Data Privacy Around the World. Since the Safe Harbor applies only to transfers of personal data from the EU to the US, there is no certainty that data privacy policies designed to meet the Safe Harbor will be sufficient to meet the requirements of other jurisdictions. Other countries, where consumer markets are substantial, are currently passing data privacy legislation that throws businesses new compliance hurdles to overcome. Even larger companies with substantial resources already allotted to data privacy compliance will likely be impacted and ultimately overwhelmed.

For example, in Canada only three Provinces (British Columbia, Alberta and Quebec) have privacy laws that mirror the Federal Privacy Act and the Personal Information Protection and Electronic Documents Act of Canada, which regulate the collection, use and disclosure of personal information by businesses and other organizations and provide consumers with a general right of access to, and correction of, their personal information. Other Provinces have not only implemented the Federal Acts but have gone further by enacting privacy laws pertaining specifically to personal health information, consumer credit reporting, financial transactions and the collection and use of personal data.

Also, earlier this year China issued standardized guidelines called the "Security Technology – Guide for Personal Information Protection within Public and Commercial Information Systems", and although this Guide is not legally binding (at this time), compliance with the guidelines is thought to be prudent, as there is little doubt that at some point in the very near future this Guide will become law. The Guide was released by the Standardisation Administration of China with the primary purpose of protecting personal information processed by commercial businesses. "Personal information" (in China) is defined as "computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person". This definition is vague by design. The basic guidelines cover the collection and use of personal information, consent, transfer outside of China, retention and deletion. The guidelines are more stringent with regard to sensitive personal information. Businesses can expect these guidelines, perhaps with some adjustment, to become legislation in the very near future.

Further, in Argentina, Section 43 of the Federal Constitution grants citizens, through judicial action, access to information about them on any database and the right to demand changes, confidentiality or deletion of incorrect data. The Personal Data Protection Law Number 25,326 provides broader protection of personal data and requires registration of all databases used for the collection and transfer of personal data with the Argentine Personal Data Protection Agency (Dirección Nacional de Protección de Datos Personales, or "DNPDP"). Data controllers must also hire a Head of Security, to whom security requirements will apply. Consent is required to collect personal information in all but very limited circumstances. Transfer of personal information out of Argentina requires consent by the consumer, which may be revoked by the consumer at any time.

Both the transferee and the transferor are jointly and severally liable for any breach of data protection obligations.

Other considerations: There currently are many technological roadblocks to a one-size-fits-all solution for global compliance. Many large businesses can establish global hardware and software standards. Smaller companies may simply find sufficient technology at affordable prices to manage personal privacy data. Certainly businesses will find that the adoption rate for new technology, support and speed differs from country to country. Legal requirements may also differ not only from country to country but also between states and/or provinces within the same country. For example, in India certain states require that hard copies with original signatures be maintained for certain records containing personal data. Also, many countries consider the information collected by cookies to be personal information. The EU ePrivacy Directive, effective May 2012, requires the consent of the consumer for a business to use the information contained in a cookie.

Formulating a Privacy Policy to ensure compliance with the widest range of laws is difficult and time consuming. The Policy should differentiate the two categories of personal data (General Personal Information and Sensitive Personal Information). Different types of personal information collected will require different protective measures to be put in place by the business. Understanding the nature of the personal information collected, and identifying the damage that might arise in the event of a breach, is crucial. Further, the business must determine whether the personal information will be transferred from one country to another, or from one company to another company. If the personal information is to be transferred to be used or processed for any purpose or retained by the other company, the business transferring the personal information must review the Privacy Policy of the company accepting the transfer, including contractual assurances with regard to confidentiality, control, access, transfer, deletion and security measures, and must monitor continuously for compliance. Consent must be obtained from consumers where necessary, so opt-in choices may be drafted cleverly to entice consumers to provide their consent. Significant changes increasing the administrative burden are likely.

The call for global harmonization is present in nearly every country, yet harmonization is unlikely to be reached for many years. However, it is imperative for businesses to begin implementing Privacy Policies sooner rather than later in order to be ahead of the impending legislation.


Wendy Kennedy or Michelle Berner

(949) 481-0112