Tag Archives: EU data privacy

Data Privacy and Security: The Demise of the EU-U.S. Safe Harbor

The lack of a cohesive body of data privacy and security laws in the U.S. created problems with transfers of personal information from EU citizens held by U.S. companies.  Thus the EU-U.S. Safe Harbor was created and is administered by the U.S. Department of Commerce.  Under the Safe Harbor, U.S. companies could self-certify their compliance with minimum standards of data privacy and security such that the EU deemed such companies' efforts adequate to meet EU data privacy and security principles (set out in both Directives and regulations).  Late in 2015, the European Court of Justice issued a judgment declaring the Safe Harbor agreement invalid.  This decision is cause for concern, as U.S. companies may discover that they are no longer in compliance with EU data privacy and security principles even though they have self-certified under the Safe Harbor.  Nevertheless, the Department of Commerce continues to allow U.S. companies to register and self-certify in the Safe Harbor program while a new solution is sought to address tighter controls and meet more stringent data privacy and security principles.

In the meantime, companies of all sizes should be reviewing their current practices and the practices of any third-party service providers they use, including cloud services.  Be ready to take action.  Approximately one third of all data transfers of personal information are between the U.S. and the EU.  The EU General Data Protection Regulation (GDPR), set to become law in 2018, puts in place more rigorous rules for consent to collect personal data, requests for removal of personal information from servers, and stepped-up enforcement of complaints.  The object of the GDPR is to ensure strict levels of security without impeding market growth for businesses.  Failure to comply with the new Regulations may result in fines of up to 4% of a company’s global revenue.

Although the GDPR isn’t scheduled to take effect for some time, moving to best practices and implementing changes that will ensure future compliance is necessary.  Don’t wait until the Regulations become effective: the invalidation of the Safe Harbor can, and likely will, trigger lawsuits against U.S. companies regardless of whether they have self-certified under the Safe Harbor.

Don’t be left behind and leave your company exposed.



German court rules Google privacy policy violates data protection law

Google has certainly suffered its share of scrutiny from privacy regulators recently.  The company faces financial sanctions in France and Spain for failure to comply with privacy laws.  Now a German court has ruled that as many as 25 provisions in its privacy policy and terms of service violate German data protection law.  The court indicated that the offending provisions were too vaguely formulated, and prevented or restricted consumers from exercising control over their personal data.  Thirteen privacy policy provisions and 12 terms of service provisions were held invalid.

Google, like many other high-tech companies, asks consumers to click a box to confirm that they agree to its Terms of Service and have read the Privacy Policy.  This approach does not comply with German law, which is much stricter than any of its U.S. counterparts.  German data privacy law requires the consumer to make a more definitive and conscious choice to opt in to provisions that would allow collection and use of personal data or restrict the consumer’s ability to delete or change their preferences.  The consumer’s consent must be explicit and ongoing.  Google’s vague privacy policy and terms of service provisions simply don’t go far enough to satisfy that threshold of continuing control by the consumer.

Google has indicated that it will appeal this decision, and a decision from the court of appeal is not likely to be issued until late 2015.

The Federation of German Consumer Organizations, which brought the case, complained about, among other things, the way Google obtained its right to review and control, change and delete certain types of information, remove applications by directly accessing a device, and adjust functions and features of services completely at will.

Companies collecting personal information should take this as a wake-up call.  Google is not the only company to run afoul of European privacy laws.  Both Apple and Samsung have been before the same court and had a number of privacy policy provisions held invalid.  Under proposed EU rules, effective as early as June 2014, companies violating the new data protection laws could face fines of as much as $135 million.