The European Union (EU) is preparing to treat the United Kingdom (UK) as a third country after its withdrawal from the bloc, commonly known as Brexit.  Unless a deal is agreed before 29 March 2019, the UK’s trade with the EU will be heavily impacted by regulatory restrictions, increased costs, and lengthier procedures applicable to the movements of people, goods and services.  Less obvious is the impact on trade of the “no deal” scenario from potentially restricted data flows. With only eight months left until Brexit Day, the UK and EU have yet to start talks on a data protection agreement.

Data flows play an increasingly important part in international trade and are estimated to contribute up to 2.8 trillion USD to the world economy.  In 2016 alone, EU services reliant on data exported to the UK, such as finance, telecoms and entertainment, were worth approximately 36 billion EUR. Data flows from the UK to the EU constitute as much as three-quarters of all data from the UK. Under the EU’s General Data Protection Regulation (GDPR), however, personal data included in such data flows must be protected. For companies, this can include employee data (e.g., payroll information, biographical information, etc.) and customer data (e.g., contact information, transaction information, biographical information, social media profiles, etc.). Data flows from the EU to a third country are permitted if there is an adequacy decision by the European Commission that the third country’s data protection laws are adequate to meet the objectives of the GDPR or through another adequacy mechanism approved by the European Commission (e.g., EU-approved Binding Corporate Rules, use of Standard Contractual Clauses, etc.).

(From the post "No Post-Brexit Arrangement on Data Protection Will Affect UK-EU Trade")

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumers’ records each year, or (2) deriving 50% of their annual revenue from selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.

(From the post "SADDLE UP AMERICA: California Aims to Pass its Own GDPR Law")

The Federal Trade Commission recently announced settlements with Decusoft, LLC, Tru Communication, Inc. (doing business as TCPrinting.net), and Md7, LLC, resolving allegations that the companies misrepresented their participation in the E.U.-US and Swiss-US Privacy Shield. The announcement comes just before the first Privacy Shield annual review (scheduled for September 2017) and marks the FTC’s first enforcement action related to Privacy Shield. This post provides a brief overview of the Privacy Shield framework, notable facts from the enforcement action, and key takeaways for companies.

Privacy Shield. The E.U.-US and Swiss-US Privacy Shield frameworks are an alternative transfer mechanism for companies to transfer E.U. and Swiss individual data to the United States in compliance with E.U. and Swiss data protection requirements. To participate in either framework, a company must self-certify to the Department of Commerce (“Commerce”) that it adheres to the Privacy Shield Principles. The FTC enforces compliance with the Privacy Shield framework under its Section 5 deception authority, and companies who misrepresent their Privacy Shield participation run the risk of an FTC enforcement action.

Charges and Settlement. All three companies claimed, in their respective online privacy policies and statements, that they were Privacy Shield framework participants.  These representations were either express or by implication. Notably, in the case of TCPrinting.net, the company’s privacy policy stated that it would “remain compliant and current with Privacy Shield at all times.” Contrary to these claims, none of the three companies completed the steps necessary to participate in the Privacy Shield framework. The FTC settlement prohibits the companies from misrepresenting the extent to which they participate in any privacy or data security program and imposes FTC reporting requirements for a 20-year period.

Key Takeaways.  Since 2009, the FTC has settled 36 cases involving claims of Safe Harbor participation, three cases involving alleged violations of Safe Harbor Privacy Principles, and four cases involving claims of participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. As noted in the chart below, the FTC has been active in enforcing cross-border privacy frameworks, and companies should expect this trend to continue.  As part of the Privacy Shield negotiations, the FTC committed to give priority to Privacy Shield non-compliance referrals received from EU Member States, Commerce, and privacy self-regulatory organizations and other independent dispute resolution bodies.  With the first Privacy Shield annual review forthcoming, these enforcement actions affirm that commitment.

Year        FTC Enforcement Actions and Warning Letters
2009-2013   10 Companies Settle Safe Harbor Charges
2014        14 Companies Settle Safe Harbor Charges
2015        15 Companies Settle Safe Harbor Charges
2016        1 Company Settles APEC CBPR Charges
            FTC Issues Warning Letters to 28 Companies Regarding APEC CBPR Participation
2017        3 Companies Settle APEC CBPR Charges
            3 Companies Settle Privacy Shield Charges

In light of this activity, companies should review their privacy policies and similar statements to ensure that claims about participation in or compliance with self-regulatory or governmental privacy related programs are up to date and accurate.

An Update on the New EU General Data Protection Regulation

On 16 April 2016, the EU adopted the General Data Protection Regulation (‘GDPR’) which largely rewrites and harmonizes the European legal framework of data protection. The new regulation will become applicable in May 2018, but given the scope and complexity of the GDPR it is important to prepare for this legal change well in advance.

Global scope?

With the GDPR, there will be a substantial expansion of the territorial scope of the EU data protection obligations, which may impact US companies and employers who were previously not affected by EU data protection rules. In determining its geographical reach, the GDPR considers not only the location of the processing, but also the location of the individual whose data is being processed. In this context, if your group of companies has one EU-based employee, the GDPR could be applicable to your organization. Note that the GDPR would also be triggered by processing personal data of EU-based customers.

Processing information?

If your group of companies has one EU-based employee, and it processes (i.e., collects, uses, transfers or electronically stores) personal data of this employee, the GDPR may apply. ‘Personal data’ includes information that is typically considered personal, such as an employee’s name, address, income details and medical condition, but also includes information not always considered personal, such as an employee’s computer or device IP address, device identifiers, or other ‘unique identifiers.’ Even if you as an employer merely offer certain services which give you access to such personal data, such as an IT helpdesk, server access, etc., the GDPR could apply to you.

What do I need to do?

First, you should determine whether your group of companies has EU-based employees or is otherwise processing information related to EU-based employees.

If you have EU-based employees and are processing such information, you should conduct an internal GDPR review to determine which departments or which companies (e.g., IT help desk, HR, accounting, etc.) are in scope for GDPR compliance obligations, evaluate current compliance and the gaps to be resolved by May 2018, and set up the necessary structure for compliance with the GDPR. The level of data protection in the EU is considered (by the EU) to be higher than in the US, and US companies should be prepared for the disclosures, specific guarantees, and obligations under the GDPR. Depending on the circumstances, the GDPR will even require US-based companies with access to personal information to designate a representative based in an EU country to act as the point of contact for the relevant data protection authorities. Given the technical and detailed requirements, companies may benefit from the use of targeted guidance.

Sanctions?

The global reach of the GDPR calls into question its enforceability against US-based employers. Violating the GDPR can result in penalties of up to €20 million or 4% of the annual worldwide turnover of the company (i.e., annual worldwide gross income), whichever is higher.

Bottom line?

The GDPR will not apply until 25 May 2018, but the time for action is now. All HR departments and/or employers should carry out a data review and assess whether the GDPR is applicable and what impact it has on their activities, in order to implement the necessary changes in time.

If you need additional guidance, an employment attorney will be able to provide guidance both on US and EU aspects of data protection law.

On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”).  The Action Plan follows up on the actions initiated in 2016 and outlines the priorities and objectives for the year to come in anticipation of the entry into force of the GDPR in May 2018.

In 2017, the Working Party commits to continue and/or finalize work on several key issues:

  • Guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments (“DPIA”);
  • Administrative fines;
  • Setting up the administration of the European Data Protection Board (“EDPB”) structure; and
  • Preparation of the one-stop shop and the EDPB consistency mechanism.

New work priorities and objectives for 2017 include:

  • Guidelines on the topics of consent and profiling;
  • Guidelines on the issue of transparency; and
  • Update of existing opinions and guidance documents on data transfers to third countries and data breach notifications.

Moreover, the Working Party commits to continue consultation rounds and will invite relevant stakeholders to provide input on topics of interest.  During a “Fablab” workshop announced for April 5 and 6, stakeholders will have the opportunity to comment on the Working Party’s Action Plan. Non-EU counterparts will have an opportunity to exchange views on the Working Party’s GDPR implementation and the GDPR generally during an interactive workshop scheduled for May 18-19, 2017.

*           *           *

In other data protection news, on January 11, 2017 the U.S. and Switzerland signed a Privacy Shield Agreement recognizing the adequacy of U.S. data protection legislation in light of Swiss requirements.  Months earlier, on October 7, 2015, the Swiss Data Protection Commission stated that it would follow the Court of Justice of the European Union’s invalidation of the U.S.–EU Safe Harbor framework, and hence, a new framework was required.  Resembling the EU–U.S. Privacy Shield, the new Swiss–U.S. agreement enables certified companies to export data from Switzerland to the U.S. in compliance with Swiss data protection laws.  There are three notable differences between the EU–U.S. and Swiss–U.S. Privacy Shield frameworks:

1. Cooperation and compliance authority
   EU–U.S. Privacy Shield: EU Data Protection Authority is the cooperation and compliance authority.
   Swiss–U.S. Privacy Shield: Swiss Federal Data Protection and Information Commissioner is the cooperation and compliance authority.

2. Sensitive data definition under the Choice Principle
   EU–U.S. Privacy Shield: standard sensitive data definition under the Choice Principle.
   Swiss–U.S. Privacy Shield: modified sensitive data definition under the Choice Principle, which also includes ideological or trade union-related views or activities, information on social security measures, and administrative or criminal proceedings and sanctions that are treated outside pending proceedings.

3. Binding arbitration
   EU–U.S. Privacy Shield: binding arbitration option in place.
   Swiss–U.S. Privacy Shield: Commerce to work with the Swiss Government to put in place a binding arbitration option at the first annual review.

The new agreement replaces the existing U.S.–Swiss Safe Harbor Framework with immediate effect. The Department of Commerce will begin accepting self-certification applications on April 12, 2017.