Safe Harbor Fallout; Germany Rejects Safe Harbor Alternatives; Judicial Redress Act Passes House; Device IDs Not Personally Identifiable; Sony Settles Data Breach Suit
Safe Harbor repercussions in Switzerland, Israel
In light of the recent European Court of Justice (“ECJ”) Safe Harbor decision, the Swiss Data Protection and Information Commissioner has declared its safe harbor agreement with the U.S. “no longer sufficient” for governing data transfers between the two countries. Unless and until the countries agree upon a new framework, companies transferring data should rely on “contractual guarantees” as defined by the Swiss Data Protection Act. Similarly, the Israeli Law, Information and Technology Authority revoked authorization for data transfers to the U.S. that rely on the now-invalid Safe Harbor agreement. Companies seeking to transfer data from Israel to the U.S. must review and assess whether they may do so pursuant to other mechanisms. For more on both of these developments, see our recent client alert.
Germany rejects Safe Harbor alternatives
German privacy officials have declared the Safe Harbor alternatives suggested by the European Commission insufficient. German federal and state data protection authorities (“DPAs”) will not approve new transfers pursuant to binding corporate rules, one of the suggested Safe Harbor alternatives. Furthermore, the DPAs intend to exercise their audit powers to scrutinize contractual clauses governing transfers to the U.S. and ensure compliance with the ECJ decision. The DPAs also call into doubt the validity of transfers based on consent: consensual transfers of personal data should not occur repeatedly or “routinely,” and consensual transfer of employee data may occur “only in exceptional cases.” A DPA for one of the German states had previously advised companies to cancel contracts using standard model clauses governing data transfers. The German approach is a significant departure from statements by the European Commission and other EU members, such as Switzerland, that encourage the use of one or both of these alternative data transfer mechanisms. Companies transferring data from Germany to the U.S. should exercise great care in reviewing their transfer rules and practices and in ensuring compliance with the rules and principles announced by the European Commission and the ECJ. For more on this development, see our client alert on the position of the German DPAs.
House passes Judicial Redress Act
The House of Representatives passed H.R. 1428, the Judicial Redress Act, which grants non-U.S. citizens standing to challenge U.S. government practices involving unlawful collection, disclosure, or other misuse of personal information. This comes on the heels of the Safe Harbor decision criticizing the unavailability of redress for EU citizens whose data are compromised after transfer to the U.S. Under the bill, citizens of certain foreign nations may pursue civil relief under the Privacy Act of 1974, so long as the citizen’s country has in place privacy protections for sharing information with the U.S. for law enforcement purposes. Future enactment would likely be considered a significant step in agreeing upon a new framework to replace the invalid Safe Harbor agreement. The Senate has not yet acted on the bill.
SDNY: Device IDs are not personally identifiable under VPPA
A New York federal court held that the serial number of a device used to access content is not personally identifiable information (“PII”) under the Video Privacy Protection Act (“VPPA”). The plaintiff in Robinson v. Disney alleged that Disney disclosed the encrypted serial number of the digital device he used to access Disney video content, as well as his viewing history, to a third party that was later able to re-identify the plaintiff by combining the serial number with other information. The court found that this unique identifier was different from information that inherently contains PII, such as a name or address. The court rejected the “overly expansive” theory that any identifier tied to a user constitutes PII, reasoning that the scope of PII would be “limitless” if it included any piece of information that, when combined with other information, could identify an individual. The opinion suggests that companies can continue to collect and use unique device IDs under the VPPA, so long as 1) those identifiers cannot, on their own, identify a particular person; and 2) the companies do not disclose additional information that may allow a third party to identify the user.
Sony data breach settlement between $2 million and $4.5 million
Sony has agreed to settle a class action suit filed by employees in the wake of last year’s data breach. Sony will pay $2 million for the employees’ time and effort to prevent identity theft, and also cover the costs for two years of identity protection. Class members will also be eligible to enroll in identity theft insurance. For losses not covered by that insurance, Sony will pay up to an additional $2.5 million. Sony could potentially pay an additional $3.49 million in attorneys’ fees.