Uncertainty surrounding the U.S.-EU Safe Harbor (Safe Harbor) replacement, the EU-U.S. Privacy Shield (Privacy Shield), will remain for now. On April 13, 2016, the European Union (EU) Article 29 Working Party (WP29), comprised of all 28 EU member state data protection authorities (DPAs), announced its official but non-binding opinion on the European Commission’s (EC) draft

On February 8, 2016, the French Data Protection Authority (CNIL) publicly issued a formal notice to Facebook, following a joint investigation with four other EU regulators, asking the U.S. social network provider to comply with the French Data Protection Act within three months’ time. The notice (unofficial English translation available here) outlined several alleged violations of the law, including:

  1. collection of non-user data;
  2. collection of sensitive data (sexual orientation and political/religious views) without users’ “explicit consent” (i.e., a tick box);
  3. collection of “excessive” information to verify identities (e.g., requesting medical records when users replace their surname with that of a celebrity);
  4. use of cookies without notice or consent;
  5. failure to define and observe proportional data retention periods and failure to ensure data security (e.g., stronger password requirements);
  6. failure to obtain CNIL authorization for processing related to preventing fraud and banning users; and
  7. transfer of data to the U.S. under the invalidated U.S.-EU Safe Harbor (Safe Harbor) (alleged based on the company’s privacy statement).



The U.S. Department of Commerce and European Commission have remained publicly optimistic about their renegotiation of the U.S.-EU Safe Harbor (Safe Harbor) following the program’s invalidation by the European Court of Justice in October. Unfortunately, there are signs of trouble in the U.S. Senate and future trouble coming from European Union (EU) regulators.

The EU

A European Court of Justice (ECJ) advocate general released his opinion September 23 in the matter of Maximillian Schrems v. Data Protection Commissioner, a case that questions the “adequacy” of the U.S.-EU Safe Harbor (Safe Harbor). The nonbinding opinion, which will now be considered by the full court in the coming months, ruled: (1) that

On April 7, 2015 the Federal Trade Commission (FTC) announced two new U.S.-EU Safe Harbor cases. TES Franchising, LLC and American International Mailing, Inc. have agreed to settle FTC charges that the companies falsely claimed they were abiding by the U.S.-EU Safe Harbor Framework, a voluntary but enforceable framework that enables U.S. companies to transfer personal data from the European Union to the United States in compliance with the EU data protection directive’s adequacy requirement.

According to the TES settlement, TES allegedly deceived consumers about the nature of its dispute resolution procedures by noting on its website that Safe Harbor-related disputes would be settled by an arbitration agency, would take place in Connecticut, and costs would be split between the consumer and the company. Aside from the fact that it would be nearly impossible to argue that a dispute resolution process like that is “readily available and affordable,” as the Safe Harbor Framework requires, the TES policy also allegedly failed to align with the TES Safe Harbor certification filing, which stated that TES would resolve disputes through the European data protection authorities, a process which does not require in-person hearings and which costs the consumer nothing. Finally, the FTC complaint notes the alleged misrepresentation by TES that it was a licensee of TRUSTe’s privacy compliance products when in fact TES was not a licensee of TRUSTe.



President Obama recently proposed several new laws reflecting the administration’s increased focus on privacy and cyber issues. The proposals seek to create a consistent national data breach notification law (to replace the current patchwork of 47 state laws), to encourage cyber threat information sharing, and to update cybercrime enforcement. Although immediate reactions to the proposed

The Federal Trade Commission (FTC) has been at it again, settling on December 31, 2014 with Snapchat over privacy and data security concerns stemming from its text and video mobile messaging services. The settlement is instructive for gauging the FTC’s enforcement priorities and illustrates the steep costs a company can face when the FTC alleges the company has engaged in deceptive or unfair trade practices.

Over the past year, privacy concerns have played an increasingly critical role in influencing how government and the private sector think about information collection, use, and disclosure. With the rapid pace of technological advancements – and the complex issues that accompany developments such as the Internet of Things, cloud technology, and “big data” analytics –

On June 20, 2014, Florida enacted the Florida Information Protection Act of 2014 (FIPA) to strengthen its data breach notification law. The amendments, which take effect July 1, will make Florida one of the strictest jurisdictions for reporting deadlines (which shorten to 30 days) and the types of information that trigger notification obligations (which now

The July 2000 Safe Harbor agreement between the United States and Europe concerning cross-border data flows is one of the key regulatory structures governing how organizations can collect, store, move, and use the massive amount of personal data generated in our interconnected world. Fourteen years after its inception, the agreement is under increasing strain from the rapid pace of technological innovation, high-profile breaches of consumer data, and the continued fallout from the Edward Snowden revelations. The EU and U.S. are in the process of updating the original agreement to reflect these new concerns. The implications for organization data operations and privacy policies could be significant, creating new regulatory structures and demanding new procedures and safeguards.