Showing 18 posts in Privacy.
With the EU’s new privacy rules (GDPR) that took effect earlier this year, the California Consumer Privacy Act that takes effect January 1st, 2020, and the clamor for a federal data privacy law in the United States, it is increasingly clear that privacy will not, in the future, be an optional part of business operations.
The advent of new rules make clear that personal data is considered a human right and a property right belonging to consumers – which can include employees, customers, patients and other persons.
Now, Apple is taking sides publicly. Speaking in Brussels this week, CEO Tim Cook said that GDPR has confirmed that privacy is good law and good policy, and that users should know what is collected about them and why; that data belong to users; that security is at the heart of data privacy; and that companies should “challenge themselves” not to collect unnecessary data in the first place. Echoing the view of the modern regulator, he also said that privacy is a “fundamental” human right.
This statement draws a clear line between Apple, a hardware company, and its data-collecting business rivals such as Facebook and Google. However, it also points to an increasingly true reality: lawmakers are starting to pay attention to privacy, both in the U.S. and outside of the U.S. Consumers are starting to expect better from companies.
For small and medium companies, coming out strong on privacy is a good way to differentiate yourself from competitors. It is an excellent employee-relations tool (and may be helpful in forestalling data-privacy claims with disgruntled or terminated employees). It is smart business. It is a part of every acquisition’s due diligence, so it should be part of your exit strategy. And it will soon be required for operations anyway.
Why not plan, and profit from it, now?
In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.
On September 13, 2016, the New York Attorney General announced settlements with four major US toy and media companies regarding their use of online tracking of children who use their websites. Viacom, Inc. (Nickelodeon), Hasbro, Inc. (My Little Pony), and Mattel, Inc. (Barbie, Hot Wheels, American Girl) are among the companies fined a collective $835,000 for violating the Children's Online Privacy Protection Act (COPPA).
United States businesses have been on tenterhooks since October, when the European Union's (EU) highest court dismantled a privacy scheme covering trans-Atlantic data transfers. That scheme, the Safe Harbor, was a negotiated solution allowing U.S. businesses to self-certify that they met certain privacy standards, and thereby to avoid dealing with laws and regulators in every individual EU member country. With the dismantling of Safe Harbor, the EU and U.S. have been scrambling to negotiate a replacement.
Earlier this week, the "Privacy Shield" that will replace Safe Harbor was announced. Details are not yet fully available (a draft has not been published), but we know they include periodic review of U.S. practices and promises, the appointment of a U.S. ombudsman, certain individual rights of action for EU citizens who feel their information has been mishandled, and more. As of today, EU member countries say they will hold off prosecuting U.S. companies for privacy violations for at least a few months, pending implementation of the Privacy Shield.
However, U.S. businesses still do not know what the precise legal rules are that apply to their use of data from EU persons (employees, customers, vendors). In light of the uncertainty, and until the Privacy Shield is published along with any guidance from U.S. regulators, any business with trans-Atlantic connections should use caution and should be aware of where its data resides.
The officials working to replace the recently-invalidated data transfer Safe Harbor have in place a handshake deal.
The full details are not yet public, but presumably will be disclosed before the deadline of January 2016 for US businesses to comply with EU data protection laws.
Data security is a multi-part process for most organizations. Today's installment of cyber hygiene habits for 2015 reminds us that updating software is a critical step in securing our networks.
This fourth installment in our cyber hygiene series will discuss the importance of hardware upgrades in maintaining corporate data security. As with all the best practices we recommend in this series, the idea behind protection is to avoid incidents where possible, mitigate damage if they occur, and have a defensible position or "storyline" if you suffer a dispute or investigation.
For 2015, we are addressing data security and privacy by discussion of topics relating to information security and hygiene. Parts one and two covered knowledge of what laws cover your business and of what data you have in your networks. This installment covers the human side of data handling: which employees have access to your data, and why.
The EU high court today struck down the fifteen year-old "Safe Harbor" that has allowed US businesses to operate there under a single set of privacy rules. Reacting to the Edward Snowden revelations about NSA spying programs, the EU court ruled that companies in the U.S., which has no national set of privacy rules about consumer data, must now deal with the privacy regulators in each EU country rather than deal with a single, uniform, EU-wide standard.
For US businesses that process data coming out of EU countries, this creates a huge level of uncertainty and difficulty. Online businesses, Web sites, cloud storage, e-commerce, data processing, and more may be affected if it contains EU data. If you are an online, Web, cloud, etc company, or if you have employees overseas and therefore process HR data across borders, please start looking at your privacy policies and practices.
As a practical matter, this decision probably means that affected US businesses will have to achieve compliance with the strictest EU member privacy rules (highest common denominator) about things like cookies, consumer access to data, right to be forgotten, and so forth. It's a big compliance headache.
The 3d Circuit Court of Appeals in Federal Trade Commission v. Wyndham Worldwide Corporation, in a decision filed August 24, 2015, ruled that the Federal Trade Commission (the "FTC") by virtue of Section 5 of the FTC Act, has jurisdiction over the data security practices of corporations that collect and use the personal data of their cases.
Consumer advocates have celebrated the case as a win for consumers. I fear it will have the opposite effect.
- Data Privacy
- Data Security
- Government Investigations
- Limited Government
- FAST Act
- JOBS Act
- Public Policy
- Intellectual Property
- Social Media
- Employment Issues
- Non-Profit Organizations
- Due Process
- Political Philosophy
- Risk Avoidance
- Risk Management
- Regulation A+
- Renewable Energy Around the Web
- In-House Counsel
- Mergers and Acquisitions
- Real Estate