According to a recent global survey commissioned by Dell and conducted by Dimensional Research, fewer than 1 in 3 companies are prepared for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will become effective on May 25, 2018. The GDPR will carry hefty fines that will be based on case-specific multi-factor analysis. Depending on the type of infringement, GDPR violators can be fined up to €10 – €20 million, or up to 2% – 4% of total worldwide annual turnover, whichever is higher.

Among key survey results are the following findings:

  • Approximately 31 percent of respondents were aware of the GDPR but knew no details and approximately 38 percent knew some details. Only 4 percent of respondents said they were very knowledgeable about the details of the GDPR.
  • More than half as many business executives compared to IT executives did not know any details about the GDPR. Most companies also expect IT to take the primary responsibility for data protection and compliance with the GDPR.
  • Only 3 percent of respondents reported having in place a clear plan to prepare for the GDPR; 27 percent were still figuring out who needs to be involved in putting such a plan together and 33 percent have not started their planning at all.
  • Only 31 percent of respondents reported that they are prepared for the GDPR today.
  • Only 9 percent of respondents were confident that their company will be fully ready for the GDPR when it comes into force in May 2018.

Continue Reading Survey Finds Few Companies Are Prepared for the New European Data Protection Regulation

At the Paris Motor Show earlier this month, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) provided an update on the progress of its development of a “compliance package on connected vehicles.” The work began on March 23, 2016, and the finalized “compliance package” is expected to be delivered next spring.

The CNIL undertook this task to provide the auto-industry, the insurance and telecommunications sector, and the public authorities with guidance on the treatment of personal data collected by connected vehicles about their drivers and the interaction of the vehicle with the road environment. The guidance is expected to bring companies in compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will become effective on May 25, 2018.

The CNIL noted that the challenge is to weave “data protection” into the product design “to ensure transparency and control by individuals of their data.” Doing so would address the Privacy by Design principle codified in the GDPR.

In preparing its guidance, the CNIL is using the following scenarios as its analytical framework.

Continue Reading CNIL Calling for “Privacy by Design” for Connected Vehicles

On April 14, 2016, Microsoft sued the United States Department of Justice to challenge the search and seizure provisions of the 30-year-old ECPA, because its customers “have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them.” (Microsoft v. DOJ, No. 2:16-cv-00538-JLR, Complaint (W.D. Wash. Apr. 14, 2016).)

On September 2, several prominent tech companies, including Apple, Amazon, and Google, filed amici briefs that echo and reinforce Microsoft’s position. (Accessible here and here).

Microsoft’s suit challenges the constitutionality of the antiquated Electronic Communications Privacy Act (ECPA). Specifically, Microsoft argues that Section 2705(b) of the ECPA violates the Fourth Amendment right of its customers to be notified when the government searches or seizes their property, and it violates the company’s First Amendment right to freely speak to its customers.

Microsoft’s suit, unlike Apple’s public fight with the FBI over access to a password-protected iPhone, does not center on just one dispute.

Rather, every year, the government conducts thousands of investigations into the contents of communications stored in the cloud, using the ECPA as authority. At the same time, the government places Microsoft and other service providers under “gag orders” that prohibit disclosure to the affected customers.

Continue Reading Powerful Tech Companies Lend Support to Microsoft’s Protest Against “Secrecy Orders”

On May 25, 2018, the EU General Data Protection Regulation (GDPR) will come into effect, requiring companies that process personally identifiable information of EU residents to comply with a significant number of enhanced data-protection requirements. One of these requirements is an individual’s “right to explanation” of an algorithmic decision made about him or her by a machine.

Continue Reading European Restrictions on Computer Profiling

Michael Coscia, the first person convicted as a “spoofer” under the 2010 Dodd-Frank Act, has been sentenced to 3 years in prison. Coscia is not a young hacker kid or even a computer whiz; he is a fifty-four-year-old commodities trader and owner of New Jersey-based Panther Energy Trading.

Coscia was convicted in November 2015 for artificially bumping up commodities prices by using computer algorithms to quickly place large orders through commodity markets in Chicago and London, which he then cancelled within milliseconds. These placed-then-cancelled trades were alleged to have had effects on the pricing of the commodities that benefitted Coscia to the tune of more than $100,000 per month in 2011.

Continue Reading Federal Court Sentences First Convicted Spoofer Under Dodd-Frank to 3 Years