As companies doing business in Europe try to get their arms around the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), so far without making substantial headway, the European Data Protection Authorities (DPAs) are doing their own GDPR preparation by securing increased budgets and additional workforce.

Last week, the Irish Data Protection Commissioner (DPC), Helen Dixon, “welcomed” the additional funding of €2.8 million for her office’s 2017 budget, as announced by the Government, bringing the total funding allocation to the DPC to over €7.5 million. The 2017 budget increase is in line with the increases in 2015 and 2016, representing a 59% increase on the 2016 allocation and over four times the €1.9 million provided to the DPC in 2014.

Commenting on the 2017 funding allocation, Helen Dixon stated:

“The additional funding being provided by Government in 2017 will be critical to our preparations for the implementation of the EU General Data Protection Regulation in May 2018. In 2017 we will continue to invest heavily in building our capacity and expertise, including the recruitment of specialist staff, to administer our new enforcement powers and all of our additional responsibilities under the new law.

Continue Reading Irish Data Protection Commissioner Welcomes Increases in Budget in Preparation for the GDPR Enforcement

As part of its Working Group on Electronic Document Retention & Production, the Sedona Conference recently released a “TAR Case Law Primer” that analyzes court decisions that directly or indirectly touch upon issues involving technology-assisted review (“TAR”).

The primer begins with a brief summary of Da Silva Moore v. Publicis Groupe, 287 F.R.D. 182 (S.D.N.Y. 2012), the first published opinion agreeing that TAR is an “acceptable way to search for relevant ESI in appropriate cases.” Id. at 183. Although this opinion approved the use of TAR in that case under the particular facts and issues before the court, many parties were still unclear regarding the method of implementing TAR, the appropriate level of involvement by opposing parties (if any), and whether an agreement must be reached regarding technical specifics of the TAR process.

Continue Reading Sedona Conference Releases “TAR Case Law Primer”

According to a recent global survey commissioned by Dell and conducted by Dimensional Research, fewer than 1 in 3 companies are prepared for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will become effective on May 25, 2018. The GDPR will carry hefty fines that will be based on a case-specific, multi-factor analysis. Depending on the type of infringement, GDPR violators can be fined up to €10 – €20 million, or up to 2% – 4% of total worldwide annual turnover, whichever is higher.

Among key survey results are the following findings:

  • Approximately 31 percent of respondents were aware of the GDPR but knew no details and approximately 38 percent knew some details. Only 4 percent of respondents said they were very knowledgeable about the details of the GDPR.
  • More than half as many business executives compared to IT executives did not know any details about the GDPR. Most companies also expect IT to take the primary responsibility for data protection and compliance with the GDPR.
  • Only 3 percent of respondents reported having in place a clear plan to prepare for the GDPR; 27 percent were still figuring out who needs to be involved in putting such a plan together and 33 percent have not started their planning at all.
  • Only 31 percent of respondents reported that they are prepared for the GDPR today.
  • Only 9 percent of respondents were confident that their company will be fully ready for the GDPR when it comes into force in May 2018.

Continue Reading Survey Finds Few Companies Are Prepared for the New European Data Protection Regulation

At the Paris Motor Show earlier this month, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) provided an update on the progress of its development of a “compliance package on connected vehicles.” The work began on March 23, 2016, and the finalized “compliance package” is expected to be delivered next spring.

The CNIL undertook this task to provide the auto industry, the insurance and telecommunications sectors, and the public authorities with guidance on the treatment of personal data collected by connected vehicles about their drivers and on the interaction of the vehicle with the road environment. The guidance is expected to bring companies into compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will become effective on May 25, 2018.

The CNIL noted that the challenge is to weave “data protection” into the product design “to ensure transparency and control by individuals of their data.” Doing so would address the Privacy by Design principle codified in the GDPR.

In preparing its guidance, the CNIL is using the following scenarios as its analytical framework.

Continue Reading CNIL Calling for “Privacy by Design” for Connected Vehicles

As we previously reported, on August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website. Several hundred companies, including Microsoft, Salesforce, Panasonic Avionics, and Workday, have already self-certified, and many others have submitted their applications and are awaiting DOC’s approval. Those companies that submitted their applications before September 30, 2016 were granted a nine-month grace period to conform their existing contracts with third-party processors to the new onward transfer requirements under the Privacy Shield, and were thus allowed to achieve compliance sooner.

For those considering participating in the framework, the Privacy Shield website offers factual information about the framework, including instructions and details on how to join Privacy Shield, the requirements of Privacy Shield participation, and the administration of the Privacy Shield Program. Likewise, amid continued criticism of the framework in the EU, the European Commission published a Guide for citizens, outlining how the Privacy Shield guarantees individuals’ data-protection rights and what remedies are available for individuals who believe their personal data was misused in violation of the framework.

Specifically, the Guide provides detailed information on the following.

Continue Reading European Commission’s Guide to the EU-U.S. Privacy Shield


In Moore v. Lowe’s Home Centers, LLC, Case No. 14-01459 (W.D. Wash., June 24, 2016), plaintiff Marla Moore brought a Motion for Sanctions for Defendant Lowe’s Home Centers’ willful spoliation of evidence. In short, Plaintiff claimed she was the target of verbal harassment and a hostile work environment, and was demoted as a result of her pregnancy. Plaintiff was ultimately terminated for violation of Defendant’s photocopying policy.

Plaintiff’s sanctions motion stemmed from Defendant’s deletion of Plaintiff’s email account following her termination.

Continue Reading Duty to Preserve Not Triggered by Employee Complaints

On April 14, 2016, Microsoft sued the United States Department of Justice to challenge the search and seizure provisions of the 30-year-old ECPA, because its customers “have a right to know when the government obtains a warrant to read their emails, and because Microsoft has a right to tell them.” (Microsoft v. DOJ, No. 2:16-cv-00538-JLR, Complaint (W.D. Wash. Apr. 14, 2016).)

On September 2, several prominent tech companies, including Apple, Amazon, and Google, filed amici briefs that echo and reinforce Microsoft’s position. (Accessible here and here.)

Microsoft’s suit challenges the constitutionality of the antiquated Electronic Communications Privacy Act (ECPA). Specifically, Microsoft argues that Section 2705(b) of the ECPA violates its customers’ Fourth Amendment right to be notified when the government searches or seizes their property, and that it violates the company’s First Amendment right to speak freely to its customers.

Microsoft’s suit, unlike Apple’s public fight with the FBI over access to a password-protected iPhone, does not center on just one dispute.

Rather, every year the government conducts thousands of investigations into the contents of communications stored in the cloud, using the ECPA as its authority. At the same time, the government places Microsoft and other service providers under “gag orders” that prohibit disclosure to the affected customers.

Continue Reading Powerful Tech Companies Lend Support to Microsoft’s Protest Against “Secrecy Orders”

Recently, the U.S. Court of Appeals for the Second Circuit sided with Microsoft Corporation and global privacy advocates in the case of In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985, 2006 WL 3770056 (July 14, 2016), by holding that the issuance of a warrant to obtain private emails stored on a Microsoft server in Dublin, Ireland, constituted an impermissible extraterritorial application of the Stored Communications Act, 18 U.S. Code §§ 2701 et seq. (“SCA”).

The Microsoft decision coincides with a rise in international tension over the data privacy interests of foreign customers of U.S. electronic communications providers. This tension was heightened by the Snowden revelations in 2013, sparking EU concerns about “unfettered” U.S. government surveillance, and reached a crescendo last October, when the Court of Justice of the EU invalidated the fifteen-year-old U.S.-EU Safe Harbor as not providing an “adequate” level of data protection. Thereafter, the U.S. and the European Commission rushed to develop a new EU-U.S. Privacy Shield Framework to replace Safe Harbor.

As some commentators have noted, the Second Circuit’s ruling may incidentally help EU/U.S. data transfer mechanisms, including model contract clauses and the Privacy Shield program, to survive this scrutiny. See Kenneth Withers, M. James Daley, and Taylor Hoffman, In Re Microsoft: U.S. Law Enforcement Not Entitled to Email Stored in Ireland (Aug. 28, 2016). While the Second Circuit’s ruling temporarily defused an explosive issue in EU/U.S. data protection relations, it left unresolved a number of practical issues regarding cross-border government investigations under the outdated SCA.

Continue Reading The Microsoft Warrant Decision

On August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website. More than 115 U.S. companies have already self-certified. The Privacy Shield was designed to provide U.S. and European companies with a mechanism to comply with EU data protection requirements for cross-border transfers of personal data in the wake of the invalidation of the previously-used U.S.-EU Safe Harbor Framework.

As with the prior Safe Harbor Framework, U.S. companies that self-certify under the Privacy Shield are identified on the Department of Commerce’s website as “active” participants in the program. To avail itself of the benefits of the Privacy Shield, a company must self-certify annually that it agrees to adhere to the additional new Privacy Shield requirements, which expand the protection previously provided by Safe Harbor with respect to the long-standing EU data protection principles of notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. Organizations that self-certify under the new Privacy Shield will need to revise their policies and practices to ensure compliance with the new framework.

Continue Reading The EU-U.S. “Privacy Shield” Opens for Business

On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”), which provides a comprehensive analysis of the data breaches reported to the Attorney General’s office during the covered years and sets forth concrete recommendations for the minimum data security that would be considered “reasonable” under California law.

According to the Report, in the past four years the Attorney General has received reports of 657 data breaches, affecting a total of over 49 million records of Californians. These breaches occurred in all sectors of the economy. The greatest threat to security, both in the number of breaches and in the number of records breached, came from malware and hacking, followed by physical breaches, breaches caused by insider errors, and breaches caused by insider misuse. The most frequently breached data types were Social Security numbers and medical information.

Continue Reading Definition of “Reasonable” Information Security in California