Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Tue, 02 Jul 2024 08:10:16 -0400

EU Court of Justice Strikes Down Privacy Shield; SCCs Safe for Now
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/eu-court-of-justice-strikes-down-privacy-shield-sccs-safe-for-now
Thu, 16 Jul 2020 22:18:04 -0400

On July 16, the European Court of Justice (CJEU) issued a highly anticipated decision evaluating the validity of two popular mechanisms for transferring personal data from the EU to the United States: Privacy Shield and Standard Contractual Clauses (SCCs). The Court struck down Privacy Shield, but upheld the validity of SCCs – although not without providing a reminder about company responsibilities when implementing them.

As brief background, the EU General Data Protection Regulation (GDPR) requires that businesses have in place mechanisms that ensure an adequate level of protection for the personal data of EU data subjects transferred to the United States. Until July 16, the available transfer mechanisms were Privacy Shield, SCCs, and Binding Corporate Rules. This case arose from a complaint, filed by Austrian privacy activist Max Schrems, with the Irish Data Protection Commission (DPC). Schrems alleged that the transfer of EU personal data to the U.S. via SCCs did not ensure an adequate level of protection (and therefore violated EU data subject rights) because U.S. law enforcement and government agencies were provided essentially unrestricted access to that data. The DPC then referred to the CJEU 11 questions about whether SCCs and Privacy Shield violate EU data subject rights, including the rights to the protection of personal data, under the Charter of Fundamental Rights of the EU.

Schrems had followed the same process in 2015, and in that decision, the CJEU agreed with Schrems, holding that the data transfer framework that existed at that time (Safe Harbor) did not provide protection equivalent to that afforded within the EU, and therefore did not meet the adequacy standards for international transfers. As a result, the EU Commission agreed to replace Safe Harbor with Privacy Shield, which currently has over 5,000 participants. Most companies, including Facebook, switched to SCCs after that decision.

As the CJEU explains in the decision issued on July 16, although Privacy Shield provides an adequate level of protection for data transferred thereunder, it allows derogation from those protections “to the extent necessary to meet national security, public interest, or law enforcement requirements” and therefore “cannot ensure a level of protection essentially equivalent to that guaranteed by the EU Charter [of Fundamental Rights].” As a result, Privacy Shield is invalid, effective immediately. The CJEU upheld SCCs as a valid transfer mechanism, but reiterated that companies cannot simply sign the SCCs and be done with them. Rather, they have an obligation to ensure that their privacy and security practices are in compliance with the requirements within the SCCs, and should therefore be sensitive to sharing any EU personal data with U.S. law enforcement and government agencies.

An appeal is possible, and could result in a different outcome, but Schrems is pleased with the CJEU decision. In the meantime, please reach out for any assistance implementing, or confirming that your practices are in compliance with, SCCs.

What Does Brexit Mean for Privacy Shield?
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/what-does-brexit-mean-for-privacy-shield
Fri, 14 Feb 2020 17:35:24 -0500

Three and a half years after UK citizens voted to leave the EU, the country officially left the Union on January 31. One of the many questions resulting from the departure is what happens to the EU-U.S. Privacy Shield as it applies to personal data transferred from the UK. The Commerce Department’s FAQs on Privacy Shield and the UK provide some answers; we highlight the key points below.

December 31, 2020 is the key date to watch. That is the end date for the UK-EU Transition Period. During this time, the European Commission will continue to consider personal data transfers from the UK under Privacy Shield as receiving adequate data protection. Privacy Shield-certified entities will not have to take any additional action to cover transfers that occur during this Transition Period. However, certified entities will need to make some adjustments this year to continue to transfer personal data from the UK under Privacy Shield after the Transition Period. Specifically, a Privacy Shield-certified entity must take the following steps prior to December 31, 2020:
  • Update its public commitment to specify that it will apply Privacy Shield protections to personal data transferred from the UK. The FAQs provide model language for this commitment. Entities that will use Privacy Shield to transfer employment data from the UK must also make a corresponding disclosure in their HR privacy policies.
  • Maintain a current Privacy Shield certification, comply with Privacy Shield’s requirements, and continue to recertify annually.
Entities that rely on Privacy Shield for transferring personal data from the UK should keep these requirements (and all other Privacy Shield requirements) in mind when reviewing their compliance materials for Privacy Shield recertification.

___________________

Please join partner Alysa Hutnik for Privacy 101, a webinar that walks through topics such as:
  • Privacy law 101
  • Data security and breaches
  • E-Mail, calls, and text marketing
Register Here
The Last Decade’s Top Ad Law Access Reads
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/2010s-top-ad-law-access-reads
Thu, 02 Jan 2020 12:05:25 -0500

In the 2010s, Kelley Drye’s Ad Law Access blog posted approximately 1500 entries. Below are the most popular by year. To give you a sense of beginning to end, the first post came one month after Apple announced the iPad and the last just days before the first all-female spacewalk by astronauts Christina Koch and Jessica Meir:

Wishing you a happy new year and decade. We hope you will continue following the Ad Law Access blog and podcast in 2020 and into the next decade.

Europe’s Supreme Court Places Limits on the Right To Be Forgotten
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/europes-supreme-court-places-limits-on-the-right-to-be-forgotten
Tue, 24 Sep 2019 16:02:01 -0400

On Tuesday, September 24, 2019, the European Court of Justice issued two rulings that further defined the right to be forgotten under European laws. The right to be forgotten, also known as the right to erasure, is a fundamental tenet of the General Data Protection Regulation (GDPR). The right allows, among other things, consumers to object to the processing of their data and request erasure. Both cases decided on Tuesday involved Google, which has reportedly received requests to remove more than 3 million links pursuant to this right.

Geographic Limitations

The first case decided on Tuesday arose in 2016 after France’s privacy watchdog CNIL fined Google for refusing to de-list links globally upon request. As a policy, Google only deletes links within the European Union, stating that most searches occur on country-specific sites such as Google.fr. Google and its supporters argued that individuals should not be able to determine what information appears about them in other countries. The European Court of Justice agreed with Google, finding that the right to be forgotten cannot be enforced outside of the European Union.

Sensitive Information

In the second ruling of the day, the Court found that certain categories of data deserve special consideration from businesses when they receive a right to be forgotten request. The case was brought by individuals whose requests to remove links were denied by Google. The Court gave a mixed ruling, acknowledging that privacy considerations must be weighed against the public’s right to know, but stating that businesses should give careful consideration to requests to remove certain categories. These categories include, for example, religion, political belief, sex life and past criminal convictions. It is not yet clear how Google and other businesses will interpret and implement this decision.

***

These cases are a notable development in defining the broad rights given to European data subjects. In each case, the Court must balance individual privacy rights with the public’s right to information. While the privacy laws are different in the United States, some of these GDPR interpretations may well serve as examples for how practitioners will evaluate and apply analogous provisions under the California Consumer Privacy Act (CCPA) and other U.S. privacy laws. We will continue to track these developments. For information on the GDPR and recent enforcement please see additional articles here and here, or contact Alysa Hutnik.

GDPR Recap: Technical Violations Result in Steep Fines, In Latest Enforcement Actions
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/gdpr-recap-technical-violations-result-in-steep-fines-in-latest-enforcement-actions
Wed, 03 Apr 2019 21:20:18 -0400

The Danish and Polish data protection authorities issued their first GDPR fines last month. The cases serve as indicators of the kinds of technical violations enforcement officials are looking to deter as they police the EU’s new privacy regulation.

In Denmark, Datatilsynet recommended fining the taxi company Taxa 4x35 nearly $180,000 for failing to delete records on 9 million taxi rides after they were no longer needed. Article 5 of the GDPR discourages companies from holding on to data that they no longer need: “personal data shall be … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’); …” and “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed … (‘storage limitation’).”

In Taxa 4x35’s case, the company allegedly sought to comply with Article 5 by anonymizing its data after two years. In practice, the company only removed customer names from its database, keeping other data points such as customer phone numbers and ride histories for five years for purposes of business analytics.

The Datatilsynet said this procedure was insufficient. The data protection authority found that phone numbers still permit identification of a data subject, meaning that Taxa 4x35 did not properly anonymize its records. Furthermore, the Datatilsynet rejected Taxa 4x35’s explanation that its technical systems did not allow preservation of ride history data without an associated phone number. “One cannot set a deletion deadline, which is three years longer than necessary, simply because the company’s system makes it difficult to comply with the rules in the Data Protection Regulation,” the data protection authority wrote.

Meanwhile, Poland’s Personal Data Protection Office (UODO) fined digital marketing company Bisnode €220,000 for failing to notify 6 million people about its data scraping activities. The UODO said that Bisnode was required to notify data subjects that it was pulling their publicly available personal data from public sources in accordance with Article 14 of the GDPR, which mandates notice to data subjects where personal data was not obtained from the data subject.

UODO noted that of the data subjects Bisnode did notify, 13 percent objected to the data processing. “This shows how important it is to properly fulfill the information obligations in order to exercise the rights we are entitled to in accordance with the GDPR,” UODO wrote.

In response to UODO’s inquiries, Bisnode pointed to a notice it had posted on its website, apparently explaining to UODO it would be far too costly to notify data subjects directly. UODO rejected such an approach: “[w]hile having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them,” UODO wrote in a press release.

These actions by the Danish and Polish authorities are just the latest in an increasing number of GDPR-related enforcement actions so far in 2019.

C’est la vie? French Regulator Fines Google Nearly $57 million for GDPR Non-compliance
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/cest-la-vie-french-regulator-fines-google-nearly-57-million-for-gdpr-non-compliance
Fri, 25 Jan 2019 12:08:30 -0500

On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR). The precedent-setting fine by the Commission Nationale de l'Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.

How Does Google Violate GDPR, According to CNIL?

  • Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
    • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
    • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
    • Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (that does not require consent) rather than individual consent.
    • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
  • Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
    • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
    • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
    • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Services and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.
What Does This Mean for Other Companies?

While Google’s size, market power, and diversity of offerings (and associated scope of data collection) place it in a somewhat unique position within the online ecosystem, CNIL’s action nevertheless offers several practical takeaways for all companies that may be re-assessing their GDPR compliance status in light of this action:

  • Don’t Hide the Ball: Make a concerted effort to ensure that privacy disclosures are clear, easily discernible to consumers, and contain a plain-language description of the categories of personal data that you collect, and the purposes for which you collect it.
  • Minimize Clicks: To avoid EU regulator scrutiny, reduce the number of clicks required for a consumer to determine the scope of personal data collection relating to your service.
  • Be Upfront on the Legal Basis for Processing: Explicitly state within your privacy notice your lawful basis for the intended data processing. If you are relying on consent, and your business intends to use the collected data for different purposes, ensure that the consumer has a reasonable opportunity to provide consent for each specific purpose (and avoid pre-checked boxes!).
  • Sweat the Details: the CNIL action shows that regulators are taking a comprehensive look at how companies are complying with GDPR requirements, including ensuring that consumers understand how long a controller may retain their personal data. Take a checklist approach to GDPR compliance to ensure your privacy disclosures satisfy all requirements.
This week’s action against Google is certainly only the first major enforcement action in what promises to be a year that tests the impact and reach of the GDPR. Illustrating that point, just last week, the group None of Your Business, one of two groups that initiated CNIL’s investigation into Google, brought yet another lawsuit accusing Netflix, YouTube, Amazon, Apple, and Spotify of failing to comply with GDPR-mandated access requests.

No Post-Brexit Arrangement on Data Protection Will Affect UK-EU Trade
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/no-post-brexit-arrangement-on-data-protection-will-affect-uk-eu-trade
Tue, 31 Jul 2018 14:13:32 -0400

The European Union (EU) is preparing to treat the United Kingdom (UK) as a third country after its withdrawal from the bloc, commonly known as Brexit. Unless a deal is agreed before 29 March 2019, the UK’s trade with the EU will be heavily impacted by regulatory restrictions, increased costs, and lengthier procedures applicable to the movements of people, goods and services. Less obvious is the impact on trade of the “no deal” scenario from potentially restricted data flows. With only eight months left until Brexit Day, the UK and EU have yet to start talks on a data protection agreement.

Data flows play an increasingly important part in international trade and are estimated to contribute up to 2.8 trillion USD to the world economy. In 2016 alone, EU services reliant on data exported to the UK, such as finance, telecoms and entertainment, were worth approximately 36 billion EUR. Data flows from the UK to the EU constitute as much as three-quarters of all data from the UK. Under the EU’s General Data Protection Regulation (GDPR), however, personal data included in such data flows must be protected. For companies, this can include employee data (e.g. payroll information, biographical information, etc.) and customer data (e.g., contact information, transaction information, biographical information, social media profiles, etc.). Data flows from the EU to a third country are permitted if there is an adequacy decision by the European Commission that the third country’s data protection laws are adequate to meet the objectives of the GDPR or through another adequacy mechanism approved by the European Commission (e.g., EU-approved Binding Corporate Rules, use of Standard Contractual Clauses, etc.).

The UK, however, is of the view that its historic relationship with the bloc and current regulatory alignment places it in a different position than other third countries vis-à-vis the EU. The UK recently published a position paper outlining its proposal for a data agreement that goes beyond the unilateral EU adequacy decision. Instead, the UK seeks a legally binding agreement to allow for EU-UK data flows that cannot be changed unilaterally by the EU. According to the UK, such an agreement would provide greater legal certainty, stability and transparency, as well as reduced costs and more efficient processes, for both UK and EU businesses.

While the UK strives for special treatment, time may be too short to achieve a bespoke agreement, even if the EU were willing to treat the UK differently than other third countries. Further, even a standard adequacy decision may be difficult to obtain by the time the UK exits the EU. Once it is no longer part of the EU, Brussels can demand higher protection of personal data held by government agencies, including intelligence agencies, which are excluded from EU data protection requirements while the UK is part of the bloc. The same issues arising from a conflict between expectations for the protection of personal data and security interests as were seen during the negotiation of the EU-U.S. Privacy Shield (adequacy mechanism) may surface once data protection negotiations or the procedure to determine the adequacy of UK data protection laws begins. In the absence of an agreement or adequacy decision, companies trading in the EU27 (the EU minus the UK) that rely on personal data being stored, managed or processed in the UK will have to provide appropriate legal safeguards to continue those operations. For example, a German-based business using a UK cloud provider for accounting information would have to implement an appropriate data transfer mechanism for the data sharing to satisfy the adequacy requirement under GDPR. Even the flows of personal data within the same company (or group of companies) from the EU to the UK would be subject to this requirement for an appropriate data transfer mechanism. Given the current uncertainties in the Brexit negotiations, companies urgently need to ensure they have legal mechanisms in place to allow for the continuing data flows necessary to support their international trade and business operations.

This post was originally published on Trade and Manufacturing Monitor.

SADDLE UP AMERICA: California Aims to Pass its Own GDPR Law
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/saddle-up-america-california-aims-to-pass-its-own-gdpr-law
Thu, 07 Jun 2018 11:34:20 -0400

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them. Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII. If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that "sell" PII either by (1) selling 100,000 consumers’ records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.

What is Considered PII?

The term “personal information” is broadly defined as “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” The term expressly includes, but is not limited to:

  • Typical personal or contact information (such as name, address, email, account name, SSN, driver’s license number, or other similar identifiers);
  • Any persistent identifier that can be used to recognize a consumer or a device over time and across different services (such as IP address, device identifier, cookies, beacons, pixel tags, mobile ad identifiers, or similar technology, customer number or user alias);
  • Internet or other electronic network activity information (such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement), or geolocation data;
  • Commercial and purchasing information (such as records of property, products or services that have been provided, obtained or considered, or other purchasing or consuming histories or tendencies);
  • Biometric data, or audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information, information relating to characteristics of protected classifications under California or federal law (such as race, ethnicity, or gender); and
  • Any inferences drawn from any of this information.
PII does not include information that is publicly available or that is de-identified.

What are the Consumer “Rights”?

The Act enumerates four specific consumer “rights”:

  • “Right to Know” What PII is Collected: Consumers would have the right to request that a business that collects PII disclose the categories of PII that it has collected about the consumer.
  • “Right to Know” Whether Information is Sold or Disclosed: Consumers would have the right to request that a business that sells PII or discloses it for a business purpose identify the categories of PII that the business sold or disclosed about the consumer and the identity of the third parties (name and contact information) to whom it was sold or disclosed (whether or not it was sold or disclosed for marketing purposes).
  • “Right to Say No” to Sale of PII: A consumer shall also have the right to direct a business that sells PII about the consumer not to sell the consumer’s PII. Businesses must provide notice on the website or app homepage and privacy policy that such information may be sold and that consumers have a right to opt out of such sale.
  • “Right to Equal Service and Price”: The Act provides that a business is prohibited from discriminating against a consumer for exercising these rights. This includes prohibiting the business from denying goods or services to the consumer, charging different prices or rates (including through the use of discounts or other benefits or imposing penalties), providing a different level of quality or services, or suggesting that the consumer will receive a different price or rate, or level of quality or service, for exercising these rights.
How Do Businesses Comply?

The Act provides very specific compliance obligations for each of the consumer rights, and enumerates certain disclosure requirements for online privacy policies. This includes:

  • Contact Designation: Businesses must designate two or more methods for submitting requests, including at a minimum a toll-free telephone number, and if the business maintains a website, the website address.
  • Timeframe for Response: Businesses would be required to provide the requested information free of charge and within 45 days of receiving a verifiable request from the consumer. Businesses must take steps to verify the request, but this verification shall not extend the 45-day time period to respond. The disclosure must cover the information collected, sold, or disclosed in the preceding 12 months.
  • “Right to Say No”: Businesses must provide a clear and conspicuous link on the homepage and in the online privacy policy, titled “Do Not Sell My Personal Information,” that takes consumers to a page where they can opt out of the sale of their PII.
  • Privacy Policy Requirements: The Privacy Policy must contain the following information, and must be updated at least once every 12 months:
    • A description of the consumers’ “rights.”
    • A list of the categories of PII it has collected about consumers in the preceding 12 months by reference to one or more of the enumerated categories in the Act.
    • A list of the categories of PII that it has sold about consumers in the preceding 12 months by reference to one or more of the enumerated categories, or if a business has not sold consumers’ information, the business shall disclose that fact.
    • A separate list of the categories of PII it has disclosed about consumers for a business purpose in the preceding 12 months by reference to one or more of the enumerated categories, or if a business has not disclosed consumers’ information for a business purpose, the business shall disclose that fact.
  • Reasonable Security Measures: Businesses must implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the PII from unauthorized disclosure.
What are the Penalties for Failing to Comply?

The Act provides a private right of action for any consumer suffering a violation of the Act, and permits statutory damages in the amount of $1,000 per violation or actual damages (whichever is greater), or up to $3,000 or actual damages (whichever is greater) per knowing and willful violation.

The Act also permits a number of public entities (including the Attorney General, any district attorney, and certain county counsel, city attorneys, or city prosecutors) to bring an enforcement action and issue a civil penalty of up to $7,500 for each violation.

The Act contains a whistleblower provision allowing any person who becomes aware, based on non-public information, that a person or business has violated the Act to file a civil action for civil penalties, provided that notice is first given to the Attorney General.

* * *

For companies around the country, this California proposition will be one to watch during the November 2018 general election.

Claiming Privacy Shield Participation on Your Website? Lessons from the FTC’s First Privacy Shield Enforcement Action
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/claiming-privacy-shield-participation-on-your-website-lessons-from-the-ftcs-first-privacy-shield-enforcement-action
Thu, 14 Sep 2017 08:11:15 -0400

The Federal Trade Commission recently announced settlements with Decusoft, LLC, Tru Communication, Inc. (doing business as TCPrinting.net), and Md7, LLC, resolving allegations that the companies misrepresented their participation in the E.U.-US and Swiss-US Privacy Shield. The announcement comes just before the first Privacy Shield annual review (scheduled for September 2017) and marks the FTC’s first enforcement action related to Privacy Shield. This post provides a brief overview of the Privacy Shield framework, notable facts from the enforcement action, and key takeaways for companies.

Privacy Shield. The E.U.-US and Swiss-US Privacy Shield frameworks are an alternative transfer mechanism for companies to transfer E.U. and Swiss individual data to the United States in compliance with E.U. and Swiss data protection requirements. To participate in either framework, a company must self-certify to the Department of Commerce (“Commerce”) that it adheres to the Privacy Shield Principles. The FTC enforces compliance with the Privacy Shield framework under its Section 5 deception authority, and companies who misrepresent their Privacy Shield participation run the risk of an FTC enforcement action.

Charges and Settlement. All three companies claimed, in their respective online privacy policies and statements, that they were Privacy Shield framework participants. These representations were either express or by implication. Notably, in the case of TCPrinting.net, the company’s privacy policy stated that it would “remain compliant and current with Privacy Shield at all times.” Contrary to these claims, none of the three companies completed the steps necessary to participate in the Privacy Shield framework. The FTC settlement prohibits the companies from misrepresenting the extent to which they participate in any privacy or data security program and imposes FTC reporting requirements for a 20-year period.

Key Takeaways. Since 2009, the FTC has settled 36 cases involving claims of Safe Harbor participation, three cases involving alleged violations of Safe Harbor Privacy Principles, and four cases involving claims of participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. As noted in the chart below, the FTC has been active in enforcing cross-border privacy frameworks, and companies should expect this trend to continue. As part of the Privacy Shield negotiations, the FTC committed to give priority to Privacy Shield non-compliance referrals received from EU Member States, Commerce, and privacy self-regulatory organizations and other independent dispute resolution bodies. With the first Privacy Shield annual review forthcoming, these enforcement actions affirm that commitment.

FTC Enforcement Actions and Warning Letters, by Year:
  • 2009-2013: 10 Companies Settle Safe Harbor Charges
  • 2014: 14 Companies Settle Safe Harbor Charges
  • 2015: 15 Companies Settle Safe Harbor Charges
  • 2016: 1 Company Settles APEC CBPR Charges; FTC Issues Warning Letters to 28 Companies Regarding APEC CBPR Participation
  • 2017: 3 Companies Settle APEC CBPR Charges; 3 Companies Settle Privacy Shield Charges

In light of this activity, companies should review their privacy policies and similar statements to ensure that claims about participation in or compliance with self-regulatory or governmental privacy related programs are up to date and accurate.

One Employee in Europe Could Trigger New EU Data Protection Obligations
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/one-employee-in-the-europe-could-trigger-new-eu-data-protection-obligations
Tue, 16 May 2017 10:29:21 -0400

An Update on the New EU General Data Protection Regulation

On 16 April 2016, the EU adopted the General Data Protection Regulation (‘GDPR’) which largely rewrites and harmonizes the European legal framework of data protection. The new regulation will become applicable in May 2018, but given the scope and complexity of the GDPR it is important to prepare for this legal change well in advance.

Global scope?

With the GDPR, there will be a substantial expansion of the territorial scope of the EU data protection obligations, which may impact US companies and employers who were previously not affected by EU data protection rules. In determining its geographical reach, the GDPR considers not only the location of the processing, but also the location of the individual whose data is being processed. In this context, if your group of companies has one EU-based employee, the GDPR could be applicable to your organization. Note that the GDPR would also be triggered by processing personal data of EU-based customers.

Processing information?

If your group of companies has one EU-based employee, and it processes (i.e., collects, uses, transfers or electronically stores) personal data of this employee, the GDPR may apply. ‘Personal data’ includes information that is typically considered personal, such as an employee’s name, address, income details and medical condition, but also includes information not always considered personal, such as an employee’s computer or device IP address, device identifiers, or other ‘unique identifiers.’ Even if you as an employer merely offer certain services that give you access to such personal data, such as an IT helpdesk, server access, etc., the GDPR could apply to you.

What do I need to do?

First, you should determine whether your group of companies has EU-based employees or is otherwise processing information related to EU-based employees.

If you have EU-based employees and are processing such information, you should conduct an internal GDPR review to determine which departments or companies (e.g., IT help desk, HR, accounting, etc.) are in scope for GDPR compliance obligations, evaluate current compliance and the gaps to be resolved by May 2018, and set up the necessary structure for compliance with the GDPR. The level of data protection in the EU is considered (by the EU) to be higher than in the US, and US companies should be prepared for the disclosures, specific guarantees, and obligations under the GDPR. Depending on the circumstances, the GDPR will even require US-based companies with access to personal information to designate a representative based in an EU country to act as the point of contact for the relevant data protection authorities. Given the technical and detailed requirements, companies may benefit from the use of targeted guidance.

Sanctions?

The global reach of the GDPR calls into question its enforceability against US-based employers. Violating the GDPR can result in penalties of up to € 20 million or 4% of the annual worldwide turnover of the company (i.e., annual worldwide gross income), whichever is higher.

Bottom line?

The GDPR will not apply until 25 May 2018, but the time for action is now. All HR departments and/or employers should carry out a data review and assess whether the GDPR is applicable and what impact it has on their activities, in order to implement the necessary changes in time.

If you need additional guidance, an employment attorney will be able to provide guidance both on US and EU aspects of data protection law.

EU Data Protection Authority Issues GDPR Action Plan, Swiss Sign Privacy Deal with U.S.
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/eu-data-protection-authority-issues-gdpr-action-plan-swiss-sign-privacy-deal-with-u-s
Mon, 06 Feb 2017 07:21:40 -0500

On January 16, 2017, the Article 29 Working Party (“Working Party”), the EU’s central data protection advisory board, published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”). The Action Plan follows up on the actions initiated in 2016 and outlines the priorities and objectives for the year to come in anticipation of the entry into force of the GDPR in May 2018.

In 2017, the Working Party commits to continue and/or finalize work on several key issues:

  • Guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments (“DPIA”);
  • Administrative fines;
  • Setting up the administration of the European Data Protection Board (“EDPB”) structure; and
  • Preparation of the one-stop shop and the EDPB consistency mechanism.

New work priorities and objectives for 2017 include:

  • Guidelines on the topics of consent and profiling;
  • Guidelines on the issue of transparency; and
  • Update of existing opinions and guidance documents on data transfers to third countries and data breach notifications.

Moreover, the Working Party commits to continue consultation rounds and will invite relevant stakeholders to provide input on topics of interest. During a “Fablab” workshop announced for April 5 and 6, stakeholders will have the opportunity to comment on the Working Party’s Action Plan. Non-EU counterparts will have an opportunity to exchange views on the Working Party’s GDPR implementation and the GDPR generally during an interactive workshop scheduled for May 18-19, 2017.

* * *

In other data protection news, on January 11, 2017 the U.S. and Switzerland signed a Privacy Shield Agreement recognizing the adequacy of U.S. data protection legislation in light of Swiss requirements. Months earlier, on October 7, 2015, the Swiss Data Protection Commission stated that it would follow the Court of Justice of the European Union's invalidation of the U.S. – EU Safe Harbor framework, and hence a new framework was required. Resembling the EU – U.S. Privacy Shield, the new Swiss – U.S. agreement enables certified companies to export data from Switzerland to the U.S. in compliance with Swiss data protection laws. There are three notable differences between the EU – U.S. and Swiss – U.S. Privacy Shield frameworks:

  • Cooperation and compliance authority: under the EU – U.S. Privacy Shield, the EU Data Protection Authority; under the Swiss – U.S. Privacy Shield, the Swiss Federal Data Protection and Information Commissioner.
  • Sensitive data definition under the Choice Principle: the EU – U.S. Privacy Shield uses the standard definition; the Swiss – U.S. Privacy Shield uses a modified definition that also includes ideological or trade union-related views or activities, information on social security measures, and administrative or criminal proceedings and sanctions that are treated outside pending proceedings.
  • Binding arbitration: the EU – U.S. Privacy Shield has a binding arbitration option in place; under the Swiss – U.S. Privacy Shield, Commerce is to work with the Swiss Government to put in place a binding arbitration option at the first annual review.

The new agreement replaces the existing U.S. – Swiss Safe Harbor Framework with immediate effect. The Department of Commerce will begin accepting self-certification applications on April 12, 2017.
