The Impact of the Schrems Safe Harbor Decision
Here is the latest fallout from Edward Snowden’s public disclosures about NSA snooping on international communications: On Tuesday, the European Court of Justice invalidated the 15-year-old “Safe Harbor Data Protection Framework” under which more than 4500 US companies and organizations are permitted to process data relating to European consumers and employees. According to the EU’s highest judicial institution, it does not matter how carefully the companies keep their privacy commitments, because US government agencies may be reading their electronic mail without adequate legal supervision. This means that US-based companies must quickly pivot to other legal means of bringing European personal data to the US, such as Model Contracts and Binding Corporate Rules. But that is only the beginning.
Blowing up the Safe Harbor
The 1995 EU Data Protection Directive (Article 25) generally forbids transferring personal data from Europe to countries that do not assure an “adequate” level of legal privacy protection. The United States is deemed inadequate (along with India, Russia, China, Brazil, and, well, most of the rest of the world), because the US does not have a comprehensive data protection law on the European model.
An important alternative has been available since 2000: US companies participating in the “Safe Harbor” program negotiated between the European Commission and the US Department of Commerce could receive (or access) personal data from Europe so long as they certified compliance with the Safe Harbor Privacy Principles, a streamlined version of the principles found in the EU Data Protection Directive. Safe Harbor companies submit to third-party dispute-resolution procedures and, ultimately, enforcement in the US (chiefly by the Federal Trade Commission) or in Europe by a panel of European national data protection authorities in the case of employee data. The European Commission, with the assent of the European Council representing the governments of the EU Member States, issued a decision in 2000 that data flows subject to Safe Harbor principles and enforcement mechanisms should be deemed “adequately” protected. The thousands of Safe Harbor companies and organizations listed on the Department of Commerce website include Google, Microsoft, Apple, IBM, Amazon, most of the major US-based outsourcing and cloud services providers, and many global companies with European affiliates, including those that use Safe Harbor chiefly to access their own customer and employee records in Europe, operate central database applications, or simply manage their email servers on a global basis.
Developing a privacy compliance program is an essential, if often daunting, compliance step for organizations of all sizes, and across all industries. InfoLawGroup partner Justine Young Gottshall recently co-authored an in-depth practice note on this topic, published by Practical Law and available here.
The Federal Trade Commission’s (“FTC”) announcement last week of settlements with 13 separate companies for charges of falsely advertising certification with the U.S.-EU and/or U.S.-Swiss Safe Harbor Frameworks (“Safe Harbors”) – some of which never existed but several of which had simply lapsed – serves as a reminder that businesses should periodically and often review their online privacy policies (“PP”). During this review, businesses should ensure that: (i) they are following all of the stated provisions of the PP; (ii) the PP accurately reflects current business practices, technologies used on the applications, websites or other online services (“Online Services”), and business arrangements with third parties; and (iii) the PP remains current with regard to applicable laws, regulations and self-regulatory programs to which the Online Services are subject. A look at recent FTC actions illustrates the importance of this review.
A purported class action lawsuit was recently filed against meal-delivery service Blue Apron based on its alleged failure to satisfy the requirements of California’s law regulating automatic-renewal provisions in consumer contracts (Cal. Bus. & Prof. Code § 17600 et seq.). The case, C.D. Cal. No. 2:15-cv-05521, was filed in June 2015 and removed to federal court last month. California’s law, which went into effect in December 2010, has in recent months been the basis for a spate of similar lawsuits – Blue Apron being the latest entry in a trend that we anticipate will continue.
InfoLawGroup is happy to announce that McLean B. Sieverding has joined the firm as Senior Counsel. Most recently, McLean served as Assistant General Counsel for Int’l Data Protection & Regulatory Compliance at Verizon and prior to that, he spent more than a decade practicing in the Communications, Media & Privacy group at Willkie Farr & Gallagher LLP.
McLean’s practice focuses on identifying and managing state, federal, and international privacy and data security issues and risks for a broad range of clients in the software, financial services, healthcare, IT, new media, telecommunications and retail sectors. He is also a seasoned contract negotiator and data breach law attorney, having managed more than 500 data breach remediations.
McLean is a frequent speaker and writer on privacy and data security law and policy issues, and he regularly develops and conducts tailored privacy and data security compliance/training programs for clients. We are thrilled to have him on board!
This post was co-authored by Partner Justine Gottshall and Counsel Brian Schaller.
The Federal Communications Commission (“FCC”) released its TCPA Omnibus Declaratory Ruling and Order (“Order”) regarding the Telephone Consumer Protection Act (“TCPA”) on July 10, 2015, which Chairman Tom Wheeler announced via a blog post and FAQs in late May. InfoLawGroup previously discussed the potential impact on businesses based on the initial announcement. The FCC has now released the Order and statements from the Commission, including dissents by certain Commissioners. Below are key points that your business should know about the Order.
- In almost all cases, the equipment being used is likely an “autodialer” as currently defined by the FCC.
InfoLawGroup congratulates partner Justine Young Gottshall for being recognized by SC Magazine as one of the 5 Women in IT Security: Women to Watch. It is an honor to be named, particularly given the other accomplished and successful women on the list, and those profiled throughout the Women in IT Security issue. Ms. Gottshall is the sole lawyer included on the “Women to Watch” list.
The Federal Communications Commission (“FCC”) adopted a package of declaratory rulings regarding the Telephone Consumer Protection Act of 1991 (“TCPA”), which the dissenting Commissioners warn could cause issues for businesses that communicate with their customers via phone or text messages. InfoLawGroup discussed this vote and issue in a previous post. Last week the rulings passed 3 to 2, but the order has not yet been released. However, the FCC has issued a press release. The press release states that:
“‘Autodialer’ is defined in the Act as any technology with the capacity to dial random or sequential numbers. This definition ensures that robocallers cannot skirt consumer consent requirements through changes in calling technology design or by calling from a list of numbers.”
As we identified in our previous post, this broad definition will impact certain calls and text messages. Statements from dissenting Commissioners give us insight into the rulings and potential issues. In his dissent, Commissioner Ajit Pai stated that, “After this Order, each and every smartphone, tablet, VoIP phone, calling app, texting app—pretty much any phone that’s not a “rotary-dial phone” will be an automatic telephone dialing system.” He gives an example of how this could potentially subject innocent actors to a TCPA lawsuit.
“Jim meets Jane at a party. The next day, he wants to follow up on their conversation and ask her out for lunch. He gets her cellphone number from a mutual friend and calls her from his smartphone. Pursuant to the Order, Jim has violated the TCPA, and Jane could sue him for $500 in statutory damages. If he follows up with a text, that’s another $500 violation.”
The FTC recently updated its published guidance on the use of endorsements in advertising. In 2009, the FTC revised its Guides Concerning the Use of Endorsements and Testimonials in Advertising (“Endorsement Guides”). Following the release of the Endorsement Guides, the FTC issued an informal FAQ in June 2010 to answer some of the most frequently asked questions it had then received. Now, the FTC has revised those FAQs, “The FTC’s Endorsement Guides: What People Are Asking,” in order to expand on topics broached the first time around and to address new communication media and other issues not previously covered.
The revised FAQs contain a lot of very valuable information regarding how the FTC staff interprets the Endorsement Guides. If your company uses endorsements in any of its advertising – from employment of a celebrity spokesperson to incentivizing discussion of your brand online through the use of a sweepstakes or contest – you will want to review the new FAQs in their entirety. For now, here are a few highlights:
(1) The Need for Disclosure, Generally. One of the fundamental principles of the Endorsement Guides is that any material connection between the endorser and the advertiser that would affect how people evaluate the endorsement and would not be reasonably expected by the audience must be disclosed. As the FTC notes, “[u]nder the law, an act or practice is deceptive if it misleads ‘a significant minority’ of consumers.” So, even if a majority of the audience would understand the connection between endorser and advertiser without a disclosure, if a significant minority of the audience would not, a disclosure is required in order to avoid deception.
There are many articles circulating the web about new live-streaming video technologies like Meerkat. These tremendous apps make it possible for users to stream real-time video from their phone to the internet for all to view, turning every individual into a real-time video journalist. Brands and entertainment properties have also jumped into the fray with these technologies. For example, Jimmy Fallon live-streams some of his show practices on his Periscope channel and, in late March, Mountain Dew live-streamed a hangout for fans to view and get rewarded with Mountain Dew swag. Of course, most legal articles about live-streaming apps focus on the intellectual property and piracy issues raised by use of these apps. Indeed, sports franchises, which make a huge portion of their income from selling exclusive rights to broadcast their events in real time, are already noodling on these issues. Sports franchises typically protect their broadcast interests by restricting who can bring live broadcasting equipment into their facilities. However, that becomes more challenging when the only necessary equipment is an ordinary cell phone.
Less talked about, but equally important, is how these technologies may increase the real-time risk of exposure of a wide range of sensitive or private information in the workplace. Companies’ potentially controversial business practices, legally sensitive situations like employee firings, or internal programs and trade secrets could be revealed to the public instantly. The apps could also create risks for individual employees’ privacy, as everyday workplace activity could be streamed to the general public in real time.
Of course, some of these risks have existed since the advent of built-in cell phone video cameras. But these new apps eliminate the delay between when the video is filmed and when it becomes available to the global public. By the time someone is seen filming, the video is already streaming, and rather than preventing exposure, the company may have to focus on cleaning up the mess. Even the most devoted employees could inadvertently expose corporate secrets without the ability to screen and edit videos before publication.
I contend that these technologies may re-raise BYOD (bring your own device) issues for the workplace. Should these technologies be forbidden on workplace devices? Should all devices containing these technologies be forbidden at work? Would the NLRB agree with these types of workplace restrictions? At the very least, employers may need to implement training programs to make their employees aware of these risks. Though individual businesses’ needs will vary and by no means will all use of these apps be problematic, the advent of this technology highlights the importance of companies having, and regularly updating, a clear internet and social media policy.