What is Privacy Shield?  Since 2016, U.S. companies and organizations receiving personal data relating to individuals in the European Union have relied upon a self-certification program known as Privacy Shield. Rather than enter into numerous agreements and meet other requirements to process the personal data of individuals in the EU, U.S. companies have been able to self-certify to a level of compliance to meet EU law. Privacy Shield serves to address the General Data Protection Regulation’s (GDPR) requirement that adequate safeguards be in place for the protection of transatlantic transfers of personal data and the receiving entity’s handling of that data. Under Privacy Shield, self-certified companies that comply with the agreement’s requirements are considered to have met the EU’s higher standard for data privacy and obtained some level of “adequacy.” Since its implementation, more than 5,300 companies have operated under its terms. The future of Privacy Shield, however, is now in jeopardy.

EU Court holds Privacy Shield to be Inadequate.  On July 16, 2020, Europe’s highest court, the Court of Justice of the European Union (CJEU) held that United States law is inadequate to protect EU citizens’ personal data to the extent that EU law requires. Specifically, the CJEU held that the “limitations on the protection of personal data arising from the domestic law of the United States, on the access and use by U.S. public authorities of such data transferred from the European Union… are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.” To put it another way, Privacy Shield’s fundamental flaw, according to the court, is not so much that member companies’ practices are inadequate, but rather that the U.S. government cannot be trusted to maintain the confidentiality, integrity, and availability of personal data.  Specifically, the justices found that federal laws such as the Foreign Intelligence Surveillance Act “cannot be regarded as limited to what is strictly necessary” and fails to meet “minimum safeguards” guaranteed by the EU.
Continue Reading Warning! Shields are Down: Top EU Court Invalidates EU-US Privacy Shield Protections

It is summer and you just finished all the hard work to make sure your organization addressed all applicable California Consumer Privacy Act (CCPA or the “Act”) requirements.  You sit down, take a deep breath, and see what California has been up to during your CCPA preparations.  Well, lo and behold, California wants to give the nation’s most aggressive data protection law a facelift in a new ballot initiative to be voted on this November.

You may remember that California pioneered the first sweeping privacy reform in the United States in 2018 when the CCPA was passed. The Act was amended in 2019 and went into effect January 1, 2020, with enforcement beginning July 1 of this year. Taft’s Privacy & Data Security group has provided information regarding the data requirements of the CCPA in previous blog posts, but generally, the Act affords consumers the right to know what information is being collected from them, the right to prohibit businesses from keeping their information, and the right to opt-out of the sale of their personal information, among other things.  The CCPA already reaches outside California state lines, as it applies to companies that do business within the state that have revenues of over $25 million per year, derive at least 50% of its revenue from selling information, or buy, sell or share personal information of at least 50,000 California consumers, households or devices.


Continue Reading Data Déjà vu? Data Protection Back On the Ballot in California

On Jan. 25, 2019, the Illinois Supreme Court issued a landmark opinion in Rosenbach v. Six Flags Entertainment Corporation, a case brought under the Illinois Biometric Information Privacy Act (“BIPA”). 740 ILCS 14/1 et seq. The court reversed the decision of the Illinois appellate court and held that a plaintiff may bring a lawsuit under BIPA as an “aggrieved” party based upon a defendant’s violation of the statutory requirements of BIPA and without the plaintiff being required to show actual damages.

The court’s decision has important ramifications for the many lawsuits that have already been brought under BIPA and opens the way for plaintiffs to seek BIPA’s liquidated damages and injunctive relief based upon technical violations of the statute.


Continue Reading The Illinois Supreme Court Clears the Way for a Proliferation of Lawsuits Under the Illinois Biometric Information Privacy Act

In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.

Consumers

  1. Your choices matter most. I beat this drum pretty heavily, but it is


Continue Reading Data Protection: Key Takeaways for Consumers and Businesses After the Facebook and Cambridge Analytica Scandal

U.S. privacy law is based on the principles of notice and consent – for instance, under FTC and state consumer protection laws, consumers given fair notice and the opportunity to consent generally cannot complain about the use of their data.

But as we have noted in prior posts, the E.U.’s General Data Protection Regulation (“GDPR”), which will become effective May 25 of this year, is more comprehensive than any U.S. privacy law in most respects. It treats personal data (defined broadly) as belonging to the person identified by the data, or “data subject.” The company collecting the data has a limited license to use that data in legitimate ways – as described in one article, a company can only use the data in ways that “wouldn’t surprise them or make them uncomfortable.”

It is unsurprising, then, that under the GDPR, the specific concepts of fair notice and consent are also more robust than in the U.S. This post will give an overview of the notice requirements under the GDPR, and a future post will explore the consent requirements.


Continue Reading What’s in a notice? Privacy notices under the GDPR

The Office for Civil Rights (OCR) announced a settlement agreement for $5.5 million dollars with Florida’s Memorial Healthcare Systems (MHS) stemming from allegations it failed to protect patient data. The privacy violation arose out of the unauthorized access of 115,143 patients by MHS employees. The information that was compromised consisted of names, dates of birth and social security numbers. A majority of these impermissible actions occurred when a former employee’s login credentials were used from 2011-2012 which affected 80,000 individuals.
Continue Reading HIPAA’S Privacy Rule: Having a Policy – But Not Enforcing It – Costs Provider $5.5 Million

To effectively guard against an enemy of any kind it’s important to know your enemy. This strategy is just as effective when fighting an online battle to protect your company’s data.

Before you can effectively defend against cyberattacks, it is important to educate yourself on potential threats and how to handle them. We invite you to join us on September 7 for part two of the Columbus Cybersecurity Series featuring FBI agent David Fine returns. During this portion of the
Continue Reading Real-Life Attacks On Business & What You Can Do To Deter A Cybercriminal – Event September 7

This is the first of a three-part series on the implications of cybersecurity threats on boards of directors. 

Now, more than ever, corporate boards face an immense challenge to ensure that their companies are prepared for cybersecurity threats before they occur.  It is not question of if a corporation will be hit by a cybersecurity incident or data breach, but when.

The Existing Cybersecurity Landscape and Associated Risks  

The landscape that corporate boards face has never been more treacherous, with


Continue Reading Corporate Boards: The Challenges and Risks of Maneuvering Through Cybersecurity

The Department of Justice Cybersecurity Unit recently issued its “best practices” for cybersecurity incidents, while the SEC recently circulated a cybersecurity “guidance update.”  These publications recommend that companies institute certain policies and procedures for cybersecurity based on each agency’s experience in the area.

The agencies’ suggestions are good ones.  More importantly, like NIST’s Cybersecurity Framework, such recommendations may become de facto standards that regulators, courts, and juries look to when they assess whether your company’s
Continue Reading Regulatory Update: DOJ and SEC Issue Privacy and Cybersecurity Recommendations

Threat Intelligence is, very simply, network defense techniques that leverage knowledge (i.e. intelligence and counter intelligence) about adversaries so that organizations can build a superior information base which decreases the chances of an attacker compromising their networks. Gartner more specifically defines it as “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to the menace or hazard.”

Vulnerability
Continue Reading Threat Intelligence – What You Should Be Doing