With the European Union’s new General Data Protection Regulation (or GDPR) taking effect in less than 100 days, the interest of many U.S. companies has been piqued as to how the GDPR may affect their overseas and internet-based businesses. This article, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check” (details and download information here). The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.

Last year saw multiple high-profile data breaches, enough to place cybersecurity atop any in-house attorney’s 2018 priority list.

But the threat posed by hackers isn’t the only cyber concern on the minds of in-house counsel this year, reports Corporate Counsel magazine.

In the regulatory realm, complying with the European Union’s General Data Protection Regulation, which takes effect in May, is expected to be companies’ top data privacy task of 2018. But it’s not the only one. The Chinese government also plans to impose new, below-the-radar data privacy regs that will make companies jump through another set of legal hoops.

The legal implications of new technologies, such as fitness devices that blur the line between medical and personal data collection, are also expected to challenge corporate counsel. And groundbreaking legal cases could change the law regarding who has standing to sue following a data breach in the U.S. and whether companies can use standard contractual clauses to transfer personal data out of Europe.

On June 14, Fox Partner Scott Vernick appeared on live-streaming financial news network Cheddar to provide background information on the European Union’s General Data Protection Regulation, which goes into effect on May 25, 2018. To comply with the new privacy rules, companies that provide online services to residents of the EU will be required to obtain documented “hard consent” from customers before processing and storing their data. For many American companies, this is a significant shift.

Scott outlines the high stakes for companies affected by the GDPR: a fine for failure to comply of four percent of their worldwide annual turnover (i.e., gross revenue). He also discusses the potential impact on the EU-based user experience, and notes that companies will need to account for variations to the GDPR allowed within specific member countries.

We invite you to watch Scott’s informative segment.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.” The guiding principles of the draft bill are: individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.” However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House. FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”

To review the administration’s proposed bill, click here.


In its continuing efforts to give the State of California a run for its money when it comes to privacy rights, the United Kingdom’s “cookie law” is now in effect. Websites for European companies with European visitors, or non-European companies that are directed at European users, must now inform users of any tracking technology used on the website, and the purpose of the use of that tracking technology.

The Law

The new law is part of the European Union’s "e-Privacy" Directive. Implementation of the e-Privacy Directive requires that each member state incorporate the e-Privacy Directive into its own law in 2011. The United Kingdom accomplished the foregoing by creating the amended Privacy and Electronic Communication Regulations (PECR) Act 2011, which became effective on May 26, 2011. The disclosure of the use of user tracking technology is only one element of PECR.

Types of Tracking Technology

The use of cookies on a website is only one practice covered by the cookie law. Advertising tracking and analytics, for example, are also covered practices.

Affected Businesses

If you have only a U.S.-based web site, with no web page directed explicitly at the United Kingdom, then the cookie law should not affect you. However, if you have a website or web page directed specifically to residents of the United Kingdom, you almost certainly are subject to the cookie law.

Opt-Out or Opt-In

Good question. Originally the cookie law was interpreted to mean that a user must explicitly opt-in to the tracking technology. However, just before the cookie law went into effect the Information Commissioner’s Office (“ICO”), the United Kingdom’s data protection agency, updated its guidance to say that “implied consent” was acceptable, and that continued use of the subject website would meet the consent requirement.

Compliance Deadline

The cookie law is currently in effect, but it is no secret that many, many organizations are not currently in compliance. Those websites that are in compliance with the cookie law will present users with a dialogue similar to this:

Mobile Applications

Just to keep things interesting, the cookie law applies to mobile applications as well. Because mobile applications have just as many, if not more, opportunities for user tracking, and because that user tracking is not always obvious, it has already been made clear that the ICO will pay particular attention to mobile application compliance.


The ICO has the authority to fine non-compliant organizations up to $780,000 (or 500,000 pounds) for not complying with the cookie law. Fortunately, the ICO is not going to be in a big rush to penalize non-compliant organizations and, instead, is focusing on educating companies regarding compliance requirements.

A video of an autistic boy being harassed by bullies is posted to a service offered by Google in Italy. Google is informed of the availability and content of the video. Google removes the video within two (2) hours of being informed. Did Google react appropriately?

Those familiar with US privacy laws know that there is little about which Google should be concerned. Those familiar with European Union (EU) privacy laws generally conclude that Google is protected by the safe harbor under Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market. Those unfamiliar with EU privacy laws probably conclude that Google did the right thing, acted swiftly and should not be responsible for material posted by third parties about which Google is not aware.

Google is guilty of violation of Italian privacy laws, says an Italian court. The Italian court held three (3) Google executives criminally liable for making the bully video available. Yeah, seriously, convicted in absentia for violation of privacy (but cleared of defamation charges), Google’s Chief Legal Officer, Chief Privacy Counsel and a former Chief Financial Officer were sentenced to six-month suspended sentences. (I understand that for most convictions of less than two years, sentences are generally suspended if there are no prior convictions.)

Full post: With Conviction of Google Executives for Invasion of Privacy, Companies Need to Consider Risks of Social Media Services in the European Union

As with NebuAd here in the United States, the Phorm service in Europe is under constant and increasing attack. The business model for both is basically to team up with Internet service providers, track and collect Internet usage data, and then use that information to serve interest-based ads to the Internet user. Take a trip to a popular gadget web site, and expect to be served advertisements that offer gadgets for sale. Visit a travel interest web site, and expect to start noticing advertisements from travel sites in other web pages.

Announcing that the European Union has "opened an infringement proceeding" to investigate Phorm’s activities, the European Union’s Commissioner for Information Society and Media, Viviane Reding, said in a video message that "European privacy rules are crystal clear: a person’s information can only be used with their prior consent. We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored in exchange for a promise of ‘more relevant’ advertising! I will not shy away from taking action where an EU country falls short of this duty."

The legal action commenced by the European Union basically consists of an inquiry and warning to Britain, asking for Britain’s interpretation of the privacy regulations and rules in place and an explanation of how Phorm’s operations comply with those privacy regulations and rules. In other words, the European Union wants Britain to explain why it has not commenced any action against Phorm. Britain has two months to respond, and additional inquiries and warnings may follow before the European Union forces Britain into court.


Full post: European Union Seeks Privacy Enforcement By Britain

Starting April 6, 2009, European Union telecommunications companies and Internet service providers (ISPs) suddenly found themselves required to store even more data about their users.

Under the existing requirements of the 2006 Data Retention Directive, telecommunications providers are required to retain records of telephone calls made over their lines (when calls were made and the origination/destination details).

Now, under The Data Retention Regulations 2009, those European telecommunication providers, and for the first time some ISPs (other than ISPs that also provide voice over IP services, which have always been covered), must retain details of Internet traffic and electronic mail transmissions for a period of six (6) to twenty-four (24) months from origination. The United Kingdom has determined that the period of retention shall be twelve (12) months. Sweden has threatened to “ignore” these new requirements.

Although the new regulations do not require the retention of the actual content (i.e., the telephone conversations, Internet content or the electronic mail content), affected European telecommunication providers and ISPs must retain the details of the transmissions (e.g., origination and destination telephone numbers, length of telephone calls, the IP address of the user but not the destination IP addresses, electronic mail addresses, and time of transmission).


Full post: European Telecoms and ISPs Start Storing User’s Internet Data