Registration for the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders in major industries, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control EU citizens’ personal data should understand how to maintain compliance and avoid costly fines. Many more businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help protect protected health information (PHI), personally identifiable information (PII) or other sensitive data. Learn cutting-edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement, including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corps and is a decorated combat veteran of Operation Desert Shield/Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing businesses.

Stay tuned for more agenda details. Registration is open.

Facebook has failed to prevent its feud with an Austrian privacy activist over the legality of two widely used mechanisms for transferring data between the European Union and the U.S. from reaching the EU Court of Justice.

In a May 2nd ruling, the Irish High Court sided with activist Max Schrems and the Irish Data Protection Commissioner, rejecting Facebook’s request to stay the court’s October 2017 referral of the case to the EU Court of Justice to give the company time to appeal the referral to the Irish Supreme Court.

The decision carries with it potential consequences for thousands of international companies that use model contracts and Privacy Shield for transatlantic data transfers.

Schrems filed a grievance over Facebook’s use of model contracts with the Irish Data Commissioner in 2015 saying that Facebook failed to protect EU citizens’ data from the prying eyes of U.S. law enforcement and intelligence agencies.

The Data Commissioner referred the case to the Irish High Court in May 2016 after determining the complaint was “well founded.” The Irish High Court expanded the scope to include Privacy Shield in its 2017 decision to refer the matter to the EU Court of Justice.

In 2015, the EU Court of Justice invalidated the Safe Harbor accord, then a widely used mechanism for transferring data between the EU and U.S., ruling it failed to adequately protect the privacy of EU citizens. Privacy Shield was created to replace Safe Harbor. Details via Reuters, Fortune and Bloomberg.

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech ecosystem, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018. This gives companies only two months to prepare for and comply with the GDPR. Companies should be conducting data mapping to identify all cross-border transfers of personal data so that they can determine the best way to comply with the GDPR requirements.

The GDPR has been, perhaps, the most widely talked-about privacy regulation for the past year and a half after it was approved by the EU Parliament on April 14, 2016, because of the sweeping changes it will bring to how the global digital economy operates with regard to processing personal data. GDPR will apply to all EU-based companies, irrespective of whether personal data is processed inside or outside of the EU. The GDPR will also apply to companies outside the EU that offer goods or services to individuals in the EU and/or that monitor or track the online behavior or activities of individuals in the EU.

Any transfer of personal data to a third country can take place only if certain conditions are met by the data exporter and the data importer. If a company is transferring EU personal data outside of the EU, that company must identify a valid transfer mechanism to legally transfer that personal data. The most widely used transfer mechanisms are: (1) transfers within the EU and adequacy rulings; (2) appropriate safeguards; and (3) derogations.

Transfers Within the EU and Adequacy Rulings

Under GDPR, personal data can be moved between EU member states (and Norway, Liechtenstein, and Iceland) without restriction.

Cross-border transfers may also take place without a need to obtain further authorization if the European Commission determines that the third country’s body of national law ensures an adequate level of protection for personal data. The European Commission considers several factors when determining if the country has an adequate level of protection, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order and criminal law.

Appropriate Safeguards

In the absence of an adequacy determination, cross-border personal data transfers are permitted if the controller and processor use EU-approved safeguards. The most widely used transfer mechanisms are binding corporate rules, model contractual clauses, and certification mechanisms (e.g. Privacy Shield).

Binding corporate rules (BCRs) are internal codes of conduct adopted by multinational companies to allow transfers between different branches of the organization. BCRs are a favored mechanism because of their flexibility, ability for tailored customization, and a lower administrative burden once implemented.

Model contractual clauses are legal terms contained in a template data processing agreement drafted and ratified by the EU. Model contractual clauses can be burdensome because companies are required to enter new model contractual clauses to cover each new third party and each new purpose for processing or transfer.

Because the European Commission does not recognize the U.S. as an adequate third country, U.S. companies can comply by certifying under the EU-U.S. Privacy Shield that they meet the high data protection standards set out in the Privacy Shield. The Privacy Shield remains subject to the same criticism that ultimately resulted in the downfall of its predecessor (Safe Harbor): that it does not fully protect the fundamental rights of individuals provided under EU privacy laws.

Derogations

In the absence of either an adequacy decision or the implementation of an appropriate safeguard, a cross-border transfer can still take place in limited circumstances, where an exception applies. These circumstances include situations where the individual explicitly consents after having been informed of the risks of data transfer in the absence of an adequacy decision and appropriate safeguards, the transfer is necessary for the performance of a contract between the parties, or if the transfer is necessary for important reasons of public interest. The permitted derogations are fact-specific and are generally not intended to be relied upon as a company’s primary transfer mechanism.

Guidance for GDPR Compliance

Transferring personal data out of the EU without a valid transfer mechanism can result in significant fines and increased regulatory oversight. Beginning on May 26, 2018, compliance with the GDPR will be essential for companies engaging in cross-border transfers of personal data.

To comply with the GDPR, companies should first identify and map all cross-border data flows. Companies should then examine and assess for each of these flows whether the receiving country is in the EU (and Norway, Liechtenstein and Iceland) or is otherwise deemed adequate. If not, the company should consider whether any appropriate safeguards have been put in place, and/or whether any specific derogations apply.

With the European Union’s new General Data Protection Regulation (or GDPR) taking effect in less than 100 days, the interest of many U.S. companies has been piqued as to how the GDPR may affect their overseas and internet-based businesses. This article on CFO.com, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check” (details and download information here). The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.

Last year saw multiple high-profile data breaches, enough to place cybersecurity atop any in-house attorney’s 2018 priority list.

But the threat posed by hackers isn’t the only cyber concern on the minds of in-house counsel this year, reports Corporate Counsel magazine.

In the regulatory realm, complying with the European Union’s General Data Protection Regulation, which takes effect in May, is expected to be companies’ top data privacy task of 2018. But it’s not the only one. The Chinese government also plans to impose new, below-the-radar data privacy regs that will make companies jump through another set of legal hoops.

The legal implications of new technologies, such as fitness devices that blur the line between medical and personal data collection, are also expected to challenge corporate counsel. And groundbreaking legal cases could change the law regarding who has standing to sue following a data breach in the U.S. and whether companies can use standard contractual clauses to transfer personal data out of Europe.

On June 14, Fox Partner Scott Vernick appeared on live-streaming financial news network Cheddar to provide background information on the European Union’s General Data Protection Regulation, which goes into effect on May 25, 2018. To comply with the new privacy rules, companies that provide online services to residents of the EU will be required to obtain documented “hard consent” from customers before processing and storing their data. For many American companies, this is a significant shift.

Scott outlines the high stakes for companies affected by the GDPR, in the form of a fine for failure to comply of four percent of their worldwide annual turnover (i.e., gross revenue). He also discusses the potential impact on EU-based user experience, and notes that companies will need to account for changes to the GDPR allowed within specific member countries.

We invite you to watch Scott’s informative segment.

An executive order signed by President Trump last week potentially put the six-month-old Privacy Shield in jeopardy. Although targeting mostly immigration and border patrol, the EO, titled “Enhancing Public Safety in the Interior of the United States,” also eliminates privacy protection for foreigners.

Section 14 of the Executive Order reads:

“Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

The potential consequences of this should be obvious. Excluding non-U.S. citizens or residents from the protections of the Privacy Act could effectively destroy the U.S. safeguards provided by the Privacy Shield regarding the adequacy of protection of the personally identifiable information of EU citizens. This could lead to the invalidation of the Privacy Shield Agreement outright.

In a statement, the European Commission supported the Privacy Shield and downplayed the impact of Trump’s EO. “The U.S. Privacy Act has never offered data protection rights to Europeans,” a spokeswoman for the EC said. This suggests that the EC is taking the position that the Privacy Shield is not contingent on the Privacy Act, which covers only data held by U.S. agencies, and not by private companies.

But others in Europe are less sanguine. European Parliament Member Jan Philipp Albrecht said he fears the EO will undermine the Privacy Shield, tweeting: “If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-U.S. umbrella agreement.”

Albrecht’s opinion may better reflect the stance of European regulators. Comparing the EO against the Judicial Redress Act, for example, reveals that the Privacy Shield and the Umbrella Agreement between the U.S. and EU – which governs information sharing by law enforcement across the Atlantic – both remain intact.

Still, it seems impossible to think that the EO and other protectionist policies announced by the Trump Administration will not jeopardize the Privacy Shield, which is enforced by the Department of State and the FTC, agencies under Trump’s control. If Trump directs them not to prosecute privacy violations, or if enforcement is reduced, the Privacy Shield is unlikely to survive in the long term. One critical component of the Privacy Shield framework, after Safe Harbor’s invalidation, was increased U.S. enforcement of EU privacy rights. That agreement must contain a recognition by the U.S. of the right of Europeans to bring enforcement actions in the U.S. against companies that might not otherwise be reachable in the EU.

Worth remembering, too, is that the Privacy Shield Agreement must be renewed annually by the U.S. Department of Commerce and the European Commission. A deal that was founded upon U.S. enforcement is unlikely to win renewal by the European Commission if Trump has directed his executive branch not to enforce non-citizen privacy rights.

The question may in the end turn on the FTC and whether it enforces both privacy violations generally, and the Privacy Shield specifically. U.S.-EU diplomacy in other areas may also bleed over into the Privacy Shield debate.

So far, more than 1,500 companies have self-certified under the Privacy Shield, which was approved in July 2016. Self-certifications began in August 2016 in the wake of the invalidation of the Safe Harbor agreement. U.S. companies certified under the Privacy Shield should closely monitor the situation. One smart strategic option is adoption of Model Contract Clauses as a “belt and suspenders” approach to compliance.

The clock is ticking toward the May 2018 implementation of the EU’s General Data Protection Regulation (GDPR) and, according to PwC’s recently released Pulse Survey, U.S. companies are now investing significantly in compliance measures. Per the survey, 92% of respondents consider GDPR a “top priority” for 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.

“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation,” said Jay Cline, PwC’s U.S. Privacy Leader. “The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for U.S. companies that offer goods and services to EU citizens.”

In December, prominent GDPR analyst Chiara Rustici advised businesses “to ring fence 4 percent of 2016 global turnover and earmark it as budget for 2017 compliance.” (Because of its proximity to the release of the EU Article 29 Working Party’s own GDPR guidance, which clarified certain key enforcement issues for member states, Rustici’s budget advice was unable to fully account for the new information.)

“American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers,” Cline also said. This statement echoes Rustici’s advice in 2016, in which she stated that “there are no excuses for not having a GDPR budget in place before the end of 2016.” Though more than a year remains for companies to achieve compliance, and further guidance is expected from EU data protection regulators, PwC cautioned that companies should not wait to make it a priority.

For organizations wondering where to start, here are perhaps the most important steps they should take.

Need for Data Portability and Data Mapping

In its December guidance, the Article 29 Working Party addressed a major issue that companies will need to develop infrastructure and processes to address. Namely, it discussed data portability – the ability for an EU citizen to access their personal data and easily transfer it to a different service provider. Closely tied into this concept are two central rights within GDPR: the Access Principle, whereby a user can discover what personal data of theirs a company holds, and the “right to be forgotten,” whereby a user can request the deletion of that data. To turn these concepts into reality, Article 30 of GDPR practically obligates companies to create comprehensive data maps to easily discern what data the company possesses, where it is stored, how it flows, with whom it is shared, and how it is used.

The guidance also indicated the need for companies to develop systems, technological or otherwise, to respond to individual requests under the data portability provision. According to the Working Party, “one of the ways in which a data controller can answer requests for data portability is by offering an appropriately secured and documented Application Programming Interface (API). This would enable individuals to make requests for their personal data via their own or third-party software or grant permission for others to so do on their behalf.” Regardless of process, fulfilling the data portability and data mapping requirements represents no small IT investment for affected companies.

Budgeting

GDPR applies to companies as a whole, and for budgeting purposes, leaders should also take the regulation into account across the full enterprise, as opposed to merely in the legal, compliance and IT areas. “[T]he budget is there to ensure that any interaction of EU-based individuals with a brand’s real and digital estate follows the EU data protection principles,” noted Rustici, and “that will mean product design, user experience, distribution and after sales support, HR, marketing, legal, risk and compliance, storage and security should all own a share of the corporate GDPR budget.”

A good GDPR budget may allocate money to some or all of the following line items:

  • data inventory and mapping
  • privacy and state-of-the-art safety by design
  • solutions to enable data portability and the right to be forgotten
  • internal GDPR training
  • stress-testing GDPR resilience, information security, and audit
  • enterprise-wide coordination and compliance
  • vendor management
  • hiring of a GDPR architect, CISO, and/or DPO

Hire a Data Protection Officer

Relevant to the last line item above, GDPR requires companies that process personal data “as a core activity” and/or monitor data subjects “on a large scale” to hire a Data Protection Officer (DPO). This role acts to independently oversee corporate compliance. In its 2016 Guidance, however, the Article 29 Working Party went so far as to recommend voluntary designation of a DPO when GDPR does not specifically require it.

The guidance also indicated that the terms “large scale” and “core activity” as they pertain to the DPO requirement will also be broadly interpreted. Regulators will consider a number of factors including the volume of data, its geographic breadth, and its importance to a company’s operations. The Article 29 Working Party clarified this point by way of example: “the core activity of a hospital is to provide health care. However, a hospital could not provide health care safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.” Following this example, organizations operating in highly regulated industries, such as healthcare, financial services, insurance and consumer businesses, should anticipate the need to hire a DPO.

A GDPR architect – a CTO, CISO, CIO, data privacy lawyer, compliance officer, or all of the above – may also be required, however. As Rustici warned, “Think of a DPO as a ship’s captain and of a GDPR architect as the naval engineer. [T]o set sail to the seas you rely on a good captain, who can chart a course and avoid thirty-foot waves; but to build or make a ship sea-worthy, and ensure that it can withstand even thirty-foot waves, you first rely on a good naval engineer.”

Other Initiatives

Ensuring data portability and enabling data mapping, budgeting across the organization for GDPR, and designating the DPO and other important roles are only three of the most prominent steps U.S. multinationals are taking in the new year. Other top priorities could include reviewing and revamping privacy policies, examining procedures to ensure consent for collecting/processing personal data, and improving vendor management programs. Many organizations are also considering data localization, including moving data centers to Europe, while others are assessing the viability of transitioning operations out of Europe altogether.


On Wednesday, the United States and Switzerland struck a new “Privacy Shield” agreement that mirrors the U.S.-EU Privacy Shield framework. It will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements.

The deal replaces an existing safe harbor agreement, which has been in question since the Schrems decision was issued in October of 2015. Companies with Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12. The 90-day delay is intended to provide companies with time to review the new Swiss principles and the commitments they entail.

Ken Hyatt, the acting Under Secretary of Commerce for International Trade, praised the accord, saying it “will enhance transatlantic data protection and support the continued growth of U.S.-Swiss commercial ties, which included two-way direct investment totaling more than $410 billion in 2015.”

And Swiss officials echoed the sentiment, highlighting that the deal aligns with the U.S.-EU Privacy Shield framework, and imposes stronger obligations on U.S. companies to protect the personal data of Europeans. Like the U.S.-EU framework, this new deal also requires more stringent monitoring and enforcement by the Department of Commerce and the Federal Trade Commission.