Inside the Privacy Shield Annual Review
News and analysis that matters for privacy and data security.
Federal US News
Dozens of senior US and EU government officials were joined by officials from data protection authorities in Austria, Bulgaria, France, Germany and Hungary to discuss whether the Privacy Shield framework is functioning as intended. Many of the officials in the room have remained the same year to year, which has helped avoid a rehashing of first principles.
“With every successive review, both sides have gained a greater understanding of where each other are coming from and their experiences and processes,” Privacy Shield Director Alex Greenstein said. “We are definitely moving past the phase of mutual education and into exchanging experience and cooperating and finding common ground.”
As review participants welcomed the strides that have been made, they also recognized the hurdles that lie ahead. The US government and the European Commission are both participating in the Schrems II case before the Court of Justice of the EU, which challenges the standard contractual clauses (model contracts) and raises questions about Privacy Shield. There is no doubt that case is top of mind for review participants.
FTC Settles Allegations of Falsely Claimed Participation in Privacy Shield
In separate actions, the FTC alleges that management software provider DCR Workforce; cloud-based file transfer software provider Thru; LotaData, which provides analysis of mobile users’ data; and facial recognition software provider 214 Technologies all falsely claimed in statements on their websites that they were certified under the EU-US Privacy Shield framework. While each submitted applications under the Privacy Shield, all four companies failed to complete the necessary steps to obtain certification.
The FTC also alleges that statistical analysis and support services provider EmpiriStat falsely claimed it was a current participant in the Privacy Shield after allowing its certification to lapse in 2018. As part of the proposed settlements with the FTC, all five companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.
In addition, EmpiriStat must also continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information.
FTC Gives Final Approval to Settlement with Auto Dealer Software Company
Following a public comment period, the FTC approved a final order settling charges against an Iowa-based auto dealer software provider, LightYear Dealer Technologies LLC d/b/a DealerBuilt, that allegedly failed to take reasonable steps to secure consumers’ data, leading to a breach that exposed the personal information of millions of consumers.
The FTC alleged that the company failed to implement readily available and low-cost measures to protect the personal information it obtained from its auto dealer clients, leading to a breach of their backup database beginning in late October 2016, when a hacker gained access to the unencrypted personal information of about 12.5 million consumers. Among other things, the settlement order requires DealerBuilt to implement specific safeguards, such as obtaining third-party assessments of its information security program every two years. We previously reported on this enforcement action here.
State US News
Customer Says Company’s Silence Caused Harm in Data Breach
Illinois consumer Nik Turik claims Michigan-based Carl’s Golfland Inc. put its customers at risk for identity theft or fraud by staying quiet when its online shop suffered a data breach. Golfland learned in June that its databases had been breached but waited two months to tell customers their financial and personal information had been compromised.
According to the suit, hackers obtained credit card information, including card numbers, expiration dates and CVV numbers, as well as addresses, shipping information, email addresses and phone numbers. Turik filed his lawsuit the day after the company announced its system was compromised, claiming the company’s two-month silence surrounding the data breach “deprived consumers of the opportunity to take immediate precautionary measures to protect themselves from identity theft and fraud.”
Turik seeks to represent himself and all other consumers nationwide whose personal information has been compromised as a result of the data breach. He asks a court to award him and the proposed class compensatory, consequential and nominal damages as well as statutory damages allowed under Michigan law.
Privacy Activist Launches New California Ballot Initiative for 2020
The activist who spurred California to adopt the CCPA is readying for another battle: a new ballot initiative that would be even tougher on tech giants and other big businesses that collect personal information. The initiative, if passed, could grant web users in California new rights around their sensitive information, such as health and financial records or precise location.
Consumers would have to give their permission before such data could be sold, and they’d gain the ability to block companies from monetizing those sensitive insights through targeted ads. The proposal also includes the creation of a new agency in California to enforce privacy protections, along with tougher penalties for mishaps involving kids under age 16, and it would require companies to demystify their powerful, secret algorithms when such software is used to profile a person.
EU News
Covert Recording in Smartphone Era: What do Employers Need to Consider?
The UK Employment Appeal Tribunal (EAT) recently dealt with an employee making a covert recording during an HR meeting, and the case sets out some issues for employers to consider. Following an internal restructure, a payroll officer for Phoenix House became distressed and believed she had been treated differently throughout the process. After an incident at work, she attended a meeting with HR, which she covertly recorded on her mobile phone. The employee was ultimately dismissed for other reasons and brought an unfair dismissal claim.
The EAT decided she had been unfairly dismissed; however her award was reduced by 30%, 10% of which was attributed to the covert recording. Phoenix House appealed, arguing that the covert recording was a breach of the implied duty of trust and confidence, which amounted to gross misconduct. If they had known about it they would have dismissed her—the tribunal award should therefore be reduced by 100%. The EAT upheld the employment tribunal’s decision to only apply a 10% reduction of the award, considering:
- The employee was flustered in making the recording, not entirely sure it would be successful;
- The content of the meeting had not been highly confidential and would have been transcribed in any event;
- The recording contained elements detrimental to her own case.
Finally, the EAT discussed the fact that covert recording equipment is now readily accessible to employees, with the vast majority of individuals now carrying mobile phones with audio and video recording capabilities.
Global News
Equifax Breach Prompted Privacy Culture Shift
Equifax’s 2017 data breach marked a “once in a corporate lifetime event” that led the credit reporting giant to take a fresh look at and revamp how it handles personal data. Nicholas Oldham, who was tapped in December 2017 to serve as Equifax’s first chief global privacy and data governance officer, has worked during the past two years to better align and standardize the company’s data management approach.
Oldham said the company recognized that, given the growing privacy law landscape around the world and the increasing connectivity of data, it was in a different environment than ever before, and that the ultimate goal was to “look at our practice holistically” and build a framework able to adapt to this changing landscape. Oldham said he leans heavily on the voluntary privacy framework developed by NIST. Equifax is an early adopter of the framework, which is still under development and is designed to help organizations better identify, assess, manage and communicate about privacy risks.
Clicking “Unsubscribe” in Spam Emails Can Carry Risks
Clicking the “unsubscribe” button could come with a risk—some scammers rely on your click to access even more of your information. According to a blog run by a computer tech, you shouldn’t click the unsubscribe button in any questionable spam emails, as doing so can have multiple negative consequences. For one, it can confirm that your email address is indeed valid, which will likely prompt a spammer to continue contacting you, at the very least. Furthermore, clicking the unsubscribe button in a spam email can also sometimes result in you being linked to spam websites, including ones that can download viruses to your computer or encourage you to participate in some type of fraudulent online activity.
Instead of clicking unsubscribe, mark the message as spam in your inbox. This should cut down or eliminate the messages you get from that address. If this doesn’t work, you can also set up a filter to automatically remove similar spam emails rather than clicking unsubscribe. That being said, if you want to unsubscribe from an email list that you know is from a legitimate company, it’s usually okay to click the unsubscribe link. Just make sure that when you hover over the unsubscribe link, it goes to a web address associated with the company or person who sent you the email.
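The hover-and-check step above can be automated: pull the unsubscribe links out of a message and test whether each link’s hostname belongs to the domain of the From address. The script below is an added example written for this article, not code from the blog it cites; the two messages, every domain in them (example-shop.com, example-bank.com, unsub-tracker.xyz) and the function names are constructed for illustration.

```python
"""Check whether an email's unsubscribe links point at the sender's own domain.

Added example for the "hover over the link" advice: illustration code, not the
blog or any tool the article cites. Both messages and every domain in them are
constructed samples.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample 1: the unsubscribe link lives on a subdomain of the sender.
LEGIT_MESSAGE = """\
From: Newsletter <news@example-shop.com>
To: you@example.net
Subject: Weekly deals
List-Unsubscribe: <https://mail.example-shop.com/unsub?u=123>
Content-Type: text/html

<html><body><p>This week's deals...</p>
<a href="https://mail.example-shop.com/unsub?u=123">Unsubscribe</a>
</body></html>
"""

# Constructed sample 2: the hostname merely starts with the sender's domain;
# it actually belongs to unsub-tracker.xyz, a made-up third party.
SUSPICIOUS_MESSAGE = """\
From: "Example Bank" <alerts@example-bank.com>
To: you@example.net
Subject: Account notice
Content-Type: text/html

<html><body><p>To stop these notices,</p>
<a href="http://example-bank.com.unsub-tracker.xyz/u?id=9">unsubscribe here</a>
</body></html>
"""

# Captures (href, anchor text) of every <a> element in an HTML body.
ANCHOR_RE = re.compile(r'<a[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def sender_domain(msg):
    """Domain part of the From address; the display name is ignored on purpose."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def host_belongs_to(host, domain):
    """True when host is the sender domain itself or one of its subdomains.

    Plain suffix matching (not public-suffix aware) is enough to expose the
    "sender domain used as a prefix" pattern in sample 2.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def unsubscribe_urls(msg):
    """Collect unsubscribe URLs from the List-Unsubscribe header and body links."""
    urls = []
    for item in msg.get("List-Unsubscribe", "").split(","):
        item = item.strip().strip("<>")
        if item.lower().startswith(("http://", "https://")):
            urls.append(item)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url, label in ANCHOR_RE.findall(text):
        if "unsub" in url.lower() or "unsub" in label.lower():
            urls.append(url)
    # De-duplicate while keeping first-seen order.
    return list(dict.fromkeys(urls))


def check_unsubscribe_links(raw_message):
    """Return [(url, belongs_to_sender)] for every unsubscribe link found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    return [(url, host_belongs_to(urlparse(url).hostname or "", domain))
            for url in unsubscribe_urls(msg)]


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        for url, ok in check_unsubscribe_links(raw):
            verdict = "matches sender" if ok else "MISMATCH, mark as spam instead"
            print(f"{name}: {url} -> {verdict}")
```

A mismatch is a reason to fall back on the “mark as spam” route, not proof of fraud on its own: many legitimate senders route unsubscribe traffic through an email service provider’s domain, so a practitioner would pair this check with sender reputation or an allow-list of known providers before drawing conclusions.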