First Joint Consultations May Foreshadow Effectiveness of Privacy Shield

– Stephen Díaz, Partner, Rimon, P.C. & Claudio Palmieri, Of Counsel, Rimon, P.C. (Principal, Studio Legale Palmieri – Rimôn Italia)

On October 6, 2015, the Court of Justice of the European Union invalidated the so-called “Safe Harbor” that previously governed data transfers between the U.S. and the EU (Case C-362/14 – Maximillian Schrems v. Data Protection Commissioner, 6 October 2015).

As you already know if you read our Legal Bytes posting in May concerning the US-EU Data Transfer Privacy Shield, personal data cannot be transferred from the EU to a non-European Union/European Economic Area country unless that country can ensure “adequate levels of protection” for such personal data. While the European Commission had identified a number of countries that met the “adequate protection” test, the United States was not one of them, and without the Safe Harbor understandings, transatlantic exchanges of data – both for commercial and national security reasons – were at risk of being non-compliant with EU regulations! In an attempt to temporarily address the data transfer issues, the EU and the U.S. proposed a new framework for exchanges of personal data for commercial purposes, known as the EU-U.S. Privacy Shield (“Privacy Shield”), which was formally launched on July 12, 2016.

Further complicating matters, a new EU General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. In furtherance of a formal and more permanent agreement under the Privacy Shield and in contemplation of the new regulations, representatives of the U.S. and the EU have announced they will meet in Washington, DC during the week of September 18, 2017, for the first Annual Review of the Privacy Shield. In advance of the meeting, the EU’s official Working Group (WP29) sent the European Commission its recommendations and, consistent with previous pronouncements, believes the meeting should focus on enforcement of rights and obligations, as well as changes in U.S. law since the adoption of the Privacy Shield. WP29 recommended that discussions focus on these issues and that any formal agreement must deal with commercial as well as law enforcement and national security access.

These concerns and considerations are explored in more detail in our full Client Alert: No Certainty in Future of Privacy Shield as Transatlantic Consultations Set to Begin and it is clear that the September consultations may well be an indication of whether the Privacy Shield will prove an adequate regulatory regime for the transatlantic transfer of personal data and whether meaningful progress is likely in the current environment.

If you would like more information, a better understanding or need guidance regarding compliance with these regulations, contact Stephen Díaz Gavin, a Rimon Law Partner based in Washington, DC, or Claudio Palmieri, who is of counsel to Rimon, P.C. and the principal of Studio Legale Palmieri – Rimôn Italia in Rome, Italy. Of course you can always contact me, Joe Rosenbaum, or any of the lawyers at Rimon with whom you regularly work.

 

Thought Leadership

Thought leadership is a state of being in which one or more individuals articulate innovative ideas – ideas that stimulate thought and are futuristic or leading-edge.

Thought leadership requires confidence and a willingness to share ideas in the form of insights and principles that inform and guide future considerations.

Thought leadership is often controversial. New or different ideas, like innovative technology, can cause evolutionary change, but can also create disruptive or revolutionary change.

Although not all thought leadership must be actionable, it is often the basis for a re-evaluation of existing pathways, and a guidepost for new roads ahead.

Annual Registrar Summit – Take the Fifth (Amendment or Bourbon – What’s In A Name?)

Just last Thursday, I had the joy of attending and presenting at the Fifth Annual Registrar Summit (2012) sponsored by GoDaddy.com. A great group of people gathered to discuss the current state of domain name registration. Kicked off by a terrific “how to properly hold a meeting of competitors without running afoul of anti-trust and competition laws” presentation by Chris Compton, the topics ranged from what ICANN is up to these days, to discussions of authentication, security, phishing, malware and what the domain name registration community is trying to do about it.

As I always attempt to do, when permitted, I post a PDF version of my presentation for all to read, and, if you choose, to download a personal copy in PDF form. So, without further ado – feel free to browse through “What’s in a Domain Name? Registration by Any Other Name Would Still Create Legal Issues” (subtitled “Clouds, Mobile & Internet Domains – What Me Worry?”) [PDF]. (The embedded videos have file sizes that are too large to include – so next time show up in the audience and you’ll see them.)

If you want to know more about anything covered in the presentation, or if you need counsel or help navigating the legal issues, feel free to call me, Joseph I. (“Joe”) Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

IAPP Privacy Presentation – Is the Wizard of Oz Still Behind the Curtain?

On May 10, 2012, I had the privilege of making a presentation at the IAPP Canada Privacy Symposium 2012. The title of my presentation was "Social and Mobile and Clouds, Oh My!" and it addressed some of the emerging issues in privacy, data protection and surveillance that arise as a result of globalizing technology and the convergence of social media, mobile marketing and cloud computing.

As part of that presentation (and as I have started to do for some time now in other presentations), I raised the issue of how lawyers, the law, legislators and regulators often use words to describe activities – words rooted in tradition or precedent – that are no longer applicable to the activity in today’s world. "Privacy" is such a word, although "not applicable" perhaps is too harsh. Obviously the word has significant applicability in a wide variety of situations. But "invasion of privacy" has become a knee-jerk reaction to virtually every information-gathering activity, even information readily and publicly available and, in some cases, posted, disclosed or distributed by the very individual whose privacy is alleged to have been "invaded."

Please feel free to download a PDF of my presentation, "Social and Mobile and Clouds, Oh My!" [PDF] (Note: Embedded video file sizes are too large to include), and let’s start a conversation about how we use words and how they wind up in laws and regulations. Lawyers work with words. Use them artfully and they provide powerful structures within which society, commerce and all forms of human endeavor function. Use them improperly and they cause confusion, uncertainty, inconsistency and inherently inequitable outcomes.

Seems like I am not the only one to point this out. Take a look at the insightful comments by John Montgomery, COO of GroupM Interaction, North America, as reported in a MediaPost RAW posting on Social Media entitled: If Marketing Terms Could Kill.

Kudos John. I’m with you. Let’s get it right.

FYI, Rimon has teams of lawyers who have experience and follow developments in privacy and data protection, information security and identity theft. If you want to know more, if you need counsel or need help navigating, or if you require legal representation in this or any other area, feel free to call me, Joseph I. ("Joe") Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

White House Releases Privacy Report and Calls For a Consumer Bill of Rights

Earlier today, Secretary of Commerce John Bryson and Federal Trade Commission Chairman Jon Leibowitz outlined the Obama administration’s strategy for ensuring “consumers’ trust in the technologies and companies that drive the digital economy.” On the heels of their announcement, and although it is dated January 2012, the Department of Commerce released a long-awaited report entitled “Consumer Data Privacy in a Networked World, A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” the administration’s roadmap for privacy legislation and regulation in the years ahead.

The announcement and privacy blueprint envision a comprehensive and integrated framework for data protection, rather than the current sector-patchwork-quilt approach, built on four key pillars: (1) a consumer privacy bill of rights; (2) a multi-stakeholder process and approach dealing with how such a bill of rights would apply in a business context; (3) more effective enforcement; and (4) greater commitment to harmonization and cooperation in the international community.

The Report outlines the seven principles of its proposed Consumer Privacy Bill of Rights and, although calling for legislation and regulation to codify and memorialize these rights, also sets out consumer privacy standards that companies are asked to immediately and voluntarily adopt in a cooperative public-private partnership. These seven principles are:

  1. Individual Control Through Choice
  2. Greater Transparency
  3. Respect for Context
  4. Secure Handling
  5. Access & Correction Rights
  6. Focused Collection
  7. Accountability

The Report notes that a company’s adherence to the voluntary codes will be viewed favorably by the FTC in any investigation or enforcement action for unfair and deceptive trade practices. By implication, a company’s failure to adopt and follow these principles might be used as evidence of a violation of Section 5 of the FTC Act, even if federal legislation is not passed on the subject. The FTC is expected to soon release its Final Staff Report on Consumer Privacy that will be consistent with the Obama administration’s proposed Framework Report. The report reinforces the administration’s commitment to international harmonization, and also touches upon the role state attorneys general in the United States can play. While we are still reviewing the details – and more will likely be forthcoming from the administration in the weeks and months ahead – Legal Bytes will keep you on top of these developments as they arise.

You can read the entire report right here: Consumer Data Privacy in a Networked World, A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.

These are developments that affect all businesses, domestic and multi-national, global and local, consumers and regulators. The complexity and challenges of compliance should not be underestimated, nor should the administration’s commitment to follow the roadmap outlined. Rimon has teams of lawyers who have experience and follow developments in privacy and data protection, from prevention and policy to compliance and implementation. If you want to know more, need counsel, need help navigating, or if you require legal representation in this or any other area, feel free to call me, Joseph I. (“Joe”) Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

Payment Card Industry Takes a Swipe at Virtual Security

Someone in the payment instrument, payment processing, or payment systems environment must be living under a rock if he or she has not heard of or been affected by the Data Security Standards (DSS), or “PCI-DSS” as it has been referred to in the industry, promulgated and released by the Security Standards Council of the Payment Card Industry Association (PCI). Although the original impetus for the credit-card-driven security standards was combating identity theft and credit card fraud in the wake of the data breaches and compromised (or potentially compromised) databases containing sensitive consumer payment account information, the standards have become the de facto starting point for any compliance security standard in the payment industry.

Last week, the PCI Security Standards Council released new comprehensive guidelines for PCI compliance in virtual card holder data environments dealing with consumer payment system and payment transaction security in a virtual environment. Rimon lawyers who work in this area consistently and who have a wealth of experience with information security and financial services, have put together a client alert entitled: "Is the PCI Security Standards Counsel Preparing for Cloudy Weather?"

Credit, debit and prepaid cards; smart cards and chip cards; gift cards and stored value cards; co-branded cards and loyalty rewards programs; corporate cards, fleet cards and purchasing cards; data protection and privacy; information security, identity theft and data breaches; micro, digital and virtual payment systems – E Commerce; The Fair Credit Reporting Act; Regulation E; Regulation Z; Credit Card Act of 2009 (see Credit Card Act of 2009: Act I, Scene 1 or just search the Legal Bytes blog)! Do any of these terms apply to you? Talk to us. It’s what we do. Contact any of the lawyers listed in the Alert, contact me, or contact the lawyer at Rimon with whom you routinely work, and we will make sure we help you or connect you to someone at Rimon who will be happy to do so.

China Announces State Internet Information Office

This post was written by Joseph I. Rosenbaum, Frederick H. Lah, Zack Dong and Amy S. Mushahwar.

On May 4, 2011, the Chinese government announced it was establishing the State Internet Information Office, an office dedicated to managing Internet information. According to the announcement, this office will be responsible for directing, coordinating, and supervising online content management. The office will also have enforcement authority over those in violation of China’s laws and regulations (see, for example, China sets up office for Internet information management). While there are reports that many believe the purpose of the new office will be to censor political and social dissidents (see China Creates New Agency for Patrolling the Internet), the office may also have a key role in thwarting illegal spamming and other dubious data practices.

Further, many see the establishment of this office as another step forward for the Chinese in terms of establishing their own data-protection regime. China has long been considered as lagging behind other countries in terms of their data-protection standards (quite possibly by design), and with no comprehensive data privacy law, businesses have had little guidance concerning the handling of personal data. China published the draft Personal Information Protection Measures in 2005, but those Measures have not yet been adopted and little progress seems to have been made since then. However, in February 2011, China issued a draft of the “Information Security Technology – Guide of Personal Information Protection” (“Guidelines”) to address the lack of guidance and standards surrounding online information practices in China. The Guidelines include standards with respect to collecting, processing, and using data, and there are provisions related to the transfer of data to third parties. While the Guidelines are technically non-binding, they still provide important guidance for businesses in China on how to protect the online information of China’s citizens. With the Guidelines still under review, Rimon lawyers will continue to monitor developments to see what form the Guidelines will take in the future.

If you have or are considering a presence in China, you need to know and be attentive to many things, if you are to succeed in the Chinese marketplace. That’s why you should contact Frederick H. Lah in our Princeton office, Zack Dong in our Beijing office, Amy S. Mushahwar in our Washington, D.C., office, me, or the Rimon lawyer with whom you regularly work. When you need legal guidance or have questions about regulations that apply online, on the Web, and across the Internet, in almost any part of the world, let us know. We are here to help.

Do Not Track – Diving Deeper Into the Quicksand

Coming on the heels of a bill aimed at preventing children from being tracked, introduced by Rep. Ed Markey (D-Mass.) (see Rep. Markey Releases a Kids Do Not Track Discussion Draft Bill), Jay D. Rockefeller (D-W.Va.), Chair of the Commerce, Science & Transportation Committee in the U.S. Senate, today introduced a Do Not Track Online bill that would empower the FTC to promulgate rules “that establish standards for the implementation of a mechanism by which an individual can simply and easily indicate whether the individual prefers to have personal information collected by providers of online services, including by providers of mobile applications and services . . . ”

A copy of the proposed legislation is available here for you to download and read: Do Not Track Online Act of 2011 – Proposed Rockefeller Bill (PDF). Of course, if you need legal guidance, advice or representation as these bills are introduced and make their way through the legislative process, don’t hesitate to call us. We are here to help.

The Tip of the Iceberg – ‘Do Not Track’ Kids Bill Proposed

After several months of anticipation, Rep. Ed Markey (D-Mass.) released his Kids “Do Not Track” discussion draft bill. At face value, this bill appears to have a narrow focus of online behavioral activities toward children, which we normally define under the Children’s Online Privacy Protection Act (“COPPA”) as any individual younger than 13. However, such is not the case. This bill would amend COPPA to expand some marketing provisions to teens under age 18, and may, in effect, require better age screens, given teen savvy (and their propensity to lie about their age).

If enacted, this bill has the potential to create complications when marketing to the crucial college age and young adult market as more sophisticated age screens will require all to enter information that they might not want to share online.

To read the entire Rimon Alert and find out more, just check out Rep. Markey Releases a Kids Do Not Track Discussion Draft Bill.