Swiss-US Privacy Shield

In July, we reported that the EU Court had invalidated the viability of the US-EU Privacy Shield (EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!).  A few weeks ago (September 8, 2020), the Swiss Federal Data Protection and Information Commissioner (FDPIC) also decided to remove the United States from a list of nations that are considered to be providing “adequate level of data protection.”

Unlike the EU Court’s decision, the decision by the Swiss FDPIC does not automatically invalidate the applicability of the Privacy Shield, because the list of countries deemed adequate is technically not legally binding. That said, if your company is relying on the Swiss-US Privacy Shield to continue to transfer data from Switzerland to the United States, it would not be prudent to assume these transfers will continue to be viewed as complying with the adequate protection standards under Swiss law.  It seems to make sense to re-assess the risks and start relying on corporate policies and regulations, as well as legally binding contract clauses, to ensure they are consistent with Swiss data protection law.

Even when the company policies and contract provisions are properly constructed, there still remains the risk that these protections may be considered inadequate.  For example, if local authorities have the right to obtain the data without safeguards and legal protections consistent with those required under Swiss regulation, the transfer may be considered in contravention of Swiss law.  Similarly, if the entity to which the data is being transferred is not legally obligated, for any reason, to cooperate with the enforcement requirements that may apply under Swiss law, this too creates a problem.  While encryption technology exists that can ensure no personal data can become available in another country, that approach only makes sense for pure storage capability (e.g., cloud-based storage) but NOT if the data is intended to be used, displayed or otherwise handled in another nation.

While further guidance and information may ultimately be promulgated by the FDPIC, at present, a review of current procedures and data transfers, the exercise of caution and consideration of implementing additional steps to deal with this development in Switzerland, as with the EU Court decision, seems to be a prudent course of action.

At Rimon Law, our professionals are available to answer questions about these developments, so feel free to contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work for information about this or any other matters.

Bond Meets Bond Street: Mannequins are Watching You Shop

An Italian company, Almax S.p.A., is selling a mannequin (price tag about $5,000) in a development that is being closely watched – literally – by retailers, consumers and, of course, regulators and privacy gurus. The new product, marketed as the EyeSee Mannequin, contains a camera embedded in the mannequin’s eyes, and according to the company’s website: “This product will do much more; it would make it possible to ‘observe’ who is attracted by your windows and reveal important details about your customers: age range; gender; race; number of people and time spent.”

In Europe and the United States, the mannequins are making sporadic appearances – perhaps in showrooms and even in street-side display windows, gathering data as people saunter by the store gazing into the windows. According to reports, Almax may also be testing auditory capabilities that would allow a mannequin to not only see, but to hear what customers are saying as well. Hey, did you just call that mannequin a dummy?

(Image from Almax Website)

The EyeSee Mannequin has a camera placed as an “eye” that includes facial recognition technology that records information about passersby, such as their gender and race, and the software guesstimates the approximate age of each person scanned by the camera. Typically, cameras can be used in retail stores for security, but in many jurisdictions the shop owners are required to post signs alerting consumers browsing the aisles that they are subject to being recorded. Now, the EyeSee Mannequin gives retailers the ability to collect and store information for marketing purposes – a commercial purpose that may put the technology squarely under a microscope (these vision puns really must stop), since it collects personal data about individuals without their consent. That said, the current product is only supposed to record information, not any actual photographs or image scans, but . . . it could, couldn’t it?

Need to know more about the legal implications of technology in advertising and marketing? Concerned about your rights (and wrongs) in deploying surveillance equipment and gathering data and information about customers and consumers? Are you up-to-date on the latest privacy and compliance requirements? Not sure? Need to see these issues more clearly? OK, don’t be a dummy (I mean mannequin) and consult your lawyer. Don’t hesitate to contact me, Joseph I. Rosenbaum, or the Rimon lawyer with whom you regularly work. We would be happy to see you, hear you and help you.

Payment Card Industry Takes a Swipe at Virtual Security

Someone in the payment instrument, payment processing, or payment systems environment must be living under a rock if he or she has not heard of or been affected by the Data Security Standards (DSS), or “PCI-DSS” as it has been referred to in the industry, promulgated and released by the Security Standards Council of the Payment Card Industry Association (PCI). Although the original impetus for the credit-card-driven security standards was combating identity theft and credit card fraud in the wake of the data breaches and compromised (or potentially compromised) databases containing sensitive consumer payment account information, the standards have become the de facto starting point for any compliance security standard in the payment industry.

Last week, the PCI Security Standards Council released new comprehensive guidelines for PCI compliance in virtual cardholder data environments, dealing with consumer payment system and payment transaction security in a virtual environment. Rimon lawyers who work in this area consistently, and who have a wealth of experience with information security and financial services, have put together a client alert entitled: "Is the PCI Security Standards Counsel Preparing for Cloudy Weather?"

Credit, debit and prepaid cards; smart cards and chip cards; gift cards and stored value cards; co-branded cards and loyalty rewards programs; corporate cards, fleet cards and purchasing cards; data protection and privacy; information security, identity theft and data breaches; micro, digital and virtual payment systems – E-Commerce; the Fair Credit Reporting Act; Regulation E; Regulation Z; the Credit Card Act of 2009 (see Credit Card Act of 2009: Act I, Scene 1, or just search the Legal Bytes blog)! Do any of these terms apply to you? Talk to us. It’s what we do. Contact any of the lawyers listed in the Alert, contact me, or contact the lawyer at Rimon with whom you routinely work, and we will make sure we help you or connect you to someone at Rimon who will be happy to do so.

China Announces State Internet Information Office

This post was written by Joseph I. Rosenbaum, Frederick H. Lah, Zack Dong and Amy S. Mushahwar.

On May 4, 2011, the Chinese government announced it was establishing the State Internet Information Office, an office dedicated to managing Internet information. According to the announcement, this office will be responsible for directing, coordinating, and supervising online content management. The office will also have enforcement authority over those in violation of China’s laws and regulations (see, for example, China sets up office for Internet information management). While there are reports that many believe the purpose of the new office will be to censor political and social dissidents (see China Creates New Agency for Patrolling the Internet), the office may also have a key role in thwarting illegal spamming and other dubious data practices.

Further, many see the establishment of this office as another step forward for the Chinese in terms of establishing their own data-protection regime. China has long been considered to be lagging behind other countries in terms of its data-protection standards (quite possibly by design), and with no comprehensive data privacy law, businesses have had little guidance concerning the handling of personal data. China published the draft Personal Information Protection Measures in 2005, but those Measures have not yet been adopted and little progress seems to have been made since then. However, in February 2011, China issued a draft of the “Information Security Technology – Guide of Personal Information Protection” (“Guidelines”) to address the lack of guidance and standards surrounding online information practices in China. The Guidelines include standards with respect to collecting, processing, and using data, and there are provisions related to the transfer of data to third parties. While the Guidelines are technically non-binding, they still provide important guidance for businesses in China on how to protect the online information of China’s citizens. With the Guidelines still under review, Rimon lawyers will continue to monitor developments to see what form the Guidelines will take in the future.

If you have or are considering a presence in China, you need to know and be attentive to many things, if you are to succeed in the Chinese marketplace. That’s why you should contact Frederick H. Lah in our Princeton office, Zack Dong in our Beijing office, Amy S. Mushahwar in our Washington, D.C., office, me, or the Rimon lawyer with whom you regularly work. When you need legal guidance or have questions about regulations that apply online, on the Web, and across the Internet, in almost any part of the world, let us know. We are here to help.

Sens. Kerry & McCain Introduce Commercial Privacy Bill of Rights Act

Sens. John Kerry (D-Mass.) and John McCain (R–Ariz.) have introduced a bill in Congress to legislatively enable a statutory bill of rights for consumers with respect to commercial privacy. You can read the full text of the Commercial Privacy Bill of Rights Act of 2011 (PDF), and Rimon will have a more complete analysis for your reading enjoyment soon; but the bill clearly intends to require that as little data about an individual be collected as possible, and to give individuals a right to know how their information is being used. At first reading, the bill does not provide a private right of action, but does contemplate a self-regulatory program, perhaps a nod to the industry initiative that is highlighted in a recent Legal Bytes posting, “OBA Self-Regulatory Initiative Gets Boost from Yahoo! & Google.” You can search for privacy, behavioral advertising and/or self-regulatory on our site and you will find more about this on the Legal Bytes blog.

It may be too early to tell just how much faith Congress has in the industry initiative. That said, it would seem somewhat foolish – given that the FTC and many Congressional leaders have argued for and applauded industry self-regulatory measures – not to afford an industry-sponsored, dynamic, self-regulatory program, a chance to work. As we’ve seen so many times before, along with the technology, consumers’ expectations of privacy, their tastes, commercial needs and sensitivities often change rapidly.

As always, if you need guidance for your advertising and marketing efforts, or privacy and data-protection counsel from lawyers who have experience and resources aligned to deal with these issues every day, feel free to call me, Joseph I. (“Joe”) Rosenbaum, or any of the Rimon attorneys with whom you regularly work.

Mobile Marketing & Privacy – Gnus from DataGuidance

In connection with an announcement by the Mobile Marketing Association, Joe Rosenbaum was interviewed by London-based Rita Di Antonio, Journalist and Editor of DataGuidance (and Managing Editor of Data Protection Law & Policy), a publication of Cecile Park Publishing Ltd. You can read the article online, “MMA to discuss ‘comprehensive mobile privacy guidelines’ during January forum”, or download your own copy in PDF format.

Privacy & Data Security Bills After the Midterm Elections

The midterm elections will likely result in a shift of political power within the House of Representatives. The resultant divided government is likely to impact the current ambitious privacy and data security legislative agenda. Rimon Washington D.C. Data Privacy, Security & Management attorneys Judith Harris, Christopher Cwalina, and Amy Mushahwar have published an analysis of their predictions for 2011 legislative priorities as the incoming crop of legislators move from campaign mode to governance. Please see their article in Information Security.