Privacy and data security professionals worldwide should circle September 1 on their calendars, as it’s the day Russia’s new data localization law goes into effect – and possibly generates major waves far beyond Russian shores. That’s because the law has significant implications for companies that collect personal information from Russian citizens, even if those companies do not have any physical presence within Russia. This post provides an overview of data localization laws generally, with a special focus on Russia’s law and its potential effects.
In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide.
We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that control personal data about them (“data controllers”) to delete all such data and abstain from further disseminating it. A data controller is required to act on an individual’s request to delete their personal data without delay unless they have a legitimate reason for not doing so. A series of European Court rulings established that search engines such as Google qualify as “data controllers,” and that search engines can be required to “delist” links to content as a means of preventing that content from being disseminated. Most surprising, however, is the suggestion in these rulings that Google can be required to delist links from all Google domains, not just from domains in the E.U. or in specific E.U. countries.
In a move that may strike fear into the hearts of mobile phone owners everywhere, the Sixth Circuit recently ruled that a person’s “pocket dials” – those inadvertent calls made from a person’s mobile phone, generally when the phone is in its owner’s pocket, and alternatively referred to as “butt dials” – may not be entitled to an expectation of privacy.
On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.” The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears about data security.
Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification. Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.
In addition, no later than October 1, 2017, health insurers, pharmacy benefit managers and certain other entities regulated by the Connecticut Insurance Department must implement and maintain a “comprehensive information security program” to protect personal information. While the requirements generally track HIPAA obligations that will likely already apply to these entities, the new requirements go further, for example by requiring encryption of all personal information transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a portable device, specified secure authentication and access protocols, and imposition of disciplinary measures for employees who violate the security policies or procedures. Under the security program, the entities must also prevent terminated, inactive, or retired employees from accessing personal information.
New requirements with respect to state contractors will also take effect. Beginning in July 2015, state agencies must require in every written agreement that private contractors implement and maintain a “comprehensive data-security program.” Among other requirements, contractors will be prohibited from storing data on stand-alone devices (such as flash drives or laptop notebooks) unless expressly permitted to do so in the state contract, and contractors, not the State, must bear any added expense associated with implementing the data security program. In addition, the written agreement must stipulate how costs of data breach notification will be allocated between the state agency and the contractor.
With respect to enforcement, the Attorney General continues to have authority over data breach notification. The Act also newly empowers the Attorney General to bring civil suit against a contractor in breach of the new comprehensive data-security program law, while the Secretary of the Office of Policy and Management may require contractors to take additional security protections where the type and amount of information warrants such protection. With respect to health insurance entities, the Insurance Commissioner will enforce the new data security requirements.
Companies doing business in Connecticut or contracting with the State of Connecticut should carefully review the added data security and breach notification measures and consider whether revisions of current policies are necessary to comply with the state’s stringent new requirements.
Special thanks to Proskauer summer associate Krista L. White for her contributions to this post.
S.B. 949 (Ct. 2015).
“Statement from AG Jepsen on Final Passage of Data Breach Notification and Consumer Protection Legislation,” Connecticut Office of the Attorney General, http://ct.gov/ag/cwp/view.asp?A=2341&Q=566508 (last visited July 13, 2015).
In City of Los Angeles v. Patel, the Supreme Court invalidated a Los Angeles law that allowed law enforcement officials to inspect hotel and motel guest registries at any time, without a warrant or administrative subpoena. The Court ruled that the law violated hotel owners’ Fourth Amendment rights because it “penalizes them for declining to turn over their records without affording them any opportunity for pre-compliance review.”
In reaching its decision, the Court also announced two findings with implications for future lawsuits brought under the Fourth Amendment:
- Facial challenges to statutes are permitted under the Fourth Amendment
- Hotels and motels do not fall under the “pervasively regulated” exception to the warrant requirement
When are U.S. social media companies subject to European data privacy laws? As we reported in 2013, the answer is often contingent on geographic location – where the relevant data is processed. In 2013, for example, a German court ruled that Facebook was not subject to German data protection laws because the relevant data was processed in Ireland, not Germany.
However, in 2014, a different German court at the same level found, in a separate case, that Facebook could be subject to German data protection laws, finding that the relevant data was processed outside the E.U. in the United States rather than Ireland.
But geography isn’t everything. As an Austrian court decision last week makes clear, the location of data processing is not the only potential hurdle for would-be plaintiffs bringing suit against U.S. companies in the E.U. The Vienna Regional Court dismissed a case against Facebook, not because of national borders, but because of the identity of the plaintiff and how he used his Facebook accounts.
Connecticut has joined a list of twenty-one states with a statute designed to preserve the privacy of personal online accounts of employees and limit the use of information related to such accounts in employment decision-making. Legislation directed to online privacy of employees has also passed this year in Montana, Virginia, and Oregon, and such legislation is pending in a number of other states.
A brief rundown of developments in recent weeks in the area of EU data protection law:
EU Data Protection Regulation
On Monday, June 15, the EU Council (comprised, for purposes of data protection reform, of the justice ministers from each of the EU member states) reached an agreement on a draft data protection regulation, marking an important milestone in the ongoing effort to reform and modernize data protection law in the EU. (This development follows the European Commission’s publication of a proposed regulation in January 2012 and the European Parliament’s official agreement to a “compromise” version in March 2014.) Beginning this week, these bodies will begin negotiations to reconcile the three versions with a stated goal of promulgating a final regulation by the end of the year. The regulation will replace the 1995 Data Protection Directive and, once it comes into force, will apply directly in each of the EU member states, creating greater uniformity across the EU in respect of data protection standards.
Check back here next week for an overview of the key differences (and, thus, areas for negotiation) among the positions promulgated by the Commission, Parliament and Council.
As we recently reported, the US and EU continue to negotiate reforms to the US-EU Safe Harbor. It was announced earlier in June that progress is being made, and one EU official told the Wall Street Journal at that time that US officials were being given “another month” to address the EU’s concerns. As we’ve reported in the past, US government access to personal data appears to remain a sticking point.
Concurrent with these negotiations, the European Court of Justice (“ECJ”) also has been considering a broad challenge to the Safe Harbor in the case of Schrems v. Facebook Ireland Ltd. The plaintiff in that case has argued that, given the NSA/Snowden revelations, the Safe Harbor (upon which Facebook—like many other US-based companies—relies to transfer and hold users’ personal data in the US) could not provide adequate protection as a matter of EU law. The ECJ is considering, among other questions, whether a data protection authority can investigate an individual’s claim that the US does not adequately protect data transferred from the EU or whether it must accept as a matter of law that Safe Harbor compliance means data is adequately protected. The case has the potential to have far-reaching effects if the ECJ were to reach the merits of the sufficiency of the Safe Harbor program (as opposed to simply addressing whether the Irish data protection authorities may investigate and/or punting in light of the ongoing reform negotiations). An opinion was originally scheduled to be issued on June 24, 2015, but it was disclosed last week that the opinion will be delayed, and no new publication date has yet been announced.
**This post also appears on Proskauer’s International Labor and Employment Law Blog.**
On Thursday, the Digital Advertising Alliance (“DAA”) announced that it will enforce its previously issued “Application of Self-Regulatory Principles to the Mobile Environment” (the “Mobile Guidance”) beginning September 1, 2015.
Although the Mobile Guidance was initially issued in July 2013, enforcement was delayed pending the DAA’s implementation of an effective choice mechanism for the mobile environment. In February 2015, the DAA released two mobile tools for consumers – the “AppChoices” mobile application and the “DAA Consumer Choice Page for Mobile Web.”
The Mobile Guidance clarifies how the existing Self-Regulatory Principles for Online Behavioral Advertising and MultiSite Data (collectively, the “Self-Regulatory Principles”) apply to mobile web sites and applications. In particular the Mobile Guidance addresses:
- privacy notice, enhanced notice, and controls (opt-out mechanism) for data collected from a particular device regarding application use over time and across non-affiliate applications (“Cross-App Data”);
- privacy notice, enhanced notice, and controls (opt-in consent) for data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device (“Precise Location Data”); and
- transparency and controls (opt-in consent) for calendar, address book, phone/text log, or photo/video data created by a user that is stored on or accessed through a particular device (“Personal Directory Data”).
After September 1, any entity that collects and uses Cross-App Data, Precise Location Data or Personal Directory Data will be required to demonstrate compliance with the Mobile Guidance, or risk being subject to the DAA accountability mechanisms. The Mobile Guidance will be enforced by the Council of Better Business Bureaus (“CBBB”) and the Direct Marketing Association, the same two entities that have had oversight of the Self-Regulatory Principles since 2011. During that period the CBBB has issued 29 Accountability Program decisions regarding advertisers, ad publishers and ad networks.
On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:
- Under the current law, businesses and agencies that own or license computerized data including personal information about a Washington resident must disclose any breach in the security of the system involving such personal information that is unencrypted. H.B. 1078 expands this requirement to include:
  - both computerized and hard copy data that contain personal information that is not “secured”; and
  - encrypted information when the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the “secured” data. The amendment also provides a standard for encryption.