Privacy Law Blog

Safe Harbor 2.0 Agreement Reached; New Program to be Named “Privacy Shield”

Yesterday, the European Commission announced that EU and US officials had reached an agreement to implement a program known as the EU-US Privacy Shield.  Privacy Shield is designed to be the successor to the Safe Harbor program, which the European Court of Justice (CJEU) invalidated last October.  The announcement brings some relief to the many companies that previously had self-certified their compliance with the Safe Harbor program and feared enforcement actions brought by European data protection authorities (DPAs) against those Safe Harbor adherents who had not adopted alternative means of legitimizing transatlantic data transfers after the CJEU’s decision.  However, as the Privacy Shield would not become effective for at least several more months, such enforcement actions are, theoretically, still possible.

Continue Reading

New Safe Harbor Deal Possible by February 1

Companies anxiously watching their calendars to see if a new Safe Harbor program will be introduced before the end of January may get their wish: yesterday, a European Commission official announced that the Commission will inform the European Parliament of the outcome of negotiations for a new Safe Harbor program by Monday, February 1.  This is especially welcome news for those Safe Harbor-certified companies that chose not to implement alternative legal mechanisms to legitimize their transatlantic data transfers (such as model contracts or binding corporate rules) after the Safe Harbor program was invalidated in October, and instead held out hope that a new agreement would be reached by the end of January – the point at which EU member states’ data protection authorities may start taking legal action against those companies engaging in unlawful cross-border data transfers.

Continue Reading

Baby You Can Drive My Car

Consumers can expect many benefits from their cars’ increased data collection programs, running the gamut from simple location services like GPS and OnStar to “networked” cars that can communicate their location with other cars on the road to prevent accidents. In the near-future, data collection will even allow cars to care for themselves: technologies currently exist that can spot and diagnose internal mechanical problems long before such problems would have become apparent to a cars’ owner, and cars are increasingly able to download patches directly from their automaker without ever needing to be taken to a mechanic.

As is usually the case when it comes to big data however, the benefits that come from increased collection also bring dangers. Speaking on a panel at the Washington Auto Show last Wednesday, Federal Trade Commissioner Maureen K. Olhausen advised the crowd that as the collection and disseminated of data by cars continues to increase, the automotive industry will need take reasonable steps to secure car owner and driver information or face the possibility of federal enforcement actions.

Continue Reading

An Ounce of Prevention…Is Tax-Free: IRS Expands Tax Relief to Pre-Data Breach Identity Theft Protection Services

As reported here [http://www.proskauertaxtalks.com/2015/09/irs-provides-some-relief-after-data-hacks/], after last year’s customer data security breaches at major U.S. corporations, the IRS announced special tax relief for identity protection services provided to individuals affected by a security breach.  In response to comments solicited in connection with that announcement, the Treasury Department and IRS have in Announcement 2016-02 [https://www.irs.gov/pub/irs-drop/a-16-02.pdf] extended that relief to no-cost identity protection services provided before a data breach.

Continue Reading

Recent State Enactments Regulating Unsolicited Text Messaging Could Have Broad Implications for Companies that Communicate to Customers’ Mobile Devices

Two states – New Jersey and Connecticut – have recently imposed additional legal conditions on electronic messaging to mobile devices. In a few ways, these laws may raise the bar for companies on compliance when sending text messages and possibly other forms of messaging to mobile devices.

On October 27, 2015, New Jersey Governor Chris Christie signed into law A-617, a bill prohibiting sending text message advertisements to New Jersey residents without the recipient’s prior permission, if the recipient could incur a charge or a usage allocation deduction for receiving the message. Prior permission must be express authorization from the intended recipient specifying the number to which the message may be sent, and may be revoked at any time.  Violators may be penalized by a civil penalty imposed by the New Jersey Attorney General of up to $500 for the first offense and $1,000 each time after. The law also requires telecommunications companies to allow customers to block all incoming and outgoing text messages that result in charges or usage allocation deductions.  The New Jersey law will become effective November 2016. Continue Reading

A Primer on the GDPR: What You Need to Know

Now that it’s been approved by the EU Parliament’s Civil Liberties Committee, Europe’s General Data Protection Regulation (the “GDPR” or the “Regulation”) is well on its way to replacing the 20-year-old Data Protection Directive (the “Directive”) as the EU’s omnibus data protection law.  Although it won’t officially become law until it receives the approval of the EU Parliament, now is the time to study the most important aspects of the GDPR so you can be prepared for the new regime. Continue Reading

GDPR Text Approved

Following yesterday’s announcement that European officials had agreed on the language of the EU’s new General Data Protection Regulation (“GDPR” or “Regulation”), today the EU Parliament’s Civil Liberties Committee approved the text of the GDPR.  The GDPR isn’t law yet, as it still needs to be approved by the EU Parliament next month.  However, the Parliament is expected to approve the Regulation, which would then go into force in 2018.  Once it becomes effective, the GDPR will replace the twenty-year-old EU Data Protection Directive (the “Directive”) and provide a new omnibus data protection law for the EU. Continue Reading

LexBlog