Privacy Law Blog

The European Parliament Approves EU-Wide Standard for Whistleblower Protection

Per our previous post, the European Parliament and the Member States agreed to adopt new rules that would set the standard for protecting whistleblowers across the EU from dismissal, demotion, and other forms of retaliation when they report breaches of various areas of EU law. According to a press release issued by the European Parliament on April 16, 2019, the Parliament approved these changes by an overwhelming majority. The new rules require that employers create safe reporting channels within their organization, protect whistleblowers who bypass internal reporting channels and directly alert outside authorities, including the media under certain circumstances, and require that national authorities provide independent information regarding whistleblowing. This legislation marks a significant departure from the jurisdiction-specific approach that has resulted in disparate protection across Europe, with some jurisdictions, like Germany and France, offering relatively limited protection when compared to other jurisdictions, such as the UK. These changes, if approved by the EU ministers, will set a uniform baseline and therefore considerably increase whistleblower protections in the EU. Member States will have two years to achieve compliance. We will continue to monitor this development.

With Regulators Increasing Focus on Spam Robocalls, Arkansas Follows Others States in Passing Anti-Spoofing Privacy Law

Unwanted robocalls reportedly totaled 26.3 billion calls in 2018, sparking more and more consumer complaints to the FCC and FTC and increased legislative and regulatory activity to combat the practice. Some automated calls are beneficial, such as school closing announcements, bank fraud warnings, and medical notifications, and some caller ID spoofing is justified, such as certain law enforcement or investigatory purposes and domestic violence shelter use.  However, consumers have been inundated with spam calls – often with spoofed local area codes – that display fictitious caller ID information or circumvent caller ID technology in an effort to increase the likelihood consumers will answer or otherwise defraud consumers. To combat the rash of unwanted calls, Congress and federal regulators advanced several measures in 2019 and states have tightened their own telecommunications privacy laws in the past year.  For example, within the last week, the Arkansas governor signed into law S.B. 514, which boosts criminal penalties for illegal call spoofing and creates an oversight process for telecommunications providers.

Continue Reading

In Groundbreaking Settlements, Attorneys General Find Fake Social Media Engagement Illegal

On January 30, 2019, the Office of the New York Attorney General (“NY AG”) and the Office of the Florida Attorney General (“Florida AG”) announced settlements with Devumi LLC and its offshoot companies (“Devumi”), which sold fake social media engagement, such as followers, likes and views, on various social media platforms. According to the NY AG, such social media engagement is fake in that “it purports to reflect the activity and authentic favor of actual people on the platform, when in fact the activity was not generated by actual people and/or does not reflect genuine interest.”

These settlements are the first in the United States to find that selling fake social media engagement constitutes illegal deception and that using stolen social media identities to engage in online activity is illegal. The NY AG emphasized that the New York settlement sends a “clear message that anyone profiting off of deception and impersonation is breaking the law and will be held accountable.”

Continue Reading

EU Agrees to Set the Floor for Whistleblower Protection Across All Member States

According to a press release issued by the European Commission today, the European Parliament and the Member States have agreed to adopt new rules that set the standard for protecting individuals who blow the whistle on breaches of EU law from dismissal, demotion, and other forms of retaliation. This reform, which was first proposed by the European Commission in April 2018, seeks to replace the patchwork of whistleblower protections that currently exist across the Member States with a uniform approach. If formally adopted by the Parliament and Council, the new rules would protect those who report violations of various areas of EU law, including data protection, and Member States could extend protection to other areas of the law as well. Employers would have an obligation to create safe reporting channels within the organization, and whistleblowers, while encouraged to report internally first, also would be protected when reporting to public authorities. Additionally, whistleblowers could safely report violations directly to the media if no action was taken, if a report to the authorities would be futile, or when the violation is an “imminent” or “manifest” danger to the public interest. Lastly, the new rules would require that national authorities inform citizens and train public authorities on various aspects of whistleblowing. We will continue to monitor this development.

What Does Brexit Mean for Data Protection?

With less than a month to go until the UK is due to leave the EU (at 11pm GMT/12pm CET on 29 March 2019), there is still much uncertainty as to whether, and if so how, the UK will exit the EU (commonly dubbed “Brexit”). In light of this uncertainty we outline what will happen, and what should be considered, depending on how things play out especially given the important votes due to take place within the UK Parliament this week.

Continue Reading

Bills Introduced in California Legislature to Expand Scope of Breach Notification Law and Amend the CCPA

California already has some of the strongest data privacy laws in the United States, but within the past week state legislators, with the backing of the California Attorney General Xavier Becerra, have proposed two new bills that would strengthen California’s data privacy laws even more. One bill (SB 561) would amend key sections of the California Consumer Privacy Act (the “CCPA”), which we have previously blogged about when it was first enacted and when it was subsequently amended, and the other bill (AB 1130) would expand the definition of “personal information” under California’s data breach notification law to include biometric information and government-issued ID numbers (e.g., passport numbers).

Continue Reading

How Can Data Privacy Regulations Limit the Ability to Present Evidence in a Litigation?

The French Supreme Court sanctions a company for having produced complete employee pay slips in a litigation.

It is not news that the rules of evidence and data privacy laws may be conflicting. A recent decision of the French Supreme Court[1] illustrates this tension and highlights the need for litigators to take into account data privacy principles before producing evidence containing personal information. Continue Reading

LexBlog