On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided (here).
In December 2015—following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework—Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission approved SCCs (available here). Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court asking to refer the matter to the CJEU for ruling on the question of whether the European Commission’s SCC decisions are valid under European law. Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and protection of personal data.
Continue reading “Irish High Court Refers Future of EU Model Clauses to CJEU”
The Federal Trade Commission’s (FTC) Bureaus of Consumer Protection and Economics will host a workshop to examine consumer injury in the context of privacy and data security on Dec. 12, 2017. Consumer injury is often difficult to quantify generally and especially challenging when there are allegations of a privacy or data security breach or other types of unauthorized access to personal information. The FTC’s workshop will explore how to measure accurately such injuries; what frameworks might be used to assess different injuries as well as how consumers and businesses evaluate the benefits and costs associated with providing, collecting and using personal information.
Continue reading “Mark your calendars! FTC Workshop on Information Injury set for December”
A proposed ballot measure that would require businesses to provide annual disclosures to consumers on the collection or sale of personal information has been filed with the California Attorney General. If 365,880 signatures are obtained, it may appear on the November 2018 ballot.
The initiative is based on California’s “Shine the Light Law” which sets forth the procedures companies must follow in disclosing, upon request of a consumer, what information has been shared with third parties. The law also contains specific language to be included in online privacy policies.
Continue reading “Application for Proposed Ballot Measure: California Consumer Privacy Act of 2018”
Providing data subjects with meaningful information regarding the processing of their personal data and their rights with respect to such processing is an axiom of privacy law—and a key requirement under the General Data Protection Regulation (GDPR).
The significance of this principle of transparency was recently highlighted by the European Court of Human Rights (ECHR) in Bărbulescu v. Romania where the court affirmed an employee’s right to privacy when using communications tools in the workplace due, in part, to the employer’s failure to provide adequate notice regarding its internet monitoring activities. This post briefly discusses the principle of transparency under GDPR and its application to the Bărbulescu case.
Continue reading “GDPR and ECHR Make One Thing Abundantly Transparent: The Significance of Transparency”
It’s not news that various branches of the federal government have been studying a range of privacy and consumer safety issues that arise with ever more connected vehicles. What is new is the Government Accounting Office (GAO)’s report to the House Subcommittee on Research and Technology, Committee on Science, Space and Technology about how current passenger vehicle manufacturers address the many privacy issues that arise with connected vehicle use.
GAO interviewed industry associations and organizations that work on privacy issues and also interviewed 16 automakers that were selected based on their U.S. passenger vehicle sales. GAO reviewed the written privacy policies of the automakers against a set of leading privacy practices and issued a report, Vehicle Data Privacy: Industry and Federal Efforts Under Way but NHTSA Needs to Define its Role, on August 28, 2017.
Continue reading “GAO Report on Connected Vehicles Calls for NHTSA to Define and Document its Role in Vehicle Data Privacy”
Three U.S. companies have entered into consent agreements with the Federal Trade Commission (FTC) for allegedly misrepresenting their participation in the European Union-United States Privacy Shield framework. These are the FTC’s first actions to enforce the EU-US Privacy Shield framework that was put in place in 2016 to replace the US-EU Safe Harbor framework.
Continue reading “The FTC’s First Privacy Shield Enforcement Actions”