Last week, the French data privacy authority fined Google €50 million (about $57 million) for what it called “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The Commission Nationale de L’informatqiue et des Libertés (CNIL) said that it began its investigation of Google on June 1, 2018 after receiving complaints from two different digital rights advocacy groups on May 25 and May 28, 2018, right when the GDPR was entering into force. In response, the CNIL set out to review the documents available to a user when creating a Google account during Android configuration. Upon that review, the CNIL found two alleged violations of the GDPR, including: (1) a lack of transparency and specificity about essential information such as the purpose of the data processing and the categories and data retention periods of personal data used for personalizing advertisements; and (2) lack of valid consent for ads personalization.

The first alleged violation feeds the second alleged violation here, as the CNIL said users’ consent to ads personalization could not be sufficiently informed when the information presented to them was dispersed over several documents requiring “sometimes up to 5 or 6 actions.” Thus, it isn’t that Google does not provide enough information, but that it does not present the information in one place for the about 20 services that are being offered. And the CNIL stated that the purposes of processing are too vague, meaning a user cannot tell if Google is relying on his or her consent or Google’s own legitimate interests as the legitimate basis of processing. Last, the CNIL found certain of Google’s ads personalization options were pre-checked, although GDPR views unambiguous consent as coming only from an affirmative action such as checking a non-pre-checked box, and that Google’s non-pre-checked boxes for accepting its Privacy Policy and Terms of Service were all-or-nothing consents for all processing activities, whereas GDPR requires specific consent for each purpose. Continue Reading Google Fined by French Regulators for GDPR Gaps

A little more than six months after that day in May when privacy policy updates flooded our inboxes and the GDPR came into force, a new study of small business owners in the UK has found that many people and businesses remain essentially “clueless” about the law and its requirements. Commissioned by Aon, the study found that nearly half of the 1,000 small business owners polled are confused about the privacy and security requirements of the law, which could lead many businesses to be in breach of the GDPR without even realizing it. Some examples of potential violations reported by the businesses included paper visitor books logging all visitors to the business and viewable to subsequent visitors, training materials featuring full details of real-life case studies, the use of personal devices by employees for work purposes, and inadequate storage and disposal of paper records. The study also found that business owners were not clear on what constitutes a data breach – thinking the term did not apply to paper records or personal data that was mistakenly posted or sent to the wrong person by email or fax – nor were they clear on the notification requirements, either to the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), or to affected individuals. These small business owners should avail themselves of the ICO’s recent insight into its GDPR enforcement approach from earlier this month, which indicates that ignorant non-compliance likely won’t be looked at favorably. Continue Reading GDPR Guidance and Other Goings-On

A few months ago we posted an update on the California Consumer Privacy Act, a mini-GDPR that contains serious privacy ramifications for the U.S. privacy landscape. Likely in response to the upcoming 2020 go-live for the California law, various groups have noticed an uptick in lobbying directed at the passage of a federal privacy law that would pre-empt the California law and help harmonize the various state laws. Pushing to the front of that effort is a new draft federal privacy law proposed by Intel.

The Intel law looks to be written specifically to pre-empt the California law, as it contains language that would pre-empt any State law with civil provisions designed to reduce privacy risk through the regulation of personal data. This pre-emption contains limited exceptions for state-data-breach, contract, consumer protection, and various other laws, but it would drive a hole through California’s law. Furthermore, Intel’s proposed law could pre-empt various specific laws such as Illinois biometric data protection law, and because it does not include any notice provision — it would be reliant on the state-breach-notification statutes to find violations in the first place.

Beyond frustrating state attempts at personal information regulation, the law creates penalty caps that result in disproportionate punishments for smaller and mid-size security incidents and allow larger incidents, typical of a larger company, to operate on an eat-the-fine basis. For example: The Equifax breach from earlier this year affected 143 million Americans. If regulators chose to bring an action, the maximum penalties for the action could be up to $16,500 per violation — that means a maximum penalty of 2.3 trillion dollars. The penalty cap however was set at 1 billion dollars, meaning the largest data breaches will face the lowest penalty-per-impacted individual.

Our take

This proposed national privacy law would primarily serve the interests of the largest players in the tech and data industry, while providing harsher relative penalties to smaller and mid-size players. This law or something similar is likely to see serious political debate in the next few years as lobbying efforts intensify. Expect the heat to turn up as we near January 1, 2020.

Shipman & Goodwin attorney William Roberts joins Paige Backman, a Canadian attorney in privacy and data security and partner at Aird & Berlis LLP, as they discuss privacy and data security issues in Canada and the United States and analyze global trends.

Topics include:

  • An overview of laws in Canada and the United States
  • Understanding global trends and the EU’s General Data Protection Regulation
  • Taking a proactive approach to privacy data security issues
  • Highlights from recent privacy and security cases
  • Understanding and avoiding damage awards

When: Thursday, October 25, 2018, 12:00 – 1:00 EDT
Where: Webinar


This CLE program has been approved in accordance with the requirements of the New York CLE Board for a maximum of 1.0 credit hour, of which 1.0 can be applied toward the Professional Practice requirement. This program is appropriate for both transitional and nontransitional attorneys.

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approves or accredits CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to one hour toward your annual CLE requirement in Connecticut, including zero hour(s) of ethics/professionalism.

If you are unable to attend the live webinar, but are interested in accessing the archive for on-demand viewing, please click on the registration button to be added to the archive mailing list.

Nielsen, famed global information and measurement company, was hit last week with a shareholder lawsuit in the Southern District of New York alleging that the EU’s new privacy regulation is to blame for missed targets in its Q2 earnings report, and that Nielsen should have known the hit was coming. The proposed class action claims that Nielsen and two top executives not only made false and misleading statements regarding the company’s preparation for the implementation of the GDPR and the increased restrictions it places on the collection of personal data, but also concealed the adverse effects these restrictions would have on Nielsen’s market position. The lawsuit also argues that Nielsen’s reliance on and access to large data set providers, such as Facebook, was far more important for its financial growth than previously disclosed. Nielsen admitted in its reporting of second quarter results that consumer data privacy considerations placed pressure on it, its clients, and its partners, and specifically cited the GDPR as one such consideration. Nielsen also announced in its second quarter earnings report that its current CEO would retire at the end of 2018. In addition to this proposed class action filed last week, several other law firms have posted notices in the financial press indicating they have filed class actions against Nielsen on behalf of investors, and notifying potential class members of deadlines to act or participate.

One of those law firms has also posted in the financial press that it has commenced class action lawsuits on behalf of shareholders against Facebook, mirroring somewhat the claims against Nielsen. The suits allege in particular that Facebook made materially false or misleading claims and failed to disclose that GDPR’s implementation would have a negative impact on the use of Facebook, its revenue growth and profitability due to new restrictions data collection and the imposition of an informed consent requirement in some contexts. Those suits also allege that Facebook failed to disclose that the costs to Facebook of complying with GDPR would have a materially adverse effect on its revenue, projected growth, and overall financial health.

Our take

While traditional shareholder suits related to data privacy and security tend to allege that a company failed to comply with data privacy regulations, such as following a data breach, the allegations in these recently announced suits alter the formulation to say that these companies were unprepared for the negative business impacts of proper compliance, and then lied about it. If these suits are successful, they will have far-reaching implications for the ways that publicly-traded companies and their boards conceptualize and assess “cyber risk” and the impacts of new data privacy regulations on their business models. Regardless of whether they are successful or not, however, they reiterate the need for companies from across the business spectrum to pay attention to data privacy and begin assessing both the burdens and benefits of complying with new data privacy regulations as soon as possible after they are announced.

As we approach the Fall of 2018, data breaches and cybersecurity incidents remain prevalent throughout the U.S. (and the world). No matter what industry you are in, you are susceptible to a breach. This year alone already, breaches have been disclosed by companies such as Saks, Lord & Taylor, Panera Bread, Facebook, Under Armour’s MyFitnessPal App, just to name a few. Those few companies alone account for over 320 million records having been breached. Although not listed, insurance, financial, educational and health care companies and institutions are also not without incident.

In reaction to instances such as those mentioned above, as well as on the heels of Europe’s recently enacted General Data Protection Regulation (“GDPR”), federal and state legislatures throughout the U.S. are in the process of beginning to pass new laws. A few of the trailblazers in new data protection and/or cybersecurity laws are California, Vermont, and New York.

One of the most impactful new laws which companies must be aware of is the California Consumer Privacy Act (the “CCPA”), which follows the GDPR. The CCPA, passed on June 28, 2018, and which will be effective January 1, 2020, is an important law to be aware of because, while it only applies to California citizens, it targets both domestic companies and companies outside of California who do business in the state. It is also largely anticipated that other states will follow in passing similar types of legislation. At its core, this is a consumer friendly law, which will place a great deal of challenges on companies to remain in compliance. Continue Reading Trailblazing States in Data Privacy and Cybersecurity

Two developments last month concerning the EU-US Privacy Shield–which is the mechanism designed by the US Department of Commerce and the European Commission to allow US companies to transfer personal data from the EU to the US–highlight the ongoing tension between the EU and US approaches to privacy, particularly post-GDPR. First, the US Federal Trade Commission announced an agreement with a California company, settling allegations that the company falsely claimed in its website privacy policy to be in the process of self-certification with the Privacy Shield, when it fact it had begun the application process but failed to complete all the steps. The FTC Chairman stated that the settlement “demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.” A few days later, the European Parliament passed a non-binding resolution to suspend the EU-US Privacy Shield unless the US becomes fully compliant by September 1, 2018. Considering that the Privacy Shield does not provide adequate protection, the European Parliament cited among its reasons the fact that non-US citizens have been excluded by the protections of the Privacy Act by executive order, the fact that the US has failed to appoint any independent supervisory authority, and the fact that there is insufficient monitoring and enforcement. Continue Reading Privacy Shield Developments at Home and Abroad

On May 25, 2018, the European Union’s (“EU”) General Data Privacy Regulation (“GDPR”) takes effect, which purports to regulate the control and processing of the data of EU residents, wherever that data is stored. However, the broad territorial scope of the GDPR has not been tested in any court or legal proceeding, leaving many organizations, including United States-based independent schools, scratching their heads over compliance with the law.

What is the GDPR?

For those unfamiliar with the dreaded acronym, the GDPR is a law passed by the EU Parliament in 2016 that imposes a uniform set of data privacy regulations throughout the EU based on several key general privacy principles: transparency and consent, right of access to personal data, right to rectification and erasure (also known as the right to be forgotten), data portability, and the right to object to automated individual decision-making.

Independent schools who actively collect data from EU residents (such as applicants or alumni) are likely to be classified as “data controllers” as that term is defined in the GDPR. Generally, controllers are responsible for: implementing technical safeguards and organizational measures to protect data, implementing “protection by design and default” measures, and ensuring that data processors (such as software vendors) handle data responsibly and in accordance with the schools’ directives. Penalties for failing to comply with the GDPR can be quite steep, ranging up to 20 million Euros, or 4% of an organization’s global annual revenue, whichever is greater.

Continue Reading The GDPR is Coming: Keep Calm and Plan

2018 CAIS Social and Networking Event and Consortium Purchasing Meeting

The European Union passed a sweeping data privacy law that is affecting businesses, organizations and educational institutions worldwide. This law, known as the “General Data Protection Regulation” (or “GDPR” for short), will in many cases dramatically change the manner in which organizations collect, use and disclose the personal information of European Union residents. The GDPR comes into effect on May 25, 2018, and many in the independent school community are asking if, or how, the GDPR may impact the operations, policies and procedures of independent schools in Connecticut. Shipman & Goodwin attorneys Bill Roberts and Ben FrazziniKendrick will offer a brief overview of the GDPR, its potential application to your institution and, if applicable, advice on how to work towards compliance.

When: April 18, 2018, 4:30 PM – 5:45 PM EDT

To register, please click here.