Last week, the French data privacy authority fined Google €50 million (about $57 million) for what it called “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The Commission Nationale de L’informatqiue et des Libertés (CNIL) said that it began its investigation of Google on June 1, 2018 after receiving complaints from two different digital rights advocacy groups on May 25 and May 28, 2018, right when the GDPR was entering into force. In response, the CNIL set out to review the documents available to a user when creating a Google account during Android configuration. Upon that review, the CNIL found two alleged violations of the GDPR, including: (1) a lack of transparency and specificity about essential information such as the purpose of the data processing and the categories and data retention periods of personal data used for personalizing advertisements; and (2) lack of valid consent for ads personalization.

The first alleged violation feeds the second alleged violation here, as the CNIL said users’ consent to ads personalization could not be sufficiently informed when the information presented to them was dispersed over several documents requiring “sometimes up to 5 or 6 actions.” Thus, it isn’t that Google does not provide enough information, but that it does not present the information in one place for the about 20 services that are being offered. And the CNIL stated that the purposes of processing are too vague, meaning a user cannot tell if Google is relying on his or her consent or Google’s own legitimate interests as the legitimate basis of processing. Last, the CNIL found certain of Google’s ads personalization options were pre-checked, although GDPR views unambiguous consent as coming only from an affirmative action such as checking a non-pre-checked box, and that Google’s non-pre-checked boxes for accepting its Privacy Policy and Terms of Service were all-or-nothing consents for all processing activities, whereas GDPR requires specific consent for each purpose.
Continue Reading

A little more than six months after that day in May when privacy policy updates flooded our inboxes and the GDPR came into force, a new study of small business owners in the UK has found that many people and businesses remain essentially “clueless” about the law and its requirements. Commissioned by Aon, the study found that nearly half of the 1,000 small business owners polled are confused about the privacy and security requirements of the law, which could lead many businesses to be in breach of the GDPR without even realizing it. Some examples of potential violations reported by the businesses included paper visitor books logging all visitors to the business and viewable to subsequent visitors, training materials featuring full details of real-life case studies, the use of personal devices by employees for work purposes, and inadequate storage and disposal of paper records. The study also found that business owners were not clear on what constitutes a data breach – thinking the term did not apply to paper records or personal data that was mistakenly posted or sent to the wrong person by email or fax – nor were they clear on the notification requirements, either to the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), or to affected individuals. These small business owners should avail themselves of the ICO’s recent insight into its GDPR enforcement approach from earlier this month, which indicates that ignorant non-compliance likely won’t be looked at favorably.
Continue Reading

A few months ago we posted an update on the California Consumer Privacy Act, a mini-GDPR that contains serious privacy ramifications for the U.S. privacy landscape. Likely in response to the upcoming 2020 go-live for the California law, various groups have noticed an uptick in lobbying directed at the passage of a federal privacy law

Shipman & Goodwin attorney William Roberts joins Paige Backman, a Canadian attorney in privacy and data security and partner at Aird & Berlis LLP, as they discuss privacy and data security issues in Canada and the United States and analyze global trends.

Topics include:

  • An overview of laws in Canada and the United States
  • Understanding

Nielsen, famed global information and measurement company, was hit last week with a shareholder lawsuit in the Southern District of New York alleging that the EU’s new privacy regulation is to blame for missed targets in its Q2 earnings report, and that Nielsen should have known the hit was coming. The proposed class action claims

As we approach the Fall of 2018, data breaches and cybersecurity incidents remain prevalent throughout the U.S. (and the world). No matter what industry you are in, you are susceptible to a breach. This year alone already, breaches have been disclosed by companies such as Saks, Lord & Taylor, Panera Bread, Facebook, Under Armour’s MyFitnessPal App, just to name a few. Those few companies alone account for over 320 million records having been breached. Although not listed, insurance, financial, educational and health care companies and institutions are also not without incident.

In reaction to instances such as those mentioned above, as well as on the heels of Europe’s recently enacted General Data Protection Regulation (“GDPR”), federal and state legislatures throughout the U.S. are in the process of beginning to pass new laws. A few of the trailblazers in new data protection and/or cybersecurity laws are California, Vermont, and New York.

One of the most impactful new laws which companies must be aware of is the California Consumer Privacy Act (the “CCPA”), which follows the GDPR. The CCPA, passed on June 28, 2018, and which will be effective January 1, 2020, is an important law to be aware of because, while it only applies to California citizens, it targets both domestic companies and companies outside of California who do business in the state. It is also largely anticipated that other states will follow in passing similar types of legislation. At its core, this is a consumer friendly law, which will place a great deal of challenges on companies to remain in compliance.
Continue Reading

Two developments last month concerning the EU-US Privacy Shield–which is the mechanism designed by the US Department of Commerce and the European Commission to allow US companies to transfer personal data from the EU to the US–highlight the ongoing tension between the EU and US approaches to privacy, particularly post-GDPR. First, the US Federal Trade Commission announced an agreement with a California company, settling allegations that the company falsely claimed in its website privacy policy to be in the process of self-certification with the Privacy Shield, when it fact it had begun the application process but failed to complete all the steps. The FTC Chairman stated that the settlement “demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.” A few days later, the European Parliament passed a non-binding resolution to suspend the EU-US Privacy Shield unless the US becomes fully compliant by September 1, 2018. Considering that the Privacy Shield does not provide adequate protection, the European Parliament cited among its reasons the fact that non-US citizens have been excluded by the protections of the Privacy Act by executive order, the fact that the US has failed to appoint any independent supervisory authority, and the fact that there is insufficient monitoring and enforcement.
Continue Reading

On May 25, 2018, the European Union’s (“EU”) General Data Privacy Regulation (“GDPR”) takes effect, which purports to regulate the control and processing of the data of EU residents, wherever that data is stored. However, the broad territorial scope of the GDPR has not been tested in any court or legal proceeding, leaving many organizations, including United States-based independent schools, scratching their heads over compliance with the law.

What is the GDPR?

For those unfamiliar with the dreaded acronym, the GDPR is a law passed by the EU Parliament in 2016 that imposes a uniform set of data privacy regulations throughout the EU based on several key general privacy principles: transparency and consent, right of access to personal data, right to rectification and erasure (also known as the right to be forgotten), data portability, and the right to object to automated individual decision-making.

Independent schools who actively collect data from EU residents (such as applicants or alumni) are likely to be classified as “data controllers” as that term is defined in the GDPR. Generally, controllers are responsible for: implementing technical safeguards and organizational measures to protect data, implementing “protection by design and default” measures, and ensuring that data processors (such as software vendors) handle data responsibly and in accordance with the schools’ directives. Penalties for failing to comply with the GDPR can be quite steep, ranging up to 20 million Euros, or 4% of an organization’s global annual revenue, whichever is greater.


Continue Reading

2018 CAIS Social and Networking Event and Consortium Purchasing Meeting

The European Union passed a sweeping data privacy law that is affecting businesses, organizations and educational institutions worldwide. This law, known as the “General Data Protection Regulation” (or “GDPR” for short), will in many cases dramatically change the manner in which organizations collect, use and