Privacy

Data Privacy Compliance Isn’t Just for Europe or California Anymore: Data Privacy Trends

We have covered Europe’s General Data Protection Regulation (GDPR) over several posts the past couple of years and even conducted a webcast on the topic last year.  And, we have covered the California Consumer Privacy Act (CCPA) several times as well, including as recently as last week.  But, what about the rest of the wide, wide world?  Do countries in other parts of the world have data privacy policies as well?  Yes.  Do they mimic GDPR policies?  Not necessarily.

As reported in Legaltech News (Data Protection Laws Take Center Stage For Global GC, written by Caroline Spiezio), lawyers are saying that ignoring data privacy changes outside of Europe, or assuming GDPR policies will comply anywhere, may lead to fines or diminished consumer trust in other regions.  For example, Camila Tobón, a Colorado-based data privacy lawyer at Shook, Hardy & Bacon, said many countries in Latin America follow a consent-based model, which doesn’t allow for the legitimate interest basis for data collection provided under GDPR. She said many Latin American countries with data privacy laws used Spain’s consent-based version of the 1995 Data Protection Directive (the predecessor to GDPR in Europe) to shape their regulations.

“When Spain incorporated the directive into their law, one noticeable change [from other EU countries] was the lack of legitimate interest for a basis for processing personal data,” Tobón said. “When most Latin American countries were starting to implement their laws in 1999, 2000, 2001, they used the Spanish law as a model, which didn’t include legitimate interest. So what you ended up seeing in Latin America was a consent-based model.”

However, Brazil’s General Data Protection Law, which passed in 2018, includes the case for legitimate interest collection, which closely aligns that country’s laws with Europe’s.  And, other countries in Latin America are working on changes as well.  Chile recently voted to create a national data protection authority. Panama’s National Assembly approved a national data protection regulation last year that currently awaits the president’s signature. An updated Argentine bill to bring the country’s data protection regulations closer to Europe’s with a legitimate interest model and data protection officer requirement is also in the works, with a draft standing in front of Congress.

Beyond Latin America, other countries are making (or considering making) changes as well.  The Corporate Counsel Association of South Africa’s chief executive officer Alison Lee said she expects to see the country implement the Protection of Personal Information Act this year.  Unlike GDPR, POPIA asserts companies also have “personal data” that requires protection. South Africa currently doesn’t require explicit consent to collect data or legitimate interest, but it does require some form of consent.  Nigeria could also see data protection changes, as it has long attempted to pass a specific data protection bill.

So, what about Asia Pacific (APAC)?  Scott Thiel, a Hong Kong-based DLA Piper partner, said, since GDPR’s implementation, he’s increasingly asked questions about data protection in Asia.

“Everyone is sort of finally taking a breath and going, ‘OK, we got through GDPR, we’re somewhere near compliance and that’s great. I assume that works everywhere, does it?’ And the short answer is no, it doesn’t,” Thiel said. “A lot of the approaches to data compliance that work in Europe don’t work in the Asian markets.”

He said many companies have tried applying their GDPR policies to China and other Asian countries and it “just doesn’t” work.  Like Latin America, much of East Asia relies on a consent-based model rather than legitimate interest, Thiel said.  Nonetheless, cybersecurity laws are changing in APAC, as well.  The article has several more details regarding data privacy changes in Latin America, Africa and APAC.  GDPR, with its heavy fines, has gotten a lot of the coverage regarding data privacy compliance, but you can’t ignore requirements in the rest of the world if you’re a multi-national company.  I’m sure Antarctica will come out with their data privacy laws any day now.  ;o)

So, what do you think?  Are you prepared for data privacy changes around the rest of the world?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Answers to Your Frequently Asked CCPA Questions: Data Privacy Best Practices

As we discussed last year (here and here), the California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect next January 1.  And, as we also reported recently, about half of surveyed companies haven’t even started preparing to be CCPA compliant.  Maybe that’s because they don’t know where to start to comply and don’t know whether the CCPA applies to their business, what rights Californians will have under CCPA, and what impact CCPA will have on their privacy policy.  Here are answers to some of those questions.

In the Data Privacy Monitor site by Baker Hostetler (The California Consumer Privacy Act: Frequently Asked Questions, written by Alan L. Friel, Laura E. Jehl and Melinda L. McLellan), the authors address ten frequently asked questions that companies are asking about CCPA (if they’re not asking them, they should be).  Here are the questions they are addressing in this article:

  1. Does the CCPA apply to my business? What if we don’t have operations in California?
  2. Does the $25 million revenue threshold apply to California revenue specifically, or is it $25 million for the business as a whole?
  3. Will the CCPA be amended? What are the open issues?
  4. What new rights will the CCPA give to California residents?
  5. Will we need to amend our company’s online privacy policy?
  6. How do the “copycat” CCPA laws being proposed in other states compare with the CCPA?
  7. How does a business confirm that a person making an access or deletion request under the CCPA is a California resident, or who they claim to be?
  8. What should our company be focusing on right now, while we wait to see how these various state and federal law proposals shake out?
  9. What are the potential penalties for violations of the CCPA?
  10. Does my business qualify for one of the CCPA’s exceptions?

I won’t steal any thunder here – the authors give detailed and thoughtful answers to the questions that you will want to check out for yourself.

It’s interesting to note that there are at least 15 state data privacy laws that are working their way through the legislative process – some that are “virtually identical to the CCPA”, others that are similar, but with key differences.  As the authors note, the “prospect of having to comply with dozens of different state laws of this nature has fueled interest in a federal law to harmonize these proposals and provide businesses with clear compliance goals.”  That’s not surprising to me.

As the authors note in their conclusion: “A new era of consumer privacy rights has dawned in the U.S., and businesses will need to have a sound understanding of the personal information they collect, process, use and share to be able to comply with incoming rules and regulations.”  Given recent trends, it certainly appears that virtually every US business will be subject to new and developing data privacy laws sooner rather than later.

So, what do you think?  Is your company subject to CCPA?  If so, has it begun to address CCPA yet?  Please share any comments you might have or if you’d like to know more about a particular topic.


Court Rejects Carpenter Argument for Third Party Subpoena of Google Subscriber Info: eDiscovery Case Law

In U.S. v. Therrien, No. 2:18-cr-00085 (D. Vt. Mar. 13, 2019), Vermont District Judge Christina Reiss denied the defendant’s motion to suppress evidence obtained via a subpoena of Google for subscriber information, rejecting the defendant’s argument that the United States Supreme Court decision in Carpenter v. US forecloses the government’s ability to obtain this type of data without a warrant.

Case Background

In this case, related to a one-count indictment charging the defendant with knowingly transporting child pornography, an order for eighty-five photograph prints was placed with an online company in February 2018.  An employee of the online company’s outsource print provider informed the Federal Bureau of Investigation that it was concerned that some of the photographs may contain child pornography. Law enforcement subsequently discovered an e-mail address that was associated with the order.

A grand jury subpoena was issued in March 2018 to obtain subscriber information from Google pertaining to the account associated with the email address. In response, Google produced subscriber information, services utilized by the account, the date the account was created, the date and time of the last login, and the IP addresses associated with the account from December 6, 2017 through March 15, 2018. Asserting that law enforcement violated the Fourth Amendment in obtaining records from Google without a warrant, the defendant sought suppression of all evidence obtained pursuant to the grand jury subpoena, citing Carpenter v. US.

Judge’s Ruling

While noting that, in Carpenter, the Supreme Court held that cell-site location information (“CSLI”) was not subject to the third-party doctrine, Judge Reiss also noted that SCOTUS acknowledged “the notion that an individual has a reduced expectation of privacy in information knowingly shared with another” and “reasoned that because there was no way for individuals possessing cell phones to avoid generating CSLI and because cell phones are now effectively a necessity of daily life, it was unreasonable to conclude that an individual voluntarily exposed CSLI information to a third party.”

Judge Reiss also observed that “Since Carpenter, courts have held that IP address information and similar information still fell ‘comfortably within the scope of the third-party doctrine’ because ‘[t]hey had no bearing on any person’s day-to-day movement’ and ‘[the defendant] lacked a reasonable expectation of privacy in that information.’”  Judge Reiss cited several cases, including United States v. Rosenow, 2018 WL 6064949, at *11 (S.D. Cal. Nov. 20, 2018), which said “The Court concludes that Defendant had no reasonable expectation of privacy in the subscriber information and the IP log-in information Defendant voluntarily provided to the online service providers in order to establish and maintain his account.”

As a result, Judge Reiss ruled as follows in denying the defendant’s motion to suppress the evidence obtained:

“In this case, law enforcement obtained information that an account holder voluntarily turned over to Google. This information is squarely within the third-party doctrine and requires a different result than in Carpenter. As a result, Defendant did not possess a reasonable expectation of privacy in the information obtained by law enforcement.”

So, what do you think?  Should people have a reasonable expectation of privacy for their email accounts in third party subpoenas?  Please let us know of any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


About Half of Surveyed Companies Haven’t Started Preparing for CCPA: Data Privacy Trends

Does this sound familiar?  Last week at the University of Florida E-Discovery Conference, I talked about the California Consumer Privacy Act (CCPA) as one of the things that organizations need to be prepared to address these days as part of their compliance obligations.  Sounds like a lot of organizations haven’t gotten around to that just yet.

In an article in Legaltech® News (Almost Half of Companies Haven’t Started CCPA Compliance: Survey, written by Frank Ready), a recent survey of 250 executives and managers at U.S. technology, manufacturing, financial services, utilities and health care companies finds that 44 percent of companies that will be impacted by the CCPA haven’t yet taken steps towards compliance.  Only 14 percent of respondents are fully CCPA compliant at this point.

The state’s forthcoming privacy regulation, which is scheduled to take effect next January 1st, empowers Californians with more control over the way their data is collected, shared or viewed by U.S. companies on a daily basis. According to the survey, a large majority of respondents, 71 percent, expect to spend at least $100,000 on compliance efforts. But consulting attorneys may not wind up seeing as much of that money as one might think.

The survey was conducted by Dimensional Research on behalf of the privacy compliance company TrustArc. Chris Babel, CEO of TrustArc, attributed some of the compliance delay to companies that have never had to wrap their heads around these issues before. While the European Union’s General Data Protection Regulation (GDPR) impacted only U.S. companies with business interests in Europe, the CCPA hits a little closer to home.

“One of the pieces that I had underestimated was truly the amount of companies that were not impacted by GDPR, so CCPA is their foray into doing this,” Babel said.

“The legal fees are going to play a role, but I don’t think the legal fee is going to be the largest chunk of the expense. It will really be the in-house kind of grind that needs to be done in order for the compliance steps to be in place,” said Jarno Vanto, a shareholder at Polsinelli.

The “grind” he’s referring to includes extensive work around understanding what data an organization holds and mapping the flow of that data. It also includes checking in with third party vendors and partners to determine what information they have access to as well.

So, how are companies planning on making the leap before the deadline? According to the survey, 72 percent of respondents plan on investing in some sort of technology to help smooth the way.  That doesn’t surprise me – as I discussed in Florida last week, Information Governance (IG) policies are vital to organizations’ ability to meet compliance obligations, but it’s going to take a combination of IG policies and technology for organizations to really get a handle on their data.

So, what do you think?  Are you surprised that so many companies haven’t begun to address CCPA yet?  Please share any comments you might have or if you’d like to know more about a particular topic.


How Many States Have Security Breach Notification Laws? You Might Be Surprised: Cybersecurity Trends

Usually, I end each blog post with “So, what do you think?”, but this time I’m starting with it.  How many states do you think have some sort of legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information (PII)?  Ten?  Twenty?  Thirty?  You might be surprised.

According to a post by the National Conference of State Legislatures (NCSL) (hat tip to Joe Hodnicki of Law Librarian Blog for the link), all 50 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

That’s certainly good to know!

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

The NCSL post linked to above provides links to each of the states’ and territories’ legislation – some have a single law, code or statute to address the requirements, while others have more than one.  It’s a great reference if you ever have to determine what the laws are in a particular state or territory in terms of compliance requirements – which are already growing because of the General Data Protection Regulation (GDPR) that went into effect last year and the California Consumer Privacy Act (CCPA) which is slated to go into effect next January.  More and more, compliance discovery is becoming a strong emphasis for organizations that need to manage their risk.  It’s good to know that all of the states and territories have security breach laws – the next question is how well are they enforced?

So, what do you think?  Were you surprised that every state and territory has security breach laws?  Please share any comments you might have or if you’d like to know more about a particular topic.


NY Appeals Court Extends Discoverability of Social Media Photos to “Tagged” Photos: eDiscovery Case Law

In Vasquez-Santos v. Mathew, 8210N, Index 158793/13 (N.Y. App. Div. Jan. 24, 2019), the New York Appellate Division, First Department panel “unanimously reversed” an order by the Supreme Court, New York County last June that had denied the defendant’s motion to compel access by a third-party data mining company to plaintiff’s devices, email accounts, and social media accounts, so as to obtain photographs and other evidence of plaintiff engaging in physical activities, and granted the defendant’s motion.

It’s rare that we can include the entire case opinion in our blog post, but, in perhaps the shortest case ruling we’ve ever covered, here is that case opinion.

“Private social media information can be discoverable to the extent it ‘contradicts or conflicts with [a] plaintiff’s alleged restrictions, disabilities, and losses, and other claims’ (Patterson v. Turner Const. Co., 88 A.D.3d 617, 618, 931 N.Y.S.2d 311 [1st Dept. 2011] ). Here, plaintiff, who at one time was a semi-professional basketball player, claims that he has become disabled as the result of the automobile accident at issue, such that he can no longer play basketball. Although plaintiff testified that pictures depicting him playing basketball, which were posted on social media after the accident, were in games played before the accident, defendant is entitled to discovery to rebut such claims and defend against plaintiff’s claims of injury. That plaintiff did not take the pictures himself is of no import. He was “tagged,” thus allowing him access to them, and others were sent to his phone. Plaintiff’s response to prior court orders, which consisted of a HIPAA authorization refused by Facebook, some obviously immaterial postings, and a vague affidavit claiming to no longer have the photographs, did not comply with his discovery obligations. The access to plaintiff’s accounts and devices, however, is appropriately limited in time, i.e., only those items posted or sent after the accident, and in subject matter, i.e., those items discussing or showing defendant engaging in basketball or other similar physical activities (see Forman v. Henkin, 30 N.Y.3d 656, 665, 70 N.Y.S.3d 157, 93 N.E.3d 882 [2018]; see also Abdur–Rahman v. Pollari, 107 A.D.3d 452, 454, 967 N.Y.S.2d 31 [1st Dept. 2013] ).”

So, what do you think?  Should discoverability of photos be extended to photos where the party is “tagged” in the photo or should privacy concerns weigh heavier here?  Please let us know of any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


Germans Order Facebook To Change How it Collects User Data: Data Privacy Trends

Two days, two stories about Germans finding fault with companies’ handling of personal data.

According to Law360 (Facebook Ruling Gives Antitrust Weight To Data Privacy, written by Ben Kochman – subscription required), Germany’s Federal Cartel Office ordered Facebook last week to give users the right to opt in or out before the company merges data gleaned from users’ activity on other websites and apps to their Facebook accounts. Facebook uses this type of data, including from its own WhatsApp and Instagram as well as from third-party websites with its “like” or “share” buttons, to amass detailed profiles on consumers that fuel its lucrative targeted advertising operation.

Facebook users can reasonably expect that the social network is monitoring their activity on the platform for targeted advertising purposes, the German regulator said. But to extend that tracking to third-party sites — including those that have the company’s invisible Facebook Analytics software installed — without asking users first amounts to “exploitative abuse,” it said, in which the company is abusing its unique position as a social media giant for which users have no real replacement.

“In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing,” FCO President Andreas Mundt said in a statement announcing the ruling.

The FCO explained its logic in a Q&A attached to the decision. Even though users do not suffer a financial loss from Facebook’s data collection, “the damage for the users lies in a loss of control,” the regulator said.

“They are no longer able to control how their personal data are used,” the authority wrote. “They cannot perceive which data from which sources are combined for which purposes with data from Facebook accounts and used e.g. for creating user profiles.”

“Due to the combining of the data, individual data gain a significance the user cannot foresee,” it added.

Facebook immediately pushed back, arguing in a blog post that the FCO “underestimates the fierce competition we face in Germany,” including from YouTube, Snapchat and Twitter.  The ruling “misapplies German competition law to set different rules that apply to only one company,” wrote the post by Yvonne Cunnane, head of data protection for Facebook Ireland, and company Associate General Counsel Nikhil Shanbhag. Facebook vowed to appeal the case and has a month to do so.

“There’s a sentiment issue here. People are developing feelings about Facebook, especially after what happened with Cambridge Analytica,” Pam Dixon, executive director of the World Privacy Forum (a consumer privacy nonprofit) said. “I wonder if Facebook is having a tin ear here to what its customer base really wants.”

So, what do you think?  Is this just the beginning of data privacy reform?  And, will “zee germans” have anything else to say about data privacy soon?  Please share any comments you might have or if you’d like to know more about a particular topic.



In Today’s Privacy Environment, That’s the Way the (Website) Cookie Crumbles: Data Privacy Trends

It’s only been three weeks, but we’ve already talked plenty about the first big GDPR fine of €50 million (or about $56.8 million) levied against Google for failing to comply with GDPR.  Sure, you’re thinking “that’s Google, I can see how they got fined, but nothing to worry about here”.  Right?  Well, you may want to think again.

As covered in Alston & Bird’s Privacy and Data Security Blog (Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration, written by Daniel Felz; hat tip to Rob Robinson’s Complex Discovery blog for the link), last week, the Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices.  None of these companies appear to be in Google-style tech industries.  The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a ‘tech industry issue,’ but instead a priority issue for companies irrespective of their industry – and one that can carry GDPR fine risk.

In an online publication, the Bavarian DPA announced it had conducted a sweep of 40 large companies’ website cookie and user tracking practices.  While the identities of these companies have not been published (as is common in Continental European agency investigations), the Bavarian DPA identified the industries in which the companies were active – and no company was identified as a technology company.  Following its sweep, the Bavarian DPA announced that none of the 40 companies it had audited had built GDPR-compliant cookie/tracking practices into their websites.  As a result, the Bavarian DPA has announced it is considering GDPR fines.  The companies audited were from industries ranging from online retail to sports to banking & insurance to media, even automotive & electronics and home and residential.

The Bavarian DPA found the following violations:

  1. Websites lacked the transparency needed for “informed” cookie consent. 30 of the 40 audited websites did not provide sufficiently transparent disclosures to users regarding the website’s use of tracking technology;
  2. No “prior” consent was collected from users. The Bavarian DPA indicated that for most of the 40 websites, cookie data was “automatically” sent to third-party cookie providers as soon as the user visited the website;
  3. The consent obtained was not sufficiently “active”. The Bavarian DPA’s position is that cookies and “tracking scripts” should be blocked until “the user has actively consented.” The interesting thing here is that the Bavarian DPA noted that most of the 40 websites used cookie banners to inform users about their use of cookies, but that none of these banners resulted in effective consent being collected from the user.  As the article notes, it may be that none of the websites integrated a cookie-blocking function prior to ‘consent events’ being logged.
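As an added illustration, not code from the original post or from the Bavarian DPA, here is a small consent gate in JavaScript that maps to the three findings: trackers are registered up front with a plain-language purpose the banner can display, no third-party script is requested until an explicit accept click, and merely showing or dismissing the banner is logged but grants nothing. The `loadScript` callback and the example.com tracker URLs are assumptions; in a browser the callback would append a `<script>` element.

```javascript
// Added example, not code from the original post or from the Bavarian DPA.
// Consent gate: tracking scripts are registered but never requested until
// the user explicitly accepts. loadScript is injected (assumed caller-supplied)
// so the same logic runs in a browser or in a test without a DOM.
const VALID_ACTIONS = new Set(["banner_shown", "banner_dismissed", "accept_click", "reject_click"]);

class ConsentGate {
  constructor(loadScript, now = () => Date.now()) {
    this.loadScript = loadScript; // (url) => void
    this.now = now;
    this.pending = [];   // {category, url, purpose} awaiting consent
    this.consent = {};   // category -> latest accept/reject decision
    this.events = [];    // audit trail of every consent-related action
  }

  // Finding 2: registering a tracker triggers no network request at all.
  register(category, url, purpose) {
    this.pending.push({ category, url, purpose });
  }

  // Finding 1: text the banner can show so that consent is "informed":
  // which category, for what purpose, and which third-party host.
  disclosure() {
    return this.pending.map((t) => `${t.category}: ${t.purpose} (${new URL(t.url).host})`);
  }

  // Finding 3: only an explicit accept click grants consent. Showing or
  // dismissing the banner is recorded in the audit trail but loads nothing.
  decide(category, action) {
    if (!VALID_ACTIONS.has(action)) throw new Error(`unknown action ${action}`);
    const granted = action === "accept_click";
    const entry = { category, action, granted, at: this.now() };
    this.events.push(entry);
    if (action === "accept_click" || action === "reject_click") {
      this.consent[category] = entry;
    }
    if (granted) this.loadCategory(category);
    return granted;
  }

  hasConsent(category) {
    const c = this.consent[category];
    return c !== undefined && c.granted;
  }

  // Release only the trackers in the consented category; others stay blocked.
  loadCategory(category) {
    const [ready, rest] = [[], []];
    for (const t of this.pending) (t.category === category ? ready : rest).push(t);
    this.pending = rest;
    ready.forEach((t) => this.loadScript(t.url));
    return ready.length;
  }
}
```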

As the article notes, the larger point of the Bavarian DPA’s action is that cookie compliance appears to be becoming a front-burner issue for EU privacy regulators – and an issue that can generate fines.  Which means it should probably be a front-burner issue with companies out there as well.  Oh, and by the way, Alston & Bird’s blog also has a countdown to the effective date of the California Consumer Privacy Act (CCPA) — 328 days and counting by the time you read this, so get ready for more compliance challenges in the future.

So, what do you think?  Will this change how companies implement tracking cookies in their websites?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Illinois Court Says Biometric Fingerprint is Violation of Privacy, Even Without Injury: Data Privacy Trends

With Legaltech® behind us, it’s time to get back to covering interesting news items.  On January 25, the Illinois Supreme Court rejected an argument from a popular theme park that would have limited a state law that requires consent for the use of facial recognition and other biometrics.

According to The Verge (Crucial biometric privacy law survives Illinois court fight, written by Russell Brandom), Illinois’ Biometric Information Privacy Act (or BIPA), passed in 2008, requires affirmative consent for companies to collect biometric markers from their customers, including fingerprints and facial recognition models. The law has become a sticking point for a number of tech companies using facial recognition as a photo-sorting tool, and both Facebook and Google have faced lawsuits for alleged BIPA violations in their photo-tagging products. Facebook has pushed for legislative revisions to the law on several occasions, but so far unsuccessfully.

The January ruling involved Six Flags, which allegedly fingerprinted a 14-year-old visitor without parental approval. Contesting the case, Six Flags argued it couldn’t be held liable unless the plaintiff demonstrated a tangible injury from the unauthorized collection, often a difficult task in privacy lawsuits. If successful, Six Flags’ argument would have significantly limited BIPA’s power and made facial recognition much easier for companies like Facebook and Google.

But the Illinois Supreme Court was ultimately unconvinced by the argument, ruling that “a person need not have sustained actual damage beyond violation of his or her rights under the Act.” In Illinois, businesses that collect biometric data will have to do so carefully, which the court took to be a reasonable intent of the law itself. “Whatever expenses a business might incur to meet the law’s requirements,” the ruling reads, “are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

The ruling has been met with cheers from privacy groups, like the Electronic Frontier Foundation, but some business groups, like the Illinois Chamber of Commerce, expressed concern over the ruling, saying “We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health”.  With the General Data Protection Regulation (GDPR) going into effect last year, the California Consumer Privacy Act (CCPA) passed and set to go into effect next year, and case law rulings like the SCOTUS ruling in Carpenter v. US, I’ve been saying that 2018 was the year of data privacy.  It doesn’t seem to be slowing down any in 2019.

So, what do you think?  Do you think we’re going too far on enforcing data privacy or do you think that rulings like this are appropriate?  Please share any comments you might have or if you’d like to know more about a particular topic.


Judge Suggests That “Bone-Crushing” Discovery is Needed to Explore Extent of Facebook Breach: Cybersecurity Trends

Remember the latest Facebook breach – the one from September of last year that exposed 50 million accounts?  I say “latest” because you have to differentiate these days.  Well, naturally, that breach spawned several lawsuits.  And, the judge presiding over those suits indicated that he will allow Facebook users “bone-crushing” discovery in those lawsuits, saying he’s sympathetic to users’ concerns and that’s worth “real money” — not just “some cosmetic injunctive relief.”

According to LAW360 (Alsup Wants ‘Bone-Crushing’ Discovery Into Facebook Breach, by Dorothy Atkins, subscription required), U.S. District Judge William Alsup said Facebook users don’t know how badly they’ve been harmed yet and he sees the “real anxiety and harm” to individuals who are going to be worried for the rest of their lives that their personal information and pictures were stolen off of the social media platform.

“That is a real problem that is worth money, not just a security package from Equifax,” he said, adding that the amount at stake is a “serious proposition” for Facebook if found liable.

While Facebook’s attorney indicated that it appears that the hackers only took users’ names and email addresses, Judge Alsup appeared skeptical, saying repeatedly that he’s going to allow their attorneys to take “bone-crushing discovery” to find out if that is true.

“I’ve seen too many defendants that say that and … another good lawyer gets in there, with bone-crushing discovery, and we find out it’s not true,” he said.

Judge Alsup added that many Facebook users post highly personal information on the site, and it doesn’t make sense that hackers would only steal a user’s name and email address when they could also take photos and other more sensitive information.

Facebook announced last September that hackers accessed approximately 50 million accounts from July 2017 through September 2018 by exploiting a vulnerability in Facebook’s code through its “View As” feature, which enabled the hackers to steal access tokens — digital keys that allow users to stay logged into Facebook without having to repeatedly re-enter passwords — that the attackers could then use to take over accounts, according to the company.

Judge Alsup also expressed his own frustrations with serving as a federal judge in a digital age, noting that U.S. marshals are currently trying to figure out how to protect the home addresses of federal judges. He also said a hacker recently stole his identity and posed as him online, posting a blog about the now settled, high-profile Waymo v. Uber trade secrets dispute, which Judge Alsup presided over.

“I think most people realized it wasn’t really me,” the judge said.

Whether that’s true or not, it’s clear Judge Alsup is going to have high expectations regarding discovery related to the breach.

So, what do you think?  Will Facebook face “real money” payouts or “some cosmetic injunctive relief”?  And, what about European interests and GDPR possibly yet to come?  Please let me know your thoughts or if you have a topic that you’d like to suggest.
