First Joint Consultations May Foreshadow Effectiveness of Privacy Shield

– Stephen Díaz, Partner, Rimon, P.C. & Claudio Palmieri, Of Counsel, Rimon, P.C. (Principal, Studio Legale Palmieri – Rimôn Italia)

On October 6, 2015, the Court of Justice of the European Union invalidated the so-called “Safe Harbor” that previously governed data transfers between the U.S. and the EU (Case C-362/14 – Maximillian Schrems v. Data Protection Commissioner, 6 October 2015).

As you already know if you read our Legal Bytes’ posting in May concerning the US-EU Data Transfer Privacy Shield, personal data cannot be transferred from the EU to a non-European Union/European Economic Area country, unless that country can ensure “adequate levels of protection” for such personal data. While the European Commission had identified a number of countries that met the ‘adequate protection’ test, the United States was not one of them and without the Safe Harbor understandings, transatlantic exchanges of data – both for commercial and national security reasons – were at risk of being non-compliant with EU regulations! In an attempt to temporarily address the data transfer issues, the EU and the U.S. proposed a new framework for exchanges of personal data for commercial purposes, known as the EU-U.S. Privacy Shield (“Privacy Shield”), which was formally launched on July 12, 2016.

Further complicating matters, a new EU General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. In furtherance of a formal and more permanent agreement under the Privacy Shield and in contemplation of the new regulations, representatives of the U.S. and the EU have announced they will meet in Washington, DC during the week of September 18, 2017, for the first Annual Review of the Privacy Shield. In advance of the meeting, the EU’s official Working Group (WP29) sent the European Commission its recommendations and, consistent with previous pronouncements, it believes the meeting should focus on enforcement of rights and obligations, as well as changes in U.S. law since the adoption of the Privacy Shield. WP29 recommended that discussions focus on these issues and that any formal agreement must deal with commercial access, as well as law enforcement and national security access.

These concerns and considerations are explored in more detail in our full Client Alert: No Certainty in Future of Privacy Shield as Transatlantic Consultations Set to Begin and it is clear that the September consultations may well be an indication of whether the Privacy Shield will prove an adequate regulatory regime for the transatlantic transfer of personal data and whether meaningful progress is likely in the current environment.

If you would like more information, a better understanding or need guidance regarding compliance with these regulations, contact Stephen Díaz Gavin, a Rimon Law Partner based in Washington, DC, or Claudio Palmieri, who is of counsel to Rimon, P.C. and the principal of Studio Legale Palmieri – Rimôn Italia in Rome, Italy. Of course you can always contact me, Joe Rosenbaum, or any of the lawyers at Rimon with whom you regularly work.

Forensic DNA and Missing Children: The Legal & Ethical Issues

Since 1983, when the day was designated by U.S. President Ronald Reagan as National Missing Children’s Day in the United States and spreading internationally through the Global Missing Children’s Network (GMCN), May 25th has been celebrated as International Missing Children’s Day. GMCN is a jointly sponsored venture of the U.S. National Center for Missing & Exploited Children (NCMEC) and the International Centre for Missing & Exploited Children (ICMEC) that focuses on educating parents on steps they can take in protecting their children, as well as sharing best practices and information in investigating cases of child abduction, trafficking and illegal adoptions.

This year, I have the distinct privilege and great honor of speaking at the conference for Missing Children and Genetic Identity, organized by the Portuguese Association for Missing and Exploited Children [Associação Portuguesa de Crianças Desaparecidas] and sponsored by Genomed, to be held at Lusófona University in Lisbon on the 25th of May 2017 – International Missing Children’s Day.

The conference will explore the connection between modern genetics and forensic science, and national and international efforts to aid investigations of missing and abused children. The legal and ethical issues surrounding DNA collection and use, the pros and cons of storing DNA samples and maintaining a database of digital DNA ‘fingerprints’ as well as other biometric information from individuals – convicted criminals, arrested individuals, victims, family members and even the general public – continue to be hotly debated on the national and international level throughout the world. In addition to issues of privacy and security, the use and potential abuse of genetic and other biometric evidence, whether to exonerate individuals or convict guilty individuals, is not just complicated, it is inconsistent across jurisdictional borders. Sharing of critical information that may help identify a child or investigate a missing person, whether or not a crime may have been committed, is neither assured nor routine – despite the obvious benefits a regulated and carefully constructed information sharing system might bring to family members, law enforcement and the forensic scientific community.

The conference, one of many throughout the world on May 25th, will attract distinguished guests and provide a forum for discussion and shine a much needed spotlight on the legal and ethical challenges and opportunities at the intersection of science, law and law enforcement. I will publish a copy of my presentation and remarks after the conference concludes, but if you would like to know more about the conference, feel free to contact me, Joe Rosenbaum, or the organizers directly.

US-EU Data Transfer Privacy Shield

Being referred to by the European Union as the most important change in data privacy regulation in 20 years, the new EU General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. There is even a ‘countdown’ clock on the website. Under the GDPR, “Personal Data” means information relating to an identified or identifiable natural person (including email addresses, telephone numbers, addresses and IP addresses). While the European Commission has determined a number of countries already meet the ‘adequate protection’ test, the United States is not one of them!

As most readers of Legal Bytes already know, personal data cannot be transferred from the EU to a non-European Union/European Economic Area country, unless that country can ensure “adequate levels of protection” for such personal data.

As background, in July of 2016, a new framework for the movement of personal data between the EU and the US was finalized – EU-U.S. and Swiss-U.S. Privacy Shield Frameworks – which was put into place in an effort to meet the requirements of the EU Data Directive. However, critics, noting the holes in that framework, have generated increasing concern as the 2018 effective date of the new EU GDPR approaches. A few months ago, immediately following the inauguration ceremony, President Trump issued United States’ Executive Order 13768 (January 25, 2017) that has created even greater concern. While it is possible a new or refined agreement and framework may be put into place in the months leading up to 2018, there is no certainty.

What do you need to know? What should you consider doing now? My colleague Jill Williamson has written an article which has been published in Risk & Compliance Magazine, entitled “The Fragile Framework of the Privacy Shield”. If you want to know more about the privacy and data protection implications of the new framework, its potential risks to your business and what you should be considering as you look to the future, feel free to contact Jill Williamson directly. Of course, you can always contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

The Paradox of Illumination

I first heard about the paradox of illumination from Lee Loevinger, an extraordinary gentleman I was privileged to know professionally.  Lee was a multi-faceted, multi-talented, thought-provoking lawyer whose sage advice and stimulating ideas continue to resonate with those honored to have known him, and everyone else wise enough to read his work and the words he left behind.

In a nutshell, the paradox of illumination is extraordinarily complex, but simple to describe.  Much like Albert Einstein who, when asked about his theory of relativity and the notion that time is not constant, described it in personal terms: if a man is at dinner for 10 minutes with a beautiful woman, it seems like a fleeting instant; but sit on a burning hot stove for 10 minutes and it seems like an eternity :).

The paradox of illumination can similarly be described on a personal level. Sit in a completely dark room. Really. Completely dark. What can you see? Nothing. You know little about your surroundings and can only sense your own body – in fact, you don’t even know how far your surroundings extend beyond your immediate sensations.

Now light a match.  The circle of illumination allows you to see a little of what is around you – but the perimeter and beyond are still dark.  Now light a candle.  The circle of what you can see illuminated by the light is larger than before, but the size of the perimeter beyond which you cannot see is also a lot larger than before.  The larger the light, the larger the area of illumination, but larger by far is the perimeter beyond which we know nothing.

The more we can see and the more we know and understand about the world around us, the larger the amount becomes that we don’t know.  In other words, as the circle of our knowledge grows, so does the amount of knowledge we cannot see and don’t know.  The paradox of illumination is the paradox of knowledge.  Perhaps that is why Michelangelo, when he was more than 87 years old, still said, “Ancora Imparo” (I am still learning).

Thought Leadership

Thought leadership is a state of being in which one or more individuals articulate innovative ideas – ideas that stimulate thought and are futuristic or leading-edge.

Thought leadership requires confidence and a willingness to share ideas in the form of insights and principles that inform and guide future considerations.

Thought leadership is often controversial. New or different ideas, like innovative technology, can cause evolutionary change, but can also create disruptive or revolutionary change.

Although not all thought leadership must be actionable, it is often the basis for a re-evaluation of existing pathways, and a guidepost for new roads ahead.

2016 Metamorphosis *

Legal Bytes will soon morph** and undergo a transformation***

Watch For It

*    Metamorphosis: A noticeable change in character, appearance, function or condition.

**    Morph: To undergo dramatic change in a seamless and barely noticeable fashion.

*** Transformation: A marked change in appearance or character, especially for the better.

White House Releases Privacy Report and Calls For a Consumer Bill of Rights

Earlier today, Secretary of Commerce John Bryson and Federal Trade Commission Chairman Jon Leibowitz outlined the Obama administration’s strategy for ensuring “consumers’ trust in the technologies and companies that drive the digital economy.” On the heels of their announcement, and although it is dated January 2012, the Department of Commerce released a long-awaited report entitled “Consumer Data Privacy in a Networked World, A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” the administration’s roadmap for privacy legislation and regulation in the years ahead.

The announcement and privacy blueprint envisions a comprehensive and integrated framework for data protection, rather than the current sector-patchwork-quilt approach, and is comprised of four key pillars: (1) a consumer privacy bill of rights; (2) a multi-stakeholder process and approach dealing with how such a bill of rights would apply in a business context; (3) more effective enforcement; and (4) greater commitment to harmonization and cooperation in the international community.

The Report outlines the seven principles of its proposed Consumer Privacy Bill of Rights and, although calling for legislation and regulation to codify and memorialize these rights, also sets out consumer privacy standards that companies are asked to immediately and voluntarily adopt in a cooperative public-private partnership. These seven principles are:

  1. Individual Control Through Choice
  2. Greater Transparency
  3. Respect for Context
  4. Secure Handling
  5. Access & Correction Rights
  6. Focused Collection
  7. Accountability

The Report notes that a company’s adherence to the voluntary codes will be viewed favorably by the FTC in any investigation or enforcement action for unfair and deceptive trade practices. By implication, a company’s failure to adopt and follow these principles might be used as evidence of a violation of Section 5 of the FTC Act, even if federal legislation is not passed on the subject. The FTC is expected to soon release its Final Staff Report on Consumer Privacy that will be consistent with the Obama administration’s proposed Framework Report. The report reinforces the administration’s commitment to international harmonization, and also touches upon the role state attorneys general in the United States can play. While we are still reviewing the details – and more will likely be forthcoming from the administration in the weeks and months ahead – Legal Bytes will keep you on top of these developments as they arise.

You can read the entire report right here: Consumer Data Privacy in a Networked World, A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.

These are developments that affect all businesses, domestic and multi-national, global and local, consumers and regulators. The complexity and challenges of compliance should not be underestimated, nor should the administration’s commitment to follow the roadmap outlined. Rimon has teams of lawyers who have experience and follow developments in privacy and data protection, from prevention and policy to compliance and implementation. If you want to know more, need counsel, need help navigating, or if you require legal representation in this or any other area, feel free to call me, Joseph I. (“Joe”) Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

Robocop Fights Robocalling

In the 1987 film "Robocop", directed by Paul Verhoeven, a terminally wounded cop returns to the police force as a powerful cyborg, albeit with haunting memories, to fight crime and evil. Fast-forward to 2012 and "robo calling."

One of the government’s main consumer cops, the Federal Communications Commission, has acted to tighten rules regarding the use of so-called "robo calling" (ok, it’s auto-dialing systems). The FCC’s official order has not been released, but the following is clear:

  • Express written consumer consent in advance will be required before using an autodialer or prerecorded message
  • You can no longer rely on an "established business relationship" as an exception to the prior written consent requirement
  • Each robocall must include an automated opt-out mechanism
  • Rules governing abandoned or "dead air" calls will be tightened

When the final regulations and order designating the effective date and detailing precisely how these rules will be applied are released, we’ll bring you the news; but in the meantime, you can read more about the FCC’s action and its thinking right here: FCC Approves Order to Tighten Regulatory Treatment of Robocalls Under the Telephone Consumer Protection Act.

As always, if you need legal or regulatory counsel, call me, Joseph I. ("Joe") Rosenbaum, or any of the lawyers highlighted in the full client alert, or, of course, the Rimon lawyer with whom you regularly work.

Stealing Limelight from Hollywood, California Shines the Light on Privacy

California’s Shine the Light Act, California Civil Code 1798.83, responded to the perceived need for transparency and provides consumers certain rights in connection with how businesses share information about California residents for purposes related to direct marketing. The regulatory team at Rimon has prepared a Rimon Shine the Light Act Reference Guide; and while the Act doesn’t apply to every business, if it does apply, liability may be as high as $3,000 per violation. You can view the entire blog posting on our sister GRE Law Blog.

As always, if you need guidance from lawyers who have experience and resources aligned to deal with these issues, call me, Joseph I. (“Joe”) Rosenbaum; any of the lawyers highlighted in the posting; or, of course, the Rimon lawyer with whom you regularly work.

ICONfusion Creeps Into Interactive Advertising Awareness

Earlier this week, ClickZ reported that the improper use of the Digital Advertising Alliance’s behavioral icon is threatening to dilute the self-regulatory effectiveness of its campaign to educate consumers on the risks of online behavioral advertising, and enable them to make an informed judgment in seeking to control the use of their browsing behavior across multiple websites. Legal Bytes has previously reported the initial development and launch, as well as the growing acceptance of the industry’s self-regulatory efforts (just search us for “behavioral advertising” or follow the links through any of our prior posts – e.g., Self-Regulatory Ad Industry Effort Continues to Drive Forward). While the icon has gained wide acceptance as part of the advertising industry’s self-regulatory initiative (See Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles), using it inappropriately or inaccurately may cause consumers to be more confused, rather than educated.

You might be tempted to argue that if advertising that does not involve behavioral information nonetheless includes the DAA icon, what’s the harm? However, if the objective is to educate consumers about the distinctions in how their information is collected and used by advertisers, agencies, network publishers, browser publishers and others in the interactive ecosystem, confusion fuels the concerns already raised by consumer advocacy groups, regulators and lawmakers alike – and that’s counterproductive.

The good news is that the industry campaign to stimulate adoption of the self-regulatory guidelines and the inclusion of the icon in relevant advertising is gaining momentum – a sign the industry can and will police and regulate itself. Innocent mistakes in the name of compliance are certainly better than abuse or ignorance, so let’s not be too quick to throw stones. That said, as consumers increasingly see the icon and begin to appreciate, and take advantage of, the self-regulatory efforts, it behooves the industry to do a better job of making sure the educational component is consistent and not ICONfusing!

As always, if you need more information about the advertising industry’s self-regulatory initiative, advice regarding compliance, or legal help in understanding the dynamic and ever-changing environment of online and mobile interactive advertising, marketing and privacy, call me, Joseph I. (“Joe”) Rosenbaum, or any of the Rimon attorneys with whom you regularly work – our lawyers deal with these issues every day.