Posted on

Swiss-US Privacy Shield

In July, we reported that the EU Court had invalidated the viability of the US-EU Privacy Shield (EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!).  A few weeks ago (September 8, 2020), the Swiss Federal Data Protection and Information Commissioner (FDPIC) also decided to remove the United States from a list of nations that are considered to be providing “adequate level of data protection.”

Unlike the EU Court’s decision, decision by the Swiss FDPIC does not automatically invalidate the applicability of the Privacy Shield, because the list of countries on or off the list is technically not legally binding. That said, if your company is relying on the Swiss-US Privacy Shield to continue to transfer data from Switzerland to the United States, it would not be prudent to assume these transfers will continue to be viewed as complying with the adequate protection standards under Swiss law.  It seems to make sense to re-assess the risks and start relying on corporate policies and regulations, as well as legally binding contract clauses to ensure they are consistent with Swiss data protection law.

Even when the company policies and contract provisions are properly constructed, there still remains the risk that even these protections may be considered inadequate.  For example, if local authorities have the right to obtain the data without safeguards and legal protections consistent with those required under Swiss regulation, the transfer may be considered in contravention of Swiss law.  Similarly, if the entity to which the data is being transferred is not legally obligated, for any reason, to cooperate with the enforcement requirements that may apply under Swiss law this too creates a problem.  While encryption technology exists that can ensure no personal data can become available in another country, that approach only makes sense for pure storage capability (e.g., cloud based storage) but NOT if the data is intended to be used, displayed or otherwise handled in another nation.

While further guidance and information may ultimately be promulgated by the FDPIC, at present, a review of current procedures and data transfers, the exercise of caution and consideration of implementing additional steps to deal with this development in Switzerland, as with the EU Court decision, seems to be a prudent course of action.

At Rimon Law, our professionals are available to answer question about these developments, so feel free to contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work for information about this or any other matters.

Posted on

EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!

Today (July 16, 2020), the EU Court of Justice, (the EU’s highest court) struck down the validity of the Privacy Shield – a mechanism that well over 5,000 U.S. companies have been using and relying upon in order to legally justify the transfer of personal data across the Atlantic into the US.  This same court had previously invalidated the “Safe Harbor” protocol, concluding the Safe Harbor failed to adequately protect privacy rights of EU citizens, since it accorded law enforcement in the United States priority over the rights of EU citizens – permitting law enforcement virtually unrestricted access to the data.

This new case began when Max Schrems, an Austrian privacy advocate, complained to Irish data protection regulators that Facebook’s reliance on standard contract clauses to permit data being transferred from the European Union to the United States did not provide adequate protection. Schrems argued that it didn’t prevent intelligence officials and other third parties in the United States from getting at the information. The Commissioner at the Irish Data Protection Authority took the complaint to Ireland’s high court and they referred certain questions regarding the validity of standard contractual clauses to the EU Court of Justice. Although Schrems’ complaint never raised the Privacy Shield issue, it was raised in oral argument before the court, opening the door for the court to include it in their opinion and decision.

While the European Court invalidated the Privacy Shield, it didn’t buy Schrems’ argument that standard contractual clauses should be deemed invalid as a matter of EU law or regulation. They basically said that standard contract clauses could be among the “effective mechanisms” if they required both sides involved in the transfer to ensure information is accorded the equivalent level of protection as required under EU law. They went on to note that the parties should not use those clauses if they can’t comply with that requirement.

As a result, while neutering the Privacy Shield, they did uphold the validity of the use of standard contractual clauses to legally move personal information outside the European Union, if these clauses were effective in providing the same level of privacy protection as the EU requires.

The case is Between the Data Protection Commissioner and Facebook Ireland Ltd. and Maximillian Schrems (Case Number C-311/18) and as always, if you have any questions or need more information about this posting, feel free to contact me, Joe Rosenbaum, or any of the lawyers at Rimon with whom you regularly work.

Posted on

Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation

For those of you interested and available, on Thursday, April 23rd at 1 PM ET, Joe Rosenbaum, NY Partner at Rimon Law and chair of Rimon’s Global Alliance will be conducting a one hour seminar entitled Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation touching on some of the current issues in marketing, privacy, public relations, cybersecurity & reputation management arising from the COVID-19 pandemic.

While the issues raised may well apply in many crisis situations, now, more than ever, as increased numbers of people are working, schooling and playing at home or at other remote locations, the value of online and mobile advertising and promotions has increased substantially. At the same time, the amounts of information being made available by people scrambling for information, trying to keep up with breaking news, and signing up for online, digital services and information, present legal challenges for compliance with both old and newly enacted privacy and data protection regulation. Not coincidentally, online and mobile scammers are seeking to capitalize on the growing number of inexperienced web surfing consumers and cyber criminals are using the opportunity to capture valuable personally identifiable as a result of lax or relaxed security measures. The inaccurate perception that strong security may be an obstacle to utility or speed and simply the increased number of inexperienced users accessing the Internet, provide fertile ground for exploitation. What you should know? What you can do? What you should be telling your clients and employees? What can we all do to help?

To register simply go to REGISTER: Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation

The course is open to lawyers and non-lawyers, is approved for New York bar members who are eligible for 1 CLE credit per course through NY’s Approved Jurisdiction Policy and approved by the California State Bar for 1 hour of CLE credit.  Most other states recognize CA accredited courses and if you would like credit in any other state, please check your local state bar’s regulations.

Posted on

Global Social Media Handbook

I am proud to be among the 22 legal professionals, including 7 of my colleagues at Rimon, who contributed and co-authored a new book entitled Handbook on Global Social Media Law for Business Lawyers, published by ABA Publishing. This comprehensive work, sponsored by the Business Law Section of the American Bar Association, was co-edited by Valerie Surgenor, a partner in the Glasgow, Scotland, law firm MacRoberts LLP and John Isaza, my friend and partner here at Rimon, P.C.   Although principally focused on the United States, there are contributions from foreign lawyers in key regions around the world, including Canada, the European Union, Australia, Russia and Asia.

The Handbook deals with national and international law principles and emerging issues related to social media law, ethics, compliance and governance, including cybersecurity, cyber terrorism and risk management in a social media environment (e.g., hacking, corporate espionage, data loss and data breach); intellectual property issues in social media;  defamation, “fake news” and social media;  implementation of a social media crisis plan; use of social media as a tool in recruitment of employees and the privacy implications to employers;  promotional, endorsement and social media disclosure guidelines promulgated by the Federal Trade Commission in the US; and recent trends in UK and European social media legislation and regulation.  There is a separate chapter that discusses information and records management within the context of social media.

If you are interested, you can order a copy directly from the ABA (Handbook on Global Social Media Law for Business Lawyers) and of course, if you need more information or want to discuss your particular requirements with knowledgeable and experienced professionals, feel free to reach out to me, Joe Rosenbaum, or to any of the lawyers at Rimon with whom you work with regularly.

 

Posted on

First Joint Consultations May Foreshadow Effectiveness of Privacy Shield

–  Stephen Díaz, Partner, Rimon, P.C. &  Claudio Palmieri, Of  Counsel Rimon, P.C. (Principal, Studio Legale Palmieri –Rimôn Italia)

On October 6, 2015, the Court of Justice of the European Union invalidated the so-called “Safe Harbor” that previously governed data transfers between the U.S. and the EU (Case C-362/14 – Maximillian Schrems v. Data Protection Commissioner, 6 October 2015).

As you already know if you read our Legal Bytes’ posting in May concerning the US-EU Data Transfer Privacy Shield, personal data cannot be transferred to from the EU to a non-European Union/European Economic Area country, unless that country can ensure “adequate levels of protection” for such personal data. While the European Commission had identified a number of countries that met the ‘adequate protection’ test, the United States was not one of them and without the Safe Harbor understandings, transatlantic exchanges of data – both for commercial and national security reasons – were at risk of being non-compliant with EU regulations!  In an attempt to temporarily address the data transfer issues, the EU and the U.S. proposed a new framework for exchanges of personal data for commercial purposes, known as the EU-U.S. Privacy Shield (“Privacy Shield”) which was formally launched on July 12, 2016.

Further complicating matters, a new EU General Data Protection Regulation (GDPR) comes into effect on May 25, 2018.    In furtherance of a formal and more permanent agreement under the Privacy Shield and in contemplation of the new regulations, representatives of the U.S. and the EU have announced they will meet in Washington, DC during the week of September 18, 2017, for the first Annual Review of the Privacy Shield.  In advance of the meeting, the EU’s official Working Group (WP 29) sent the European Commission their recommendations and consistent with previous pronouncements, they believe the meeting should focus on enforcement of rights and obligations, as well as changes in U.S. law since the adoption of the Privacy Shield.  WP29 recommended discussions focus on these issue and that any formal agreement must deal with both commercial, as well as law enforcement and national security access.

These concerns and considerations are explored in more detail in our full Client Alert: No Certainty in Future of Privacy Shield as Transatlantic Consultations Set to Begin and it is clear that the September consultations may well be an indication of whether the Privacy Shield will prove an adequate regulatory regime for the transatlantic transfer of personal data and whether meaningful progress is likely in the current environment.

If you would like more information, a better understanding or need guidance regarding compliance with these regulations, contact Stephen Díaz Gavin, a Rimon Law Partner based in Washington, DC or Claudio Palmieri is of counsel to Rimon, P.C. and the principal of Studio Legale Palmieri –Rimôn Italia in Rome, Italy. Of course you can always contact me, Joe Rosenbaum, or any of the lawyers at Rimon with whom you regularly work.

 

Posted on

Missing Children, Genetics & the Law

As I mentioned in my Legal Bytes post a few weeks ago (Forensic DNA and Missing Children: The Legal & Ethical Issues), I had the honor and privilege of being a featured speaker on 25th of May 2017 – International Missing Children’s Day – at this year’s conference for Missing Children and Genetic Identity, organized and chaired by Patrícia Cipriano, President of the Portuguese Association for Missing and Exploited Children [Associaçāo Portuguesa de Crianças Desaparecidas] held at Lusófona University in Lisbon.

Featuring expert investigators, law enforcement, geneticists and forensic scientists, the conference explored how tough police work, forensic science, government legislators, judges and lawyers can work more effectively and cooperatively within and across national borders.  It also reminded us that DNA kits and learning aides for use by parents, coupled with greater educational efforts and more timely reporting, can help save children’s lives and futures.

The conference was attended by notable dignitaries, including Charlie Hedges, Police Expert, Missing Children and European Alert Coordinator for Amber Alert Europe, Professor Maria do Carmo Fonseca, President of the Institute of Molecular Medicine, Professor Maria do Ceu Machado, President of Infarmed, members of Portuguese Assembly of the Republic , senior law enforcement and forensic scientists with closing remarks delivered by His Excellency Dr. Fernando Negrão, a jurist and former Minister of Social Security, Family and Children, Minister of Justice, director general of the Judicial Police and chairman of the Board of Directors of the Institute of Drugs and Drug Addiction.

The conference highlighted the work being done in Portugal and, of course, the work that still needs to be done.  You can read and download the Conference Agenda & Brochure (Lisbon, PT) and feel free to take a look at my presentation Missing Children – Missing Opportunities, Legal Obstacles in our DNA (Rosenbaum) right here on Legal Bytes.

As always, f you would like to know more about this post, the conference, or the topics discussed at the conference, feel free to contact me, Joe Rosenbaum.

 

 

Posted on

Forensic DNA and Missing Children: The Legal & Ethical Issues

Since 1983, when the day was designated by U.S. President Ronald Reagan as National Missing Children’s Day in the United States and spreading internationally through the Global Missing Children’s Network (GMCN), May 25th has been celebrated as International Missing Children’s Day.  GMAC is a jointly sponsored venture of the U.S. National Center for Missing & Exploited Children (NCMEC) and the International Centre for Missing & Exploited Children (ICMEC),  that focuses on educating parents on steps they can take in protecting their children, as well sharing best practices and information in investigating cases of child abduction, trafficking and illegal adoptions.

This year, I have the distinct privilege and great honor of speaking at the conference for Missing Children and Genetic Identity, organized by the Portuguese Association for Missing and Exploited Children [Associaçāo Portuguesa de Crianças Desaparecidas] and sponsored by Genomed, to be held at Lusófona University in Lisbon on the 25th of May 2017 – International Missing Children’s Day.

The conference will explore the connection between modern genetics and forensic science and on national and international efforts to aide investigations of missing and abused children.  The legal and ethical issues surrounding DNA collection and use, the pros and cons of storing DNA samples and maintaining a database of digital DNA ‘fingerprints’ as well as other bio metric information from individuals – convicted criminals, arrested individuals, victims, family members and even the general public – continues to be hotly debated on the national and international level throughout the world.  In addition to issues of privacy and security, the use and potential abuse of genetic and other bio metric evidence, whether to exonerate individuals or convict guilty individuals, is not just complicated, it is inconsistent across jurisdictional borders.  Sharing of critical information that may help identify a child or investigate a missing person, whether or not a crime may have been committed, is neither assured nor routine – despite the obvious benefits a regulated and carefully constructed information sharing system might be to family members, law enforcement and the forensic scientific community.

The conference, one of many throughout  the world on May 25th, will attract distinguished guests and provide a forum for discussion and shine a much needed spotlight on the legal and ethical challenges and opportunities at the intersection of science, law and law enforcement. I will publish a copy of my presentation and remarks after the conference concludes, but if you would like to know more about the conference, feel free to contact me, Joe Rosenbaum, or the organizers directly.

 

Posted on

US-EU Data Transfer Privacy Shield

Being referred to by the European Union as the most important change in data privacy regulation in 20 years, the new EU General Data Protection Regulation (GDPR) comes into effect on May 25, 2018.  There is even a ‘countdown’ clock on the website and under the GDPR, “Personal Data” means information relating to an identified or identifiable natural person (including email addresses, telephone numbers, addresses and IP addresses).   While the European Commission has determined a number of countries already meet the ‘adequate protection’ test, the United States is not one of them!

As most readers of Legal Bytes already know, personal data cannot be transferred to from the EU to a non-European Union/European Economic Area country, unless that country can ensure “adequate levels of protection” for such personal data.

As background, in July of 2016, a new framework for the movement of personal data between the EU and the US was finalized – EU-U.S. and Swiss-U.S. Privacy Shield Frameworks – which was put into place in an effort to meet the requirements of the EU Data Directive.   However, critics noting the holes in that framework, have generated increasing concern as the 2018 effective date of the new EU GDPR approaches.   A few months ago, immediately following the inauguration ceremony, President Trump issued United States’ Executive Order 13768 (January 25, 2017) that has created even greater concern.  While it is possible a new or refined agreement and framework may be put into place in the months leading up to 2018, there is no certainty.

What do you need to know? What should you consider doing now?   My colleague Jill Williamson has written an article which has been published in Risk & Compliance Magazine, entitled “The Fragile Framework of the Privacy Shield“.   If you want to know more about the privacy and data protection implications of the new framework, its potential risks to your business and what you should be considering as you look to the future, feel free to contact Jill Williamson directly.  Of course, you can always contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

Posted on

Legal Bytes – A New Beginning

A long time ago in a galaxy far, far away……  oops, wrong beginning.

Welcome to the new Legal Bytes blog.  As many of you know, my Legal Bytes blog has been dormant after my recent transition to Rimon, P.C..  Getting set up, ensuring smooth transitions for clients, enhancing the look and feel of the blog has taken a longer than I hoped, but hopefully the bugs are out of the system and it’s now up to me to try my best to make the new Legal Bytes blog worth the wait.  For newcomers, buckle your seatbelts – this isn’t your ordinary legal blog!

What happened? Why does it matter? How does or could it affect you?  Inquiring minds always want to know and in the process of trying to answer those questions for you, I will always try to illuminate and perhaps also entertain you.   In the coming months I’ll entice you into regular readership, enlighten you with timely content, addict you with my trivia contests, entice you to keep in touch and most of all, try to help you better understand how developments in the law and regulation may affect you.

I intend to continue Light Bytes, with interesting quotes and sayings that pique my interest and hopefully yours.  Of course, there was never a question about my trivia contests. After all, who else but a lawyer could call it “Useless But Compelling Facts”?  We have once again made arrangements with the International Law Office (ILO) based in London. I am privileged to have been re-appointed as Editor and exclusive content coordinator for their U.S. Media, Marketing, Sports & Entertainment Newsletter.  Although there will be content you will see exclusively in the ILO newsletter, you may also see many of our Legal Bytes articles re-purposed and ‘internationalized’ in collaboration with much appreciated work of the ILO editorial staff.  I am again excited to be working with such a valued organization and truly great people – shout out to Carolyn Boyle, my Editorial contact.

Want to know what’s on my radar for the year ahead – I won’t spoil all the surprises, drone on about drones, nor will I keep my head in the clouds or the crowds.  I am fascinated by the legal implications of the Internet with Things (yes, I replaced ‘Of’ with “With”).  I’m also concerned about cybersecurity and data protection.   I am intrigued by the growing robustness of augmented reality, which means I don’t have to walk around with those funny goggles or a digital scuba mask to experience the virtual world.  Mobile technology is transforming our world – making digital content, e-commerce and communication available to billions of people that had previously never seen a television, had a bank account or used a telephone.  I would be remiss not to mention social media – maturing and increasingly commercialized – further blurring the distinctions between information, entertainment and advertising; between me as an individual and an employee; between me at play and at work; and between my trademarks and my reputation; and between my insatiable desire to tell the world and my seemingly paradoxical concern over my privacy!

It is a brave new world – so much to know and so much to keep up with.

So stay tuned, and as always, thank you for reading.

Posted on

The Paradox of Illumination

I first heard about the paradox of illumination from Lee Loevinger, an extraordinary gentleman I was privileged to know professionally.  Lee was a multi-faceted, multi-talented, thought-provoking lawyer whose sage advice and stimulating ideas continue to resonate with those honored to have known him, and everyone else wise enough to read his work and the words he left behind.

In a nutshell, the paradox of illumination is extraordinarily complex, but simple to describe.  Much like Albert Einstein who, when asked about his theory of relativity and the notion that time is not constant, described it in personal terms: if a man is at dinner for 10 minutes with a beautiful woman, it seems like a fleeting instant; but sit on a burning hot stove for 10 minutes and it seems like an eternity :).

The paradox of illumination can similarly be described on a personal level.  Sit in completely dark room.  Really.  Completely dark.  What can you see?  Nothing.  You know little about your surroundings and can only sense your own body – in fact, you don’t even know how far your surroundings extend beyond your immediate sensations.

Now light a match.  The circle of illumination allows you to see a little of what is around you – but the perimeter and beyond are still dark.  Now light a candle.  The circle of what you can see illuminated by the light is larger than before, but the size of the perimeter beyond which you cannot see is also a lot larger than before.  The larger the light, the larger the area of illumination, but larger by far is the perimeter beyond which we know nothing.

The more we can see and the more we know and understand about the world around us, the larger the amount becomes that we don’t know.  In other words, as the circle of our knowledge grows, so does the amount of knowledge we cannot see and don’t know.  The paradox of illumination is the paradox of knowledge.  Perhaps that is why Michelangelo, when he was more than 87 years old, still said, “Ancora Imparo” (I am still learning).