By Nicolas Dufour | Dec 2, 2016 | Privacy Summary
Judge’s Ruling Puts Statute of Limitations on CFPB Enforcement Actions
The November 3rd ruling in PHH Corporation v. CFPB will have substantial implications for the CFPB’s authority “to enforce Federal consumer financial protection laws and the Consumer Financial Protection Act (CFPA) prohibition of unfair, deceptive, or abusive acts or practices (UDAAP).” The judge ruled that not only is CFPB’s “single-director-removable-only-for-cause structure” unconstitutional but also that the agency’s administrative enforcement actions are under a three-year statute of limitations (SOL). As a result of this decision, the CFPB may exercise its authority by fast tracking enforcement matters and focusing more on violations of Federal consumer financial protection laws with a SOL of less than three years.
Possible CFPB Effects from the Presidential Election
On November 9th, Republican candidate Donald Trump was elected to be the 45th President of the United States. As a result, his election may have an effect on the Consumer Financial Protection Bureau (CFPB), which is negatively perceived by the Republican Party. According to the party’s platform, “the worst of Dodd-Frank is the Consumer Financial Protection Bureau, deliberately designed to be a rogue agency. If the Bureau is not abolished, it should be subjected to congressional appropriation.” Several scenarios could occur during Trump’s presidency, including: • Abolishment of the CFPB; • Appointment of a CFPB director who would rescind or modify existing CFPB regulations and cease attempts to promote new consumer protections; and • Congress shifting the CFPB to a commission structure with a maximum of three members from the same political party.
FTC Consumer Background Check Guidelines
On November 28th, the Federal Trade Commission (FTC) published an article about consumer background checks when renting an apartment. The FTC recommends that consumers: (i) Check credit reports before applying for an apartment in order to fix any errors beforehand; (ii) Give the landlord correct personal information; and (iii) Provide the landlord personal information about any criminal history or housing court actions.
The Gainesville Sun reported that a Plaintiff won a $3.6 million verdict against First Advantage Background Services over violations of the FCRA.
New California Statute Limits Use of Choice of Law and Choice of Forum Provisions in Employment Contracts
On September 25, the State of California amended the California Labor Code with Section 1925, which limits an employer’s ability to include a choice of law or choice of forum provision in a California employee’s employment contract if the provision applies the law or forum of another jurisdiction. The new statute shall apply to contracts entered into, modified, or extended on or after January 1, 2017. Section 1925 states that an “employer shall not require an employee who primarily resides and works in California, as a condition of employment, ” “to adjudicate outside of California a claim arising in California” or lose “the substantive protection of California law with respect to a controversy arising in California.” There is an exception to the restrictions imposed by Section 1925. A choice of law or choice of forum provision identifying another jurisdiction may be included in an employment contract if the employee “is in fact represented by legal counsel in negotiating the terms of an agreement to designate either the venue or forum in which a controversy arising from the employment contract may be adjudicated or the choice of law to be applied.” If an improper choice of law or choice of forum provision is included in an employment contract, it is “voidable by the employee” and any matter concerning the application of such a provision “shall be adjudicated in California and California shall govern the dispute.” In any adjudication (whether it is litigation or arbitration) concerning the enforcement of the choice of law or choice of forum provision, the employee may be awarded the reasonable attorney’s fees he/she incurs in enforcing his/her rights, as well as injunctive relief.
UK Government to implement the GDPR
The UK Government announced that it would implement the GDPR agreement despite the vote to leave the European Union.
GDPR Contracting Requirements
On October 28th, Fieldfisher published a blog post about the impact that the General Data Protection Regulation (GDPR) will have on global privacy contracting. According to the article, “The GDPR sets out an ambitious and prescriptive list of requirements that must be included in data processing contracts.” Specifically, the GDPR requires that data processors: • Not subcontract without consent; • Ensure that every individual that processes data is “under a contractual or statutory duty of confidence”; • Ensure that the rights of data subjects are protected; • Notify data breaches to the data controller; and • Delete or return personal data once its services are completed, among other things. In response to these new requirements, the author argues that the service providers that can boast the most compliance with the GDPR’s requirements will be the most successful in the data processing market. Furthermore, the article states that these requirements will not just impact the European Union, as companies generally process data originating all over the world.
French Digital Rights Group Challenges EU-US Privacy Shield
On October 25th, the French digital rights group La Quadrature du Net filed a lawsuit against the European Commission’s decision which implemented the EU-US Privacy Shield. La Quatdrature’s goal is to abolish the Commission’s decision that Privacy Shield provides sufficient protection under European Union (EU) law when the private information of EU citizens is transferred to the United States for processing. Transatlantic commerce is worth approximately $260 billion and is dependent on the transfer of data that Privacy Shield provides. Since La Quadrature is a campaign body as opposed to a group of individuals with personal privacy rights to defend, it may face the uphill battle of proving that Privacy Shield is of “of direct and individual concern to it.”
Privacy Shield Challenge
On October 27th, the privacy organization Digital Rights Ireland (DRI) filed a legal challenge against the European Union (EU) – United States (U.S.) Privacy Shield Agreement. DRI filed its motion with the European General Court seeking “an annulment, ” arguing that the Privacy Shield fails to sufficiently protect user privacy. The European Commission (EC) responded, stating, “We don’t comment on ongoing court cases. As we have said from the beginning, the Commission is convinced that the Privacy Shield will live up to the requirements set out by the European Court of Justice which has been the basis for the negotiations.” The U.S. Department of Commerce also responded to the challenge, writing, “The United States stands behind the Privacy Shield Framework and the critical privacy protections it affords individuals in furtherance of supporting robust transatlantic commerce and is ready to explain our safeguards and limitations if necessary.”
German Privacy Sweeps Target 500 firms’ Cloud Transfers
On November 7th, data protection authorities in 10 of 16 German federal states coordinated privacy sweeps to assess businesses’ transfer of personal data to cloud services based outside of the European Union (EU). The data protection authorities presented 500 randomly selected companies with a questionnaire that asked them about their employee and customer data transfers to third countries, especially to the United States (US). The types of services that were highlighted included office apps, cloud storage, email and other communications platforms, customer service ticketing and support systems, and risk management and compliance systems. Companies that conducted such transfers were asked to explain what legal grounds they were using for such transfers, with options ranging from standard contractual clauses and consent, to the EU-U.S. Privacy Shield agreement. The purpose of the investigations was to “get a view about the situation in the market on the one hand, and to increase awareness of the businesses regarding the necessity of using legal grounds for transfers of personal data to third countries.”
China’s New Cybersecurity Law
On November 7th, China passed a new cybersecurity law entitled, the “Network Security Law” which is intended to protect personal information as a civil right and to improve China’s cybersecurity measures. The data localization requirement of the law forces businesses that operate “key information infrastructure” to store all personal information within China, and Chinese officials must approve any transfer of data outside of China. These restrictions apply to any business where the loss of data would jeopardize national security or public interest, including communications, transportation, finance, energy, and electronic government. The effects of the law may damage China’s relationships with multinational businesses, as many foreign companies object to the crossborder data-flow restrictions.
EU – US Data Transfer Protections
On November 24th, the European Parliament announced support from the Civil Liberties Committee for the Umbrella Agreement, which will guarantee new standards for data transfer protections of criminal records between law enforcement from the European Union (EU) and United States. In addition to providing regulatory standards and setting limits on data retention periods, the Umbrella Agreement ensures that European and American citizens will have the right to: (i) Be informed of data security breaches; (ii) Correct inaccurate information; and (iii) Seek judicial redress.
France Adopts Class Action Regime for Data Protection Violations
On November 19, 2016, the French government enacted a bill creating a legal basis for class actions against data controllers and processors resulting from data protection violations. The bill establishes a general class action regime and includes specific provisions regarding data protection violations.
Symantec will Acquire Lifelock
On November 21st, Symantec announced that in order to boost its consumer security business it will acquire identify protection firm Lifelock in a $2.3 billion acquisition deal. According to Symantec’s Chief Executive Officer Greg Clark, the company seeks to provide comprehensive cyber defense for consumers as the consumer security industry shifts from malware protection to broader concerns about digital safety for users. The deal is expected to close in the first quarter of 2017 and will be subject to regulatory approval.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or email@example.com.