Federal Developments
FTC- Data Breach Guidance
On October 25th, the Federal Trade Commission (FTC) released a video and guide for businesses about how to respond to data breaches. According to the guide, one of the first things businesses should do in the event of a breach is to “take all affected equipment offline right away.” However, the FTC says to “be careful not to destroy evidence. Monitor all access points to your system. If a hacker stole credentials, you’ll need to change those credentials too, even if you’ve removed the hacker’s tools.” The FTC also says that business should notify law enforcement, the Federal Bureau of Investigations, or the Secret Service. Businesses should also notify any banks that have potentially affected accounts. The FTC encourages businesses to promptly notify all potentially affect consumers “so they can take steps to protect their information.”
https://www.ftc.gov/news-events/press-releases/2016/10/what-do-when-you-suspect-data-breach-ftc-issues-video-guide
Background Screening
On September 29th, The White House announced that the National Background Investigations Bureau (NBIB) has appointed Charles Phelan, formerly with the Northrop Grumman Corp. and the Central Intelligence Agency, as its first director. NBIB was created to replace the Office of Personnel Management’s (OPM) Federal Investigative Services, which suffered a massive data breach in the summer of 2015. Like the Federal Investigative Services, NBIB will oversee all of the background checks for the federal government, but will have a different organizational structure in order to “modernize, strengthen and secure” the federal security clearance process. According to OPM Acting Director Beth Cobert, “NBIB is designed with an enhanced focus on national security, customer service, and continuous process improvement to meet this critical government-wide need now and in the future.” NBIB’s new director has already said that one of his first priorities is to address the long wait time currently required to receive federal security clearance, which he aims to reduce to 40 days.
National Background Investigations Bureau
IAPP reported that the OPM’s new National Background Investigations Bureau has hired KeyPoint Government Solutions, which was involved in the agency’s 2014 data breach.
https://iapp.org/news/a/new-security-clearance-bureau-hires-privacy-company-linked-to-opm-data-breach/
EEOC Background Check Lawsuit
The legal showdown between the State of Texas and the Equal Employment Opportunity Commission (EEOC) over the agency’s background check guidance took another turn on September 23, 2016, when the Fifth Circuit Court of Appeals issued an order withdrawing its previous June opinion and remanding the case to U.S. District Court for the Northern District of Texas. The June 2016 opinion had allowed Texas to proceed with its lawsuit against the EEOC. This order comes on the heels of the Supreme Court’s recent decision in United States Army Corps of Engineers v. Hawkes Co., Inc., 136 S.Ct. 1807 (2016), which examined when a federal agency’s decisions can be challenged in court. This new development calls into question whether the State of Texas can proceed with its lawsuit against the EEOC. In April 2012, the EEOC issued its Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964 (Guidance). This Guidance advised employers using criminal background checks to ensure that the consideration and use of conviction information should be (1) job-related and (2) consistent with business necessity. Among other things, the Guidance implied that employers should engage in a targeted screening process when considering an candidate or employee’s criminal conviction record, and conduct an individualized assessment before taking an adverse action.
http://www.lexology.com/library/detail.aspx?g=e0631719-6fbe-410b-bf29-e886b3838b78
CFPB- Constitutionality
On October 11th, the U.S. Court of Appeals for the D.C. Circuit ruled 2-1 that the Consumer Financial Protection Bureau’s (CFPB) single-director structure is unconstitutional. The Court declined to shut down the agency but gave the President the authority to remove the CFPB’s director. Judge Brett Kavanaugh explained that, “With the for-cause provision severed, the President now will have the power to remove the director at will and to supervise and direct the director.” Judge Kavanaugh further opined that, “The CFPB therefore will continue to operate and to perform its many duties, but will do so as an executive agency akin to other executive agencies headed by a single person, such as the Department of Justice and the Department of the Treasury.” The ruling was the result of the PHH Corp’s (PHH) challenge of a CFPB enforcement action accusing the company of an illegal kickback scheme. The Court criticized the CFPB’s current structure writing that, “Because the CFPB is an independent agency headed by a single director and not by a multi-member commission, the director of the CFPB possesses more unilateral authority – that is, authority to take action on one’s own, subject to no check – than any single commissioner or board member in any other independent agency in the U.S. Government.”
FTC- Identity Theft Report
On October 14th, the Federal Trade Commission (FTC) released a new Identity Theft Report form on its IdentityTheft.gov website which is intended to serve as a “one-stop resource for people to report identity theft to law enforcement and get a personal recovery plan that responds to their specific identity theft circumstances.” The Report is designed for consumers to present to businesses to inform them that the consumer has reported identity theft to the FTC; The FTC has reported the identity theft to law enforcement; and the business’ records on the consumer may be incomprehensive because of identity theft. The FTC also specifies that if a consumer reporting agency (CRA) receives an Identity Theft Report from a consumer it may have to take additional steps in order to comply with the Fair Credit Reporting Act. Specifically, CRAs should look to the FCRA’s Furnisher Rule and obligations put forth by state law.
https://www.ftc.gov/news-events/blogs/business-blog/2016/10/new-identity-theft-report-helps-your-business-spot-id-theft
https://identitytheft.gov/
FTC- Consumer Health Information
On October 24th, IAPP reported that the Federal Trade Commission (FTC) and the Department of Health and Human Services Office of Civil Rights released joint guidance for companies that share and collect consumer health information in order the ensure compliance with the FTC Act and the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the guidance recommends that companies that share health information: • Obtain consumer’s permission to use or disclose their information through a valid HIPAA authorization form, which must be in plain language and must include the terms and details of how their data will be used; • Ensure privacy policies, terms of use, and HIPAA authorizations are easily accessible to consumers through the company’s interface; and • Ensure such disclosures are legible on different devices, including smart phones.
https://iapp.org/news/a/when-sharing-health-info-companies-must-not-ignore-ftc-act/
https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act
Court Cases
FCRA Litigation
On October 24th, a New Jersey federal judge administratively dismissed a putative class action against Uber, Inc. (Uber) and background screening company Hirease, Inc. (Hirease) for allegedly violating the Fair Credit Reporting Act (FCRA). According to the Plaintiffs, Uber and Hirease violated the FCRA by failing to provide job candidates with a clear and conspicuous disclosure. The Plaintiffs also accused Uber of failing to follow the preadverse action process in accordance with the FCRA. The judge decided to administratively dismiss the case for a sixty-day period because the parties have reached a settlement agreement. According to U.S. District Jude Claire C. Cecchi, “Absent receipt from the parties of dismissal papers or request to reopen the action within the 60-day period, the Court shall dismiss this action, without further notice, with prejudice and without costs.” Joseph Cuccinello et al. v. Uber Inc. et al., case number 2:15-cv-06604, U.S. District Court for the District of New Jersey.
On October 21st, a proposed class action was filed against Robert Half International, Inc. (Robert Half), a staffing agency, for allegedly violating the Fair Credit Report Act (FCRA). The Plaintiff alleges that he was denied employment based on a background report containing incomprehensive information, including a felony robbery conviction, and that he never had a chance to dispute the information in the report. According to the complaint, “As a result of [Robert Half]’s actions, Plaintiff and the members of the class have been deprived of their consumer rights and have been prevented from timely and effectively contesting the adverse action.” The proposed class includes anyone who was subject to an adverse action over the past five years based on consumer reports procured by Robert Half and who were not given the opportunity to dispute the reports’ findings in advance. The lawsuit seeks damages between $100 and $1, 000 per violation per class member. Black v. Robert Half International, Inc., case number 3:16-cv-06077, in the U.S. District Court for the Northern District of California.
On October 21st, a California federal judge ruled that she will not decertify a proposed class alleging that TransUnion LLC (TransUnion) violated the Fair Credit Reporting act (FCRA) by not allowing consumers to dispute criminal and terrorist alerts on their credit reports. The Plaintiff filed suit after a landlord who used TransUnion’s “SmartMove Report” denied his rental application based on the report’s inclusion of a terrorist alert, which the Plaintiff claims he was never able to dispute. In her decision to uphold the class’ certification, U.S. Magistrate Judge Laurel Beeler disagreed with TransUnion’s argument that the class had failed to prove concrete harm in line with the Supreme Court’s ruling in Spokeo, Inc. v. Robins. According to Beeler, “The court sees little difficulty in concluding that the alleged inaccuracies- being wrongly branded a potential terrorist, or wrongly ascribed a criminal record- are themselves concrete harms.” Patel v. Trans Union LLC et al., case number 3:14-cv-00522, in the U.S. District Court for the Northern District of California.
On October 19th, a Pennsylvania federal judge denied RealPage, Inc.’s (RealPage) motion to dismiss a proposed class action accusing the property management software company of violating the Fair Credit Reporting Act (FCRA). The Plaintiffs allege that RealPage violated the FCRA by furnishing incomprehensive or outdated information about them to landlords. The Plaintiffs also claim that when they requested copies of the reports, RealPage sent incomplete reports that did not properly identify the source of the information. Finally, Plaintiffs allege that RealPage violated the law by failing to provide them with a “Summary of Rights” form. In its motion to dismiss the case, RealPage argued that the Plaintiffs do not have standing to sue in line with the Supreme Court’s ruling in Spokeo, Inc. v. Robins because they have failed to demonstrate concrete harm. However, the judge rejected this argument, finding that, “The classes’ allegations that they did not receive the information to which they were entitled under the statute is, we conclude, sufficient to plead and establish a concrete harm since it goes to the core of the interests Congress sought to protect.” Jenkins v. RealPage, Inc., case number 2:15-cv-01520, and Stokes v. RealPage, case number 2:15-cv-03894, in the U.S. District Court for the Eastern District of Pennsylvania.
On October 17th, a California federal judge denied a proposed $1.1 million settlement between a class of job candidates and S2Verify, a background screening company accused of violating the Fair Credit Reporting Act (FCRA). The lead Plaintiff originally filed the lawsuit against S2Verify when he was denied employment based on arrests included in his report that were over seven years old and for which a conviction did not result. The proposed settlement created a fund of nearly $1.1 million to be paid to 4, 363 class members, which included individuals who applied for employment with nine different companies that hired S2Verify and whose reports contained arrests that were over seven years old and did not result in a conviction. In denying the proposed settlement, the judge ruled that the release is “overbroad” and “is an obvious deficiency and sufficient reason to deny preliminary approval.” The judge also wrote that, “The parties cite to the prior order certifying the class, but nothing on the pages cited- or in the rest of that order- suggests the class’s two surviving claims under the FCRA should be expanded to include ‘any and all claims under the FCRA… arising out of [the class members’] consumer reports prepared by S2Verify.’” Hawkins v. S2Verify et al., case number 3:15-cv-03502, in the U.S. District Court for the Northern District of California.
On October 14th, a California federal judge said that he will dismiss a proposed class action accusing State Farm Mutual Automobile Insurance Company (State Farm) of violating the Fair Credit Reporting Act (FCRA). The Plaintiffs allege that State Farm violated the law by failing to provide job candidates with their rights under the FCRA or a copy of the reports used to make hiring decisions. In dismissing the suit, the judge ruled that the case cannot stand up as a proposed class action because “there are individual errors and mistakes [in the credit reports] you can’t say, ’10, 000 people didn’t get their forms, therefore it’s a class action.’ No, it’s not.” The judge also ruled that the Plaintiffs cannot establish standing in line with the recent Supreme Court ruling in Spokeo, Inc. v. Robins. According to the judge, “The failure of the employer to follow the rules of disclosure is not in and of itself the basis of a lawsuit.” Dutta v. State Farm Mutual Automobile Insurance Company, case number 3:14-cv-04292, in the U.S. District Court for the Northern District of California.
On October 13th, a California federal judge dismissed a putative class action against Bank of America, Inc. (Bank of America) and the companies it used to procure background checks on prospective contractors for allegedly violating the Fair Credit Reporting Act (FCRA). The Plaintiffs alleged that the companies violated the law by routinely procuring background checks on prospective contractors without providing them with a written disclosure. However, the judge dismissed the suit, finding that the lead Plaintiff failed to establish standing “because he has not demonstrated that Defendants’ conduct- as alleged in the complaint- caused harm.” The judge also found that the Plaintiff lacked standing because the case was brought more than two years after the alleged violations, which exceeds the FCRA’s statute of limitations. J. Robert Berrellez v. Pontoon Solutions, Inc. et al., case number 2:15-cv-01898 in the U.S. District Court for the Central District of California.
On October 6th, a putative class action was filed against Valley National Bank (Valley National) for allegedly obtaining consumer reports on job candidates in violation of the Fair Credit Reporting Act (FCRA). Specifically, the Plaintiffs claim that Sterling Infosystems, Inc. (Sterling), which was hired to procure the reports for Valley National, provided candidates with disclosure forms that included extraneous language and that were not “clear and conspicuous” as required by the FCRA. Specifically, the Plaintiffs claim that Sterling’s disclosure form is “printed in small, eye-straining type, and simply contains far more verbiage than is require to inform candidates that a consumer report will be obtained.” The complaint indicates that the potential class of consumers could exceed 1, 000 people and is seeking damages of between $100 and $1, 000 for each member. Philip Faraone, on behalf of himself and those similarly situated, v. Valley National Bank, case number 3:16-cv- 06575, in the U.S. District Court for the District of New Jersey.
On October 6th, U.S. District Judge John J. Tuchi granted JPMorgan Chase Bank NA (JPMorgan or Chase) summary judgment in a Fair Credit Reporting Act (FCRA) lawsuit brought by a job candidate. The Plaintiff alleged that the bank violated the law by failing to provide her with her rights under the FCRA or a copy of a report generated by Fieldprint, Inc. (Fieldprint), a Federal Bureau of Investigations (FBI) fingerprint background check service hired by JPMorgan during the employment process. However, the Judge found that Fieldprint is not a consumer reporting agency covered by the FCRA because it merely transmits the information from the FBI and does not actively evaluate information for a third party. One of the Plaintiff’s attorneys has already said that they will appeal the ruling. According to the attorney, “Incredibly the court ruled that Fieldprint’s background check was not a ‘consumer report’ under the FCRA without even seeing it. To this day, we have never seen what Chase received about [Plaintiff] from Fieldprint.” Mix v. JPMorgan Chase Bank NA, case number 2:15-cv-01101, in the U.S. District Court for the District of Arizona.
http://www.esrcheck.com/wordpress/2016/10/26/jpmorgan-chase-granted-summary-judgment-in-fcra-class-action-lawsuit-over-background-checks/
On October 3rd, the Plaintiff in the Fair Credit Reporting Act (FCRA) lawsuit against T-Mobile USA, Inc. (T-Mobile) filed a memorandum in opposition to the company’s motion to dismiss the suit. Erik Shapiro, the Plaintiff, claims that he called T-Mobile in 2014 to inquire about switching his phone service when a sales representative asked if the company could run a “soft” credit check on him, which would not appear on his credit report. However, Shapiro claims that T-Mobile actually conducted a “hard” credit check, in violation of the FCRA and other California consumer protection laws. In his memorandum countering T-Mobile’s motion to dismiss the case, Shapiro argues that, “But throughout all of its arguments, it seems woefully or intentionally ignorant of the underlying issue in this matter: Defendant performed a hard credit inquiry on Plaintiff Erik Shapiro’s credit after being specifically instructed not to do so and agreeing not to do so, and a hard credit inquiry results in a decrease of the individual’s credit score.” Erik Shapiro et al. v. T-Mobile USA Inc., suit number 2:16-cv-04698, in the U.S. District Court for the Central District of California.
On September 30th, a California federal magistrate said during a hearing that he will likely dismiss a putative class action against Lyft, Inc. (Lyft) for allegedly violating the Fair Credit Reporting Act (FCRA) by failing to disclose to job candidates that it would be checking their credit reports. According to Magistrate Judge Joseph C. Spero, the Plaintiffs have failed to demonstrate “concrete and particularized” injury in accordance with the Supreme Court’s ruling in Spokeo, Inc. v. Robins. Spero commented during the hearing that, “It seems to me the circumstances here are like the first example, like a failure to give notice. It’s a naked procedural violation.” Nokchan v. Lyft, Inc. case number 3:15-cv-03008, in the U.S. District Court for the Northern District of California.
On September 29th, a California federal judge ruled in favor of Experian Information Systems, Inc. (Experian), dismissing allegations that the company violated the Fair Credit Reporting Act (FCRA). The Plaintiff accused Experian of misreporting information on consumer reports after he was informed by the Federal National Mortgage Association, Inc. (Fannie Mae) that his credit history incorrectly contained foreclosures. The Plaintiff had never gone through foreclosure, but had undergone a short sale on his house leading the data set to be improperly interpreted by Fannie Mae and misreported. The Plaintiff filed a proposed class action against Experian, alleging that the company’s number-coding system contributed to the error. The judge found that Experian had taken necessary precautions to ensure that its number-coding system was easily understandable, writing, “Defendant could not be expected to anticipate that Fannie Mae would choose to interpret Defendant’s credit reports contrary to its explicit instructions.” Shaw v. Experian Information Solutions Inc. et al., case number 3:13-cv-01295, in the U.S. District Court for the Southern District of California.
Data Breach Litigation
On October 26th, AMCO Insurance Company, Inc. (AMCO) requested that a Colorado federal judge issue an order releasing them from any liability to provide coverage for The Vitamin Cottage, Inc.’s (Vitamin Cottage) data breach litigation. Vitamin Cottage is currently facing a proposed class action lawsuit that accuses the company of failing to adequately protect sensitive customer information. AMCO argues that Vitamin Cottage’s lawsuit is not covered by their general liability insurance policy because the Plaintiffs suing Vitamin Cottage have not alleged any “physical injury to tangible property.” AMCO further argued that the Vitamin Cottage data breach did not constitute “publication.” Natural Grocers By Vitamin Cottage Inc. et al. v. Amco Insurance Co., case number 1:16-cv-01326, in the U.S. District Court for the District of Colorado.
On October 17th, a class of breach victims filed a motion urging the Eighth Circuit to revive their lawsuit against Scottrade, Inc. (Scottrade) over its allegedly inadequate data security practices, which they argue contributed to the company’s massive data breach that exposed 4.6 million users’ personally identifiable information (PII). Earlier this year, a Missouri federal judge dismissed the suit, finding that the Plaintiffs had failed to demonstrate actual harm, writing, “although Plaintiffs have alleged that the hackers accessed Plaintiffs’ [personal information] and used that for certain business enterprises, Plaintiffs do not allege any of the [information] stolen in the breach has been used to commit any identity theft, fraud, or any other act that has resulted in harm to any Plaintiff.” However, in his motion urging the Court to revive the case, Plaintiff Matthew Kuhns says that he has Article III standing to sue because, “The invasion of Kuhns’ privacy stemming from the disclosure of his PII to hackers is a concrete injury…” The Plaintiff also argues that the federal judge erroneously compared this case to Clapper v. Amnesty International, in which the Plaintiff could not prove risk of harm because his PII had not actually been breached, whereas the Plaintiffs’ PII had been acquired by hackers in the Scottrade case. Kuhns v. Scottrade, Inc. case number 16-32426 in the U.S. Court of Appeals for the Eighth Circuit.
State Developments
Los Angeles Wants to Delay When Employers May Ask About Criminal Histories
A Los Angeles City Council committee voted Tuesday to prohibit most employers in the city from asking about a job candidate’s criminal history until after a conditional offer has been made. State and local governments in California are already prevented from asking whether a person has ever been convicted of a crime until an initial offer of employment has been made. President Obama announced in November that the federal government and its contractors would also stop asking about job candidates’ criminal histories in the preliminary stages of the interview process. The City Council’s Economic Development Committee voted 4-0 to extend that law to businesses with 10 or more employees, as well as to city contractors and subcontractors.
http://www.latimes.com/local/lanow/la-me-ln-ban-the-box-20160927-snap-story.html
Montana Data Breach Notification
On October 7th, the International Association of Privacy Professionals reported that the Montana Department of Justice is publishing a list of reported data breaches on its website following the passage of data breach notification legislation in 2015. According to John Barnes from the state’s Department of Justice, the notification can be submitted in the form of an Excel spreadsheet or a PDF and should include information like the business name, the notification documents that were sent to the Department, the date of the start and end of the breach, and the estimated number of Montanans impacted by the incident.
https://iapp.org/news/a/montana-department-of-justice-listing-data-breaches-on-its-website/
California Amends Labor Code to Prohibit Employers from Using Juvenile Records in Employment Decisions
On September 27, 2016, California Governor Jerry Brown signed Assembly Bill No. 1843, which amends the California Labor Code to prohibit employers from considering certain juvenile records for employment purposes. The amendment is effective January 1, 2017. Subject to certain exceptions, the Labor Code currently makes it unlawful for a private or public sector employer to consider information concerning:
- an arrest or detention that did not result in a conviction;
- a referral to or participation in, any pretrial or post-trial diversion program; and
- a conviction that has been judicially dismissed or ordered sealed.
The Labor Code does not, however, prohibit employers from asking an candidate or employee about an arrest for which the candidate or employee is out on bail or on recognizance pending trial.
Moreover, these provisions do not bar certain health care facilities, as defined in Section 1250 of the Health and Safety Code, from asking candidates to disclose an arrest under any section specified in Section 290 of the Penal Code (for those positions with regular access to patients) or an arrest under any section specified in Section 11590 of the Health and Safety Code (for those positions with access to drugs and medication).
AB 1843 amends the Labor Code to broaden the types of “off limits” information that employers may not consider by prohibiting employers from inquiring about and considering information concerning or related to “an arrest, detention, process, diversion, supervision, adjudication, or court disposition” that occurred while the candidate or employee was subject to the process and jurisdiction of a juvenile court (“juvenile offense history”). The bill also excludes from the Labor Code’s definition of “conviction” an adjudication by a juvenile court or any other court order or action taken with respect to a person who is under the process and jurisdiction of a juvenile court. Health care facilities will now be barred from inquiring into an candidate’s juvenile offense history unless the information concerns an adjudication by a juvenile court in which the candidate was found to have committed a felony or a misdemeanor offense under Section 290 of the Penal Code or Section 11590 of the Health and Safety Code in the five years before the application for employment. However, the health care facility may not inquire about an candidate’s juvenile offense history that has been sealed by a juvenile court. If the health care facility seeks disclosure of permissible juvenile offense history, the facility must provide the candidate with a list that describes the offenses for which disclosure is sought.
Three Major Credit Reporting Agencies to Overhaul Their Business Practices in Mississippi
Attorney General Jim Hood announced today that the nation’s three major credit reporting agencies will overhaul their business practices and offer Mississippians unlimited access to free credit reports over the next three years in order to resolve the Attorney General’s investigation into the agencies’ mistakes on credit reports and deceptive marketing activities. The agencies were accused of putting their own interests ahead of those of Mississippi consumers by failing to properly verify debts and failing to delete paid or expired debts from credit reports. The credit reporting agencies, Experian, TransUnion, and Equifax will pay the state a total of $7.175 million. Starting in November, Mississippi residents will be eligible to receive unlimited free credit reports for three years, one free FICO credit score every year for three years, in addition to other benefits provided by the credit bureaus under terms of settlements with Attorney General Hood. The three credit reporting agencies compile and sell credit reports on almost every Mississippi adult. The reports are the basis for determining whether and on what terms consumers are offered credit cards, student loans, auto loans, mortgages or rental housing. The information on the reports may impact the security clearance of a member of the military, or it may be the difference for employers in determining whether to offer someone a job.
International Developments
U.S.-EU Data Transfers
On September 28th, Irish Data Protection Commissioner (DPC) Helen Dixon issued an explanatory memo about why she decided to take up privacy advocate Max Schrem’s latest challenge against Facebook, Inc. (Facebook) over the company’s use of “model contracts” for international data transfers between the U.S. and the European Union (EU). In her memo, Dixon indicated that she felt an “urgent” need to provide multinational companies clarity about what data transfer methods can be used between the U.S. and EU. According to the regulator, “In commencing the current proceedings, the DPC took account, not just of the significant issues arising in terms of citizens’ data privacy rights, but also of the very significant commercial implications arising from the value of data exchanges to EU-U.S. trading relationships.” Dixon also noted that she “recognized the necessity for an urgent resolution of the matters in question given the requirement of business for legal certainty at a time when the safe harbor decision had been struck down and no alternative was at that point in place.”
EU Data Protection
On October 6th, Ars Technica reported that the Spanish Data Protection Authority (DPA) is investigating the new data sharing agreement between WhatsApp, Inc. (WhatsApp) and its parent company Facebook, Inc. (Facebook). The news comes just a week after Johannes Caspar, the German Data Protection Authority, ordered Facebook to delete the data from German WhatsApp accounts. According to Caspar, “After the acquisition of WhatsApp by Facebook two years ago, both parties assured that data will not be shared between them. The fact that this is now happening is not only misleading of their users and the public, but also constitutes an infringement of national data protection law.” In addition to launching a formal investigation, the Spanish DPA has advised users to carefully read WhatsApp’s new terms and conditions, and has also offered guidance on how to adjust privacy settings. In the U.S., the Electronic Privacy Information Center and the Center for Digital Democracy have called on the Federal Trade Commission to investigate the data sharing agreement.
http://arstechnica.co.uk/tech-policy/2016/10/whatsapp-facebook-data-ads-spanish-watchdog-probe/
https://epic.org/2016/09/consumer-groups-back-call-for-.html
EU-U.S. Privacy Shield Faces Skepticism in the Marketplace
While the Privacy Shield agreement recently negotiated between EU and U.S. governments continues to face skepticism in the marketplace, it is another legal mechanism that poses the biggest threat for trans-Atlantic data flows. According to the results of a comprehensive survey of 600 privacy professionals by the IAPP this summer, more than 80 percent of companies rely on pre-approved “standard contractual clauses” to transfer data from the EU to the U.S. Yet these clauses are currently subject to a legal attack in the Court of Justice of the European Union, which – after striking down the EU-U.S. Safe Harbor arrangement – may invalidate their use. The upcoming Annual Privacy Governance Report 2016 reveals that just 34 percent of companies intend to use the EU-U.S. Privacy Shield framework to transfer data from the EU to the U.S., compared to the 50 percent who used Safe Harbor. Privacy Shield, which was finalized over the summer concurrently with the fielding of the survey, itself faces scrutiny from European regulators and possibly its own court battle. Finally, only 8 percent of companies with fewer than 5, 000 employees see binding corporate rules, a third, and more costly data transfer mechanism, as a viable option going forward.
https://iapp.org/news/a/privacy-shield-faces-skepticism-in-the-marketplace-but-standard-contractual-clauses-pose-the-biggest-risk-for-market-upheaval/?mkt_tok=eyJpIjoiTjJSaFl6VXlaamcwTUdJMyIsInQiOiJhblVnQm9QTzhOeEIzNkdKbjBid2lXeFVzWE5mcUI5eElVZVwvcjRJXC82eHVPdDB4RnpKOWdiTnorUml1NWZ0R2VwTW9VdU1jbjUzK1NVWlljY3o1WWVkY2wwT0FmWjlEOWpITm9XTER3aHpBPSJ9
Privacy Shield Challenge
On October 27th, the privacy organization Digital Rights Ireland (DRI) filed a legal challenge against the European Union (EU) – United States (U.S.) Privacy Shield Agreement. DRI filed its motion with the European General Court seeking “an annulment, ” arguing that the Privacy Shield fails to sufficiently protect user privacy. The European Commission (EC) responded, stating, “We don’t comment on ongoing court cases. As we have said from the beginning, the Commission is convinced that the Privacy Shield will live up to the requirements set out by the European Court of Justice which has been the basis for the negotiations.” The U.S. Department of Commerce also responded to the challenge, writing, “The United States stands behind the Privacy Shield Framework and the critical privacy protections it affords individuals in furtherance of supporting robust transatlantic commerce and is ready to explain our safeguards and limitations if necessary.”
http://www.pcworld.com/article/3136129/cloud-computing/privacy-group-shoots-legal-arrow-at-privacy-shield.html
http://www.techweekeurope.co.uk/e-regulation/surveillance/privacy-shield-legal-challenge-199649
http://fortune.com/2016/10/27/privacy-data-eu-us/
EU Data Privacy
On October 19th, the European Court of Justice (CJEU) issued a ruling in a case brought by Patrick Breyer, a politician and activist with the German Pirate Party, regarding whether dynamic internet protocol (IP) addresses collected by websites, which cannot be used to identify individuals without the assistance of an Internet Service Provider, are considered personal data under Article 2(a) of the European Union’s (EU) 1995 General Data Protection Directive. CJEU ruled that dynamic IP addresses do fall under the definition of personal data, citing the directive’s provision that says that personal data can be “directly or indirectly” attributed to a person. According to CJEU, “The use by the EU legislature of the word ‘indirectly’ suggests that, in order to treat information as personal data, it is not necessary that that information alone allows the data subject to be identified.” IAPP reported on the ruling, and noted that it could have an important impact on the forthcoming General Data Protection Directive, which goes into effect in 2018. According to IAPP, “The judgment in Breyer suggests that data will still be personal even if it requires legal means to make a person ‘identifiable.’ This suggests that the meaning of ‘identifiable’ is very broad.” Patrick Breyer v. Bundesrepublik Deutschland, case number C-582/14, in the Court of Justice of the European Union.
Australia – A New Proposed National Mandatory Notification Law for Data Breaches
Australia finally looks set to have a new national mandatory notification laws for data breaches. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced to the House of Representatives by the Federal Attorney-General on 19 October 2016 and read for the second time. Debate is expected to continue today. The history of the proposed laws for mandatory notification of serious data security breaches and the exposure Bill released by the Attorney-General’s offices in December last year has been discussed previously in our Alert – Parliament begins consultation on new laws proposing Mandatory Notification of Serious Data Security Breaches. Assuming there is bi-partisan support for the Bill (as there was for the 2013 Bill which nearly made law), it can be expected that the Bill will progress to the Senate. Notwithstanding ongoing reservations about how the assessment and notification obligations can be met in practice and the overall benefits of notification, the passage of this Bill does seem more certain in the current environment and the rationale persuasive.
http://www.lexology.com/library/detail.aspx?g=56af5bc6-b505-45a7-822a-ac28a851870b
Potential Violations of EU Data Privacy Regulations
The Wall Street Journal reports that the Article 29 Working Party sent warning letters to Facebook, WhatsApp, and Yahoo about potential violations of EU data privacy regulations.
http://www.wsj.com/articles/eu-issues-data-protection-warning-to-whatsapp-yahoo-1477647543
Miscellaneous
Penn. – City, County Pledge to Help Eliminate Job Barriers for Former Inmates
According to the Department of Justice, around 70 million Americans have criminal records which hinder their chances of finding jobs. Monday, the city of Pittsburgh and Allegheny County signed the White House’s Fair Chance Business Pledge to help those who have done their time get a second chance. In April of this year, the White House unveiled the pledge as a “call-to-action” for the private sector to improve their communities by eliminating barriers for those with a criminal record and creating a pathway for a second chance. As of August, some 185 companies across the nation had adopted the pledge which includes a promise to consider the criminal history in proper context along with the candidate’s job skills.
http://wesa.fm/post/city-county-pledge-help-eliminate-job-barriers-former-inmates#stream/0
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].
