Singapore Joins the Accountability-based APEC System

While companies work to comply with the General Data Protection Regulation (GDPR), the European law that takes effect on May 25, it is important to remember that countries in other parts of the world also are adopting new approaches to information privacy protection. Companies that plan to do business in new markets should take note of these and understand that the steps they take to comply with the GDPR – particularly with respect to accountability – can lay the groundwork for compliance in other regions. On March 6, 2018, Singapore’s Ministry of Communications and Information announced that Singapore has joined the APEC Cross-border Privacy Rules (CBPR). The APEC CBPR system…

READ MORE

FTC Settles Complaint Against Venmo

On February 27, the Federal Trade Commission (FTC) reached a settlement with Paypal, Inc. relating to the privacy and security practices of Venmo, Paypal’s peer-to-peer payment service. The FTC alleged that Venmo failed to adequately disclose to its users that transfers of funds from their Venmo balances to external bank accounts were subject to review, and such funds could be frozen or removed in cases of suspected fraud. The FTC’s complaint also charges that Venmo misled users about the scope of Venmo’s “bank grade security systems,” as well as the extent to which users could control the visibility of their transactions. Venmo allows individuals to send and receive…

READ MORE

New Guidance about Transparency: Notices Must Be Accurate, Clear and Easy To Locate

Important guidance about the General Data Protection Regulation’s (GDPR) transparency requirements has been released from Europe. The Article 29 Working Party, an advisory body that oversees data protection in the EU, issued a paper that provides practical guidance and clarity about the obligations of data controllers with respect to informing individuals about the collection, use and protection of their data. The GDPR requires that notices must: be concise, transparent, intelligible and easily accessible (Article 12.1); use clear and plain language (Article 12.1); the requirement for clear and plain language is of particular importance when providing information to children (Article 12.1); be provided in writing “or by other means, including where…

READ MORE

Preparing for May 25th, 2018: GDPR Compliance Requires More Than Technology Solutions

Whether you are in the IT department or on the legal team, in recent weeks you’ve no doubt received announcements and advertisements offering technology solutions that promise to help you “achieve GDPR readiness.” While these products can help address certain compliance issues, it’s important to understand their limitations – and that GDPR compliance requires more than technology solutions. Before any tool can be useful, GDPR demands a combination of review, risk analysis and thoughtful decision-making on the part of your company. While software solutions can help with discrete tasks – data mapping, controlling and monitoring who has access to data, and managing consent, to name a few –…

READ MORE

CFTC Imposes $100,000 Penalty for Failure To Supervise IT Provider

On February 12, 2018, the Commodity Futures Trading Commission (CFTC) issued an order requiring AMP Global Clearing, a registered Futures Commission Merchant (FCM), to pay a civil penalty of $100,000 due to its failure to diligently supervise its IT provider in implementing AMP’s Information Systems Security Program. The order came after a third party was able to gain access to AMP customer records without authorization through a vulnerability in AMP’s network. The vulnerability had not been detected in three consecutive quarterly network risk assessments, despite the fact that security breaches resulting from similar vulnerabilities—including a number that occurred on network devices manufactured by the same manufacturer as AMP’s—had…

READ MORE

U.S. Regulators Convene Workshop on Privacy Risks and Harms

Compliance with the European Union’s General Data Protection Regulation (GDPR), scheduled to take effect in May 2018, has taken center stage for companies. But it is important to remember that regulators in the U.S. continue their own work to protect the privacy interests of consumers. The Federal Trade Commission (FTC) took the spotlight on December 12, 2017, when it hosted a one-day workshop titled “Informational Injury” in Washington DC. The event brought together a variety of stakeholders – including industry representatives, consumer advocates, academics and government researchers – to discuss issues related to the injuries consumers suffer when information about them is misused. In opening remarks, Acting FTC Chairwoman…

READ MORE

EU Releases Guidance About the Requirements for Obtaining Valid Consent Under GDPR

Last month, companies working toward compliance with the European Union’s General Data Protection Regulation (GDPR) received guidance about the new law’s consent requirement. The Article 29 Working Party, the advisory body that oversees data protection in the EU, issued a paper that provides practical advice about steps companies must take to ensure the consents for data processing they obtain from consumers are valid under the GDPR. The GDPR provides that for consent to be valid, it must be freely given, specific to the stated purpose for the processing, informed, and based on a clear, affirmative indication given by the data subject. The document provides advice about how regulators interpret…

READ MORE

Uber Breach Highlights Data Security Risks that Exist for All Companies and the Steps Needed To Address Them

In November, Uber disclosed a security breach that occurred in October 2016, when hackers stole from a third-party server data about 57 million Uber drivers and riders. The company also revealed that they took affirmative steps to keep the data breach secret. The New York Attorney General’s office is opening an investigation of the incident, and members of Congress have sent letters to Uber demanding additional details about the breach. This case highlights the importance of having in place appropriate data security, and a plan to respond to security breaches –  to any company. Data security is critical to a company’s brand, reputation and market trust. A company’s…

READ MORE

Australia Joins Asia Pacific Data Privacy Compliance System

Australia’s plan to participate in the APEC Cross Border Privacy Rules System signals growing importance of accountability-based data practices Companies planning to expand their market into the Asia Pacific region should pay close attention to Australia’s recent announcement that it intends to participate in the APEC Cross-Border Privacy Rules (CBPR) system. It signals that accountability and effective data governance now form the basis for lawful data use and transfer across the globe and should serve as the backbone of all companies’ information governance practices. The APEC CBPR system was developed by participating Asia Pacific Economic Cooperation countries (referred to in this context as “economies”) and designed to build consumer, business and regulator trust…

READ MORE