EU-U.S. Privacy Shield Review Report Outlines Steps To Improve Enforcement and Monitor Compliance

The Privacy Shield, the mechanism by which U.S. companies can lawfully receive personal data transferred from the European Union, continues to draw the attention of regulators and policymakers. On December 19, 2018, the European Commission (the Commission) announced the publication of its report on the second annual review of the EU-U.S. Privacy Shield. The report offers companies insight into which aspects of the Privacy Shield officials consider most important and what steps are planned to strengthen enforcement and oversee compliance.

Background

The EU-U.S. Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Companies must self-certify that they meet the requirements of…


Data Regulators Focus on Artificial Intelligence and Data Ethics at Annual International Meeting in Brussels

Achieved Compliance attended the 40th Annual International Conference of Data Protection and Privacy Commissioners which convened this year in Brussels. This meeting is the largest and most significant gathering of data protection authorities in the world. It provides an important window on the status of data protection law and regulation, the impact of new technology on privacy and what is top of mind for regulators. While companies continue to grapple with the requirements of the General Data Protection Regulation (GDPR), which took effect in May of this year, the law did not take center stage at the annual meeting of regulators. Instead, the focus of this year’s conference was artificial…


FTC Settles Complaint Against Venmo

On February 27, the Federal Trade Commission (FTC) reached a settlement with Paypal, Inc. relating to the privacy and security practices of Venmo, Paypal’s peer-to-peer payment service. The FTC alleged that Venmo failed to adequately disclose to its users that transfers of funds from their Venmo balances to external bank accounts were subject to review, and such funds could be frozen or removed in cases of suspected fraud. The FTC’s complaint also charges that Venmo misled users about the scope of Venmo’s “bank grade security systems,” as well as the extent to which users could control the visibility of their transactions. Venmo allows individuals to send and receive…


New Guidance about Transparency: Notices Must Be Accurate, Clear and Easy To Locate

Important guidance on the General Data Protection Regulation's (GDPR) transparency requirements has been released in Europe. The Article 29 Working Party, an EU advisory body made up of representatives of the national data protection authorities, issued a paper that provides practical guidance and clarity on the obligations of data controllers when informing individuals about the collection, use and protection of their data. The GDPR requires that notices must:

- be concise, transparent, intelligible and easily accessible (Article 12.1);
- use clear and plain language (Article 12.1); the requirement for clear and plain language is of particular importance when providing information to children (Article 12.1);
- be provided in writing "or by other means, including where…


CFTC Imposes $100,000 Penalty for Failure To Supervise IT Provider

On February 12, 2018, the Commodity Futures Trading Commission (CFTC) issued an order requiring AMP Global Clearing, a registered Futures Commission Merchant (FCM), to pay a civil penalty of $100,000 for failing to diligently supervise its IT provider's implementation of AMP's Information Systems Security Program. The order followed an incident in which a third party gained unauthorized access to AMP customer records through a vulnerability in AMP's network. The vulnerability had gone undetected in three consecutive quarterly network risk assessments, even though security breaches resulting from similar vulnerabilities, including a number that occurred on network devices from the same manufacturer as AMP's, had…


The Five Essential Elements of Accountability Under the GDPR Every Business Should Know

The General Data Protection Regulation (GDPR), which comes into effect in May 2018 (only six months from now), has been the subject of countless conference discussions, press stories and company meetings about the challenges of compliance. The GDPR is a lengthy and complex read, and its requirements, ranging from detailed consent rules to the need to conduct data protection impact assessments, can seem daunting. What is often lost in the concern about specifics is that the most important change the GDPR represents is the shift in thinking it requires. The GDPR calls on companies to change their mindset from "check-box" compliance to accountability. It requires…


Achieved Compliance Participates in the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong

Last month, Achieved Compliance attended the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong, hosted the event, which was attended by over 3,000 data protection authorities, privacy professionals, industry representatives and non-governmental organizations. The Commissioners' Conference convenes annually and offers one of the best opportunities to learn not only about the current state of data protection law, but also what is top of mind for regulators and what new challenges they see on the horizon. Among its goals are to promote and enhance personal data protection and privacy rights around the world, and to provide a forum…
