New Guidance for Companies that Transfer Data from the EU to the U.S.

The Article 29 Working Party has recently released several new documents of interest to companies that collect and process data about EU residents and who move data from the EU to the United States. First, the Working Party released “Recommendations on the Standard Application for Approval of Data Controller or Processor Binding Corporate Rules for the Transfer of Personal Data.” Binding Corporate Rules (often referred to as BCRs) are one mechanism available to companies to support the legal transfer of data outside the European Economic Area. Article 45 of the GDPR requires that data transferred to a country which has not been deemed to provide an adequate level of data…

READ MORE

Achieved Compliance Participates in the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong

Last month, Achieved Compliance attended the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong, hosted the event, which was attended by over 3,000 data protection authorities, privacy professionals, industry representatives and non-governmental organizations. The Commissioners’ Conference convenes annually and offers one of the best opportunities to learn not only about the current state of data protection law, but to understand what is top-of-mind for regulators and what new challenges they see on the horizon. Among its goals is to promote and enhance personal data protection and privacy rights around the world, and to provide a forum…

READ MORE

U.S. Federal Trade Commission Announces Settlement of First Privacy Shield Enforcement Action

On September 8, 2017, the Federal Trade Commission (FTC) announced settlement of its first enforcement action involving the terms of the Privacy Shield. Three companies – Decusoft, LLC, Tru Communication, Inc., and Md7, LLC were alleged to have violated the Federal Trade Commission Act (FTC Act) by falsely claiming that they were certified to the EU-U.S. Privacy Shield. In fact, they had not completed the certification process required. One of the companies, Decusoft, falsely claimed not to be certified to the Swiss-U.S. Privacy Shield. As part of their settlements with the FTC, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or…

READ MORE

Achieved Compliance Approved for Participation in Privacy Shield: Program Essential to Any Company Moving Data from the EU to the U.S.

Achieved Compliance is pleased to announce that it has been approved to participate in the EU-U.S. “Privacy Shield” program. The Privacy Shield provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. The Privacy Shield updates the Safe Harbor regime that had supported data flows between the jurisdictions since 2000. As a participant in the Privacy Shield, Achieved Compliance meets all EU legal requirements for protection of data about EU citizens. Companies that use Achieved Compliance software and services can rest assured that we are committed to protecting data…

READ MORE

You Can’t Outsource Liability for Failure To Protect Data – Fine Issued for Negligence in Overseeing a Vendor’s Performance

If a recent decision of the French Data Protection Authority (CNIL) is any indication, companies can expect that data protection authorities will hold them responsible for ensuring that the vendors they contract with can secure and protect the company’s personal data. On July 27, 2017, the French Data Protection Authority (CNIL) fined the Hertz Corporation €40,000 when information about approximately 35,000 users was exposed to inappropriate access because of the negligence of a vendor in charge of designing the Hertz France website. The privacy office’s enforcement committee July 18 held that Hertz failed to meet its data security obligations. The enforcement audit of the company’s website determined that a…

READ MORE

UK Authority Warns Small Companies: “Data Protection Laws Apply to You” Fining an SME £60,000 for Failing To Take Basic Steps

The UK Information Commissioner’s Office sent a clear signal last month that it is paying close attention to the data protection measures taken by small and medium sized companies. In a statement published June 27, 2017 titled “Warning to SMEs as firm hit by cyber attack fined £60,000” (i.e. about $80,000 U.S.), the ICO announced an action against Boomerang Video, a small Internet company based in Berkshire, England, for failure to take appropriate steps to secure customer information. ICO enforcement manager, Anne Poole said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.  “If a company is subject to…

READ MORE

You Are Making Promises in Your Privacy Policy – False or Misleading Statements Can Lead to the Payment of Damages

A new privacy law signed last month is a reminder that data protection and privacy are not just issues for companies who must comply with the EU’s General Data Protection Regulation (GDPR). In the United States, regulators at the state level are turning their attention to companies who collect and use personal information – and they are putting in place their own rules about how it should be protected and managed responsibly. A newly signed Oregon law is an example of how states are moving towards interpreting unfair competition laws to cover statements make in a privacy policy. This trend has been seen in many states. California, Connecticut,…

READ MORE

The Countdown Is On – One Year to GDPR & SMEs Lag In Competitiveness and Compliance

This week marks exactly one year until EU individuals will have new rights with respect to how all businesses must protect personal data. Whether a particular business is big or small, based in the EU or based in the US, each must fully comply with the game-changing General Data Protection Regulation (GDPR). GDPR took center stage in Berlin recently, when policymakers, businesses, and regulators from 20 countries met in Berlin at the 7th annual European Data Protection Days conference. Nearly every speaker emphasized the challenges the regulation raises for small and medium sized companies (SMEs) and the critical need for those companies to comply. Companies of all sizes…

READ MORE

Non-Compliance with EU Law Is Still Not an Option

U.S companies hoping to avoid compliance with the requirements of EU law may want to think twice. It’s really time to get on with it. Despite early rhetoric from the Trump Administration, discussions between the U.S. Department of Commerce and the EU Commission last week indicate that the best course for businesses involving data about EU citizens is to take the steps necessary to comply. U.S. officials sent a clear message that they stand behind the commitments of their predecessors to promote compliance by U.S. businesses, at least with respect to the Privacy Shield. This likely reflects a broader U.S. government position that is pro-compliance. EU Justice Commissioner…

READ MORE