
The International Trade Administration of the United States Department of Commerce has provided for a Privacy Shield framework which enables American organizations to self-certify that they comply with the data protection requirements in effect in the European Union. The Privacy Shield continues as a valid data transfer mechanism after the GDPR came into effect on May 25, 2018. Organizations can self-certify at www.privacyshield.gov. The process involves the following steps:

1. The U.S. business must be under the jurisdiction of the FTC or the Department of Transportation.

2. Prepare a privacy policy which specifically states that the organization adheres to the Privacy Shield Principles and which includes a link to www.privacyshield.gov. The privacy policy must be made publicly available; organizations with a web site must include a link to where the policy can be viewed.

3. An Independent Recourse Mechanism must exist to resolve complaints about non-compliance at no cost to the individual.

4. Fees must be paid to the International Centre for Dispute Resolution-American Arbitration Association to handle arbitrations brought by EU citizens.

5. Organizations may verify that they are in compliance through a self-assessment or by engaging a third party.

6. A contact must be designated to handle any complaints or questions about the Privacy Shield.

7. The information needed to self-certify should be reviewed.

8. The self-certification must be submitted to the Department of Commerce.



This past week, California passed legislation which affords its citizens many of the same protections as the EU's General Data Protection Regulation. The California Consumer Privacy Act of 2018 gives Californians the right to know the data companies have collected about them; the right to have such data deleted; the right to prevent the sale of such information; and the right to know which third parties their data is shared with. The State has the power to enforce the act, and individuals also can bring their own private actions in the event their data is breached. The CCPA even has its own web site: https://www.caprivacy.org/

The California Constitution was amended in 1972 to include a right to privacy. The Act declares that the right to control the use of personal information is part of this right of privacy.

Here are some notable provisions of the Act.

Upon receiving a data deletion request from a consumer, a business not only has to delete its own records, but also must "direct any service providers to delete the consumer's personal information from their records." Cal. Civil Code § 1798.105(c). However, service providers are given an out. They can retain the personal information if it is necessary to complete a commercial transaction initiated by the consumer; to detect security problems or fraud; or to engage in research in the public interest.

Businesses are required to have a link on their homepage entitled "Do Not Sell My Personal Information" that enables consumers to opt out of the sale of their information. § 1798.135(a)(1). The business then can't contact the consumer to request the sale of the information again for another 12 months.

When non-encrypted or non-redacted personal information is compromised in a data breach, the consumer will have a right to bring an action for damages of between $100 and $750 per incident, or actual damages, whichever is greater. Injunctive or declaratory relief is also available. § 1798.150(a)(1).



The Tip of the Night for March 17, 2017, noted that Maximilian Schrems had filed an update to his initial complaint against Facebook contesting its Standard Contractual Clauses as a means to transfer data outside of the safe harbor scheme. On April 12, 2018, the Irish High Court referred this new case to the Court of Justice of the European Union. The CJEU is to provide answers to the following questions:

1. When data is transferred by an EU private company to a private company in a third country, and may be processed in the third country for the purposes of national security, foreign affairs and law enforcement, does EU law apply?

2. In such a case does EU law or the laws of member states apply?

3. In assessing the level of protection in a third country, should only its domestic laws and international treaties be considered, or should administrative and regulatory policies also be considered?

4. Does data transferred from the EU to the United States under the Standard Contractual Clauses decision violate individual rights?

5. Does US law provide for a judicial remedy for the breach of an individual's EU data privacy rights? If so, do limitations on such a remedy for US national security exceed what is necessary in a democratic society?

6. What level of protection should be provided for personal data transferred via Standard Contractual Clauses?

7. If a data importer is required to make personal data available to security services, are the safeguards adequate?

8. If surveillance laws in the country of the data importer violate EU rights, can the data protection authority use its powers to suspend data flows?

9. Does the Privacy Shield decision constitute a finding of general applicability binding on data protection authorities that the US provides an adequate level of protection?

10. Does the Privacy Shield ombudsman decision ensure that the US provides an adequate remedy to data subjects whose personal data is transferred to the United States under Standard Contractual Clauses?

11. Does the Standard Contractual Clauses decision violate Article 7 (respect for private and family life and communications); Article 8 (protection of personal data); and Article 47 (right to a judicial remedy)?


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea. Proudly created with Wix.com
