Changes in Global Privacy Affect Small Business Too

In case you missed it, on October 6, 2015 the Court of Justice of the European Union (CJEU) issued a long-awaited privacy ruling in the case involving Maximilian Schrems, the Ireland Data Protection Authority (DPA) and Facebook. Back in 2000, the EU Commission decided that personal data sent to US organizations that sign up to the Safe Harbor scheme is adequately protected. Safe Harbor organizations self-certify compliance with certain privacy principles, and the scheme is enforced by the US FTC.

Simply put, Schrems sued to prohibit the transfer of his personal data from Facebook Ireland to Facebook in the U.S., citing widely perceived flaws in U.S. data protection that came to light after the Edward Snowden NSA revelations.

Why it Matters

Over 5,000 U.S. companies “self-certify” under Safe Harbor, and their European partners and customers rely on Safe Harbor for data transfers into the U.S. The decision may affect many small to medium-sized businesses that use social media for marketing and business development, as well as businesses that use cloud-based services for gathering, processing and sharing data. Transfers of Personally Identifiable Information (PII) from the EU to the U.S. must either be authorized by national data protection authorities or rely on one of the legal exceptions.

Although the Safe Harbor companies publicly committed to apply the Safe Harbor Privacy Principles to the personal data they brought into the U.S. (and some companies passed these commitments on to other entities under Onward Transfer agreements), companies that disregard those commitments, with regard to either stored data or new data transfers, could expose themselves to FTC enforcement against “unfair or deceptive practices” or to judicial complaints based on U.S. contract, fraud, or tort law, as well as to enforcement in the EU, such as complaints before labor tribunals, courts, and data protection authorities.

Don’t Panic, Yet

While the decision is likely to have a significant impact on the transfer of personal data from the EU to U.S. recipients, EU leaders say it’s not time to panic yet. Experts have pointed out the alternative legal bases for transatlantic data transfers that exist, such as contracts, Binding Corporate Rules or actual, express consent. Many businesses may be able to use these methods and continue their transatlantic data transfers.

Domestic Developments

At the same time, California leads the U.S. in enacting new privacy legislation. Last week California passed legislation that may equate to what the EU wants to see at the federal level. Under §1546.1(b) of CalECPA, a government entity must have a warrant, wiretap order, electronic reader records order or subpoena if it wants to compel an individual or a service provider to disclose information stored on their devices (mobile phones, computers, tablets, TVs, servers, you name it). §1546.1(c) states that government agencies cannot access a device, either physically or remotely, unless they have a warrant, a wiretap order or the consent of the authorized possessor of the device, unless the government in good faith believes there is an emergency that could jeopardize someone’s life or physical integrity (in which case it must obtain a warrant within 3 days), or unless the device was confiscated from an inmate in a state prison.

Concerned about whether your business is at risk of violating EU data protection rules? Don’t be. We offer a FREE, no-obligation one (1) hour consultation to identify potential issues. The professionals at the Adler Law Group can help you review, enhance and adopt standardized contracts and implement methodologies for approaching these challenges by setting objectives, determining scope, allocating resources, and developing agreements that will efficiently and effectively manage risks, while keeping pace with the business.

Please call: (866) 734-2568, click:, or write: David @

Illinois Updates Eavesdropping Law, Ambiguities Remain

Illinois has recently enacted a revised version of the Eavesdropping Act (720 ILCS 5/14, et seq.). Prior to 2015, Illinois was a “two-party consent” state. The Act prohibited recording police and other public officials without their consent, and there were several prosecutions under the old version of the law. The new law makes it legal to make such recordings in public without consent.

Under the old law, the statute had the effect of barring the recording of loud arguments on the street, political debates in the park, or even public interactions between citizens and police officers. While the new law attempts to create a balance between privacy and the need to preserve the details of conversations with authorities, it is being criticized for creating a new set of problems.

Chief among the concerns from both criminal defense attorneys and prosecutors are the definitions of “surreptitious” and “reasonable expectation” of privacy.

For example, although the statute protects one’s right to secretly record one’s own conversations, the reality is that with today’s ubiquity of cell phones, even if someone has a cell phone out on the table or is checking a cell phone during the conversation, it may be unclear whether that person is also using the cell phone to record the conversation.

Furthermore, the concept of a “reasonable expectation of privacy” is problematic. Critics say that ultimately this opens the door to a debate about whether one’s expectation of privacy was reasonable or not.

Lastly, some have criticized the Act for creating a fast track for police to conduct surveillance of citizens’ private communications without a warrant. The law allows police to obtain approval from a local state’s attorney under a broad set of circumstances, as opposed to having to go before a judge and show probable cause.

Given these ambiguities in the law, many believe that it will take time and lawsuits in order to clarify some of the boundaries of these issues.

The New Wave of Data-Breach Outrage

You can almost feel it, like a power-line buzz in the air. If 2014 was the year that consumers and legislators woke up to the real threat to privacy and information security, 2015 may be the year that sees a shift in both enforcement and penalties.

On February 5, Anthem, Inc., the country’s second-largest health insurer by market value, announced a security breach resulting in unauthorized access to tens of millions of current and former customer and employee accounts, Bloomberg reports.

Of particular concern is that the compromised data included Social Security numbers, birth dates and similar identifiers, which is very different from having a credit card number stolen.

Last week, a group of 10 state attorneys general (AGs) sent a letter chastising Anthem for the length of time it took to notify the public of the breach. The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.

Some observers have commented that current encryption technology can limit the amount of data that even “authorized users” can view at one time, making it more difficult to compromise massive amounts of data.

In this situation, the breach occurred through misuse of an authorized user’s credentials, so encryption alone would not have prevented it. While most companies give universal access to data to some employees (senior level or IT), for the encryption approach to work, no one person or set of credentials should allow access to all data.

In the end, the new “best practices” approach may be a combination of encryption plus controls to limit the amount of data that any one set of credentials can access.

When it comes to addressing data privacy risks, it is often difficult to determine whether you should slow down, change course, signal for help, or simply muddle through. Often, teams tasked with managing privacy need to quickly identify potential issues, assess the risk, and implement controls to steer clear of unneeded exposure. The privacy professionals at the Adler Law Group can help you adopt Privacy Impact Assessments – or similar tools – and standardize a methodology for approaching these challenges by setting objectives, determining scope, allocating resources, and developing practices that will efficiently and effective manage privacy, while keeping pace with the business. For a free consultation, call us at (866) 734-2568, send and email to or visit our web site


Do You Understand Your Data Privacy Rights?

Data Privacy Day was started in 2007 in response to widespread lack of understanding about how personal data was being protected. Today, 91% of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies, according to a recent Pew Research Center Survey.

Data is one of the natural resources of the 21st century. It should be treated like all other precious resources. Understanding, responsibility, and accountability are key. Ubiquitous Internet connections, unprecedented processing power and speed combined with staggeringly large databases have the ability to help both the private and public sectors. However, there is a growing split between the benefits of data-driven activities and perceptions of decreased privacy rights needs to be addressed. There is a balance that needs to be found between the responsibility of governments and that of businesses in ensuring an adequate level of protection to citizens and consumers, while supporting technological innovation.

The purpose of Data Privacy Day is raise awareness among digital citizens and empower them with understanding how their data is being collected, stored and consumed. Often, that starts with being educated about the privacy policies of online companies and web properties.

The National Cyber Security Alliance (NCSA) officially kicked off today’s Data Privacy Day events with a broadcast from George Washington University Law School featuring Federal Trade Commissioner Maureen Ohlhausen and privacy and security experts from industry and government.

Whether you are a consumer, an application developer, a technology platform provider, consultant, or enterprise that relies on the collection, analysis and commercialization of data (who doesn’t these days) Adler Law Group can help you navigate this emerging area by 1) assessing and prioritizing privacy risks, 2) creating a baseline understanding of data assets, data flows and contractual commitments, 3) developing internal Privacy Polciies and processes, and 4) creating and delivering training programs for executives and employees that increases awareness and mitigate risk.

Is Your Company’s Web Site Privacy Policy Compliant With New California Law?

Privacy Law Update: California “Do Not Track” 

Two California laws went into effect at the beginning of the year that  require additional notifications to consumers.  The California Online Privacy Protection Act (“CalOPPA”) requires that web sites, mobile apps and other online services available to California residents (in reality anyone with a web site that may be accessed by a CA resident) post a privacy policy that gives notice to consumers regarding behavioral or interest-based advertising practices (“OBA”).

Disclosures must explain:
1. If a web site operator allows other parties to use tracking technologies in connection with the site or service to collect certain user data over time and across sites and services; and
2. How it responds to browser “do not track” signals or other mechanisms designed to give consumers choice as to the collection of certain of their data over time and across sites and services

In addition, the “California Shine the Light Act” requires that companies (except non-profits and businesses with less than 20 employees) collecting broadly defined personal information from California consumers on or offline either: (a) give consumers a choice as to the sharing of that information with third parties (including affiliates) for direct marketing purposes; or (b) provide notice of, and maintain, a method by which consumers can annually obtain information on the categories of information disclosed the names and addresses of the recipients of that data, and a description of the recipients’ business.

If an e-commerce service offers tangible goods or services, or vouchers for them, to California consumers, it must give certain notices to consumers, including how they can file a complaint with the CA Department of Consumer Affairs.

Are you  concerned about how to disclose how your service responds to “Do Not Track” signals or similar tools and settings, and whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service? We may be able to help. We can review your policies, your information gathering and sharing practices, and advise on whether there is room for improvement.

Please contact us for a no-fee consultation.

Amended California Do Not Track Disclosure Law Requires Websites Disclose Do Not Track Signal Response

At the end of August, the California passed an amendment to the California Online Privacy Protection Act that will require commercial websites and services that collect personal data to disclose how they respond to Do Not Track signals from Web browsers.

AB 370, as introduced by California Assemblyman Al Muratsuchi, requires a business that discloses a customer’s personal information to a third party for direct marketing purposes to provide the customer, within 30 days after the customer’s request, as specified, in writing or by e-mail the names and addresses of the recipients of that information and specified details regarding the information disclosed.

This bill, available here, would declare the intent of the Legislature to enact legislation that would regulate online behavioral tracking of consumers.