Bernstein Shur Monthly – December 2018
Data Breach Notification Laws Update
By: Andrea J. Shaw, Shareholder
Last month we discussed the importance of having a Data Breach Response Plan in place. This month we are highlighting some of the updates you may need to make to that plan given the legislative activities that have occurred to date in 2018.
We all know that data breaches are costly and complex. One driver behind this is the requirement to potentially comply with 50 different state data breach laws. 2018 has seen a fair amount of movement in this space. The information provided below is a high-level summary of recent state legislation that has changed which “data elements” trigger a consumer and/or regulatory notice requirement in a given state if those elements are breached. These are in addition to the typical standbys (social security number, driver’s license number and financial account numbers).
Data Elements Update:
Data Element: Usernames and passcodes, insurance numbers, health data, passport number, taxpayer ID number, biometric data and any private e-sign or authentication key unique to an individual.
Effective Date: June 1, 2018
State: South Dakota
Data Element: Usernames and passcodes, employee ID numbers “in combination with any required security code, access code, password or biometric data”
Effective Date: July 1, 2018
Data Element: Passport numbers, state ID numbers and biometric data
Effective Date: August 1, 2018
Data Element: Student, military or passport ID number; medical information; health insurance ID number; biometric data; and usernames and passwords
Effective Date: September 1, 2018
Colorado amended its law to require notification within 30 days of a determination that a breach occurred. Alabama, Arizona and Oregon laws require notification no later than 45 days after discovering a breach. Louisiana and South Dakota have gone to a 60-day time frame for notification.
Worried that you missed something? The team of privacy experts at Bernstein Shur is here to help. We can review your incident response plan so you can “Be Shur” it is up to date and you will be in compliance with the latest legislative updates across the country. Contact Andrea Shaw, Shareholder, to discuss your needs.
Client Alert: Does the GDPR Apply to my Organization?
Guidance from EU authorities clarifies the scope for U.S. organizations
By: Eric Langland, CIPP/E, CIPP/US
Many U.S. organizations receive personal data from EU residents, whether or not the organization is active in the EU market. With its laundry list of compliance obligations and hefty fines, it’s no surprise these organizations frequently ask whether the EU’s General Data Protection Regulation (GDPR) applies to their collection of EU resident personal data.
Fortunately, EU authorities have spoken. In draft guidelines issued recently, the European Data Protection Board (EDPB) elaborated on the territorial scope of the GDPR. Perhaps the most significant developments in the EDPB’s guidance were (1) the addition of a “targeting” requirement for organizations outside the EU that offer goods or services to residents in the EU, and (2) the requirement that companies monitoring the behavior of EU residents analyze or build a behavioral profile with the data before the GDPR applies. As a result, the guidance restricts the GDPR’s scope for organizations outside the EU.
While the EDPB’s guidance covers a range of areas, here are the key takeaways from the guidance regarding the offering of goods or services to, or monitoring the behavior of, EU residents by organizations outside of the EU.
Offering Goods or Services to EU residents
Merely possessing or processing the personal data of EU citizens is not sufficient to bring a U.S.-based organization under the purview of the GDPR. Instead, the organization offering goods or services to EU residents must “target” individuals in the EU. The guidance provides a list of nine factors to consider when determining whether an organization is targeting EU residents by offering them goods or services: (1) the organization makes reference to the EU or member states with regard to the goods or services offered; (2) the organization outside the EU has launched a marketing campaign in the EU, or pays a search engine operator to facilitate access by EU residents; (3) the nature of the activity at issue is international, e.g., tourism; (4) the organization references dedicated contact information for EU residents; (5) the organization uses an EU or member state domain name, e.g., “.de” or “.eu”; (6) the organization provides travel instructions for residents in the EU to a place where the service is provided; (7) the organization references clientele in the EU; (8) the organization uses a language or currency that is different from the one used in its own country; and (9) the organization offers to deliver goods or services in an EU member state.
An EU resident visits the website of a U.S. company and signs up to join its weekly newsletter. The EU resident provides her name, email address, and home address. The company does not market its goods or services to residents in the EU, nor does it have a regional office, subsidiary, or sales representative in the EU. Furthermore, it does not monitor (see discussion on monitoring below) the behavior of EU residents. The U.S. company is not targeting its goods or services to EU residents and is not subject to the GDPR.
A bank in the United States has customers who are German citizens but reside in the United States. The bank directs all of its services to customers in the United States and has no presence in the European Union. The bank is not targeting EU residents and is not subject to the GDPR.
A website owned by a Boston-based company, with its servers and IT personnel in the United States, offers services for the creation, printing, and shipping of family photo albums. The website is available in English, French, Dutch and German. Payment can be made in euros and sterling. The printed products can be shipped to Europe. The company is subject to the GDPR because accepting euros, offering delivery to the EU, and presenting the website in languages spoken in the EU would meet the EDPB’s definition of “targeting” EU residents.
A university in New Hampshire allows prospective students to apply for admission on its website. Admission is open to any student with the sufficient level of education and English language skills. The university does not market the program to EU residents and only takes payment in U.S. dollars. An EU resident applies to the program and submits her personal information through the website. The university is not subject to the GDPR because none of its activities fall within the definition of “targeting” individuals in the EU.
Same fact pattern as above, but the university partners with an EU university or hires a study abroad company to market its program in the EU. The GDPR applies because the university is now targeting EU residents by advertising its program in the EU.
Monitoring the behavior of EU residents
Even if an organization outside the EU does not offer goods or services to EU residents, it may be subject to the GDPR if it “monitors” the behavior of individuals in the EU. “Monitoring” includes not only tracking user behavior online through cookies and other technologies, but also geo-location activities, CCTV, online surveys, and others. However, monitoring alone will not necessarily trigger the GDPR. According to the guidance, monitoring implies that the organization “has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.”
A company in the United States provides advice to retailers about customer shopping trends by tracking customer movements via Wi-Fi throughout shopping centers. The company is advising a French shopping mall and collects the geo-location information of French shoppers through their smartphones. The company uses this information to build a shopping profile of each customer. The U.S. company is subject to the GDPR. The tracking of geo-location and subsequent profiling constitutes “monitoring” under the GDPR.
A U.S. company uses an analytics tool on its website to track visitors’ behavior, e.g., length of visit, pages visited, content viewed, etc. It does not market its goods or services to EU residents, but it collects data from EU residents when they visit the website. The company does not include EU resident data in the analysis and profiling that results from the processing of its analytics data. Although the company engages in monitoring, the GDPR will not apply if the company does not reuse the EU residents’ data in a profile or behavioral analysis.
The EDPB provides valuable guidance regarding the “targeting” and “monitoring” of EU residents by organizations outside the EU. U.S. organizations with EU resident data will need to analyze their data processing activities to determine whether they fall within the GDPR’s territorial scope. In addition to the GDPR, EU member state law and the EU’s ePrivacy Directive may apply to your organization’s processing of EU resident data.
The EDPB’s guidance on the GDPR’s territorial scope is open for public comment until January 18, 2019.
Eric Langland is an attorney at Bernstein Shur. His practice focuses on helping organizations build data privacy programs and comply with data privacy laws. Previously, he was the privacy officer and in-house counsel for a large German company’s operations in the United States. He holds the International Association of Privacy Professionals’ CIPP/E and CIPP/US certifications.