Wednesday, December 16, 2015

New European Privacy Plan Released!

Yesterday the European Parliament and Council announced they have (finally) agreed upon a new General Data Protection Regulation (the GDPR).  This is really big news for all U.S. companies that do business in Europe or with Europeans!

The GDPR has not yet been voted into law, but the agreed-upon language is probably quite close to the final law.  The International Association of Privacy Professionals (of which I'm a certified member) has published a great, concise list of the key provisions, which I commend to you:

• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.

• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.

• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.

• Many organizations will now be required to appoint a data protection officer.

• Personal data may only be collected for “specified, explicit and legitimate purposes.”  The text also introduces principles of “data minimization,” “accuracy,” “storage limitation” and “integrity and confidentiality.”

• The GDPR requires “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.

• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or to perform a task in the public interest.

• That consent has to be demonstrable upon demand, and can be retracted by the data subject at any time.

• There will still be variation from member state to member state.

• Children under the age of 16 will need to get parental approval to give consent unless the member nation passes a law to lower the age no lower than 13.

• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.

• Data controllers have to provide any information they hold about a data subject free of charge and within one month of request.

• A “right to erasure” is established, where controllers are required to delete personal data, even if the data has been made public already.

The next legislative step is for the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs ("LIBE Committee") to vote on the text tomorrow (December 17) and, if it passes, the full Parliament is expected to vote in January.

There is much more to come on this very significant development.  I will be sharing commentary on Twitter (@MattCordell and @PrivacyLawNC) and on LinkedIn as I come across it.


Tuesday, December 1, 2015

New N.C. Privacy Statute Becomes Effective


Several new North Carolina laws become effective today, December 1st, 2015. Among them are some privacy law enhancements including provisions that are known as the "revenge porn" statute. [Session Law 2015-250] Just over half of the states currently have such laws on the books, and about nine states' statutes create a civil remedy. The statutes are designed to address a troubling trend of people posting intimate images or video of another person, usually a former partner, on the internet to gain "revenge" by humiliating the person. Some states' courts recognize common law legal theories that can be used to combat this activity, but many states concluded that a specific statute was necessary and appropriate. As of today, North Carolina is among them.

The new statute makes it unlawful to "disclose a private image" if all five of the following facts and circumstances are present:

(1) Intent. The person knowingly discloses an image of another person with the intent to coerce, harass, intimidate, demean, humiliate, or cause financial loss to the depicted person (or cause others to do so).

(2) Identifiable. The depicted person must be identifiable from the disclosed image itself or information provided in connection with the image.

(3) Private Parts or Conduct. The depicted person's intimate parts are exposed or the depicted person is engaged in sexual conduct in the image.

(4) Lack of Consent. The person discloses the image without the affirmative consent of the depicted person.

(5) Expectation of Privacy. The person discloses the image under circumstances such that the person knew or should have known that the depicted person had a reasonable expectation of privacy.

A violation of the statute is a felony and gives the person who is the subject of the image a right to sue the offending person. In a lawsuit, the subject of the image can recover his or her actual damages (which are assumed to be the higher of $1,000 per day for each day of the violation or $10,000); punitive damages (to punish the offender); and attorneys' fees and other litigation costs. A court can also order the destruction of the image(s). The lawsuit must be filed no later than one year after the discovery of the offense, and no later than seven years after the last known disclosure of the image.

The criminal penalties may be subject to a Constitutional challenge in the future, because the First Amendment guarantees rights that the statute could be interpreted to limit. Similar statutes in several other states have been challenged on Constitutional grounds. It will be interesting to see how North Carolina's statute will fare when the inevitable challenge comes.

You can read more about the statute here.