USA and Europe (EU) do have a different way of looking into privacy. This PPT is about who is responsible and what kind of rules are in place. This is a A Medved Consultants LLC Presentation. This may not be considered as a legal advice.

1. TITLE
A Medved Consultants LLC Presentation
March 2018
DISCLAIMER: This briefing is for information only. It is not intended as legal advice.
For legal advice regarding any of the issues discussed in this briefing, you should
consult an attorney who is a specialist in this field.
USA and EU Data Privacy Issues for Corporate
Decision Makers!

2. INTRODUCTION
▸ USA and EU Data Privacy rules contrasted:
▸ General corporate responsibilities.
▸ Data Privacy rules.
▸ Handling Data Breaches.
▸ Consequences of Data Breaches
▸ Data Privacy Notices and Privacy by Design
▸ Implementing Data Protection Policies
The Issues:!

3. INTRO 2
▸ The CEO and the BOD are legally liable….
▸ Bell vs. Michigan Council - Finding of negligence for not
providing consumers protection from identity theft.
▸ Wolfe vs. MBNA - Finding of corporate financial liability for not
verifying a credit application.
▸ American Express vs. Vinhee - Judgement against AMEX because
they were unable to introduce corporate records as evidence
because authenticity could not be proved.
Cybersecurity is NOT exclusively a CIO or IT Responsibility!

4. INTRO 3
‣ Take-away: IT Department was not fined, an IT manager was not held
personally liable….. the Corporation had to either pay a substantial fine or
compensate the plaintiffs monetarily.
‣ Who is responsible?
‣ Under financial sector privacy laws - i.e. Gramm-Leach-Bliley and Sarbanes-
Oxley responsibility lies with the CEO and CFO.
‣ FTC consent decrees involving non-sector regulated companies are
increasingly being charged with failure to provide a sufficient level of security
for personal information. The CEO and corporate officers can be sued for
failure to exercise a level of “duty of care”.
Corporate Responsibility for Sector Privacy Violations!

5. INTRO 4
‣ Consider the forthcoming May 2018 implementation of
Europe’s new General Data Protection Regulation (GDPR)
‣ Serious implications for U.S. businesses.
‣ Facebook v. Europe - Austrian law student compels
FACEBOOK to provide him with 1000 pages of his
personal data and other Europeans are asking for their
personal data as well.
And, if you thought these rulings applied only to
financially-related transactions…!

6. DATA PRIVACY RIGHTS 1
‣ USA: No overarching data privacy law…
‣ State laws
‣ Sectoral privacy laws: HIPAA, COPPA, GBL, FCRA
‣ FTC consent decrees - “unfair or deceptive trade
practices” standard applied to data breach negligence
plus the FTC can levy a fine in cases where stated levels
of security are not observed.
Data Privacy Rights - USA v. Europe!

7. DATA PRIVACY RIGHTS 2
‣ In the USA, a legal standard for compliance is emerging.
‣ Statutes and regulations define “reasonable” and “appropriate”
security.
‣ The definition of reasonable and appropriate is…
‣ Ensuring the availability of systems and information.
‣ Controlling access to systems and information.
‣ Ensuring the confidentiality, integrity and authenticity of information
Data Privacy Rights - USA v. Europe!

8. DATA PRIVACY RIGHTS 3
‣ Europe: One all-inclusive data privacy law
‣ Data Subject - is the owner of her data, not the organization (defined
as the Data Controller) that collects the data.
‣ Personal Data - broadly defined, not only “personally identifiable
information”, but also ethnic, sexual orientation, religious data and
Internet generated data: IP address, browser, browsing habits and
more.
‣ Data Controllers (the collecting entity) and Data Processors (internet
providers including cloud services) have duties to the Data Subjects.
Data Privacy Rights - USA v. Europe!

9. DATA PRIVACY RIGHTS 4
‣ Duties of Data Controllers:
‣ Protect the integrity of the data from data breaches. When they occur,
report to the EU Supervisory Authority within 72 hours and when a “high
risk” breach occurs, inform each Data Subject.
‣ Have the ability to provide all data requested by the Data Subject.
‣ Be able to correct or erase erroneous data when the Data Subject
requests.
‣ Delete Personal Data upon request of the Data Subject. - right to be
forgotten.
Data Privacy Rights - USA v. Europe!

10. HANDLING DATA BREACHES
▸ Both EU and USA require a “duty to warn” mandate in the event of a data breach.
▸ EU: 72 hours maximum to inform Supervisory Authority of a data breach;
requirement to provide Data Persons with details: extent, information compromised,
remedies.
▸ USA: A common law duty exists to provide security for personal information. (Bell
vs. Michigan Council - court ruled that plaintiff owed defendant a duty to protect
from identity theft.)
▸ Not only data, but all messages and information recorded electronically or stored on
the corporate system must be protected.
▸ This includes personal data, corporate financial data, transcription records, tax
records, e-mail.
Handling Data Breaches!

11. FINANCIAL CONSEQUENCES OF DATA BREACHES
▸ EU: Massive fines, up to €10million or 2% of worldwide sales ,
whichever is greater. Added financial costs to be borne by Data
Processor to inform Data Subjects.
▸ USA:
▸ Consent decrees issued by the Federal Trade Commmission; e.g .
2011 consent decree with FACEBOOK allows for $40,000 per user
affected.
▸ State and federal court decisions levying fines on violators in cases
involving negligence.
Financial Consequences of Data Breaches!

12. DATA PRIVACY NOTICES AND PRIVACY BY DESIGN 1
▸ USA: Free-form Privacy Notices are the norm. Sample fill-in-
the-blank forms available on Internet.
▸ FTC provides a Privacy Notice format, only applicable to
financial data (GLB act) - (
https://www.ftc.gov/tips-advice/business-center/guidance/how-
comply-privacy-consumer-financial-information-rule-gramm)
▸ No precise standard exists for what must be contained in a
privacy notice - FTC standard is “say what you mean, and mean
what you say.”
Data Privacy Notices and Privacy by Design!
!

13. DATA PRIVACY NOTICES AND PRIVACY BY DESIGN 2
▸ EU: Article 25, Data Protection by Design and by Default, GDPR mandates Privacy by Design in
constructing Privacy Notices;
▸ Privacy begins “at the time of the determination of the means of processing” and …(a)t the time
of processing itself”.
▸ Requires Data Processor “by default” to ensure that only personal data needed for a specific
purpose is processed.
▸ Obligation applies:
▸ Amount of personal data collected;
▸ Extent of processing of personal data;
▸ Period of storage;
▸ Accessibility of data by Data Subject.
Data Privacy Notices and Privacy by Design!

14. IMPLEMENTING INFORMATION PROTECTION PLANS 1
▸ Keep in mind; this is not a list of rules; rather it describes a process.
▸ Identify your corporation information assets.
▸ Conduct periodic risk assessments in order to identify the specific threats and
vulnerabilities.
▸ Develop and implement security controls.
▸ Monitor and test the program.
▸ Continually review and adjust the program using independent audits, “red
teams” and evaluation.
▸ Oversee your third party service providers.
USA: Implementing Information Protection Plans!

15. IMPLEMENTING INFORMATION PROTECTION PLANS 2
‣ Article 35 - Data Protection Impact Assessment (DPIA).
‣ A risk management approach.
‣ Poses high risk to Data Persons in event of compromise.
‣ Use advice and expertise of Data Protection Officer (DPO) in
conducting the DPIA.
‣ Cases of automated processing, including profiling resulting in
decisions having “legal effects” on Data Subjects.
‣ Systematic monitoring of a publicly accessible area on a large
scale.
GDPR: Implementing Information Protection Plans!

16. IMPLEMENTING INFORMATION PROTECTION PLANS 3
‣ Supervisory Authority establishes and publicizes a list of the data processing operations subject to
a DPIA.
‣ Requirements for a DPIA:
‣ Systematic description of the proposed processing operations; purpose of the processing and
including a description of the legitimate interest of the data Controller.
‣ Assessment of necessity and proportionality of processing operations in relation to the purposes.
‣ Assessment of risks to rights and freedoms of Data Subjects.
‣ Measures envisaged to mitigate risks; including safeguards, security measures and mechanisms
designed to protect personal data.
‣ Be Article 40 compliant; many implications…..
GDPR: Implementing Information Protection Plans
(cont’d)!
!

17. ARTICLE 40 CODES OF CONDUCT
▸ Requirement for Data Processors to devise Codes of Conduct as guidelines for the processing of
personal data:
▸ Fair and transparent processing;
▸ Identification of legitimate interests of Data Controllers;
▸ Collection and pseudoymisation of personal data;
▸ Information provided to public and data subjects;
▸ Exercise of the rights of data subjects;
▸ Protection of children and parental consent requirements;
▸ Notification of personal data breaches;
▸ Rules for transfer of data to third countries , international organizations or out-of-court
proceedings and other dispute resolution procedures for resolving disputes between data
subjects and Data Controllers;
Article 40 - Codes of Conduct!

18. SOURCES/ACKNOWLEDGEMENTS
Current EU working papers on GDPR Processing and Automated Decision Taking were provided by Stefan
Schippers of B.E.E.P. bvba. Thanks, Steven. Also thanks to Professor Jane Cross and my fellow students at
Nova Southeastern University for their inspiration in our recently concluded Privacy Law course.
Sources:!
1. Article 29 Data Protection Working Party, WP251rev.01, Guidelines on Automated individual
decision-making and profiling for the purposes of Regulation 2016/679, 03 October 2017, revised
and adopted on 06 February 2018.
2. General Data Protection Regulation (GDPR), (https://gdpr-info.eu/)
3. How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley
Act, Federal Trade Commision (https://www.ftc.gov)
4. The State of Information Security Law, A Focus on the Key Legal Trends, Thomas J. Smedlinghoff,
(http://ssm.com/abstract=1114246)
Sources and Acknowledgements!