December 16, 2015

New European Privacy Plan Announced

Earlier this week, the European Parliament and Council announced they have (finally) agreed upon a new General Data Protection Regulation (the GDPR).  This is really big news for all U.S. companies that do business in Europe or with Europeans.

The GDPR has not yet been voted into law, but the agreed-upon language is probably quite close to the final law.  The International Association of Privacy Professionals (of which I'm a certified member) has published a great, concise list of the key provisions, which I commend to you:

• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.

• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.

• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.

• Many organizations will now be required to appoint a data protection officer.

• Personal data may only be collected for “specified, explicit and legitimate purposes.”  The text also introduces principles of “data minimization,” “accuracy,” “storage limitation” and “integrity and confidentiality.”

• The GDPR requires “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.

• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or to perform a task in the public interest.

• That consent has to be demonstrable upon demand, and can be retracted by the data subject at any time.

• There will still be variation from member state to member state.

• Children under the age of 16 will need to get parental approval to give consent, unless the member nation passes a law to lower the age, but no lower than 13.

• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.

• Data controllers have to provide any information they hold about a data subject free of charge and within one month of request.

• A “right to erasure” is established, where controllers are required to delete personal data...even if the data has been made public already.

The next legislative step is for the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs ("LIBE Committee") to vote on the text tomorrow (December 17), and if it passes, the full Parliament is expected to vote in January.

There is much more to come on this very significant development.


December 1, 2015

PSA: New North Carolina Laws Become Effective Today (December 1, 2015)

The law is ever-changing, which is part of the reason I find it fascinating.  Several new North Carolina laws become effective today, December 1st.  Many of them are criminal laws, but some that may be of interest to business owners and managers include the following:
 - Electronic signature and notarization on vehicle titles [SL 2015-270 / SB 370]
 - An omnibus regulatory reform bill [SL 2015-286] that, among other things:
  • Repeals the offense of "using profane or indecent language on public highways," except in certain counties;
  • Repeals the offense of refusing to relinquish a party telephone line in an emergency;
  • Excludes volunteers and officers of certain nonprofits from the definition of "employee" for purposes of the Worker's Compensation statute;
  • Expands the "Good Samaritan" law to allow well-intentioned people to break into a car, boat or aircraft to assist a person in need; and
  • Numerous environmental law changes.

 - Privacy law enhancements (including the so-called "revenge porn" law) [SL 2015-250 / HB 792]

You can find out more about each of these laws and more in the N.C. General Assembly's summary, available here.