Upcoming Privacy Events

Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:

Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up steam. This webinar will provide practical recommendations on both fronts so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.

Date: February 1, 2012
Conference: ACI Privacy & Security of Consumer and Employee Information (pdf)
Location: The Westin Washington, DC City Center, Washington D.C.
Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:

  • Raise employee awareness and educate employees in the handling of sensitive data
  • Safeguard company equipment and wireless devices and minimize damage in the event of breach 
  • Protect corporate networks from the use of multiple portable devices while preserving employee rights
  • Establish policies and procedures to strengthen and maintain data security

For more information and to register, please click here (pdf).

Date: February 9-10, 2012
Conference: Littler Global Employer – Latin America Conference
Location: Miami, Florida
Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.

Date: March 9, 2012
Conference: IAPP Global Privacy Summit
Location: Washington Marriott Wardman Park, Washington D.C.
Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social Media, Criminal History and Credit Checks”
Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.

Photo credit: CrackerClips

Multinationals Certified to the U.S.-E.U. Safe Harbor Agreement Beware: The Federal Trade Commission Has Bared Its Enforcement Teeth

Since its inception in the year 2000, the U.S.-E.U. Safe Harbor Agreement has attracted nearly 2,000 multinationals seeking to establish a lawful basis to transfer to the U.S. the personal data of their consumers and employees who reside in the European Union (E.U.). To obtain the benefits of the Safe Harbor, these organizations are required to (a) certify to the U.S. Department of Commerce that they have implemented the seven Safe Harbor principles, (b) post for their employees and/or customers (depending upon the type of personal data being imported from the E.U.) a Safe Harbor privacy policy that embodies those principles, and (c) implement policies and procedures to ensure that the organization processes personal data received from the E.U. in compliance with the privacy policy. The Safe Harbor certification must be updated annually.

Until just a few weeks ago, the Federal Trade Commission (FTC), which enforces the Safe Harbor, had not commenced a single enforcement action in the nine years that the Safe Harbor has been in effect. Last week, the FTC requested public comment on six separate settlements of complaints alleging that multinationals had violated the Safe Harbor by representing to the public that they were current members of the Safe Harbor even though their certification was not up-to-date. Notably, the settlements do not include any monetary penalties, but instead would enjoin the targets from future misrepresentations about their Safe Harbor status.

The lessons learned include the following:

  • Multinationals must take compliance with all of the Safe Harbor’s requirements seriously; there is now some enforcement risk.
  • The nature of the enforcement risk is uncertain. The FTC’s charges required virtually no enforcement resources. The agency had to do nothing more than compare each target’s statements in its publicly posted Safe Harbor privacy policy against the certification records maintained by the Commerce Department. These settlements do not (at least yet) reflect the agency’s intention to perform on-site audits to determine whether the multinational’s internal process for handling personal data actually conforms to the seven Safe Harbor principles embodied in the organization’s Safe Harbor privacy policy.
  • The next, most likely enforcement step would be the FTC’s request to review the mandatory, annual self-assessment or third-party assessment of Safe Harbor compliance. The FTC would not have to expend any resources to “look behind” the assessment to find a violation. The failure to conduct the required annual assessment itself would be a violation.
  • Given the above, multinationals certified to the Safe Harbor should promptly confirm that their certification is current and conduct an assessment of their compliance with the Safe Harbor if they have not performed one during the preceding year. To the extent the assessment reveals any gaps in compliance, the gaps should be closed.

This entry was written by Philip L. Gordon.

Photo Credit: S. Solberg J.