CloudSecurityAlliance / CSA-Guidance

CSA Guidance

Comments on Domain 3 (Legal issues) #19

Closed. planois closed this 7 years ago.

planois commented 8 years ago

Introduction - there is a paragraph starting with "Specific areas covered include". Should cross-border data transfers be addressed as well? There is a mention about issues relating to moving data into cloud computing, but nothing relating to cross-border data transfers. For example, the transfer of personal data from the EU to a country outside the EU, such as the United States (Privacy Shield). I am happy to prepare and add such a section if there is an interest.

Overview - the section General Legal Issues - in the paragraph beginning with "The EU's requirements", there is a sentence in brackets: "(There is also a new accompanying Directive that must be given effect within each member state by May 6, 2018.)" Why is this in brackets - should this be a footnote instead? The sentence is also not clear since there is no indication on what the accompanying directive does or says. I propose to replace that sentence with the following: A Directive was also issued in relation to the processing of personal information relating to individuals by authorities for the prevention, investigation, detection or prosecution of crimes, and this Directive must be implemented by each EU member state by May 6, 2018.

Next paragraph, the sentence "From the perspective of non-EU corporations, one major difference between the Directives and the Regulation is in how the new Regulation is enforced." The Regulation is not yet enforced, it will only come into effect on May 25, 2018. The sentence should therefore be in the future, as follows: "... how the new Regulation will be enforced".

Next paragraph starting with "From the perspective of non-EU corporations", the sentence "European data privacy was enforced outside the EU under the terms of individual national laws, as well as treaties with the EU. This includes agreements like EU - US Safe Harbor or its replacement, the EU - US Privacy Shield" is inaccurate. Under the current Directive, organizations are in scope if they are located within the EU or make use of (automated) equipment located within the EU. However, if there is a transfer of data from the EU to a country outside the EU, there needs to be an "adequacy decision" by the EU commission stating that such country offers an adequate level of protection of personal data due to its domestic law or the international commitments it has entered into. This is why the Safe Harbor or Privacy Shield was put in place.

The same paragraph states "under the new DPR, EU law is directly binding on any corporation that processes the data of EU citizens, regardless of whether they have any European presence. It remains to be seen what the efficacy of this enforcement regime will be." The new DPR actually goes further than that, since it applies to all organizations offering goods or services to EU citizens, but also to organizations that monitor (online) behavior of EU citizens, in so far as the behavior takes place in the EU.

Paragraph starting with "Beyond these well-known examples, the United States has a huge number of smaller laws", at the end of the paragraph, since the topic is on the FTC's power to regulate "unfair trade practices", I propose to add at the end a sentence such as the following: "Since 2002 and the Eli Lilly settlement, the FTC has brought more than 50 data security enforcement actions pursuant to section 5 of the FTC Act."

Just below, I propose to add a brand new paragraph which would be this: "There is an increasing focus by government agencies on data protection and security issues. For example, in March 2016, the Consumer Financial Protection Bureau (“CFPB”) released a consent order entered between it and Dwolla, a company providing an online money transfer and payment processing platform to consumers. According to the CFPB's consent order, the company made false representations concerning its data security practices and engaged in deceptive acts and practices in connection with the offering of consumer financial products or services. The company was ordered to pay a $100,000 penalty and fix its security practices."

In the paragraph starting with "Alternately, the company may have entered into contracts (such as service agreements)", just under the chart, there is a sentence "| | Prohibition against cross border transfers | ". Shouldn't this be a new paragraph? Also, it should be "cross-border" and not "cross border".

I propose to add a new paragraph at the end of the section on "Prohibition against cross-border transfers", like this: "The development of cloud-based services raises a number of issues due to the nature of cloud technology, where data flows from one country to the other due primarily to load balancing and auto provisioning considerations. In the Microsoft Corporation v. United States of America ruling (2d Cir. 2016), the US Department of Justice sought to obtain from Microsoft all emails and private information associated with a certain account hosted by Microsoft on its web-based Outlook platform. The account's emails were stored on a server located in Ireland, one of many data centers held by Microsoft around the world. The court found that US law (in particular, the US Stored Communications Act) 'does not authorize courts to issue and enforce against US-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.'"

rmogull commented 7 years ago

Great feedback... much of it integrated into the latest revision. We did, however, ignore copy editing for now since the document will go to a professional editing team. We focused on integrating content-level suggestions.