We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they are divulging their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of Sneaker Platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up to date security processes, and in particular, the necessity of having an adequate data breach response plan in place.
Stock-X, a platform for the re-sale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a Report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that it was due to system updates. A spokesperson for Stock-X later disclosed to TechCruch that Stock-X was alerted to “suspicious activity”. TechCrunch reports; however, an unnamed data breach seller had contacted it claiming more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.Read More
A new trans-Atlantic data transfer framework has been agreed between the European Commission and the United States this week. Known as the ‘EU-US Privacy Shield’, the new arrangement is intended to offer greater legal certainty for businesses and afford EU citizens increased protection when their data is transferred across the Atlantic to the US.
The new regulations will replace the US-EU Safe Harbor framework, which was invalidated by the European Court of Justice last October on the basis that the generalised access that public authorities had to the data and content of electronic communications violated fundamental privacy rights. Read our earlier blog post on the Safe Harbour decision here.
The key features of the new EU-US Privacy Shield are:
- Stronger obligations on US companies to protect the personal data of EU citizens
- More robust enforcement powers granted to both EU and US regulators, including greater monitoring and prosecution by the US Department of Commence and Federal Trade Commission (FTC)
- Clearer conditions, limitations, redress avenues and safeguards for data transferred across the Atlantic
- Expanded obligations for US companies to prove compliance
- Several new avenues for EU citizens to lodge complaints about data misuse, including the establishment of a new independent privacy Ombudsman
The new Privacy Shield is still awaiting final approval from the College of Commissioners and will be subject to further review by the Article 29 Working Party before it is introduced. Much of the detail has not been released, so while the principles have been articulated, the impact on the obligations of affected companies is still far from clear.
Read the European Commission press release here for further details.
Our US and EU colleagues have drafted a more detail description which can be accessed here for further information.
On 26 October 2015, European Commissioner Vera Jourová, announced that the European Union had agreed in principle with the US on a new trans-Atlantic data-transfer agreement. Commissioner Jourová made the announcement in a speech, before the Committee on Civil Liberties, Justice and Home Affairs, which addressed the recent judgment of the European Court of Justice that invalidated the safe harbour scheme between the two countries (Schemes decision). Commissioner Jourvá said, “there is agreement…in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She also added that she expected both sides to make progress on the remaining technical points of discussion by mid-November, when she is scheduled to visit the US. The European Commission is also planning on issuing an explanatory Communication on the consequences of the Schemes decision so that businesses and industry have ‘clear explanations and a uniform interpretation of the ruling.’ The European Commission are also working towards a pending deadline set by European data protection authorities who have said that if, by the end of January 2016, no appropriate solution is found with the U.S. authorities, they will take all necessary and appropriate steps (including enforcement action) to enable data transfers to the U.S. that respect fundamental rights.
The European Commission’s press release can be found here.