News – Privacy Associates International LLC
- UK Data Protection (Charges and Information) Regulations 2018 (3/13/2018)
The Regulations, laid before Parliament on 20 February 2018 and still in draft form, set out the circumstances in which data controllers are required to pay a charge and provide information to the Information Commissioner from 25th May 2018. There are three different tiers of fee and controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. The Regulations will replace the previous regime under the Data Protection (Notification and Notification Fees) Regulations 2000 (S.I. 2000/188). In addition, the ICO has issued Data Protection Fee – A Guide for Controllers. This guidance deals specifically with the requirements of the 2018 Regulations.
- FTC Releases Annual Summary of Complaints Reported by Consumers – Top Three Categories Debt Collection, ID Theft, and Imposter Scams (3/13/2018)
The FTC produces the Consumer Sentinel Network Data Book annually using reports received by the Consumer Sentinel Network. These include reports made directly by consumers to the FTC, as well as reports received by state and federal law enforcement agencies, national consumer protection organizations, and non-governmental organizations. The data book includes complaints from 2.68 million consumers, a decrease from 2016 when 2.98 million consumers submitted reports about fraud, identity theft and other types of consumer concerns. Despite this, consumers reported losing a total of $905 million to fraud in 2017 — $63 million more than in 2016. The data book includes national statistics, as well as a state-by-state listing of top report categories in each state, and a listing of metropolitan areas that generated the most complaints per capita. This year the FTC has developed a mini site to make the information in the 2017 data book more accessible for the public.
- U.S. v. Microsoft Decision Could Create Ripples Across the Atlantic (3/12/2018)
The GDPR made a recent appearance in U.S. Supreme Court arguments in connection with the United States v. Microsoft litigation. The case raised the issue of whether the United States may issue a search warrant to a U.S.-based electronic communications service for data held on a server outside of the United States (in this case, Ireland). At the heart of the case is a 2016 ruling in favor of Microsoft and other tech companies by the Second Circuit limiting the geographic reach of the Stored Communications Act to data stored in the United States. Among the many amicus briefs filed on behalf of Microsoft was one submitted by the European Commission asserting the European Union’s interest in ensuring that the Supreme Court proceed based on a correct understanding of EU law. The case concerns personal data stored in a datacenter in the European Union that is operated by an EU-based subsidiary of Microsoft. Storing such data and transferring it from the European Union to the United States constitutes data “processing” to which the EU data protection rules apply. In the European Union’s view, any domestic law that creates cross-border obligations should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity. Depending on the outcome, the Supreme Court’s decision could set up a future conflict for companies seeking to comply with both U.S. and EU laws.