Articles Posted in Internet Law

The Justice Department Criminal Division recently released guidance on what it considers when deciding how a corporation’s compliance program factors into its investigation and the ultimate decision as to whether to bring charges, negotiate pleas or enter into other agreements with corporations under investigation.    The Evaluation of Corporate Compliance Programs, released on April 30, 2019,  is an expansion of the 2017 guidance document issued by the Criminal Division Fraud Section.

Prosecutors Must Ask Three Fundamental Questions

Prosecutors will ask three fundamental questions to determine if a corporation’s compliance program was effective at the time of the offense and at the time of charging:


Voice recordings violate the General Data Protection Regulation (GDPR) when companies fail to provide callers the ability to opt out according to a ruling earlier this month by the Denmark Data Protection Authority.  Under the GDPR, voice recordings are considered personal data.  Therefore, companies that communicate with EU residents need to understand what the GDPR requires from a compliance perspective to avoid unwanted violations.

This Call May Be Monitored …. Requires Affirmative Consent


The State Office for Data Protection Supervision (BayLDA) in Bavaria recently conducted an audit of 40 websites and concluded all 40 websites were in violation of the GDPR. The audit revealed, as discussed below, that all websites failed to provide their users with clear and concise information regarding the use of cookies in direct violation of the GDPR. Interestingly, none of the 40 companies were technology-based companies. This should serve as a stark warning to all companies that GDPR compliance is not an obligation for technology companies alone but applies across all sectors.

Cookie Banners  


The General Data Protection Regulation (GDPR) was approved by the EU Parliament back in May 2017. The GDPR, in a nutshell, was designed to replace an inconsistent set of data privacy laws with a comprehensive law that protected all European Union residents. Please click here for my original post on the GDPR. While the GDPR has been in effect for over a year, the law gave companies until May 25, 2018 to comply. Well, that deadline has come and gone. If you fail to comply, regulators can impose a fine of up to 4% of worldwide revenue. This is NOT a typo! 4% of worldwide revenue up to 20 million euros.

Currently, there are no grace periods if your company still has not complied with the GDPR. Additionally, as the ability to enforce compliance is less than 1 week old, there is no precedent out there that we can use as guidance. Regulators for EU member states have indicated different approaches to enforcement going forward. One state regulator has implied that even if full compliance has not yet been achieved, the efforts made to attain compliance will be taken into account as a mitigating factor. Other state regulators, by contrast, have simply stated that if they have reason to impose a fine, they will impose a fine. In this regard, the European Data Protection Board was recently created.

Last month the Pennsylvania Supreme Court held that accessing any information from a cell phone without a warrant violates the Fourth Amendment to the Constitution. The Fourth Amendment states, in a nutshell, that we shall be free from unreasonable searches and seizures. In this particular criminal case, the police powered on a cell phone that was recovered at the scene of an arrest. The police officers at the scene powered on the phone, determined its number, connected it to a crime and obtained a warrant to monitor a phone number that was found in the cell phone. This action ultimately led to the arrest of the owner of the cell phone that the police powered on without a warrant. The PA Supreme Court stated there is “no exception for what police or courts may deem a ‘minimally invasive search.’” The Court reasoned that a person’s expectation of privacy rests in the phone itself and even went so far as to compare the opening and powering on of a cell phone as tantamount to walking through the front door of someone’s house without a warrant.

Protection of Digital Rights

The Pennsylvania Supreme Court’s decision continues the movement towards the protection of digital rights.  While this case centered on criminal activity, it has clear implications in the business world.  SEC or DOJ investigations, internal audits and civil litigation will be impacted by this decision.  With virtually every adult in the business world possessing a cell phone, understanding one’s rights and obligations in this digital world can mean the difference between jail and freedom, termination for cause versus without cause, or turning over trade secrets when you are under no obligation to do so.  The laws that encompass digital privacy are rapidly changing.  Indeed, I have had several New Jersey litigation cases where opposing counsel was not aware of New Jersey’s Social Media Law that prohibits employers from requiring employees to provide access to their social media accounts (5th amendment issues).  Without this information, opposing counsel was not able to access the information needed to prove her case.


A Delaware business client recently asked me to review his commercial privacy policy to see if his website complied with current online privacy protection requirements. Not surprisingly in this fast-paced and constantly changing digital landscape – the website failed because it did not clearly provide a link to its privacy policy on the home page. And this is putting aside the May 25, 2018 GDPR compliance deadline that is fast approaching and its severe financial consequences for noncompliance. The Delaware Online Privacy Protection Act has three stated goals but for purposes of this alert, I will focus only on the commercial purpose. Operators of an internet service must conspicuously post their “privacy policy” if they collect personally identifiable information of Delaware residents. To better understand this, let’s break this down into its component parts.

Operators of an Internet Service

The General Data Protection Regulation, more commonly known as the GDPR, replaced an inconsistent country-by-country approach to how companies were required to handle the personal data of European Union (EU) residents. The EU Parliament approved the GDPR last month and all companies, including US companies, must be compliant by May 25, 2018 or face heavy fines that can be up to 20 million euros or 4% of a company’s prior year world-wide revenue, whichever is higher. This is not a typo. Now that I have your attention, let’s break the GDPR down to 2 important questions.

Does my US business offer goods or services to EU residents?  If the answer is yes, you are subject to the GDPR.

First, what is an EU resident? An EU resident is any individual that resides in any of the 28 member states that form the EU. This applies to anyone who resides in the EU. Citizenship is NOT required. Second, there is no requirement that the company offering the goods or services be located in the EU. All that is required is that the individual resides in the EU. The GDPR focuses on the EU resident, known as the “data subject”, and not the “data controller”. Consider the following: does your company have a website? If your website collects data from an EU resident, you fall under the purview of the GDPR regardless of whether you have a physical business location in the EU or whether any business transaction was consummated between your business and the EU resident. The mere surfing of a Pennsylvania business’s website by an EU resident makes your business subject to the GDPR.

Cyber Security For the Small Business

Cyber Security Month

October is Cyber Security Month. If your company uses any kind of computers, cell phones, networks, software, etc. to go about its business, then this month applies to what you do day in and day out. Having these technologies makes our lives more advanced and efficient but they also leave us open to security issues. Businesses large and small have to have plans and processes in place for how they deal with their digital technologies BEFORE something terrible happens. It can seem like a big undertaking for the little guy given that the big guys seem to be hit time and time again. Yahoo, for example, was recently the victim of yet another network security breach. One might ask what can a small business do with limited funds? After all, if large companies with departments solely dedicated to thwarting cyber intrusions cannot stop hackers, what can a small business do? The answer is simple – plenty.

  • Understand Your Business Network

A woman living in Staten Island must pay her flooring contractor $1,000. What did she do wrong? She posted a negative review on Yelp.com. While the First Amendment (freedom of speech) generally lets you critique your home improvement contractors (and anyone for that matter) and comment upon their quality of work and professionalism, the judge in this case stated that the homeowner went too far when she called her contractor a “con artist” and said that he “robs” his customers and it is a “scam”.

Under Pennsylvania tort law, libel is defined as “a maliciously written or printed publication which tends to blacken a person’s reputation or expose him to public hatred, contempt or ridicule, or injure him in his business or profession.” Specifically, in an action for libel a plaintiff in Pennsylvania has the burden of proving each of the following:

  1. The defamatory character of the communication;