Posts Tagged: "GDPR"

Over-Stretched and Under-Resourced: General Data Protection Regulation Two Years On

In 2018, after years of planning, the General Data Protection Regulation (GDPR) was introduced by authorities across Europe. It aimed to modernize the laws that protect individuals’ private information, laws which hadn’t been updated for nearly two decades. The GDPR was designed to give formidable power to data protection authorities. The threat of fines of up to €20 million or up to 4% of an organization’s global annual turnover (whichever is greater) had been established. Two years on, although there have been over 160,000 data breaches reported, only a small number of companies have been issued with a punishment… Enforcement has indeed varied widely across countries, and last year we caught a glimpse of what the data breach landscape may look like in terms of fines in the UK. The Information Commissioner’s Office (ICO) has issued intentions to fine British Airways £183 million, in addition to a potential £3 billion compensation pay-out, after the personal data of around 500,000 customers was exposed from their website and app. Marriott have also been issued with an intention to fine in the sum of £99m. In comparison, almost a third of countries reportedly have yet to issue a single fine.

Privacy Policies and the Value of Data in Bankruptcy Sales

The last few years have seen unprecedented changes in the legal landscape concerning data protection and privacy. The European Union General Data Protection Regulation (GDPR) became enforceable in May 2018. In July 2018, the California Consumer Privacy Act (CCPA) was enacted, and it became effective January 1, 2020. In response to the GDPR and the CCPA, many businesses are updating their privacy policies to comply with these laws. While crafting these updates, drafters should be cognizant of the effect such policies could have not only in the short term, but also down the road. For example, in the bankruptcy context, the content of a company’s privacy policy is important. If a privacy policy does not inform customers that their data may be sold in a bankruptcy proceeding, courts are likely to impose restrictions on the sale of that data. These restrictions can significantly decrease the value of such assets. Because of this reality, drafters should keep a few considerations in mind as they update privacy policies to comply with new laws and maximize the value of data assets.

At a Crossroads: Developing a Standardized Access System to Domain Name Registration Data

As the European Union’s landmark General Data Protection Regulation (GDPR) was set to go into effect in 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) engaged in a series of important, albeit belated, community consultations, with the objective of resolving perceived community concerns with legal compliance of the “Look Up” system (previously called the “WHOIS” system) with data protection laws, such as the GDPR. The consultations resulted in ICANN adopting a “Temporary Specification” (Temp Spec) – a new contractual provision allowing its accredited registrars and registries to perform a wholesale redaction of the registration data that has historically been made available to the public.

The Global Implications of the CJEU’s Ruling in Google ‘Right to Be Forgotten’ Case

On September 24, the Court of Justice of the European Union (CJEU) delivered its decision in case C-507/17, Google v. CNIL, regarding the territorial scope of the “right to be forgotten”. Google Inc. had filed an appeal with the French Council of State (FCS), the highest administrative court in France, requesting the annulment of a decision by the French Data Protection Authority (CNIL), which imposed a penalty of EUR 100,000 (approximately USD 110,300) on Google. The case arises from a request to Google by a natural person for deletion of certain links from the list of results displayed following a search of his name (“request for de-referencing”). In response, Google refused to remove certain content from all versions of the domain name of its search engine (i.e., worldwide), leading to the penalty imposed by the CNIL. The FCS then made a request for preliminary reference to the CJEU for guidance on the interpretation of the “right of de-referencing”, popularly known as the “right to be forgotten”.

Sensitive personal data in HR functions: climbing the ladder of legal bases

The GDPR’s entry into force has forced HR teams across the US and EU to re-evaluate the ways in which they justify the use of personal data relating to their employees, applicants and contractors. Whilst compliance priorities will vary between businesses, all US-headquartered organizations with a presence or personnel in the UK should be particularly mindful of their enhanced obligations to satisfy multiple conditions under both the GDPR and the UK’s new Data Protection Act 2018 (“DPA 2018”) before collecting certain special categories of personal data.

Trademark Enforcement Implications of Europe’s General Data Protection Regulation (GDPR)

The WHOIS database provides technical information about the date of creation and expiration of a domain, as well as contact information for the registrant of a website, including name, physical address, email address, and phone numbers. GoDaddy and WHOIS.com appear to have selectively redacted the information only for registrants providing an EU contact address. However, given the difficulty of determining which domain owners are EU citizens, many registrars, such as Tucows, removed data for all domains regardless of where the registrant is located. In light of this WHOIS blackout, the GDPR has effectively made it easier for counterfeiters and infringers to evade detection.

What Does GDPR Mean for Your Business?

It has been a big couple of years for the European Union in the political and business spheres, what with Brexit and changes to the cybersecurity paradigm. The latter, in particular, will see even bigger changes once the European Union’s General Data Protection Regulation (GDPR) becomes law. The scope of this initiative is as broad as it comes, and will alter how business is done in technology, cybersecurity, marketing and even human resources… GDPR takes measures to ensure that EU citizens have individual rights exceeding any claims made by any company that deals with collecting, processing or storing their data; as such, there are guidelines that cover how an organization should properly track all such information in order to facilitate compliance checks.

The GDPR In Full Effect: What Will Happen to WHOIS?

It has been a long time coming, but the General Data Protection Regulation (GDPR) is almost here. This new privacy regulation requires substantial changes to the collection and storage of data and will affect multiple disciplines, including the brand protection industry. One of the ‘victims’ of the new law is the WHOIS database. How will these changes affect its records?