On January 2, 2021 the National Defense Authorization Act (“NDAA”) became law. Importantly, the NDAA included sweeping legislative reforms to anti-money laundering (“AML”) laws, which are now codified in the Anti-Money Laundering Act of 2020 (“AMLA”) (NDAA §§ 6001-6511). Designed to address national security concerns, these AML amendments will significantly impact financial institutions, certain types of businesses (both domestic and foreign), and High Net Worth Individuals (“HNWIs”). While HNWIs legitimately seek to maintain confidentiality in their corporate entities or wealth management structures, the AMLA will make that more difficult and potentially more dangerous.
Continue Reading The New Anti-Money Laundering Act of 2020 and Potential Effects on Foreign Businesses and High Net Worth Individuals

As we settle into the reality of living with both the CCPA and the GDPR, companies are looking for new approaches to keeping their privacy houses in order. The CCPA reminds us that there is no end to new legislation: proposals are already coming in from states as varied as Nebraska, New Hampshire and Virginia. Similar legislative trends exist around the globe. How can companies be prepared to address this ever-shifting legislative landscape? There are a few essential steps privacy officers can take, including (1) aligning the privacy team’s efforts with the underlying corporate mission, (2) having a clear understanding of both the company’s data and its use practices, and (3) having infrastructure in place that will allow for updates to notices and rights.
Continue Reading Getting Prepared for a Decade of Privacy

CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded to the website: the server returned whatever file the URL named, without checking that the requesting user was the one who had uploaded it. This security defect left a trove of nearly 300,000 tax and identity documents accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.
Continue Reading French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data
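The two findings above (files served without an ownership check, and files retained longer than needed) as an added illustration; this is not Sergic’s code or code from the original post, and the in-memory store, user names, identifiers and retention period are constructed assumptions.

```python
"""Ownership check and retention purge for user-uploaded files (illustration only)."""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Document:
    doc_id: str
    owner_id: str
    uploaded: date
    content: bytes


# Constructed sample data: two rental applicants, each with one uploaded file.
STORE = {
    "1001": Document("1001", "alice", date(2019, 1, 10), b"alice tax return"),
    "1002": Document("1002", "bob", date(2019, 1, 11), b"bob id card"),
}


def fetch_document_vulnerable(store, requester_id, doc_id):
    """Flawed pattern: trusts the id taken from the URL and never asks who owns it.
    A logged-in user who edits the id in the URL receives another applicant's file."""
    doc = store.get(doc_id)
    return None if doc is None else doc.content


def fetch_document(store, requester_id, doc_id):
    """Hardened: the record must exist AND belong to the requester.
    'Missing' and 'not yours' give the same answer, so valid ids are not confirmed."""
    doc = store.get(doc_id)
    if doc is None or doc.owner_id != requester_id:
        return None
    return doc.content


def new_doc_id():
    """Unguessable identifier, so ids cannot be enumerated by editing the URL.
    This is a second layer only; the ownership check above is the real control."""
    return secrets.token_urlsafe(16)


def purge_expired(store, today, retention_days):
    """Delete documents kept past the retention period (the second CNIL finding).
    Returns the ids that were removed, in store order."""
    expired = [d.doc_id for d in store.values()
               if today - d.uploaded > timedelta(days=retention_days)]
    for doc_id in expired:
        del store[doc_id]
    return expired
```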

The French data protection authority CNIL has received 3,767 data protection complaints since the EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. According to CNIL, this is a 64 percent increase compared to the same four-month period last year. CNIL also reported that it has received 600 data breach notifications during the same period. CNIL is in the process of developing new French regulatory tools under the GDPR. It has already developed and proposed strict new biometric privacy regulations, and has nearly finalized a certification program for company Data Protection Officers. It is now developing regulations related to customer relations, human resources, and health monitoring.
Continue Reading Dramatic Increase in French Privacy Complaints Since GDPR

The French data protection authority CNIL has issued a fine against the company Assistance Centre d’Appel related to the use of biometric technology in the workplace. During an audit at the end of 2016, CNIL found that the company was using fingerprint timeclocks to track employee hours without prior authorization from CNIL, as required by the French Data Protection Act. In France, an employer may not use biometric data to monitor employees’ hours absent prior approval from CNIL, which is granted only in exceptional circumstances. During the 2016 audit, CNIL also found that the company was recording employee phone calls without informing the employees or other call participants, and that it lacked adequate workstation security. While the company has since ceased using fingerprint timeclocks, a 2018 audit by CNIL revealed that the company had still failed to properly inform call participants about call recording, and that workstations remained insecure. The fine was set at €10,000, based on the company’s partial compliance and its finances; the company employs only fourteen workers. In publishing its decision, CNIL stated that it sought to remind employees of their rights and employers of their obligations, particularly with respect to biometrics in the workplace. CNIL also intended to remind companies of the consequences of failing to respond to and comply with CNIL notices of default.
Continue Reading France Imposes Fine for Unauthorized Use of Fingerprint Timeclocks