Whistleblowers, Internal Reporting, and GDPR Compliance

By Varun Chari

The adage “Between a Rock and a Hard Place” has long captured the predicament of the employee-whistleblower who must decide whether to report company fraud. However, with the Securities & Exchange Commission (SEC) providing incentives to whistleblowers to report internally and the General Data Protection Regulation (GDPR) imposing legal restrictions on the collection of personal data, the adage now better describes the employer’s situation. U.S. transnational companies are under pressure to restructure their internal compliance procedures to incorporate the requirements imposed by the GDPR[1] or risk potential liability for failing to do so. This Article will first explain this development by providing a brief background on the SEC whistleblower incentive scheme and the GDPR. Next, this Article will discuss the procedural requirements companies are subject to when they process a whistleblower’s or third party’s personal data. Finally, this Article will propose best practices that companies should implement when processing a whistleblower claim internally.


“Alexa, can you keep a secret?” An Analysis of 4th Amendment Protection Regarding Smart Home Devices

By Rebecca Levin

I. Introduction

On November 5, 2018, Judge Steven M. Houran of Strafford County, New Hampshire ordered Amazon to provide authorities with audio recordings from an Amazon Echo device in the investigation of the stabbing of two women in January 2017.[1] Judge Houran wrote the Echo device may possess recordings that give insight into the murders given the device’s location in the home where the women were found.[2] Currently, Amazon is objecting to the legality of this order and has yet to hand over the recordings, stating they will not release the information “without a valid and binding legal demand properly served on us.”[3] While this dispute is in the early stages, this clash over privacy rights between the government and Amazon is not the first of its kind.[4]

On February 22, 2016, in Benton County, Arkansas, prosecutors charged James Bates with the murder of Victor Collins.[5]  After the Chief Medical Examiner ruled Collins’s death a murder, law enforcement obtained a search warrant for Bates’s home where they seized an Amazon Echo device under the assumption that through use of this device Amazon possessed audio recordings that could help solve the murder in question.[6]  Prosecutors surmised the Amazon Echo inadvertently recorded audio from the night of November 21, 2015 given the device played music on the night of the alleged murder and could have inadvertently recorded evidence of the murder.[7]  Ultimately, Amazon dropped their objection to releasing the recordings when James Bates voluntarily consented to their release on March 3, 2017.[8]  These cases highlight the question of what level of protection home smart devices receive under one’s right to privacy.  This article will explore how the current laws protect smart home device users under the Fourth Amendment.


The European Commission on the Privacy Shield: All Bark and No Bite?

By: Kimberly A. Houser[*] and W. Gregory Voss[**]

Introduction

Much has been written about the difference in the privacy laws of the European Union and the United States and ideologies behind the two regimes.[1] One risk of the increasing divergence in views on privacy is the potential halting of data transfers from the European Union to the United States by the European Commission (EC). As data is a significant driver of the world economy,[2] special care must be taken to ensure both that data is able to cross borders easily and that individuals’ rights to data protection are respected.

The General Data Protection Regulation (GDPR)[3] prohibits the transfer of personal data outside of the European Economic Area (EEA) to countries without “adequate” privacy protections.  As the United States is considered to have insufficient protections, the EC requires that an approved mechanism, such as the Privacy Shield—its agreement with the United States that permits U.S. companies to self-certify that they will meet certain minimum privacy protections[4]—be used for such transfers.  Alternative mechanisms include standard contractual clauses (SCCs).[5]  Suspension of any one approved mechanism may call into question the legitimacy of the others.
