Some days ago I read that the publisher of a gay magazine from New Jersey (XY) filed for bankruptcy and their creditors aimed to take the database containing information about their subscribers. The publisher also maintained a website, and had more than a million customers who had given personal information, including (obviously) their sexual preferences. It is certain that the only valuable thing in that business was that database, as in most cases. The controversy reached the FTC, which sent the publisher's business partners a letter telling them that any sale, transfer or disclosure of the information could be illegal and against the privacy policy promised by XY, which stated that 'the information would not be given or sold to anybody'. They could violate the FTC Act and commit unfair or deceptive trade practices.
Finally the parties reached this agreement: the publisher must destroy all the information, and retain only some personal information in order to send back issues to customers who asked for them. The EFF describes the real problem:
…the Bankruptcy Code itself doesn't handle this scenario very well. Companies that possess customers' personal information are likely — through their own privacy policies — to give themselves permission to sell that information if they go out of business or have a change in ownership. And in the rare case where a company promises its customers that their personal information will never be disclosed to anyone, a bankruptcy court can still allow the data to be leased or sold if that transfer wouldn't otherwise violate the law.
In such cases, Spanish legislation is permissive, as stated in the Royal Decree implementing our Data Protection Law. Companies don't have to foresee this event:
Should the data controller change as a result of an operation of merger, demerger, global assignment of assets and liabilities, contribution or transfer of business or branch of business activity, or any corporate restructuring operation of a similar nature contemplated by company law, a disclosure of data shall not be deemed to have occurred, without prejudice to compliance by the data controller of the provisions of Article 5 of Organic Law 15/1999, of 13 December.
So easy. That's not considered a disclosure, because the creditors in the XY Magazine case, who would be given the database by a court, would be the legitimate 'data controllers'. They would only have to inform the customers about the new situation, and respect the conditions originally given to them by the initial company. But US companies are bound by their own privacy policies, written when they are not thinking at all about being in bankruptcy…
It’s been a surprise. Apple’s new iPhone launch hid a treacherous manoeuvre: to collect the location data of its users. We were used to Google's tricks, but here we have a novelty. Again, an example of a single privacy policy and multiple international users… with their different legislations.



