Special Focus on “Safe Harbor 2.0,” Privacy Shield and E.U. Data Transfers: Alston & Bird’s privacy team has been closely following the development of Privacy Shield, the proposed successor to the E.U.-U.S. Safe Harbor framework. Our coverage includes:
- Revised Safe Harbor Agreed: Introducing the New “E.U.-U.S. Privacy Shield” European Commission and U.S. officials announce reaching a “political agreement” on a new Safe Harbor framework to be called the “E.U.-U.S. Privacy Shield.”
- Statement from Peter Swire on Revised Safe Harbor Agreement. Peter Swire issued this statement following news of a revised Safe Harbor framework.
- E.U. Working Party Discusses Data Transfer Framework. The Article 29 Working Party (WP29) released a much-awaited statement on the consequences of the European Court of Justice decision that invalidated the Safe Harbor framework. Companies will be relieved to find that alternative transfer mechanisms, such as Model Contracts or Binding Corporate Rules, are not at risk for the moment. Instead, the WP29’s main focus is on the new “E.U.-U.S. Privacy Shield” that will replace the Safe Harbor framework.
- A Brief Overview of the Privacy Shield. Alston & Bird has written a one-page summary of the Privacy Shield to help U.S. organizations initially evaluate whether the new framework represents a viable mechanism to legitimize the transfer of personal data from the E.U.
- Art. 29 Working Party Issues Formal Opinion Opposing Privacy Shield. Several hours after holding a closely watched press conference, the Article 29 Working Party released its highly anticipated formal opinion on the adequacy of the Privacy Shield. In its formal opinion, the WP29 clearly indicates that it does not see the current draft as providing adequate protection for E.U. data transferred to the U.S.
Other Features
E.U. Data Protection and Privacy Coverage:
Examining the Judicial Redress Act. The Judicial Redress Act has recently been touted as a critical step toward developing a revised “Safe Harbor 2.0" framework. The law extends the 1974 “Privacy Act” and provides qualifying non-U.S. individuals with limited rights to review, copy and request amendments to records about themselves maintained by federal government agencies.
Article 29 Working Party announces its 2016 Action Plan for GDPR Preparedness. During a press conference held on February 3, the president of the Article 29 Working Party discussed the group’s 2016 action plan for the new General Data Protection Regulation (GDPR). The plan lays the groundwork required to prepare the E.U. data protection authorities for their new role under the GDPR and to ensure a smooth transition as the WP29, established under the Data Protection Directive, is superseded by the European Data Protection Board (EDPB). The EDPB will be tasked mainly with ensuring a coordinated and consistent application of the regulation throughout the E.U.
Alston & Bird Issues Cyber Alert on the EU Network Information Security Directive. Alston & Bird attorney Jim Harvey issued an advisory on the E.U.’s forthcoming Network Information Security Directive. National laws passed to implement the directive will impose substantial new compliance responsibilities on providers of “essential services,” as well as on a broad range of “digital service providers” – potentially even if a digital service provider's only E.U. presence is a website. Companies subject to the directive will be obligated to implement internal cybersecurity measures and meet other requirements.
GDPR Approved by Parliament, Set to Become E.U. Law. The GDPR is now officially adopted and will become the law of the land in the E.U. Twenty days after its publication, it will enter into force – i.e., either in May or June 2016.
Turkey’s New Data Protection Law. Turkey’s new “Law on the Protection of Personal Data” has entered into effect following passage by the Turkish Parliament in late March and official publication last week. The new law adopts a broadly European model for data protection and helps clarify key aspects of the regulation of personal data under Turkish law.
U.S. Data Protection and Privacy Coverage:
Big Data: FTC Issues Report Cautioning that Use of Big Data may Violate Federal Consumer Protection Laws or Raise Ethical Considerations. On January 6, the FTC issued a report on the commercial use of big data, “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues,” summarizing the results of a September 2014 workshop and numerous public comments, including a paper and workshop comments by Alston & Bird attorney Peter Swire. The report addresses the commercial use of big data (as opposed to the collection, compilation or analysis of such data) and cautions against uses that have the potential to be exclusionary, discriminatory or that may violate applicable consumer protection laws.
The Importance of Strategic Vendors in Breach Response. Alston & Bird recently issued an advisory, co-authored by attorneys Jim Harvey and Karen Sanzaro, on the complexities of managing a data breach that implicates strategic third-party vendor relationships.
President Obama Announces Cybersecurity National Action Plan. On February 9, President Obama unveiled his new Cybersecurity National Action Plan (CNAP), a comprehensive approach to confront cybersecurity challenges. As articulated in the CNAP Fact Sheet released by the White House, CNAP takes “near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”
SEC Continues to Focus on Cyber-related Disclosures. Participating in a panel at the “SEC Speaks” event on February 19, Stephanie Avakian, deputy director of the SEC’s Enforcement Division, expressed that the agency continues to focus on cybersecurity as a top priority in 2016. Avakian discussed the SEC’s cybersecurity concerns in three contexts: (1) failure of registered entities to follow Rule 30(a) of Regulation S-P in protecting customers’ records and information; (2) illicit securities trading following theft of material non-public information; and (3) cyber-related disclosures by public companies.
Working Paper on Internet Service Providers and Privacy Released. On February 29, The Institute for Information Security and Privacy released its latest working paper, “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others.” Alston & Bird’s Peter Swire, who is also a professor at the Georgia Institute of Technology Scheller College of Business, authored the paper, along with Alston & Bird attorney Alana Kirkland and policy analyst Justin Hemmings, who is also a research associate at Georgia Tech’s Scheller College of Business.
CFPB Brings First Enforcement Action on Data Security. On March 2, the Consumer Financial Protection Bureau (CFPB) for the first time brought an enforcement action related to data security. The CFPB consent order imposes a $100,000 fine and five years of regulatory oversight for online payments provider Dwolla. The action sends a clear message that the CFPB intends to actively regulate the data security representations of consumer finance service providers.
Administration Seeks to Renegotiate Controversial Cybersecurity Export Control. The Obama administration will reportedly seek to renegotiate a controversial cybersecurity export control rule as part of Commerce Department regulations under the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
FTC Announces Study of PCI-DSS Assessment Companies. On March 7, the FTC issued a press release announcing that it had issued orders to nine Qualified Security Assessor companies, which are certified to assess whether entities involved in payment card processing, such as merchants, are compliant with the Payment Card Industry Data Security Standards. The FTC orders request that each entity submit a special report within 45 days providing information on the assessment process and the companies themselves.
FCC Proposes New Privacy Rules for Internet Service Providers. On March 10, the FCC proposed new privacy and data security rules for Internet service providers that if passed, would regulate how ISPs collect, use, share and protect customers’ data. The notice of proposed rulemaking that FCC Chairman Tom Wheeler circulated for consideration by the full Commission is previewed in a three-page fact sheet that sets forth the proposed rules, which are built on the three core principles of choice, transparency and security.
HHS/OCR Announces Launch of HIPAA Audit Program Phase 2. The Department of Health & Human Services’ Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA Compliance Audit Program. In this phase, OCR will review the policies and procedures that covered entities and business associates have adopted and implemented to meet certain standards and implementation specifications of the HIPAA privacy, security and/or breach notification rules.
Department of Justice Indicts Seven Iranians for State-Sponsored Hacking. The Department of Justice has announced the indictment of seven Iranian hackers alleged to work for the Iranian government on charges stemming from a coordinated string of distributed denial of service attacks primarily against U.S. financial institutions from 2011 to 2013. One of the hackers is also charged with breaking into the supervisory control and data acquisition systems of a dam in Rye, New York, outside of New York City, in 2013.
Tennessee Updates Data Breach Statute. On March 24, Tennessee Governor Bill Haslam signed SB 2005 into law. The statute will now require organizations that have experienced a data breach to notify individuals within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Other changes are discussed in the post.
Alston & Bird in the News/Announcements
- Kim Peretti, partner and co-chair of Alston & Bird’s Cybersecurity Preparedness & Response Team, has been named to Cybersecurity Docket’s inaugural “Incident Response 30.”
- Video is now available of the debate between Alston & Bird’s Peter Swire and European privacy activist Max Schrems.
- Peter Swire is quoted by the Washington Post regarding the controversy surrounding the FBI’s recent attempts to decrypt one of the San Bernadino terrorist attacker’s mobile phones.
Events
- Alston & Bird broadcast a live webcast, Transferring Data from the E.U.: The Privacy Shield and Data Transfer Under the GDPR on April 28. Peter Swire presented as part of Alston & Bird’s series on the “Roadmap to the GDPR.” Please click here to access the recording of the program (enter first name, last name, company name and email to view the replay).
- May 16, 2016, IAWatch, Cybersecurity for Financial Services CLE. Kim Peretti will participate on a panel titled “Governance and Risk Assessment: Evaluating Risks and Tailoring Controls.”
- May 25-26, 2016, Georgetown Cybersecurity Law Institute. Kim Peretti will moderate a session titled “Regulator Report: How is Government Addressing Cybersecurity in Key Sectors?”
- June 7, 2016, Alston & Bird live webcast, Planning to Implement the GDPR: What Companies Should Do First.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.