Updates on the EU:
German DPA Publishes First Privacy Shield Guidelines, Requires German-Law Contracts for Transfers. On June 7, 2016, the European Commission adopted the EU-U.S. Privacy Shield. One question that many organizations had following the Privacy Shield’s adoption was how it would be implemented by the Data Protection Authorities (DPAs) of EU member states. Recently, the DPA of the German state of North Rhine-Westphalia issued what appears to be the first series of DPA-crafted FAQs about how it views, and intends to enforce, the Privacy Shield.
ECJ Declares IP Addresses Are Personal Data. The European Court of Justice (ECJ) has issued its long-awaited decision in Breyer v. Germany. The ECJ concluded that dynamic IP addresses held by website operators other than ISPs can constitute personal data when “the possibility to combine a dynamic IP address with the additional data held by the [ISP] constitutes a means likely reasonably to be used to identify the data subject.” The ECJ stated this would not be the case when “the identification of the data subject [is] prohibited by law,” i.e., if legal rules prohibit ISPs from transmitting subscriber data to website operators.
EU-U.S. Privacy Shield Faces Judicial Attack. The EU-U.S. Privacy Shield is already under challenge before the European courts after having been approved only some months ago by the European Commission. The European courts’ website records that an action for annulment has been brought by Digital Rights Ireland, the privacy and digital rights advocacy organization, before the General Court of the European Union.
The French Digital Republic Act: The New Powers of the French Data Protection Authority and Enhanced Rights of Individuals. On October 7, the French Digital Republic Act was adopted following a widely publicized consultation process. The Act constitutes a first step in the implementation of the General Data Protection Regulation (GDPR). The Act in particular establishes new powers for the French data protection authority (DPA) and new rights for individuals.
Updates for the Financial Services Industry:
New York State Financial Services Regulator Issues Proposed Cybersecurity Regulations. On September 13, 2016, Governor Andrew Cuomo announced the issuance of proposed “first-in-the-nation” cybersecurity regulations for entities regulated by the New York Department of Financial Services (DFS), including jurisdictional banks, insurance companies, and other financial institutions. Once finalized, the regulation would become effective on January 1, 2017, at which point a 180-day “transitional period” would begin, during which entities would need to come into compliance with the new requirements. Many financial institutions are already subject to cybersecurity regulation pursuant to the Gramm–Leach–Bliley Act (such as via the Interagency Guidelines Establishing Information Security Standards); however, the proposed rules are highly detailed and more prescriptive in a number of respects.
Bank Regulators Issue Advance Notice of Proposed Rulemaking on Cyber Risk Governance and Management Regulations. On October 19, 2016, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) issued a joint advance notice of proposed rulemaking, “Enhanced Cyber Risk Management Standards,” that would constitute a marked expansion of the agencies’ cybersecurity regulations. The proposed rules would apply a robust set of cyber risk management standards to large jurisdictional entities and would in most cases apply across the enterprise.
FTC Seeks Public Comment on Safeguards Rule and Proposed Changes. The Federal Trade Commission (FTC) has announced it is seeking public comment on its Safeguards Rule as part of a systematic review of all FTC rules and guides. The Safeguards Rule came into force in 2003 after the Gramm–Leach–Bliley Act required that the FTC and other agencies establish administrative, technical, and physical information security standards for financial institutions. Of particular note is the FTC’s call for comments on whether it should reference or incorporate other standards, such as PCI-DSS or NIST standards, which may signal a shift from the FTC’s previous resistance toward using express standards in defining reasonable security.
D.C. Circuit Holds CFPB Is Unconstitutionally Constructed, Removes For-Cause Removal Protection from CFPB Director. On Tuesday, October 11, 2016, the D.C. Circuit Court issued its opinion in PHH Corp. v. Consumer Financial Protection Bureau, holding that the Consumer Financial Protection Bureau (CFPB) was unconstitutionally structured. In the majority opinion, Judge Kavanaugh described the position of CFPB director as, in terms of unilateral authority, “the single most powerful official in the entire U.S. Government, other than the President.” The court’s ruling severs the for-cause removal protection provision for the director from the Dodd–Frank Act, repositioning the CFPB as an executive, rather than independent, agency.
Supreme Court Denies Cert in Leading Case on Internet Tracking and Analytics. The U.S. Supreme Court recently declined to review In re Google Inc. Cookie Placement Consumer Privacy Litigation—a consolidated class action alleging that Google and third-party advertisers evaded web browser privacy settings, causing cookies to be placed on plaintiffs’ computers. Given the Court’s denial of review, significant questions remain regarding the applicability of the Wiretap Act to Internet communications. The Third Circuit’s opinion offers guidance to online advertisers, data privacy attorneys, and other courts as they examine the applicability of the Wiretap Act to cookie-related activities.
Eighth Circuit Decision Interpreting Spokeo Shows Impact of Supreme Court Decision on Privacy Actions. In issuing its decision in Braitberg v. Charter Communications, the Eighth Circuit recently became the first federal appellate court to issue a published opinion interpreting Spokeo, and, as predicted, the decision shows that the Supreme Court’s ruling will have a significant impact on the viability of privacy-related claims. The Eighth Circuit reiterated the language from Spokeo that a “concrete injury must ‘actually exist,’ and it must be ‘real,’ not ‘abstract.’”
Centers for Medicare and Medicaid Services Issues Emergency Preparedness Requirements That Address Cyber-Attacks. The Centers for Medicare and Medicaid Services (CMS) issued a final rule on September 8, 2016, establishing national emergency preparedness requirements for providers and suppliers participating in Medicare and Medicaid in response to “inconsistency in the level of emergency preparedness amongst healthcare providers.” Providers and suppliers subject to the rule must comply by November 15, 2017. Notably, CMS describes cyber-attacks as a potential risk to assess when implementing the emergency preparedness requirements.
California Updates Data Breach Notification Statute for 2017. California, which has historically been one of the states at the vanguard of data breach notification issues, has made an update to its statute that takes effect on January 1, 2017. The update will require companies to notify affected individuals of a data breach of encrypted information if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.”
In the News
On October 31, George Washington University’s Center for Cyber & Homeland Security released a new report titled Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats. Michael Zweiback is a member of the active defense task force that released the report.
- November 30, 2016. International Association of Amusement Parks and Attractions EMEA Digital Summit, Using Digital Technology to Enhance the Guest Experience and Increase Visitors. Jon Filipek will present on the panel “Achieving an Immersive Guest Experience.”
- December 7, 2016. Alston & Bird’s Roadmap to the GDPR: Breach Notification and Breach Response. Alston & Bird’s Jim Harvey and David Keating will be joined by Aegon Group’s Senior Digital & Privacy Counsel Sebastiaan ter Wee.
- January 30–31, 2017. American Conference Institute’s 21st Advanced Global Legal and Compliance Forum on Cyber Security and Data Privacy & Protection, “Emerging Threats and Developing Remedies: Smart Devices and Connected Data Sources.” Dominique Shelton will be a speaker on this panel.
- January 31, 2017. Association of Corporate Counsel, Cybersecurity Summit. Kim Peretti will participate in a panel on security risk management.
- February 2, 2017. American Bar Association’s Consumer Protection Conference, “Diverse Enforcement and Investigative Techniques and How to Deal with Them.” Kim Peretti will present on this panel.
- April 4, 2017. Incident Response Forum 2017. Kim Peretti will present.
- April 19–20, 2017. IAPP Global Privacy Summit 2017, “Choice & Consent: Who’s Governing the Cookies and Tags on Your Web Sites?” Dominique Shelton will be a speaker on this panel.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.