Updates on the EU:
An English-Language Primer on Germany’s GDPR Implementation Statute. Expanding on his recent article for Bloomberg BNA, Alston & Bird associate Dan Felz offers a multipart primer on Germany’s new GDPR implementation statute. The series clarifies Germany’s approach to important issues such as data protection officers, employee privacy, data use (including new rules on health care), data subject rights, and more.
Professor Peter Swire Publishes His Expert Testimony from Schrems 2.0. Peter Swire, Elizabeth and Thomas Holder Chair at the Georgia Tech Scheller College of Business and senior counsel at Alston & Bird, has made public his expert testimony from the landmark Irish High Court case Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems. Under the Irish Court’s rules, Swire was asked to provide an independent opinion on U.S. surveillance law to assist the court in its decision. Swire’s testimony highlights U.S. systemic remedies, U.S. individual remedies, Foreign Intelligence Surveillance Court oversight, and the broader implications of the challenge to standard contractual clauses.
UK Will Soon Introduce a New Data Protection Bill. The UK Department for Digital, Culture, Media & Sport presented a new data protection bill to Parliament in September. This new bill will replace the current UK Data Protection Act of 1998 and will effectively incorporate the EU General Data Protection Regulation (GDPR) in the UK legal system. The new bill is one of the main goals of the recently elected government, and its primary aim is to ensure that the UK upholds the same data protection principles as the rest of the EU upon leaving the Union.
Data Processing at Work: New Challenges Toward Compliance. The Article 29 Working Party (WP29) recently issued an opinion that discusses the processing of employee personal information. The WP29 focuses on the use of new technologies by employers and assesses requirements in light of the upcoming GDPR.
Facebook Fined for WhatsApp Data Linking Fallout. On May 18, the European Commission fined Facebook €110 million for misrepresentations made in its application for competition clearance of the company’s acquisition of WhatsApp. In its merger application, Facebook claimed that it would be unable to automatically match Facebook and WhatsApp accounts. However, WhatsApp later introduced functionality enabling the linking of WhatsApp user phone numbers and Facebook user identities. This is the first time since the new Merger Regulation entered into force in 2004 that the EC has imposed a fine for the provision of misleading information during a merger clearance.
Swire Discusses European Data Economy at European Political Strategy Centre Policy Hearing. Peter Swire, Alston & Bird Senior Counsel and Nancy J. and Lawrence P. Huang Professor of Law and Ethics at the Georgia Institute of Technology’s Scheller College of Business, recently participated in a policy hearing held by the European Political Strategy Centre, the in-house think tank of the European Commission. Swire joined five other experts in answering a series of questions posed by the Centre’s moderators on how Europe can build its data economy to compete globally, protect fundamental privacy rights, and guard against anticompetitive behavior.
French CNIL Releases GDPR Compliance Toolkit. On March 15, the French data protection authority (CNIL) released its six-step GDPR compliance program as well as GDPR-tailored templates for use by companies in compliance efforts (the “GDPR Toolkit”). The GDPR Toolkit is helpful because it provides guidance that companies may directly include in their privacy programs. Companies with sophisticated privacy programs may also use the GDPR Toolkit as a reality check against CNIL’s expectations and, more generally, European data protection authorities’ standards and expectations for GDPR compliance.
Working Party Welcomes the Draft ePrivacy Regulation, yet Expresses Grave Concerns. The WP29 recently issued its first opinion for 2017, focusing on the EU Commission’s proposed ePrivacy Regulation. The EC’s proposal, which was published in January of this year, aims to modernize the existing ePrivacy Directive, which concerns the protection of personal data in the context of electronic communication services. In its opinion, the WP29 generally welcomed the proposed regulation but expressed several points of concern and suggested amendments.
ICO Seeks Extra Resources for GDPR Enforcement. On March 13, Elizabeth Denham, head of the Information Commissioner’s Office (ICO), the UK data protection authority, publicly expressed her intention to massively recruit new personnel in an effort to prepare for the European Union’s GDPR. Denham later told the press that the ICO would hire approximately 200 people.
Germany Proposes Bill Requiring Social Network Takedowns – with €50 Million Fines. Recent media reports indicate that Germany is considering legislation that would fine social networks for failing to combat fake news and hate speech. German Justice Minister Heiko Maas introduced a “Draft Law to Improve Law Enforcement in Social Networks” (“NetzDG”). The NetzDG aims to curb “hate-based criminality” on large social networks that have the potential to drive public opinion, and to improve law enforcement access to evidence held by social networks.
Italy Imposes Record Data Protection Fines. On March 10, Italy’s data protection authority, Il Garante per la protezione dei dati personali (the “Garante”), announced that it had ordered fines totaling more than €11 million on five companies operating in the money transfers sector for breach of Italian data protection law. The sanctions have been described as the largest privacy fines ever imposed in the European Union.
UK Launches Public Consultation on GDPR Consent Guidance. The ICO issued guidance on consent under the GDPR on March 2, explaining its recommended approach to compliance and the definition of a valid consent. This guidance provides examples and practical advice to assist companies in deciding when a consent is unbiased and when other alternatives must be sought.
Updates on the U.S.:
FTC Updates Data Security Guidance for Businesses. In June, the Federal Trade Commission released a new guide for businesses on implementing sound data security protections and procedures. In “Protecting Personal Information: A Guide for Business,” the FTC offers “10 practical lessons” based on the numerous enforcement actions brought by the FTC. The guide offers insight into the thinking of this key federal regulator.
Eighth Circuit Affirms Dismissal of Scottrade Data Breach Suit. The Eighth Circuit recently affirmed a district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013. The named plaintiffs had asserted several contract-based claims against Scottrade, alleging that Scottrade had violated its contractual obligations to take adequate steps to safeguard the personal identifying information of its customers.
Anthem Settles Data Breach Litigation for Record-Setting $115 Million. Health insurance giant Anthem agreed to the largest data breach settlement to date, ending multidistrict consumer litigation over a 2015 data breach for $115 million. The data breach, which resulted from a hacker-orchestrated cyberattack following the theft of an employee password, exposed personally identifiable information and protected health information of nearly 80 million people.
Northern District of Illinois Dismisses Barnes & Noble Data Breach Lawsuit. Earlier this month, the Northern District of Illinois entered an order dismissing with prejudice a putative class action concerning a security breach affecting PIN pad devices at numerous Barnes & Noble locations. The lawsuit was brought by consumers who had used credit and debit cards at Barnes & Noble during the breach.
Data Monetization and State Privacy Laws. On June 8, magazine publisher Trusted Media Brands settled a class action lawsuit for $8.2 million after purportedly disclosing the personal information and magazine choices of customers to third parties. The lawsuit alleged that the publisher’s actions violated Michigan’s Video Rental Privacy Act (VRPA), demonstrating the sometimes hidden legal risks of data monetization.
Fourth Circuit Allows Wikimedia Upstream Suit to Proceed. On May 23, the Fourth Circuit issued its opinion on Wikimedia Foundation v. NSA/CSS. The court vacated and remanded the NSA’s previously successful motion to dismiss Wikimedia’s Fourth and First Amendment claims against the NSA’s Upstream surveillance program, while a 2–1 majority upheld the dismissal of the eight other organizations joined as co-plaintiffs. The court held that Wikimedia’s complaint contained sufficient factual allegations to determine Article III standing and that the district court misapplied Clapper v. Amnesty International’s analysis of speculative injury.
Court Holds Forensic Investigator’s Report Is Protected from Disclosure. Third-party forensic investigations performed at the direction of counsel are part and parcel of virtually every data breach. There has been little case law, however, directly addressing the extent to which the attorney-client privilege and/or work product doctrine protects those forensic investigations from disclosure. Last week, the Central District of California held that, under the specific facts at issue, information is indeed protected by at least the attorney work product doctrine.
President Trump Signs Long-Awaited Cyber Executive Order. On May 11, President Trump signed a long-awaited Executive Order on cybersecurity. The Order directs executive agencies to complete a risk management report based on the NIST Cybersecurity Framework and also requires the Department of Homeland Security and other agencies to undertake activities in support of effective cybersecurity risk management for operators of critical infrastructure. More generally, the Order directs several agencies to submit reports to the President on a varied set of cybersecurity-related topics.
New Mexico Data Breach Legislation Passes. New Mexico recently became the 48th state to pass some form of data breach notification legislation, leaving Alabama and South Dakota as the last holdouts. The Data Breach Notification Act was signed by New Mexico Governor Susana Martinez on April 6. The law applies to persons that own or license New Mexico residents’ personal identifying information, defined as an individual’s first name or first initial and last name in combination with a social security number, driver’s license number, government-issued ID number, account number plus security or access code or password, or biometric data.
Alston & Bird Issues Cyber Alert on the New Chinese Cybersecurity Law and Regulations. On June 26, Alston & Bird’s Kim Peretti, Justin Hemmings, and Emily Poole issued an advisory on recent changes in Chinese cybersecurity law. The new law asserts greater control over all data collection and generation in China, as well as the processing of data from Chinese data subjects. While the law entered into force on June 1, there is still uncertainty about how the law will be interpreted and enforced, including which companies are subject to the law.
Are You Ready for Compliance with the Amended Act on Protection of Personal Information in Japan? Japan’s Act on Protection of Personal Information (APPI) dates back to 2003 and went into effect in 2005. Japan’s legislature, the National Diet, passed extensive reforms to modernize the APPI in September 2015. The Amended Act on Protection of Personal Information came fully into effect on May 30, 2017.
Australia Adopts New Data Breach Notification Legislation. On February 13, Australia became one more nation-state adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act of 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act. The recent bill requires entities with revenue over $3 million AUD and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as soon as practicable” when an “eligible data breach” occurs.
In the News
Peter Swire was quoted by CBS News on Uber’s practice of paying for data culled from anonymous users’ emails.
Kim Peretti was quoted in Law360 on the worldwide ransomware cyberattack and on President Trump’s Executive Order on the country’s cybersecurity infrastructure. (subscription required)
Kim Peretti discussed the “WannaCry” ransomware global cyberattack in The New York Times.
- October 4-6, 2017, Washington, DC – Privacy + Security Forum. David Keating will be a speaker for the October 6 presentation of “Emerging Consumer Tracking and Analytics Technologies.”
- October 20, 2017, Atlanta, GA – Technology Law Institute. Sponsored annually by the Privacy & Technology Section of the State Bar of Georgia, this all-day CLE event will feature Peter Swire as the keynote speaker. In addition, David Teske and Lauren Giles will be presenting on blockchain developments, and Al Leach (Alston & Bird’s assistant director of technology operations) will host a presentation on law firm security. Digital Download editor Michael Young will present on children’s privacy.
- October 26, 2017, Atlanta, GA – GDPR Compliance Conference Series at the Alston & Bird Atlanta office. Co-sponsored with the Alliance of Global Privacy Solutions Providers.
- October 30, 2017, Tysons Corner, VA – ACC National Capital Region Seminar. Kim Peretti will be presenting. More details to follow.
- November 7, 2017, Brussels, Belgium – GDPR Compliance Conference Series at the Crowne Plaza Brussels. Co-sponsored with the Alliance of Global Privacy Solutions Providers. This event will take place in advance of the November 8–9 IAPP Europe Data Protection Congress.
- November 16, 2017, Washington, DC – ABA Section of Antitrust Law 2017 Fall Forum. Kim Peretti will serve as a speaker for Panel V: Data Security & Privacy - Counseling the “Hot Topics.”