Updates on the EU
Privacy & Data Security Team Launches GDPR Tracker Website. The Alston & Bird Privacy & Data Security Team recently launched the General Data Protection Regulation (GDPR) Tracker website, which provides users access to a unique overview and insights into national legislation EEA Member States have issued to implement the GDPR.
100 Days Until GDPR Effective Date – Sharing Our GDPR Experience. In less than 100 days, the GDPR will go into effect. This means that as of May 25, 2018, each national supervisory authority will have the authority to apply and enforce the GDPR. Read our thoughts on what happens next.
An English-Language Primer on Germany’s GDPR Implementation Statute. Expanding on his recent article for Bloomberg BNA, Alston & Bird associate Dan Felz continues his multipart primer on Germany’s new GDPR implementation statute. The series clarifies Germany’s approach to important issues such as data protection officers, employee privacy, data use (including new rules on health care), data subject rights, and more.
ECJ Rules against Schrems Class Action, Sets Up Jurisdictional Questions for GDPR Class Actions. The European Court of Justice ruling sets a precedent limiting the availability of EU-wide class actions under the GDPR. This ruling will likely result in further litigation going forward.
ePrivacy Regulation Trialogue Negotiations Pushed Back to Fall 2018; Final ePrivacy Regulation May Not Be in Place Until 2020. A spokeswoman from Germany’s Economic Affairs Ministry recently stated that trialogue negotiations for the European Parliament, European Council, and the European Commission to agree on finalized ePrivacy Regulation text will not begin until the fall of 2018. A final ePrivacy Regulation text may not be agreed upon until near the end of 2018 or in 2019, with the ePrivacy Regulation potentially entering into force closer to 2020.
Data Protection Litigation to Become a New Reality in Belgium. On November 16, 2017, the Belgian Senate adopted an “Act on the Establishment of the Data Protection Authority.” Following Austria, Germany, and the UK, Belgium is the fourth EU Member State to pass a domestic statute implementing the GDPR. The new Belgian Act sets forth the structure and legal organization of the data protection authority (DPA), which will serve as the successor of the current Belgian Privacy Commission. More importantly, the Act significantly broadens the DPA’s powers and provides for a detailed set of procedural rules. It opens the door to a potential increase in data protection litigation in Belgium.
EU DPAs and the Future of Privacy Shield. The Article 29 Working Party (WP29) announced in November 2017 that it will legally challenge the adequacy of the Privacy Shield Framework unless the U.S. government addresses certain “prioritized concerns” by May 25, 2018. The Privacy Shield provides a framework that helps more than 2,500 participating U.S. companies legally transfer EU personal data to the U.S.
Challenge to Privacy Shield Dismissed by EU General Court. In October 2016, we reported that digital rights advocacy group Digital Rights Ireland (DRI) had brought an action to annul the EU-U.S. Privacy Shield. DRI filed its challenge before the General Court of the European Union, which is the court of first instance in the EU system with exclusive jurisdiction over challenges to the validity of EU legal acts. In November 2017, the General Court dismissed DRI’s challenge, meaning the Privacy Shield remains valid and in force.
Article 29 Working Party Issues Guidance on Administrative Fines. This guidance provides a helpful overview of how supervisory authorities will consider and assess fines under the GDPR. While the guidance lacks a detailed explanation of how fines will be calculated, it is clear that entities subject to the GDPR should carefully, continually review their GDPR compliance efforts in light of the potential penalties.
WP29 Issues Guidelines on Automated Individual Decision Making and Profiling in the GDPR. On October 18, 2017, the WP29 published guidelines clarifying the new profiling and automated decision-making provisions of the GDPR. These guidelines make clear that European Union regulatory authorities and the WP29 believe that technological developments that facilitate the creation of individual profiles, such as Big Data analytics, AI, and machine learning, have created new risks to data protection.
Updates on the U.S.
SEC Issues Guidance on Cybersecurity for Public Companies. The Securities and Exchange Commission has released new guidance on cybersecurity issues for public companies. A cross-practice team from our Securities Litigation, Cybersecurity Preparedness & Response, and Securities Law Groups examines the new guidance and considers the effects of the SEC’s expectations.
The CLOUD Act: A Welcome Legislative Fix for Cross-Border Data Problems. On February 6, 2018, Peter Swire co-authored an article on Lawfare.com about the introduction of the CLOUD Act and how it will help clarify which law enforcement agencies can access data stored in cloud computing systems.
Lenovo Wins Second Motion to Dismiss in Adware Class Action. In February 2018, a California district court dismissed—for the second time—consumer claims that technology giant Lenovo Inc. violated New York’s deceptive acts and practices statute by selling laptops with preinstalled VisualDiscovery software that allegedly invades users’ privacy and exposes users to security breaches. In reaching this decision, the court concluded that dismissal was warranted for two reasons: (1) the plaintiffs lacked standing; and (2) the plaintiffs failed to adequately allege actual damages.
NIST Releases Updated Cyber Framework V1.1. On December 5, 2017, the National Institute of Standards and Technology (NIST) released a revised draft of its proposed updates to its Framework for Improving Critical Infrastructure Cybersecurity. The revised draft includes a new section on communicating with stakeholders about cybersecurity requirements, addresses stakeholder concerns over cybersecurity supply chain risk management and measuring cybersecurity risks and benefits, and addresses a number of new topics. NIST has updated both the Framework and its accompanying Roadmap.
Bill Proposes Jail Time for Executives Who Conceal Data Breaches. On November 30, 2017, a group of U.S. senators reintroduced a bill, known as the Data Security and Breach Notification Act, that seeks to impose criminal liability of up to five years of jail time on any corporate executive convicted of “intentionally and willfully” concealing a data breach.
Virginia Amends Data Breach Notification Law. Virginia amended the state’s data breach notification law, effective July 1, 2017, to expand notification requirements for employers and payroll service providers to data breaches that involve “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer.” The expanded notification obligation is subject to the same likelihood of harm threshold that applies in the original law.
In the News
February 12, 2018 – Kim Peretti was quoted in the National Law Journal on how the new GDPR rules may impact American consumers affected by European data breaches. (subscription required)
January 17, 2018 – Kristy Brown, Cari Dawson, Dominique Shelton, and Donald Houser are noted in Law360 for representing Wendy’s in the defense of a customer data breach suit and a push for class certification. (subscription required)
- IAPP Global Privacy Summit 2018
March 27–28, 2018, Washington, DC. Peter Swire will be a speaker in the session “Privacy and Competition – Big Issues for Big Data.”
- RSA Conference 2018
April 16–20, 2018, San Francisco, CA. Kim Peretti will be a speaker in the April 17 session “Hot Topics in Cyber-Law 2018,” as well as the April 18 session “Do Not Prepare for a Data Breach—On Second Thought, Prepare!”
- Incident Response Forum 2018
April 18, 2018, Washington, DC. Jim Harvey will be a speaker in the session “Managing Data Breaches Across Borders.”
- Georgetown Law’s 6th Annual Cybersecurity Law Institute
May 23–24, 2018, Washington, DC. Kim Peretti will be moderating the session “We Need to Investigate: Overseeing a Cyber Investigation.” Kristy Brown will be a speaker in the session “State of the Law: 2017–2018 Cybersecurity Law Review.”