Updates on the GDPR and EU
German DPAs Issue DPIA Blacklists; Many Companies Likely to Be Affected
One of the GDPR’s core going-forward obligations is the duty to conduct data protection impact assessments (DPIAs) on processing activities that create a “high risk” to individuals’ privacy and the safeguards that have been implemented to protect individuals’ privacy. German DPAs have begun to issue blacklists, binding on companies within their jurisdiction, requiring that certain activities be conducted in conjunction with a DPIA. These include large-scale processing of location data relating to individuals, general Big Data analytics, and large-scale processing of HR data with potential for significant effects on employees (among others).
On GDPR Day, Austrian DPA Issues First Binding DPIA Whitelist
On the day the GDPR entered into force, the data protection authority (DPA) of Austria issued what appears to be the first binding whitelist approved by the DPA of an EU Member State. The Austrian DPA lists 22 processing activities that do not require a DPIA. Among the most salient are customer/supplier management, accounting, logistics, and bookkeeping; HR administration; CMR and marketing for own-business purposes; building access controls; IT user access rights management; CCTV monitoring in limited circumstances; and event planning.
Alston & Bird Issues Data Protection Paper on Accurate Retrieval of Personal Data Under the GDPR
Alston & Bird’s Peter Swire and DeBrae Kennedy-Mayo, with support from Senzing Inc., published a white paper titled “The Importance of Accurate Retrieval of Data Subjects’ Personal Data in Complying with GDPR Individual Rights Requirements.” The paper briefly describes the individual rights that are most salient under the GDPR, including the right of data subjects to access their personal data and rectify inaccuracies in such data. It then examines key technical issues for pulling together the relevant data in a company’s many databases while excluding the irrelevant data.
Belgian Privacy Commission Issues DPIA Blacklist and Whitelist Recommendations
The Belgian Privacy Commission issued recommendations regarding activities that require and do not require a DPIA. These recommendations highlight the need for DPIAs for sensitive processing activities, such as activities involving biometric data, systematic and automated collection and recording of behavior, and large-scale processing of data for predictive purposes. At the same time, the whitelist focuses on processing that is in line with legitimate business needs or interests.
Irish High Court Refers Schrems 2.0 to the ECJ
On April 11, the Irish High Court referred the Schrems 2.0 case to the Court of Justice of the European Union (ECJ) with 11 questions for the ECJ to answer. The sole issue in the case is whether the European Commission’s decisions regarding standard contractual clauses (SCCs) are valid, which is reflected in the 11 questions posed.
Privacy Commissioner of Hong Kong Issues a GDPR Guidance Document
The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) announced the publication of the “European Union General Data Protection Regulation (GDPR) 2016” guidance document. The PCPD explains that the publication was issued to raise awareness among organizations and businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR.
Council of the European Union Publishes New Draft ePrivacy Regulation
The Council of the European Union published a new draft of the ePrivacy Regulation on March 22. This draft aims to facilitate discussion as the ePrivacy Regulation nears finalization. Of particular interest to companies are the provisions relating to cookie settings and direct marketing communications.
Belgian Court Uses Novel Argument to Assume International Jurisdiction over Non-EU Facebook Entities
On February 16, the Brussels Court of First Instance rendered a judgment in proceedings brought by the Belgian Privacy Commission against Facebook. The court found in favor of the Privacy Commission, granting claims directed at three Facebook entities for allegedly improperly tracking the online behavior of Internet users on Belgian territory through the use of social plug-ins, cookies, and pixels and ordering all three Facebook entities to cease the placement and collection of cookies with tracking capabilities without obtaining the user’s informed consent and offering an opt-out mechanism.
German DPAs Publish Model GDPR Processing Records – Translations Provided
Under Article 30 of the GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth the purposes of processing operations, international transfers, and retention periods. Germany’s Conference of Independent Federal and State Data Protection Authorities has published Article 30 “model processing records” along with guidelines for such records.
Canada Publishes Final Regulations on Mandatory Reporting of Privacy Breaches
On April 18, the Canadian government published final regulations that include mandatory privacy breach notification, reporting, and recordkeeping obligations under Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA). These new obligations will come into force on November 1, 2018.
DHS and FBI Issue a Joint Technical Alert with UK Warning of Russian State-Sponsored Cyber Attacks
On April 16, the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and United Kingdom’s National Cyber Security Centre issued a joint technical alert (TA) warning of the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. The TA explains primary targets are government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. The affected systems include generic routing encapsulation (GRE) enabled devices, Cisco smart install (SMI) enabled devices, and simple network management protocol (SNMP) enabled network devices.
Singapore Joins the APEC CBPR and PRP
On March 6, Singapore announced that it has become the sixth country to participate in the Cross-Border Privacy Rules System (CBPR) as of February 20, 2018, joining the United States, Mexico, Canada, Japan, and Republic of Korea, and the second country to participate in the Privacy Recognition for Processors System (PRP) alongside the United States.
Updates on the U.S.
Momentum Building for California’s Consumer Right to Privacy Act Ballot Initiative
In early May, a group called Californians for Consumer Privacy gathered enough signatures for the California Consumer Privacy Act to qualify for the November 2018 ballot. The ballot initiative builds on existing California laws directed at protecting the privacy of California consumers’ personal information, including the Shine the Light law and the California Online Privacy Protection Act.
Georgia Court of Appeals Reaffirms Lack of Duty to Safeguard Personal Information
The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law. In McConnell v. Georgia Department of Labor, the court of appeals addressed whether a plaintiff whose social security number and other personal identifying information (PII) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure.
SEC Announces Its First Enforcement Action over Cyber-related Disclosures
The Securities and Exchange Commission’s $35 million settlement with Altaba Inc., the successor in interest to Yahoo! Inc., is the first civil penalty of its kind for a data breach and underscores the agency’s increasing focus on public companies’ cybersecurity disclosure obligations. A cross-practice team from our Securities Litigation and Cybersecurity Preparedness & Response groups examined the SEC action in an advisory published on April 27.
Seventh Circuit Affirms Dismissal of Schnuck Markets Data Breach Lawsuit
The Seventh Circuit recently affirmed the dismissal of a putative class action brought by financial institutions against Schnuck Markets Inc. following a data breach impacting Schnuck beginning late 2012. The plaintiffs attempted to assert claims of negligence, negligence per se, various contract claims, and violation of Illinois consumer protection laws, alleging damages in the form of employee time to investigate and resolve fraud claims, payments to indemnify customers for fraudulent charges, and lost interest and transaction fees based on changes in customer card usages.
The CLOUD Act and Its Impact on Cross-Border Access to the Contents of Communications
On March 23, President Trump signed the $1.3 trillion omnibus spending bill into law, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act, and in doing so established a sea change in the rules for cross-border government access to the contents of electronic communications.
In Order, FTC Recognizes Lower Notice Requirements for “Consumer-Expected” Data Collection
The Federal Trade Commission has granted a petition by Sears Holding Management seeking modification of a 2009 commission order. The notable 2009 order settled allegations that Sears had improperly failed to provide notice of data collection by certain software the company offered to consumers. Sears argued that the 2009 order placed it at a “competitive disadvantage” in the mobile application marketplace. The now-modified order enables Sears to conduct certain “consumer-expected” forms of data collection and use without requiring heightened notice or consent under the 2009 order.
In the News
June 2018 – Kim Peretti authored an article, “Working with the Government After a Breach,” in Legal BlackBook’s CyberInsecurity.
June 5, 2018 – Alex Brown hosted a Legal Talk Network podcast episode by the American Bar Association Section of Antitrust Law on data protection laws in the U.S. and EU.
May 30, 2018 – Jim Harvey was ranked in “IP Stars” 2018 by Managing Intellectual Property as a leading intellectual property practitioner.
May 7, 2018 – Alston & Bird’s Privacy & Data Security team was ranked in Chambers USA.
May 5, 2018 – Jim Vincequerra is quoted in Business Insider about how Cambridge Analytica could auction PII or transfer such data to a third party.
May 2018 – Kim Peretti was featured in a Q&A by Legal BlackBook on how companies are working with law enforcement agencies in response to data breaches.
May 1, 2018 – Alston & Bird’s Privacy & Data Security team was ranked by Above the Law as a leader in data privacy law.
April 20, 2018 – Maki DePalo was quoted in The Nikkei on the need for American businesses to be able to respond to evolving privacy and security concerns.
April 5, 2018 – Peter Swire was cited in The Economist on how the GDPR has accelerated the development of global privacy infrastructure.
- International Consortium of Minority Cybersecurity Professionals 2018 National Conference
September 19, 2018, Atlanta, GA. Jim Harvey will be a panelist in the session “Building a Culture of Cybersecurity Professionals.”