Selected Developments in U.S. Law
SEC Creates Event and Emerging Risk Examination Team
Following the Office of Compliance Inspections and Examinations’ (OCIE) recent and detailed risk alert on the threat of ransomware, the SEC announced that it has created the Event and Emerging Risk Examination Team (EERT) as a part of OCIE. The EERT will engage with registrants about emerging threats and current market events to provide oversight to firms facing such risks or events and to help the SEC be well positioned to respond to significant market events or issues with systemic impact.
The NYDFS Brings First Enforcement Action Under the Cybersecurity Regulation
On July 21, the New York Department of Financial Services (NYDFS) brought its first enforcement action under its Cybersecurity Regulation against a large title insurer for failing to protect sensitive personal information. The NYDFS is seeking civil monetary penalties, an order requiring the company to remedy the alleged violations, and any other relief deemed just and appropriate. Although a previous NYDFS investigation resulted in a consent order in July 2019, the NYDFS reported that this is the first enforcement action under the regulation since it began to take effect on March 1, 2017.
SEC’s OCIE Issues Ransomware Risk Alert
On July 10, OCIE issued a risk alert noting the increasing sophistication of ransomware attacks on SEC registrants and on service providers to SEC registrants. The risk alert is notable for its encouragement of financial services market participants more broadly, not just SEC registrants, to monitor Cybersecurity and Infrastructure Security Agency (CISA) alerts, and for the specificity of the cybersecurity measures it lists as recognized defenses against current ransomware threats.
California Amends Bill to Extend Exemptions for Employment and Business-to-Business Information Under the CCPA
Even as enforcement of the California Consumer Privacy Act (CCPA) begins, there is uncertainty about whether and when employment information and business-to-business data will become fully subject to the CCPA. On June 25, the California state Senate amended AB 1281 to extend, until January 1, 2022, the CCPA exemptions for certain employment information and for personal information involved in business-to-business communications and transactions.
California Privacy Rights Act Will Be on November Ballot
The California secretary of state has announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020 ballot. If approved by California voters, the CPRA would significantly update and amend the CCPA that went into effect at the beginning of this year. The organization that submitted the CPRA for inclusion on the ballot has stated its polling shows 88% of Californians would support a ballot measure expanding privacy protections.
Mactaggart Petitions State Court to Prevent the California Privacy Rights Act from Being Excluded from November’s Ballot
On June 8, Alastair Mactaggart, Celine Mactaggart, and Richard Arney filed a petition for writ of mandate in the Superior Court of the State of California to prevent the CPRA from being disqualified from the general election ballot on November 3, 2020. The CPRA, if presented on November’s ballot and passed, would amend the CCPA, which took effect on January 1, 2020.
The FTC Expands Its FCRA Enforcement Activity in Action Against Retailer
Most businesses are already familiar with the Fair Credit Reporting Act and the various requirements to protect the fairness, accuracy, and privacy of consumer credit information. However, a recent FTC enforcement action against retailer Kohl’s Department Store Inc. has brought a rarely used provision of the statute to light.
California AG Publishes Final CCPA Regulations, Seeks Possible July 1 Effective Date
Since the CCPA entered into force on January 1, 2020, many companies have been closely following the development of CCPA regulations by the California Attorney General’s Office. The AG’s Office released an initial draft of the CCPA regulations in October 2019, prompting over 3,000 pages of public comment. This initial draft was followed by a first round of modifications in February 2020, as well as a second round of modifications in March 2020. Each round of modifications generated further public comment.
Proposed Federal Privacy Legislation Tackles COVID-19 Data
Data collection and analysis is becoming a key weapon in the fight against COVID-19 both in the U.S. and around the globe. But as governments and tech companies roll out a variety of applications and contact tracing tools, legislators from both sides of the political aisle are questioning how to handle the data being collected, analyzed, and shared.
The California Privacy Rights Act of 2020 – Key Impacts
Alastair Mactaggart and his group, Californians for Consumer Privacy, announced the collection of over 900,000 signatures in support of its ballot initiative, a number far exceeding the approximately 620,000 required for placement on the November ballot. The initiative clarifies some key issues under the law but is likely to be unwelcome to businesses because it creates potentially substantial new compliance costs and obligations.
EU and UK Updates
EU Announces First Sanctions Under EU Cyber Sanctions Regime
On July 30, the European Council announced sanctions against six individuals and three organizations for their involvement in a series of cyberattacks that have caused significant damage in the EU and around the world over the last several years. The announcement follows the EU’s adoption last year of Decision (CFSP) 2019/797, which established the EU Cyber Sanctions regime, recognizing targeted “restrictive measures,” including sanctions, as a vital tool for deterring and responding to cyberattacks that constitute an external threat to the EU or its Member States.
EDPB to Publish FAQs on Data Transfers
Germany’s federal data protection authority (DPA) announced that the EDPB has finalized an initial set of FAQs on international transfers in light of the recent Schrems II judgment. Per Germany’s federal DPA, the EDPB FAQs are envisioned to be a “living document.” This initial version contains answers to questions that European DPAs were asked “very frequently” in the week following the judgment, and the FAQs may be updated over time.
EDPB Clarifies Brexit Obligations for Holders of Binding Corporate Rules Which Have the UK ICO as Their Lead Authority
On July 22, the EDPB released an information note on binding corporate rules (BCRs) that provides guidance for groups of undertakings and enterprises that have the UK Information Commissioner’s Office as their competent supervisory authority. Binding corporate rules are a means of legitimizing transfers of personal data outside the European Economic Area (EEA) under the EU’s General Data Protection Regulation (GDPR).
European Data Protection Board Statement Provides Preliminary Insight into Use of Standard Contractual Clauses Following Schrems II Judgment
On July 17, the EDPB published a statement on the outcome of the Schrems II judgment handed down by the CJEU the day before. The judgment invalidated the EU-U.S. Privacy Shield and set out a number of clarifications and caveats on the use of standard contractual clauses (SCCs). In the statement, the EDPB acknowledged that the Privacy Shield is no longer available as a data transfer mechanism and pointed out that EU and U.S. authorities should create a new legal framework to replace it.
Geopolitical Implications of the European Court’s Schrems II Decision
On July 16, the CJEU invalidated the EU-U.S. Privacy Shield, a principal legal method for the transfer of personal data from the EU to the U.S. The CJEU ruling further cast doubt on SCCs, the other means of effecting such international transfers. In an article for The Lawfare Institute, Alston & Bird Senior Counsel Peter Swire and Georgetown University Law Center professor Kenneth Propp explore the geopolitical implications of this groundbreaking ruling.
UK National Cyber Security Centre Advisory: Russian Attacker APT29 Targets Companies Involved in COVID-19 Vaccine Development
On July 16, the UK National Cyber Security Centre and Canada’s Communications Security Establishment released an advisory linking APT29 (also known as “the Dukes” or “Cozy Bear”) to attacks against COVID-19 vaccine development in Canada, the U.S., and the UK. The advisory stated that APT29 is “almost certainly part of the Russian intelligence services.” APT29/Cozy Bear was previously linked to the attack against the Democratic National Committee’s networks during the last presidential election cycle.
EU DPAs Announce Post-Schrems Enforcement Plans
The CJEU issued its much-anticipated decision in the Schrems II case. As we analyze in detail in an earlier blog post, the CJEU’s decision invalidates the Privacy Shield while leaving SCCs formally intact – although relying on SCCs may become more complicated than in the past. A number of European DPAs have issued statements indicating how they may enforce based on the CJEU’s judgment.
Schrems II: CJEU Invalidates EU-U.S. Privacy Shield and Emphasizes Exporter Obligations When Using Standard Contractual Clauses
The CJEU handed down its long-awaited judgment in the Schrems II case about the validity of two means of legitimizing transfers of personal data outside the EEA under the GDPR. In a somewhat surprising judgment, the CJEU invalidated the EU-U.S. Privacy Shield but held that SCCs remain valid as a legal mechanism for transferring personal data from EEA-based controllers to recipients outside the EEA.
Marking GDPR Anniversary, Peter Swire Warns About EU-U.S. Data Transfer Challenges
On May 25, the GDPR ended its second full year in effect. To mark the occasion, the International Association of Privacy Professionals collected expert perspectives on the impact and future of the GDPR, including an essay by Alston & Bird Senior Counsel Peter Swire. In his contribution, Swire highlights the risks that EU court decisions interpreting the GDPR may pose to transfers of data out of the EU.
European Data Protection Board Clarifies Guidelines on Consent to Address Cookie Walls and Scroll-to-Accept Practices
On May 4, the EDPB adopted updated guidelines on the meaning of “consent” under the EU’s GDPR. The two key changes clarify that websites and other services cannot use cookie walls because they do not permit valid consent to be collected and actions such as scrolling or swiping through a webpage will not under any circumstances constitute valid consent under the GDPR.
Managing Intellectual Property Names 11 Alston & Bird Attorneys as “IP Stars”
Eleven Alston & Bird attorneys have been named “IP Stars” by Managing Intellectual Property in its 2020 rankings of the world’s leading intellectual property (IP) practitioners and practices, including Jim Harvey, a partner in Alston & Bird’s Privacy & Data Security Group.
Maki DePalo, David Park Honored by Georgia Asian Pacific American Bar Association
Maki DePalo, partner in Alston & Bird’s Privacy & Data Security Group, and David Park, partner in the firm’s Financial Services & Products Group, were honored by the Georgia Asian Pacific American Bar Association (GAPABA) at its “New Partners & Counsel Virtual Celebration.”
- July 28, 2020 – In the presentation “Schrems II: What Happened and What to Do,” David Keating, Wim Nauwelaerts, and Peter Swire discussed what happened in the Schrems II case and what it means for your data transfer and protection programs.
- July 15, 2020 – Kim Peretti served as a moderator for the webinar “Decoding Cybersecurity for Corporate Boards: Experts Weigh In,” co-hosted by Alston & Bird’s Women in Cyber™ and New York University Center for Cybersecurity.
- July 15, 2020 – Wim Nauwelaerts and Daniel Felz spoke on the panel “International Privacy Laws and Enforcement” at the program 2020 Essential Cybersecurity Law, hosted by the University of Texas at Austin School of Law.
- June 19, 2020 – Kim Peretti was a panelist at the conference “Heightened Cybersecurity and Privacy Risks: Convergence in a COVID-19 World,” hosted by Sandpiper Partners.
- June 16, 2020 – David Keating provided an update on the California Consumer Privacy Act at the National Retail Federation General Counsels Forum Summer Meeting.
- June 10, 2020 – Amy Mushahwar and Jon Knight spoke at “COVID-19 Return to Work: Scaling & Securing Your Remote Work Environment for Long-Term Success - Part II” hosted by Protiviti.
- June 3, 2020 – Amy Mushahwar and Jon Knight spoke at “COVID-19 Return to Work: Scaling & Securing Your Remote Work Environment for Long-Term Success - Part I” hosted by Protiviti.
In the News
- August 5, 2020 – Wim Nauwelaerts’s article “Early EDPB Guidance in the Wake of Schrems II Signals Where E.U.-U.S. Data Transfers Are Headed” was published by the Cybersecurity Law Report. Wim Nauwelaerts, Yung Shin Van Der Sype, and Paul Greaves summarized the article in “EDPB Guidance on the Schrems II Ruling: An Early Response to the Cry for Clarity” on Alston & Bird’s Privacy & Cybersecurity Blog.
- July 23, 2020 – Amy Mushahwar’s article “6 Ways GCs Can Assess Insider Threat Risk” was published by Law360.
- July 22, 2020 – Wim Nauwelaerts and Paul Greaves’s article “European Union: The Court of Justice’s Decision in Schrems II: Transferring Data Outside of Europe Just Got More Complicated” was published by Mondaq. The article follows their co-authored contribution on EU law to a comparative Cybersecurity Law guide published by Mondaq on July 16, 2020.
- July 17, 2020 – Peter Swire co-wrote the article “Geopolitical Implications of the European Court’s Schrems II Decision” in Lawfare on the Schrems II judgment, which has created enormous uncertainty about how companies in good faith should proceed with their cross-border data activities.
- July 16, 2020 – Peter Swire’s article “‘Schrems II’ Backs the European Legal Regime into a Corner — How Can It Get Out?” was published on the International Association of Privacy Professionals’ (IAPP) website.
- April 24, 2020 – Kim Peretti was quoted in Law.com on launching Alston & Bird’s Women in Cyber™ network to connect female executives and encourage discussion on cybersecurity’s enterprise risks and legal challenges.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.