GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

By Jeewon Kim Serrato (US) and Daniel Rosenzweig (US) on February 27, 2019 Posted in Compliance and risk management, Enforcement

Norton Rose Fulbright - Data Protection Report blog

With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.

To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:

two noteworthy recent EU and US regulator enforcement actions;
changes in the US state data privacy law landscape, including the proposal from the California Attorney General’s Office to expand enforcement authority and class action litigation under the California Consumer Privacy Act; and
US Congress’ consideration of a first-ever comprehensive US federal privacy law.

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

By David Kessler (US), Christoph Ritzer (DE), Sven Jacobs (DE), Anna Rudawski (US) and Max Kellogg (US) on February 19, 2019 Posted in Compliance and risk management, Enforcement, Regulatory response

On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). See our previous blog posts on the GDPR here and here. The opinion also addresses GDPR requirements regarding (1) the legal basis for processing personal data in the course of a clinical trial protocol (primary use) and (2) the further use of clinical trial data for other scientific purposes (secondary use).

Even though the CTR already entered into force on June 16, 2014, the regulation’s application depends on the development of a fully functional EU clinical trials portal and database which is projected to be operational in 2020. In anticipation of the CTR’s applicability, the EDPB’s Opinion 3/2019 provides much needed clarification on the interplay between the GDPR and the CTR[1] and allows companies to update their processes and agreements to conduct clinical trials that comply with both regulations. Continue reading

Companies’ right to privacy

By David Kessler (US) and Susan Ross (US) on February 13, 2019 Posted in Compliance and risk management, Dispute resolution and litigation, United States

Data Protection Report - Norton Rose Fulbright

On January 3, 2019, the federal trial court in Manhattan issued a preliminary injunction, temporarily halting a new local law aimed at required disclosures by home-sharing platforms, such as Airbnb and HomeAway, to the city. The court granted the preliminary injunction on the basis that the city’s broad requirement that the services turn over detailed customer information on a monthly basis likely violated the Fourth Amendment to the U.S. Constitution—infringing the privacy rights of the companies, rather than the users. In contrast, the court ruled that the companies’ Stored Communications Act claim did not meet the standard for a preliminary injunction. (Airbnb, Inc. v. City of New York, Case 1:18-cv-07712-PAE (S.D.N.Y. Jan. 3, 2019)). Continue reading

German antitrust authority prohibits Facebook from combining users’ personal data

By Christoph Ritzer (DE), Maxim Kleine (DE) and Natalia Filkina (DE) on February 12, 2019 Posted in General

On 7 February 2019, the German antitrust authority (Bundeskartellamt, the FCO) ruled against Facebook combining user personal data from different sources, saying it was exploiting its position as a dominant social media company in violation of the EU data protection laws.

The FCO said that Facebook abused its market dominance in:

collecting, merging and using personal data; and
failing to provide a choice to its customers to prevent collection of their data.

Consequences of the German antitrust authority’s decision

Facebook can no longer combine the personal data gathered from its own website, Facebook-owned services (like WhatsApp and Instagram) with personal data gathered from third-party websites through the “Like” or “Share” features of a user’s Facebook account.

Combining of personal data collected from different sources, according to the FCO, requires a user’s voluntary consent, if one takes account of Facebook’s dominant position in the market for private social networks. The FCO emphasised that Facebook is therefore not permitted to force its users to consent to the collection of their data from different sources under the Facebook terms of use.

According to Andreas Mundt, President of the FCO, Facebook, as a consequence of its dominant position, must not abuse its dominance. This means that Facebook, as a dominant company, is subject to “special obligations under competition law”, and therefore Facebook “must take into account that Facebook users practically cannot switch to other social networks.”

Voluntary consent to combining data from different sources

Voluntary consent requires that the user has a choice to deny Facebook access to certain data without losing access to Facebook’s services. The only real choice the user had is either to accept the comprehensive combining of its data, or to refrain from using the social network altogether. This constitutes “bundling” ( on a “take it or leave it” basis), which, according to the FCO, constituted an abuse of Facebook’s dominant position in the market for private social networks.

Therefore, the FCO concluded, the use of Facebook’s services must not be subject to a user’s “mandatory consent to their data being collected and combined in this way.” It emphasised that:

“ … personal data is nowadays an essential competitive factor. Especially for Facebook, personal data is the essential factor for establishing its dominant position. The attractiveness and value of the advertising spaces increase with the amount and detail of user personal data. As a market-dominating company, Facebook must, therefore, comply with the laws applicable in Germany and Europe, especially in relation to the collection and processing of personal data.”

The decision, of course, does not concern Facebook’s processing of personal data generated from its own website, which the FCO acknowledged is a legitimate core business model for data-based social networks like Facebook.

Is the decision final?

Facebook is reported to have said that it rejects the decision and that it intends to appeal within the one-month frame before the decision becomes final. If the decision is upheld, Facebook will be required to allow users to give their specific consent to the combination of data collected from other Facebook-owned sources and from third-party websites.

Our take

This is not a decision of a data protection supervisory authority, but it is widely influenced by the GDPR which also discourages bundling of consents and requires freely given consent. The German antitrust authority used typical antitrust arguments from bundling decisions. The decision has some similarity to the arguments made by CNIL in the French decision against Google (see Data Protection Report, First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads).

From now on, online businesses which undertake large-scale data collection and processing should consider whether activities relating to the collection, combination and use of personal data from different sources could also constitute market dominance under anti-trust laws.

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 31, 2019 Posted in Compliance and risk management

On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020. CCPA provides new rights to California consumers with respect to the collection and use of their personal information. The CCPA authorizes the Attorney General to promulgate regulations that will establish procedures to facilitate consumers’ rights. The Attorney General’s Office does not answer questions at these forums; rather, the forums are designed to solicit feedback on the rulemaking categories enumerated in the text of the law, including, but not limited to, the definition of personal information and rules and procedures for how businesses must comply with a consumer’s request to opt out of the sale of personal information. Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on January 25, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.

We focus here on four key aspects of the decision: (a) why the Irish Data Protection Commission (Irish DPC) did not take the case; (b) the consent mechanism failings; (c) the privacy policy failings; and (d) the amount of the fine. Continue reading

European Commission adopts adequacy decision on Japan

By Lara White (UK) and Shiv Daddar (UK) on January 24, 2019 Posted in Regulatory response

On January 23^rd 2019, the European Commission adopted its adequacy decision in relation to the export of personal data from the European Union (EU) to Japan. Concurrently, Japan has adopted an equivalent decision in relation to the export of personal data from Japan to the EU. Such mutual decision is the result of two-years of dialogue and negotiations between both parties.

According to a joint statement issued by Věra Jourová (Commissioner for Justice, Consumers and Gender Equality) and Haruhi Kumazawa (Commissioner of the Personal Information Protection Commission of Japan), “these mutual adequacy findings create the world’s largest area of safe data transfers. They build on the high degree of convergence between the two systems, which rest notably on an overarching privacy law, a core set of individual rights and enforcement by an independent data protection authority.”

As detailed in the European Commission’s press release, prior to the European Commission’s adoption of the adequacy decision, Japan put in place a number of additional safeguards to ensure that personal data originating from the EU is adequately safeguarded under Japanese privacy laws. Such safeguards include:

adopting a set of Supplementary Rules applicable to Japanese companies receiving personal data from the EU to align differences between the EU and Japanese data protection regimes. These include strengthening protection of sensitive data, data subjects rights and the rules on onward transfer of personal data originating from the EU. Such rules are enforceable by the Japanese data protection authority and courts;
assurances from the Japanese government that access by Japanese public authorities to personal data originating from the EU for criminal law enforcement and national security purposes would be limited to what is necessary and proportionate and subject to independent oversight by the Japanese data protection authority and effective redress mechanisms; and
a complaint-handling mechanism administered by the Japanese data protection authority to investigate and resolve complaints from EU data subjects about access to their personal by Japanese public authorities. Our take The EU’s adequacy decision is an important step in streamlining the flow of personal data between the EU and Japan. Whilst EU-based organisations will still need to put in place appropriate data processing and data sharing provisions with Japanese counterparties, they will no longer be required to enter into additional export arrangements such as the EU Model Clauses, thereby eliminating the time, workload and formalities associated with such mechanisms.
The adequacy decision reflects the European Commission’s commitment to engage with key trading partners in Asia. In line with this, it has also been in dialogue with South Korea since 2015 with the aim of working towards an adequacy finding, although these discussions remain ongoing at this stage.
The EU’s adequacy decision compliments the EU-Japan Economic Partnership Agreement (coming into force in February 2019) which will inevitably increase the flow of data, including personal data, between both territories (see press release here).
The mutual adequacy findings will allow for the free flow of personal data from the EU to Japan and vice-versa.

Our take

The EU’s adequacy decision compliments the EU-Japan Economic Partnership Agreement (coming into force in February 2019) which will inevitably increase the flow of data, including personal data, between both territories (see press release here).

The EU’s adequacy decision is an important step in streamlining the flow of personal data between the EU and Japan. Whilst EU-based organisations will still need to put in place appropriate data processing and data sharing provisions with Japanese counterparties, they will no longer be required to enter into additional export arrangements such as the EU Model Clauses, thereby eliminating the time, workload and formalities associated with such mechanisms.

The adequacy decision reflects the European Commission’s commitment to engage with key trading partners in Asia. In line with this, it has also been in dialogue with South Korea since 2015 with the aim of working towards an adequacy finding, although these discussions remain ongoing at this stage.

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

By Lara White (UK), Marcus Evans (UK) and Miranda Byrne Hill (UK) on January 16, 2019 Posted in Compliance and risk management

On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose of the Withdrawal Agreement is to set out the terms of the UK’s departure from the EU and provide a transition period during which a more nuanced and ambitious future relationship can be agreed.

Had the UK Parliament approved the Withdrawal Agreement, it would have become a legally binding international treaty. However, following yesterday’s Parliamentary vote, approval of the Withdrawal Agreement has not been given by the UK Parliament and the UK therefore faces continued uncertainty with regard to its future relations with the EU. The imminent withdrawal date of 29 March 2019 (Withdrawal Date), presents two principal scenarios in the context of data protection:

1. “No-deal” Brexit: no agreement is reached before the Withdrawal Date

Whilst the UK Government may continue to seek further concessions from the EU over the period to the Withdrawal Date in order to obtain Parliamentary approval (and we set out in the second section of this post, below, what should happen if the current Withdrawal Agreement (or one with similar data protection provisions) is ratified). However, if no alternative proposals can be agreed (including any alternative models, such as the so called “Norway” or “Canada plus” options), the UK will cease to be a member of the EU on the Withdrawal Date and, from that date, the UK’s European Union (Withdrawal) Act 2018 (Withdrawal Act) will apply to transpose directly applicable EU laws into UK law.

This means that the obligations and provisions of the GDPR as they exist at the Withdrawal Date would continue to apply in the UK (alongside the UK’s Data Protection Act 2018). The UK would become a “third country” for the purposes of EU data protection regulation.

The impact on the data protection landscape would be as follows:

No UK “adequacy” – EEA to UK transfers: to continue to enable personal data to move from the EU to the UK without additional formalities, the UK would need to be subject to an “adequacy” decision from the EU. This would not be agreed before the Withdrawal Date, and it is entirely uncertain as to how long it will take for one to be given. The lack of an “adequacy” decision would mean that EU Model Clauses would need to be put in place in circumstances where there are transfers of personal data from the EU to UK (either intra-group or between organisations), in order to legitimise the export of personal data from the EU to the UK (unless Binding Corporate Rules or another export mechanism can be put in place);
UK to non-EEA/ white list transfers: the UK Government intends to recognise data transfers from the UK to the EEA and to EU Commission-approved adequate countries as being possible without further formalities. It also intends to recognise data transfers under EU Model Clauses and EU-approved Binding Corporate Rules without further formalities. In order for the EU / US Privacy Shield to apply to data transfers from the UK, all US organisations relying on the Privacy Shield in respect of personal data transfers to the US would need to update their public commitment to comply with the Privacy Shield to include the UK. The US Department of Commerce’s International Trade Administration provides template language for making this public statement. UK data exporters would need to check these changes have been made;
Consider location of processing activities: because of the EU’s antipathy to certain processing operations being undertaken outside the EEA in countries without an adequacy finding, pan-European organisations / groups should consider whether heavy/sensitive data processing activities (such as e-disclosure, HR processing or anti-financial crime activities) should be moved into EU-based entities;
Additional EU and/or UK representatives for non-EU controllers: non-EU controllers that offer goods or services to data subjects in the EU and the UK would need to consider whether they need to have both EU and UK representatives. UK controllers with no presence in the EU, but which offer goods and services to data subject in the EU, would also need to appoint an EU representative;
Multiple Data Protection Authorities: organisations that operate across Europe would no longer be able to use the “one stop shop” and have a lead Data Protection Authority in the UK in relation to cross-EU border activities. Such groups will have to prepare to liaise with both an EU and a UK Data Protection Authority, for example, when reporting personal data breaches that concern/affect individuals in the UK and EU member states; and
Two data protection regimes: as the UK would be a “third country”, in theory personal data may be subject to two parallel data protection regimes, where processing is caught under the UK domestic data protection regime (consisting of the GDPR implemented into national law, and the Data Protection Act 2018) and the GDPR as an EU Regulation. Although generally aligned at present, these regimes may diverge over time, giving rise to potential conflicts. The UK would also have no vote or presence on the European Data Protection Board.

2. A transition period: agreeing a withdrawal agreement before the Withdrawal Date

Following the voting down of the Withdrawal Agreement, the Prime Minister will need to come back to Parliament within three days with a statement on what she proposes to do next. No doubt this will include her continuing to seek further concessions from the EU over the coming weeks and / or softening the UK’s own “red lines” in order to reach an agreement with the EU that the UK Parliament could ratify.

If the Withdrawal Agreement (with or without any revisions) is subsequently ratified by the UK Parliament, the UK will cease to be a member of the EU on the Withdrawal Date but a transition period expected to last until the end of December 2020 (the Transition Period) would commence. During the Transition Period, the parties would attempt to agree the terms of the future relationship between the UK and the EU.

The Withdrawal Agreement provides that, during this Transition Period, EU law continues to apply to the UK, and references to “Member State” in EU law shall be construed as including the UK. This means that transfers from the EEA to the UK could continue for the time being without any further measures being put in place, and gives the UK some time to try and obtain an “adequacy” decision from the European Commission (so that EEA to UK transfers can continue unaffected after the Transition Period too).[1] It also appears to mean that transfers from the UK to non-EEA jurisdictions would remain unaffected, and the expectation from the UK data protection authority and the US Department of Commerce’s International Trade Administration seems to be that the Model Clauses and the Privacy Shield could apply un-amended until the end of the Transition Period.

As to the UK’s participation in the European Data Protection Board, the Withdrawal Agreement provides that the UK would cease to participate in the EU’s decision-making bodies. Therefore, unless a special provision were to be made for the UK’s data protection authority (the ICO), it appears that the ICO would not participate in the European Data Protection Board from the Withdrawal Date. The Withdrawal Agreement also provides that the UK will no longer participate in the “one stop shop” and consistency mechanisms. Instead, as with a no-deal Brexit, organisations would have to prepare to liaise with both a European and UK data protection authority, and revisit assessments they have made about their main establishment and lead authority.

Response priorities

Some UK businesses have worked through the consequences of both a no-deal Brexit and the main establishment / one stop shop impact of the Withdrawal Agreement being ratified before the Withdrawal Date. Many have not, having regard to the difficulty in calling the likelihood of no-deal, Withdrawal Agreement or remain outcomes.

Businesses which are starting contingency planning now should focus, first, on the consequences of the loss of the “one stop shop”, as this will apply in both the no-deal and Withdrawal Agreement scenarios. They should then move on to focus on identifying affected data transfers and suitable export mechanisms, particularly if they think their EU customers will refuse to transfer personal data to them without such a mechanism.

Those businesses either in the UK and outside the EU, or outside both the UK and the EU, should review if they need a new UK or EU representative.

Finally, we would not expect non-compliance enforcement by data protection authorities to be particularly quick following a no-deal Brexit; we would expect most of the pressure to come from EEA counterparties.

[1] The political declaration in the Withdrawal Agreement provides that, during the Transition Period the EU will work towards granting the UK an adequacy decision and to find ways for the UK and EU data protection authorities to cooperate. So ideally the UK will be given an adequacy finding, and some form of cooperation (not likely to be anyway near as extensive as the “one stop shop”) will be implemented before the Transition Period expires. If not, at the end of the Transition Period the position will be much the same as at no-deal Brexit.

California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 14, 2019 Posted in Compliance and risk management, Enforcement, Regulatory response

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose Fulbright

The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to adopt implementing regulations that further the objectives of the CCPA. Much concern has been raised about the law as currently written, including by Attorney General Xavier Becerra himself. With regulations set to be issued on or before July 1, 2020, the Attorney General’s Office will host six public forums to give key stakeholders an opportunity to provide feedback on the law and help shape the implementing regulations. Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

By Kathleen Scott (US), Susan Ross (US) and Tristan Coughlin* (US) on January 7, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions

The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.