The European Parliament asks for the suspension of the privacy shield

Norton Rose Fulbright - Data Protection Report blog

On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while remaining compliant with EU data protection laws. The European Commission passed the data-sharing privacy framework on July 12, 2016, after its precursor, Safe Harbor, was struck down by the European Court of Justice on October 6, 2015.  Since the European Parliament’s resolution is non-binding, the European Commission could choose to ignore it.  However, the Commission will no doubt take the Parliament members’ concerns into consideration in its annual review of the Shield which is due in September.  Further discussions on whether to renegotiate the Privacy Shield is also on the table since the Shield is based on the now defunct EU directive 95/46, which the European Union General Data Protection Regulation replaced when it went into effect on May 25, 2018.

The Parliament’s resolution cites a number of reasons for asking the Commission to suspend the Privacy Shield pending US compliance, including the recent reauthorization and amendment of Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) which allows US intelligence agencies to collect information on non-US persons located outside of the US and the March 2018 Clarifying Overseas Use of Data (“CLOUD”) Act, which allows US law enforcement agencies to access personal data stored abroad. The resolution also cites the improper use of 2.7 million EU citizens Facebook data by Cambridge Analytica, and the failure of the US to appoint a sufficiently independent ombudsperson as required by the Privacy Shield and gives a deadline of September 1, 2018 for the US to become fully compliant.  According to the Parliament, the Privacy Shield “does not provide the adequate level of protection.”

Despite the Parliament Members’ call for a suspension, it does not appear that a full suspension of the Privacy Shield program is likely.  A spokesperson for the European Commission has stated that although “there is some room for improving [the Privacy Shield’s] implementation . . . [the Commission] will continue to work to keep the Privacy Shield running.”  The resolution by the Parliament does, however, add to the mounting pressure by the Shield’s critics to renegotiate the agreement and create uncertainty for the 3,300 plus US companies that rely on the framework to transfer personal data between the US and the EU.

This resolution comes after the High Court of Ireland referred a case challenging a major social media company’s data-transfer methods and the Privacy Shield to the European Court of Justice.  The case presents a threat to the Privacy Shield framework and will be closely followed by US and European businesses.

The FTC has brought four enforcement actions under the Privacy Shield framework (one of which is the settlement announced on July 2 against a California company which allegedly made a false claim that it was in the process of being certified as complying with the Privacy Shield framework).  The FTC has entered into consent decrees with more than 50 companies accused of lax data security since 2008 but its ability to bring enforcement actions took a hit recently in the 11th US Circuit Court of Appeal’s ruling on June 6, 2018, in LabMD, Inc. v. Federal Trade Commission.  In a milestone ruling, the 11th Circuit said the FTC’s cease and desist order against LabMD, a cancer-screening company that went out of business in the course of litigating against the commission, was unenforceable because it required the company to meet a vague standard of reasonableness.  If the ruling stands, it would significantly constrain the FTC’s ability to bring enforcement actions and will require the FTC to find a specific fact or circumstance that ties to the Constitution, statute or common law violation and not simply bring a general data security claim.  With the FTC designated as the agency responsible for enforcing the Privacy Shield framework, the courts’ interpretation of the FTC’s enforcement powers will be closely watched by both the US and European regulators.

Our take

While it is unlikely at this time that the European Commission will  suspend the Privacy Shield, the European Parliament’s resolution creates further friction between the US and the EU related to data sharing across the Atlantic.

Moreover, the resolution further highlights the EU’s ongoing dissatisfaction with the US’s approach to privacy.  While the dissatisfaction generally stems from the US’s legislative agenda which is viewed by the European critics as favoring national security concerns over privacy rights, there is also a general perception in the EU that the privacy protections in the U.S. are not adequately enforced.  For companies that are engaged in data transfers between the EU and the US, we will continue to monitor challenges to the EU-US Privacy Shield framework.

Special thanks to Philippe Schiff* for his assistance in drafting this post.

*Summer associate – not admitted to practice law.

US states pass data protection laws on the heels of the GDPR

Data Protection Report - Norton Rose Fulbright

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data.  The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the  California Consumer Privacy Act (“CCPA”) here. Continue reading

California passes major legislation, expanding consumer privacy rights and legal exposure for US and global companies

Norton Rose Fulbright - Data Protection Report blog

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data. The new law is set to take effect on January 1, 2020 which means the California legislature may still consider changes to the new law in the coming months and years. Lawmakers moved swiftly to pass the bill to preempt a November ballot initiative that would have codified more stringent rules. Many industry players preferred this legislative approach over the now-abandoned ballot initiative because, under California law, approved ballot initiatives can only be changed through another ballot initiative. Now that the law has passed—some critics argue, without adequate public debate because of this rush to avoid a costly and contentious battle over the ballot initiative in November—we can expect a fuller review of the law’s impact and more conversations about consumer protection and privacy rights in the US. For companies that have implemented a compliance plan for European Union data subjects under the EU General Data Protection Regulation (“GDPR”), this law means many of the similar protections will now need to be extended to California residents. Read more below for a summary of what was included in the law that was passed yesterday.

While the CCPA incorporates most of the ballot measure’s major provisions and adopts similar types of requirements as we saw under GDPR, there are notable differences in several key areas (for more information on the ballot measure and GDPR, see here and here). Here are our ten takeaways:

  • Covered entities. Far more entities are covered under the CCPA than under the ballot measure, as the new law applies to businesses that collect information from California residents and meet at least one of the following thresholds: (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information. The law is enforceable in California and applies to California users, but given the nature of data processing, most companies will need to consider whether to apply the rules to all users.
  • Disclosure requirements. At or before the point of collection, businesses must inform consumers the categories and specific pieces of personal information collected about the consumer, the sources from which that information is collected, the purpose for collecting or selling such personal information, the categories of personal information sold, and the categories of third parties to whom the personal information is shared. It also requires a description of consumers’ rights and the categories of personal information the business has sold in the preceding 12 months.
  • Consumer access and data portability rights. Businesses that receive verifiable consumer requests must promptly take steps to disclose and deliver, free of charge to the consumer, the personal information requested by the consumer. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to easily transmit this information to another entity. Businesses must provide consumers with two or more ways for submitting requests for information under the mandated disclosure provisions, including, at a minimum, a toll-free telephone number and a website address if the business has a website. The required information must be delivered within 45 days of receiving the request from the consumer (GDPR’s response deadline is 30 days).
  • Right to opt-out of data sharing. Consumers will have the right to direct businesses to stop selling their information to third parties. In order to comply with this “opt-out,” business must conspicuously post their privacy policies as well as a link titled “Do Not Sell My Personal Information.” The link must provide consumers with an easy mechanism that directs businesses to stop selling their information.
  • Right to be forgotten. Individuals will be able to require to direct Covered Entities to delete their personal information. Similar to GDPR, the law does contain some exceptions, including: information necessary to complete transactions; detect security breaches; protect against illegal activity; or to enable internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  • Right to opt in for children. The law also imposes new requirements on the sharing of personal information for children under the age of 16, effectively raising the age from the nationally recognized age of 13 which was set by the Children’s Online Privacy Protection Act (“COPPA”). Covered Entities are prohibited from selling information about consumers between the ages of 13 and 16 without the consumers’ explicit consent (opt-in) and must obtain parental consent before selling information about a consumer under the age of 13.
  • Expanded definition of “personal information.” Personal Information includes not only traditional forms of personally identifiable information, but also IP addresses, geolocation, and “unique identifiers” such as device IDs, cookie IDs, and Internet activity information including browsing history and search history. Inferences drawn from the types of information described above “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” are also included under the definition of personal information, similar to the definition of ‘profiling’ under GDPR which restricts the use of personal data to analyze or predict aspects a person’s personal preferences, interests, reliability, behavior, location or movements. The new right to access and deletion in California would be extended to these data categories.
  • Private actions. Unlike the ballot measure, the CCPA significantly limits private actions by giving the state Attorney General exclusive power to enforce the law, except in data breach cases where the Attorney General declines to prosecute within 30 days of being notified of a consumer’s intent to bring suit. Even where a consumer is allowed to proceed with an action, they must give companies 30 days’ written notice and an opportunity to “cure” the noticed violation within that time period. Similarly, businesses will have 30 days to cure any violations after receiving notice of noncompliance from the state Attorney General.
  • Damages. The CCPA also provides for damages in data breach cases to $750 per consumer per incident. In proceedings instituted by the Attorney General, entities that are found to have intentionally violated the law can face penalties of up to $7,500 per violation.
  • Prohibited practices. Businesses are prohibited from discriminating against consumers that exercise their rights under the law. Specifically, businesses cannot deny consumers goods or services, charge consumers different prices or rates (or otherwise impose a penalty), or provide consumers a different quality or level of goods or services. A business can, however, provide consumers with “financial incentives,” including compensation, for allowing the business to collect, sell, or not delete consumers’ personal information. While the CCPA is somewhat more business-friendly than its sister ballot measure, it nonetheless gives consumers unprecedented control over their personal information and creates new and onerous challenges for companies that do business in California. While the new law purports to reduce litigation by limiting private actions, businesses should still brace themselves for an active enforcement climate. For now, it looks like companies that restructured their operations to comply with GDPR will have to expand their efforts for California. And given the high likelihood that other states will follow suit, it is likely we will see a wave of GDPR-like activity in the United States ahead of that 2020 deadline.

Our take

While the CCPA is somewhat more business-friendly than its sister ballot measure, it nonetheless gives consumers unprecedented control over their personal information and creates new and onerous challenges for companies that do business in California. While the new law purports to reduce litigation by limiting private actions, businesses should still brace themselves for an active enforcement climate.

Overall, the CCPA is the first US state law to incorporate certain provisions already enacted in Europe under GDPR, which went into effect on May 25. Much like how California was the first US state to enact a mandatory breach notification law in 2002 and now as of 2018 all 50 states have enacted similar laws, we expect more states to follow California’s lead in expanding disclosure obligations and opt out rights.

For now, it looks like companies that restructured their operations to comply with GDPR will have to expand their efforts for California. And given the high likelihood that other states will follow suit, it is likely we will see a wave of GDPR-like activity in the United States ahead of that 2020 deadline.

With GDPR and now the new California law, managing personal data and keeping it secure is getting more expensive. Much like how the retailers have outsourced payment risk with tokenized payments, we can expect to see more outsourcing of consumer privacy risk by using third party service providers who would store and maintain permissions, allowing businesses to access the data only when they need it. For example, blockchain initiatives, such as using smart contracts to govern permissions and access to customer data or providing consumers with control to withdraw their consent or change the types of data they share, may experience growth in light of these legislative changes.  Businesses will need to continue to look for technological solutions to help ease their compliance burden and manage risk when they engage in buying and selling of personal data.

US Supreme Court expands digital privacy rights in Carpenter v. United States

US Supreme Court expands digital privacy rights in Carpenter v. United States

On June 22, 2018, the US Supreme Court issued a 5-4 decision in Carpenter v. United States,  holding that the federal government needs a warrant to access cellphone location records.

In the decision, the Court agreed that there should be a higher standard for accessing location records due to their intrusive nature. Continue reading

Retailers must upgrade online credit card processing security by June 30

Data Protection Report - Norton Rose Fulbright

By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments. Continue reading

One week into GDPR – what you need to know

Norton Rose Fulbright - Data Protection Report blog

Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR

The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid much anticipation.  Although the date itself was seen as a watershed moment, what comes after will reveal the full impact of the law.  Even for those businesses that have declared that their GDPR compliance efforts have completed, the work of maintaining and updating their privacy and data protection framework will need to continue well after 25 May.  We have also yet to see how 28 EU member states and the Court of Justice of the European Union will interpret the law.

In the days leading up to 25 May, millions of inboxes were filled with updated privacy notices and requests for marketing consent and pop-up notices for cookies were added to websites across the globe, as many businesses contemplated if and how the new law applies to them.  Just in the first week, we are seeing glimpses of what lays ahead.  Certain American news publications decided to shut themselves off to European users on their websites, a first series of complaints were filed against US tech giants and their subsidiaries, and the European Commission, in an embarrassing turn of events, was found to have had a data leak on one of its websites,  Just five days after the law has gone into effect, Wilbur Ross, the US Commerce Secretary, published an opinion piece in the Financial Times, that warns: “EU data privacy laws are likely to create barriers to trade.” 

We take a look at the initial reactions and events that occurred in the first week following the implementation of the  GDPR, provide some insight into the GDPR’s impact on the digital economy and trade and provide, as we always do, some practical tips for how to manage privacy and cybersecurity risks in this ‘new era’.

Continue reading

GDPR is upon us: are you ready for what comes next?

Norton Rose Fulbright - Data Protection Report blog

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how the GDPR may change the data privacy litigation landscape in Europe.

For many organizations that are based outside the EU and took the “wait and see” approach, our checklist may come in handy, which gives an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organizations need to take to meet those requirements.  We also have a chatbot powered by artificial intelligence that helps clients to determine whether the GDPR applies to their business.

Continue reading

OCR proposes to share HIPAA data breach settlements with victims

Data Protection Report - Norton Rose Fulbright

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.

Continue reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

Data Protection Report - Norton Rose Fulbright

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK. Continue reading

FTC, privacy, vendor due diligence and opt-in consent

Norton Rose Fulbright - Data Protection Report blog

On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two reasons: (1) the FTC allegation that a company’s failure to implement appropriate security procedures to oversee a vendor’s security practices (including a lack of vendor due diligence) can violate Section 5 of the Federal Trade Commission Act; and (2) the proposed remedy includes a separate notice and affirmative opt-in consent relating to collection, use, and sharing of certain consumer information. BLU does not admit or deny any of the FTC’s allegations. Continue reading