August 2016

On August 4, 2016, the Federal Communications Commission (FCC) released a declaratory ruling clarifying the scope of the Telephone Consumer Protection Act’s (TCPA) consent requirements to send robocalls and automated text messages to wireless phone numbers.  The ruling was in response to Blackboard, Inc.’s request that the FCC declare “all automated informational messages sent by an educational organization” as within the scope of the TCPA’s “emergency purpose” exception.  While the FCC granted Blackboard’s request in part, it also expanded its ruling to address automated messages provided by utilities.

On June 30, 2016, Google withdrew its appeal from the UK Supreme Court in the landmark case of Google v. Vidal-Hall after the parties reached a settlement. In the ruling on appeal, the Court of Appeal had ruled that damages for emotional distress, without any pecuniary loss, may be awarded under the Data Protection Act 1998 (the “Act”). With the appeal withdrawn, this ruling will remain valid. Therefore, companies that operate in the UK may wish to consider this ruling when conducting risk analyses and responding to litigation.

The Article 29 Working Party (WP29) has issued an opinion on the evaluation and review of Directive 2002/58/EC (the ePrivacy Directive). In its opinion, WP29 notes the need for a thorough revision of the rules in the ePrivacy Directive to take into account the technological developments in the digital market and the recent adoption of the General Data Protection Regulation (the GDPR).

Introduction

Since 2002, the ePrivacy Directive has provided a set of security and privacy measures to be applied specifically in the context of electronic communications in the EU. These measures were laid down to “particularise and complement” the Data Protection Directive 95/46/EC.

In its opinion dated July 19, 2016, WP29 notes the need for the ePrivacy Directive to be reviewed and for a new legal instrument that is consistent across the EU, which supplements and complements the obligations of the GDPR, and which is broad enough to cover the wide range of electronic communications services that exist today.

On July 26, 2016, the White House issued the United States Cyber Incident Coordination Directive (Presidential Policy Directive PPD-41, including an Annex).  The Directive sets forth the principles governing the Federal Government’s response to cyber incidents, including incidents affecting private entities that are part of U.S. critical infrastructure.  The Directive is designed to improve coordination between government agencies and to clarify inter-departmental involvement in response to a cyber incident.