On December 29, the FTC revealed the full agenda for PrivacyCon, a Washington, D.C. conference scheduled to take place on January 14, 2016. Participants will examine current research and trends related to consumer privacy and data security. The event will host panels on the following topics: (i) the current state of online privacy; (ii) consumers’ privacy expectations; (iii) big data and algorithms; (iv) economics of privacy and security; and (v) security and usability.
On February 2, the members of the European Commission approved a new framework for transatlantic data flows: EU-US Privacy Shield. The European Commission and the United States agreed to a deal that reflects the requirements set forth in the Court of Justice of the European Union’s (CJEU) October 6, 2015 decision declaring the old Safe Harbor framework invalid. The agreement aims to protect “fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” Specifically, the drafters of the new framework attempt to provide (i) robust obligations on U.S. companies to ensure that they are protecting Europeans’ personal data, such as strengthened monitoring by the Department of Commerce and the FTC and increased cooperation with European Data Protection Authorities; (ii) written commitments by the U.S. that “the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms”; and (iii) effective protection of Europeans’ rights regarding how their data is handled, including several redress possibilities and the creation of an Ombudsperson to whom they can raise inquiries or complaints. Commenting on the agreement, Commission Vice-President Ansip stated, “[t]oday’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US.” In the upcoming weeks, the U.S. will prepare to put in place the new framework while Vice-President Ansip and Commissioner Jourová prepare a draft “‘adequacy decision,’” which could be “adopted by the [Commission] after obtaining the advice of the Article 29 Working Party (WP29) and after consulting a committee composed of representatives of the Member States.”
FTC Announces Record Settlement with Identity Theft Protection Company over Alleged Failures to Adhere to a 2010 Court Order
On December 17, the FTC announced a $100 million settlement with an Arizona-based identity theft protection company for violating the terms of a prior federal court order. In 2010, the District Court of Arizona prohibited the company from engaging in deceptive advertising and required it to secure consumers’ personal information. According to the FTC’s contempt charges, the company violated the terms of the prior order primarily by (i) failing to establish and maintain an adequate information security program to protect consumers’ personal information, such as social security numbers, and credit card and bank account numbers; (ii) falsely advertising that it protected consumers’ sensitive data by using the same sophisticated protections that financial institutions use; (iii) falsely advertising that it would send consumers alerts “as soon as” it received any indication that the consumer was a victim of identity theft; and (iv) failing to sufficiently create and retain records regarding the sale or provision of products or services related to identity theft.
On November 5, the FCC resolved its first-ever data security action against a cable company with a $595,000 settlement. According to the FCC, the company did not have adequate data security measures in place for employees and contractors with access to the company’s electronic data systems. In 2014, the company’s electronic data systems were breached by a third party who, by pretending to be from the company’s IT department, convinced a customer service representative and a contractor to enter their account information into a fake website. The third-party hacker allegedly used the information to gain access to customers’ personally identifiable information, subsequently sharing the information with another hacker and posting the information on social media sites. The cable company did not use the FCC’s breach-reporting portal to report the breaches. In addition to the civil money penalty, the settlement requires the company to: (i) identify and notify all customers affected by the breach and provide them with one year of free credit report monitoring; (ii) designate a senior corporate manager who is a certified privacy professional; (iii) conduct privacy risk assessments; (iv) implement a written information security program; (v) maintain reasonable oversight of third-party vendors and implement multi-factor authentication; (vi) implement a more robust data breach response plan; (vii) provide privacy and security training to third-party vendors and employees; and (viii) regularly file compliance reports with the FCC.
Recently, German data protection authorities issued a position paper to address potential consequences of the Court of Justice of the European Union’s (CJEU) Schrems ruling on the handling of personal data. The first section of the paper summarizes the ruling, noting that the court found the Safe Harbor decision overly restrictive of the “supervisory powers of the European data protection supervisory authorities and does not follow the requirements of the provisions that empower the Commission to decide on the level of protection of a third country.” The remaining four sections of the paper consider the following: (i) the European Commission’s options to either adopt a new decision which declares U.S. law provides an adequate level of protection, or to push for an international treaty to include a data protection agreement with the U.S.; (ii) the legal basis for the transfer of personal data; (iii) private bodies’ use of standard contractual clauses, concluding that private bodies must “consider terminating the underlying standard contract with the data importer in the U.S. or suspending data transfers”; and (iv) enforcement concerning private bodies, noting that authorities will examine “whether orders against private bodies must be issued and on which basis data transfers to the United States must be suspended or banned.”
On October 25, the FTC and seven members of the Global Privacy Enforcement Network (GPEN) launched GPEN Alert, a new information-sharing system designed to enhance coordinated efforts to protect consumer privacy. The FTC and seven data protection authorities from Australia, Canada, Ireland, the Netherlands, New Zealand, Norway, and the United Kingdom signed an MOU to participate in GPEN Alert. GPEN Alert is based on the FTC’s Consumer Sentinel Network and will allow participating agencies to confidentially share information about privacy investigations and enforcement actions.
On October 19, the FTC announced the agenda for its upcoming workshop entitled “Follow the Lead: An FTC Workshop About Online Lead Generation.” As consumers search the internet for goods and services, they are often asked to provide sensitive personal and financial information that a lead generator may then transfer to third-party marketing companies. The workshop will examine consumer protection issues raised by the practices of the lead generation industry, and is scheduled to host the following panels in Washington, D.C. on October 30: (i) Introduction to Lead Generation Marketplace and Mechanics; (ii) Case Study on Lead Generation in Lending; (iii) Case Study on Lead Generation in Education; (iv) Overview of Consumer Protection Concerns and the Legal Landscape; and (v) Looking Ahead – Protecting and Educating Consumers.
On October 16, the Article 29 Working Party (Working Party) released a statement regarding the Court of Justice of the European Union’s October 6 decision to invalidate the adequacy of the U.S.-EU data protection Safe Harbor framework. The EU Court declared that the Safe Harbor Framework fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” In response to the EU Court’s decision, the Working Party provided the following guidance on the implementation of the judgment: (i) a broad analysis of third country domestic laws and international commitments must be applied when determining if data transfers meet adequacy standards; and (ii) Member States and European institutions should hold open discussions with U.S. authorities to “find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.” The Working Party noted that it will continue to monitor the Irish High Court for developments concerning the Schrems opinion, but that “[i]f by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
On October 6, Governor Jerry Brown (D-CA) signed into law AB 964/Chapter 522, which, among other things, defines “encrypted” as it pertains to data breach notification requirements for businesses and public agencies. Current California law provides that when a business’s security system or data is breached, the business must disclose the breach to “any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Effective January 1, 2016, the bill – for the purpose of data breach notification requirements – defines “encrypted” as “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.”
Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework
On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.
The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred.
European Court of Justice Ruling on Validity of U.S.-EU Data Sharing Agreement Scheduled for October 6
Following up on an opinion issued on September 23 by the European Court of Justice Advocate General Yves Bot, the European Court of Justice is scheduled to issue its ruling on the validity of the U.S.-EU Safe Harbor Program on October 6. The High Court’s swift decision to issue judgment follows an opinion from the Advocate General advocating that the 2000 data sharing agreement between the U.S. and the European Union is invalid and inadequately protects Europeans’ personal data. Previous InfoBytes coverage can be seen here. The case is Schrems v. Data Protection Commissioner.
In an opinion that has the potential to seriously disrupt how U.S. companies can share data from Europe, on September 23, Advocate General (AG) Yves Bot of the Court of Justice of the European Union (CJEU) declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” This is because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies.
The EU’s 1995 Data Protection Directive (“Directive”) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the European Commission, U.S. companies participating in the U.S.-EU Safe Harbor Framework for personal data protection have been deemed to be compliant with that requirement. AG Bot’s opinion, however, calls that 2000 decision invalid. “To my mind, the existence of a [Commission] decision” on the sufficiency of a country’s personal data protection regime “cannot eliminate or even reduce” the powers of each EU member state’s Data Protection Authority, under Article 28 of the Directive, to independently assess the sufficiency of that country’s personal data protection regime. This opinion thus turns the power back over to individual EU countries to assess U.S. companies’ personal data protections, potentially leading to a fractured and technologically daunting state of digital commerce in Europe.
Negotiations are underway for a new U.S.-EU Safe Harbor Framework, but if AG Bot’s opinion is followed, no Framework would prevent country-by-country determinations of the sufficiency of a U.S. company’s personal data protections.
On September 22, the SEC ordered a Missouri-based investment adviser to pay a $75,000 penalty, settling allegations that the investment adviser failed to implement required written cybersecurity policies and procedures prior to a data breach affecting the firm’s clients. According to the SEC, in July 2013, the investment adviser’s third-party-hosted web server was hacked by a then-unknown source, compromising the personally identifiable information of more than 100,000 individuals. Subsequent investigations determined that the breach originated in China, and, to date, the firm’s clients have suffered no financial injury. In addition to the $75,000 penalty, the firm was censured and agreed to cease and desist from committing or causing any future violations of the Safeguards Rule.
To coincide with the announcement, the SEC also issued an Investor Alert, “Identity Theft, Data Breaches, and Your Investment Accounts,” which provides actions retail investors can take to protect their investment accounts in the event of a data breach or identity theft.
On September 16, U.S. Attorney General Loretta Lynch addressed the European Cybercrime Center at Europol, where she highlighted recent and planned DOJ initiatives related to global cybercrime and cyber threat efforts and stressed the DOJ’s commitment to information-sharing with international law enforcement authorities. Lynch noted that the U.S. and the European Union recently signed an “Umbrella” Data Privacy and Protection Agreement aimed at strengthening the countries’ ability to take on crime and terrorism while protecting personal privacy. In addition, Lynch revealed that the DOJ intends to temporarily assign a U.S. attorney from the DOJ’s Criminal Division to work alongside European authorities to enhance collaboration and information-sharing.
On September 9, FTC Chairwoman Edith Ramirez delivered remarks at the Start For Security workshop, an FTC initiative intended to provide start-ups and developers with the resources and information necessary to integrate effective data security strategies into their products. In her remarks, Ramirez advised companies to establish a “culture of security” by: (i) embedding privacy and security into the development process of apps and other products; (ii) testing the product to ensure that security defaults work properly and controls are secure; and (iii) establishing a “bug bounty” program or a contact point for when flaws, bugs, and vulnerabilities in software are discovered.