Updates in Privacy and Data Security from 2016 & How to Prepare for the Year Ahead

Alan Charles Raul, Partner, [email protected]
Andrea T. Shandell, Associate General Counsel, [email protected]

January 25, 2016

Agenda

• Cybersecurity
  – Cyber incidents in 2016
  – Government measures to increase security and cooperation
  – Steps to protect against and respond to cybersecurity incidents
• Big Data
  – Overview and challenges
  – FTC on big data
• Judicial, Regulatory and Enforcement Actions
• Developments in the EU
  – EU-U.S. Privacy Shield
  – GDPR
  – WP29 Guidance on Data Portability, DPOs and Lead Supervisory Authorities
  – ePrivacy Directive
• Developments from around the world
• Looking Forward: Congress and the Trump Administration

SIDLEY AUSTIN LLP 2

Cybersecurity Incidents in 2016

• Cybersecurity incidents are becoming more varied and costly
  – 2016 Verizon Breach Investigation Report shows that breaches are prevalent in public, financial and entertainment sectors; financial gain is still a primary motive for hackers
  – Information also targeted for political/social pursuits
    • Russian state-sponsored hacking of DNC and RNC computer servers, and other Republican, state-level organizations
    • Ashley Madison
  – Large numbers of individuals affected by incidents
    • Russian hacker reportedly selling 117 million email and password combinations of LinkedIn users on the dark web
    • Yahoo reported newly-discovered data breach of 1 billion accounts; prior disclosure of 500 million users affected by state-sponsored hackers
  – 2016 Cost of Data Breach Study from the Ponemon Institute indicates that the average cost of a data breach for companies participating in the study increased from $3.79 million to $4 million
• The largest financial consequences of experiencing a breach are often business impacts and costs rather than legal liability or settlements

Cybersecurity – Government Measures in 2016

• December 2015 - Cybersecurity Information Sharing Act
  – Facilitates two-way information sharing by insulating companies that provide cyber threat data to the government from potential liability
  – Provides companies with authority to monitor and operate defensive measures on their networks to protect against cyber risks and vulnerabilities
  – Designates DHS as coordinator of cyber threat information sharing; DHS should disclose cyber threat information it has received to other agencies and the private sector
• February 2016 - Cybersecurity National Action Plan (Pres. Obama)
  – Comprehensive effort to boost the nation’s digital defenses
  – Features $19 billion budget for cybersecurity spending, $3 billion of which will be devoted to updating agency systems; creates a Federal Chief Information Security Officer to guide the spending
  – Creates Commission on Enhancing National Cybersecurity, housed within the Department of Commerce; Commission issued a report on Dec. 1, 2016 providing recommendations to strengthen cybersecurity in public and private sectors
  – Creates Senior Agency Official for Privacy at each agency, as well as Federal Privacy Council, an interagency forum to improve government privacy practices

Cybersecurity: Government Measures in 2016

• July 2016 - Presidential Policy Directive 41 on United States Cyber Incident Coordination
  – Directs executive branch agencies to coordinate more effectively in responding to cybersecurity incidents, and to provide more concerted investigative and protective assistance to private-sector victims of cyber attacks
• September 2016 - DoT’s National Highway Traffic Safety Administration cybersecurity best practices regarding interconnected cars
  – Guidance is directed to car manufacturers and vehicle system and software designers to increase focus on security and privacy by design
  – The guidance is aimed at guarding against malicious hacking and other cybersecurity risks to internet-connected cars and other vehicles
  – Key tenets of the plan include:
    • Identifying the biggest risks
    • Protecting vehicle control systems and personally identifiable information
    • Quickly detecting, addressing, and recovering from security incidents, including a documented process for responding to incidents and vulnerabilities
    • Increased employee training

Cybersecurity: Preparation and Response to Cyber Incidents

• October 2016 – The Federal Deposit Insurance Corporation, the Federal Reserve, and the Office of the Comptroller of the Currency approved an ANPR (advance notice of proposed rulemaking) that invites comment on potential enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision
  – The proposal would require banking organizations with total U.S. assets of $50 billion or more to have procedures allowing their sector-critical systems to recover from a cyber attack within two hours
  – The proposal would also impose additional governance, risk management, and audit requirements such as:
    • Demonstrating effective cyber risk governance
    • Continuously monitoring and managing cyber risk within the risk appetite and tolerance levels approved by their boards of directors
    • Establishing and implementing strategies for cyber resilience and business continuity in the event of a disruption
    • Establishing protocols for secure, immutable, transferable storage of critical records
    • Maintaining continuing situational awareness of their operational status and cybersecurity posture enterprise-wide

Cybersecurity: Preparation and Response to Cyber Incidents

• January 2017 - National Institute of Standards & Technology (NIST) issued draft revision to its Cybersecurity Framework
  – NIST Cybersecurity Framework - Voluntary; final framework released February 12, 2014
    • Five core functions for dealing with cybersecurity risk: identify, protect, detect, respond, recover
    • August 2016 - The FTC published blog post “The NIST Cybersecurity Framework and the FTC,” identifying ways FTC enforcement actions are aligned with the NIST Cybersecurity Framework, including their shared focus on identification of risks, protection against those risks, detection of events, and response and recovery
      – Emphasized that the FTC has adopted (and will continue to follow) a reasonableness standard
      – Following NIST faithfully does not necessarily mean that a company would escape FTC action
• 2017 updates in draft NIST Framework include:
  – New section on cybersecurity metrics in the description of Framework implementation, including a detailed discussion of types of measurement
  – A discussion of “correlation to business results,” which recognizes that “the relative cost effectiveness of various cybersecurity activities is an important consideration,” but is a complex factor that varies within a company from the board level to senior executives, and to those who report to senior executives

Cybersecurity: Preparation and Response to Cyber Incidents

• December 2016 – The New York State Department of Financial Services issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk
  – NYDFS adopts a “risk based” approach to addressing cybersecurity risk
  – Covered entities are required to:
    • Maintain a cybersecurity program and annually certify the program to DFS through board (or senior officer) approval
    • Maintain a cybersecurity policy and establish a written incident response plan which addresses all of the areas dictated by the proposed regulations
  – The proposal, which is a revision of a more onerous September 2016 proposal, retains prescriptive requirements pertaining to penetration testing, access privileges, application security, cybersecurity personnel and intelligence, third-party service provider management, data retention, breach notice, training and monitoring
  – Such specific and mandated detail is, as NYDFS recognizes, “first in the nation”

Cybersecurity: Preparation and Response to Cyber Incidents

• January 2017 – National Association of Corporate Directors released handbook on cyber risk oversight
  – Report emphasizes that in addition to information loss or disruption, cyber attacks can have a severe impact on reputation and brand
  – Identifies five key principles to guide boards in preparing for and responding to cyber risks:
    • Approach cyber security as an enterprise-wide risk management issue, not just an IT issue
    • Understand the legal implications of cyber risk
    • Have adequate access to cybersecurity expertise, and regular discussions on cyber risk management
    • Set the expectation that management will establish enterprise-wide cyber risk management, with adequate staffing and funding
    • Board discussions should include the identification of the risks to avoid, accept, mitigate or transfer to insurance, and ways to achieve each one

Cybersecurity: Preparation and Response to Cyber Incidents

• Preparing for cybersecurity incidents:
  1. Develop information governance controls
  2. Identify, map and assess compliance with legal and regulatory obligations at federal, state and international levels
     – Determine cybersecurity vulnerabilities and risks
  3. Establish legal work plan for cybersecurity crisis prevention and crisis management
     – Who is accountable for what? What are the company’s vulnerabilities? How can privilege be preserved?
  4. Develop and maintain internal and external privacy policies
  5. Establish written policies, procedures and training programs
  6. Deploy appropriate information security safeguards for vendors/service providers, including reporting and due diligence

Cybersecurity: Preparation and Response to Cyber Incidents

  7. Understand process for Board oversight of cybersecurity
     – Risk oversight is a key competence of the Board
     – Regular reporting on threats, planning and execution
     – Insist on testing the system (internal and penetration)
  8. Identify consulting resources
     – Outside counsel
     – Computer forensic resources
     – Credit monitoring, mailing and call center services
  9. Implement secure technology design
  10. Test and update all assessments, safeguards and protocols

Cybersecurity: Preparation and Response to Cyber Incidents

• Responding to cyber incidents in the first 24 hours:
  – Mobilize crisis management team
    • Get the facts, but remember that early information can often be inaccurate
  – Inventory stakeholder groups
    • Be sure all audiences are being addressed
    • Specify communications approaches for each
  – Gauge stakeholder perceptions and expectations
  – Centralize communications
    • Determine single contact points for inquiries from media, consumers, employees and others
    • Consider a centralized communications center (“war room”) and establish protocols for on-site media management
  – Prepare and deliver immediate messages
  – Implement real-time media monitoring and rapid response
  – Evaluate the need for additional resources

Cybersecurity: Preparation and Response to Cyber Incidents

• Additional steps:
  – Determine the scope of the incident or compromise
  – Check physical security measures and their logs
  – Take immediate measures to prevent further compromise/unauthorized access
  – Determine whether and what notifications, reporting or consultation is necessary or appropriate
  – Prepare for possible litigation from impacted consumers and investigations from federal and state agencies
  – If information involves foreign data subjects, consult legal counsel from the impacted jurisdictions and assess foreign legal obligations
  – Document all actions taken (including notifications)
• FTC guidance for businesses on how to respond to data breaches:
  – Encourages businesses to take affected equipment offline immediately and to monitor all access points to the system
  – Directs businesses to notify law enforcement of breaches and to alert the financial institutions that may be affected

Big Data – the Value in Data

• FTC 2017 Cross-Device Tracking Report:
  – Identifies benefits of cross-device tracking, such as a seamless experience for users, improved fraud detection and account security, and better marketing
  – Identifies challenges, such as transparency (consumers are surprised to find browsing behavior on one device transfers to another); broad scope of connections; limited choices to control it; security concerns
  – The FTC recommends:
    • Transparency and truthful disclosure of tracking activities
    • Providing consumers choices on how cross-device activities are tracked
    • Refraining from cross-device tracking on sensitive data such as health, financial, and children’s information without affirmative consent
    • Maintaining reasonable security, such as only keeping data necessary for business purposes
• Data is an important corporate asset
  – In 2016 the market was worth $40 billion; it may be worth $66.8 billion by 2021
  – Emerging data analytics tools and vast datasets – expanding collection and use of personal information, online tracking, transactional history, social networks, etc.

Trends Enabling or Affecting Big Data

Technological Developments
• Ability to generate, collect, communicate, share, and access data from more people, devices and sensors
• Devices and consumer transactions capture more kinds of information than ever before
• More powerful computing and vastly cheaper data storage
• Data science developing quickly and improving algorithms

Consumer Trends
• Mobile, location tracking, social media, cloud
• Sharing information increasingly common and more comprehensive
• Media (and some consumers) voicing amorphous privacy concerns (often conflating governmental surveillance and commercial privacy)

Business Trends
• Desire to monetize data and deploy more sensors
• Deliver more tailored experiences
• Anticipate consumer desires

Government Trends
• Big Data can help save money, save lives, defend the homeland, etc.
• Fear of unknown implications
• Balancing innovation and consumer protection

Connections Are Growing Exponentially

[Figure: Connected Car, Connected Health, Connected Home]

FTC Big Data Report (January 6, 2016)

• “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues”
  – Does not focus on prior themes of notice, choice, security
  – Addresses commercial use of consumer information
  – Focuses on impact of big data on low-income and underserved populations
• Continues familiar theme of ambivalence about potential of big data
  – “Big data analytics can provide numerous opportunities for improvements in society”
    • “more effectively matching products and services to consumers”
    • “create opportunities for low-income and underserved communities”
    • “helping target educational, credit, healthcare, and employment opportunities to low-income and underserved populations”
  – “At the same time, …potential inaccuracies and biases might lead to detrimental effects for low-income and underserved populations”
    • “companies could use big data to exclude low-income and underserved communities from credit and employment opportunities”

FTC Big Data Report – cont’d

• No single law comprehensively addresses big data analytics
  – But, businesses should not assume big data analytics operate without legal restraint
  – Report intended to alert businesses to potential implications of existing laws for big data
  – Potential accountability even if initial data inputs seemed benign to data scientists, and even if the adverse impacts were neither intended nor readily foreseeable
    • FTC’s future big data law enforcement could seek to follow the “disparate impact” track of civil rights law
• FCRA requirements triggered when company makes a credit or employment or insurance decision based on a consumer report
  – “Only a fact-specific analysis will ultimately determine whether a practice is subject to or violates the FCRA, and as such, companies should be mindful of the law when using big data analytics to make FCRA-covered eligibility determinations.”
• Problems with data quality, accuracy, and representativeness, as well as imperceptible biases, can lead to mistaken inferences that could hurt consumers
• One could imagine future FTC actions alleging “unfair” injury to consumers (i.e., injury that is substantial, not easily avoided, and not outweighed by benefits)

FTC Big Data Report – cont’d

• FTC concludes:
  – “Our collective challenge is to make sure that big data analytics continue to provide benefits and opportunities to consumers while adhering to core consumer protection values and principles.”
  – “The Commission will continue to monitor areas where big data practices could violate existing laws, including the FTC Act, the FCRA, and ECOA, and will bring enforcement actions where appropriate.”
• FTC recommends companies:
  – Consider whether data sets are missing information from particular populations and, if so, take appropriate steps to address this problem
  – Review data sets and algorithms to ensure that hidden biases are not having an unintended impact on certain populations
  – Remember correlations are not necessarily meaningful; balance risks of using results where policies could negatively affect certain populations
  – Maintain human oversight of data and algorithms when big data tools are used for important decisions, such as those implicating health, credit, and employment
  – Consider fairness and ethical considerations using big data to advance opportunities for previously underrepresented populations

CFPB Treatment of Big Data

Per CFPB economist Bryce Stephens (Jan. 2016):

• CFPB continuing to develop its approach to analyzing use of big data
• Concern arises where big data use raises fair lending issues that cause disparate impact
• Creditor should determine whether:
  – Big data factor is highly correlated to discriminatory impact
  – There is any good basis to continue to use that factor
  – There is any better variable for the same purpose without discriminatory impact
• CFPB is unlikely to object to use of big data to reconsider credit applications that would otherwise be denied
• CFPB will closely scrutinize use of big data to deny credit in the first instance

Big Data in the Insurance Sector

• Survey indicates big data use will change significantly in next two years
• Insurers will gather data from greater number of sources:
  – Website use, email and phone calls, social media, smart home (household devices and systems), automobile telematics that monitor driving, retail loyalty cards
  – Using sites like Facebook and Twitter, insurers could infer their customers’ behavior and risk profile
• National Association of Insurance Commissioners exploring insurers’ use of big data for claims, marketing, underwriting and pricing
  – Hearing (April 3, 2016) addressed:
    • Definition of “big data”
    • Sources of big data and examples of data points
    • How data and predictive analytics are being used for different lines of insurance
    • Benefits and concerns surrounding big data
    • Data points valuable to state insurance regulators
  – Consumer groups concerned over potential discrimination in coverage

2016 Judicial Developments

• Spokeo decision
  – The Supreme Court in Spokeo, Inc. v. Robins ruled that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages do not have automatic standing to sue
    • The Court instead found that to meet the constitutional requirement of standing, the plaintiff must establish not only the “invasion of a legally protected interest” defined by Congress, but also that the plaintiff suffered a “concrete and particularized” harm to that interest
    • The Court acknowledged that while intangible injuries can be “real” and “concrete,” such injuries can give rise to standing only where they pose some de facto risk of harm to the plaintiff. “Bare” or immaterial procedural violations will not suffice
    • The class action against Spokeo, an “online people search engine,” alleged that Spokeo circulated false information about individuals online
    • The case has been remanded to the Ninth Circuit to determine whether and how the plaintiff suffered “concrete” injury

2016 Judicial Developments

• Conflicting rulings on standing in class-actions post-Spokeo?
  – The Third Circuit recently ruled in In Re: Horizon Healthcare Services Inc. Data Breach Litigation that Spokeo does not preclude class actions where the alleged injury is intangible
    • The plaintiffs alleged that laptops containing sensitive personal information were stolen, and that the health insurer Horizon Healthcare had violated FCRA
    • The court noted “even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury”
  – But the Eighth Circuit ruled in September in Braitberg v. Charter Communications that a cable customer alleging the unlawful retention of personal data did not meet Spokeo’s test because it failed to identify a “material risk of harm”

2016 Judicial Developments

• Apple Encryption Case
  – The Justice Department tried to use the All Writs Act to force Apple to unlock the iPhone of one of the San Bernardino shooters
  – The case raised the question of whether the All Writs Act permits a court to order a company to provide technical assistance—including compelling a company to write code—to unlock encrypted devices
  – Tech industry and privacy advocates opposed DOJ actions and potential legislation on the grounds that it would weaken privacy and security for users
  – Judge Orenstein, a magistrate judge in the Eastern District of New York, denied a similar government request to order Apple to help unlock the phone of a convicted drug trafficker
    • “[The government’s] preferred reading of the [All Writs Act] – which allows a court to confer on the executive branch any investigative authority Congress has decided to withhold, so long as it has not affirmatively outlawed it – would transform the AWA from a limited gap-filling statute that ensures the smooth functioning of the judiciary itself into a mechanism for upending the separation of powers by delegating to the judiciary a legislative power bounded only by Congress's superior ability to prohibit or preempt. I conclude that the constitutionality of such an interpretation is so doubtful as to render it impermissible as a matter of statutory construction.”

2016 Judicial Developments

• LabMD Case
  – A data security company allegedly obtained sensitive data from LabMD via a peer-to-peer file-sharing program
  – Allegedly, after LabMD refused to purchase the company’s security products, it reported the alleged data security vulnerability to the FTC
  – The FTC accused LabMD of unfair practices in failing to provide reasonable and appropriate security for customers’ personal information, which was allegedly likely to cause harm to customers
  – In 2015, an Administrative Law Judge dismissed the case, finding that the FTC failed to prove LabMD’s practices were likely to cause substantial customer injury
  – In July 2016, upon appeal to the full Commission, the FTC reversed the ALJ decision. Although LabMD stopped operating in 2014, the FTC ordered LabMD to implement several information security compliance measures because the Lab still maintains medical records
  – LabMD appealed to the Eleventh Circuit and filed a motion to stay the FTC’s order

2016 Judicial Developments

• LabMD Case (Continued)
  – The Eleventh Circuit granted LabMD’s motion to stay
    • The Eleventh Circuit found that LabMD would likely succeed on the merits because of “compelling reasons why the FTC’s interpretation may not be reasonable”
      – The court found that it was “not clear” that 15 U.S.C. § 45 (the FTC Act) could reasonably be read to cover intangible harms like the ones cited by the FTC or that “likely to cause” in the statute could reasonably “include something that has a low likelihood”
    • The court also found that the cost of complying would be detrimental to LabMD, and even if LabMD ultimately prevailed, it would not be able to recover the costs from the FTC due to sovereign immunity
  – Six amici have joined so far, including the U.S. Chamber of Commerce, which has argued that the FTC has extended its authority too far
    • “Although the FTC plays an important role in protecting consumers, its “unfairness” authority does not include setting and enforcing—whether through litigation or consent orders—general data-security policy”
    • “Perversely, the FTC does not seek to punish the perpetrators of data theft, but the businesses that have been victimized on the untenable theory that vulnerabilities in their data-security policies constituted “unfair” trade practices. In short, the FTC’s effort to set cybersecurity policy is classic regulatory overreach. Section 5 of the Act does not grant it the legal authority to act as a roving regulator of data-security standards.”

2016 Judicial Developments

• Microsoft Warrant Case
  – A panel of the Second Circuit held in Microsoft Corp. v. USA that electronic communications stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the Stored Communications Act
    • The U.S. had sought a warrant for the communications of one of Microsoft’s email customers; some of the data in question was stored on a server in Ireland
    • On Jan. 24, 2017, an evenly divided Second Circuit denied rehearing en banc:
  – Judge Carney’s concurrence:
    • “The dispositive question in the case, as we see it, might be framed as whether Microsoft’s execution of the warrant to retrieve a private customer’s electronic data, stored on its servers in Ireland, would constitute an extraterritorial application of the SCA in light of the statute’s “focus,” determined in accordance with Morrison and RJR Nabisco.”
    • “We recognize at the same time that in many ways the SCA has been left behind by technology. It is overdue for a congressional revision that would continue to protect privacy but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose”

2016 Judicial Developments

• Microsoft Warrant Case (continued)
  – Excerpts from the dissents:
    • Judge Cabranes:
      – “In sum, the government obtained a warrant based on a showing of probable cause before a judicial officer of the United States. That warrant required Microsoft’s office in Redmond, Washington, to disclose certain emails that happened to be electronically stored in its servers abroad, but to which Microsoft had immediate access in the United States. Because the location of a provider’s disclosure determines whether the SCA is applied domestically or extraterritorially, the enforcement of the warrant here involved a domestic application of the SCA. The panel should have affirmed the District Court’s denial of Microsoft’s motion to quash.”
    • Judge Jacobs:
      – “Oddly, the majority then holds that the relevant “territorial” “focus” is user privacy. But privacy, which is a value or a state of mind, lacks location, let alone nationality. Territorially, it is nowhere. Important as privacy is, it is in any event protected by the requirement of probable cause; so a statutory focus on privacy gets us no closer to knowing whether the warrant in question is enforceable.”
      – “Localizing the data in Ireland is not marginally more useful than thinking of Santa Claus as a denizen of the North Pole. Problems arise if one over-thinks the problem, reifying the notional: Where in the world is a Bitcoin? Where in my DVR are the images and voices? Where are the snows of yesteryear?”

2016 Regulatory Developments

• October 2016 – FCC adopted privacy rules applicable to broadband internet service providers (stay tuned for Congressional Review Act consideration)
  – Rules aim to provide customers more “meaningful choice, greater transparency and strong security protections”
  – New requirements include:
    • More stringent consent requirements:
      – Opt-in: ISPs are required to obtain opt-in consent from consumers in order to use and share sensitive information, including precise geo-location and health information, financial data, etc.
      – Opt-out: ISPs are allowed to use and share non-sensitive information unless a user opts out
      – Exceptions to customer approval requirements, such as using customer information to provide broadband services
    • Transparency – ISPs must provide clear notice of how they collect, use and share customer information
    • ISPs must engage in reasonable data security practices; must notify the Commission, FBI and Secret Service of data breaches
  – FTC comment letter to the FCC in May of 2016 – emphasized the privacy risks that create challenges for consumers and businesses, and made constructive suggestions on transparency, choice, and security

Page 30: Updates in Privacy and Data Security from 2016 & How to Prepare

2016 Enforcement Actions

• March 2016 – $8.5 million settlement between Wells Fargo and the California AG over alleged privacy violations, including allegedly recording consumers’ phone calls without telling consumers they were doing so
  – In addition to civil penalties, the settlement included prosecutor costs and $500,000 to statewide organizations dedicated to advancing consumer protection and privacy rights
• September 2016 – HHS reached a $400,000 settlement with Care New England Health System of Providence, Rhode Island for failing to update business associate agreements on behalf of each of the covered entities under its common control since 2005
• October 2016 – Vermont AG settled with a software vendor after a security breach, and advised other vendors that the state will likely begin more aggressive enforcement
• October 2016 – A federal judge sentenced a former Warner Chilcott sales manager to pay a $10,000 fine and serve 12 months’ probation for his part in the wrongful disclosure of individually identifiable health information
  – The sales manager pleaded guilty to violating HIPAA in November 2015 after unlawfully obtaining confidential medical information from patients, without their consent, to push through prescriptions for a drug with poor insurance coverage


Updates from the European Union


EU-U.S. Privacy Shield: A Brief Introduction

• Data transfers from the EU to the U.S. formerly occurred through the Safe Harbor Framework (or standard contractual clauses, BCRs, consent, etc.)
• 6 October 2015 – Schrems Judgment – Court of Justice of the European Union rules that Commission Decision 2000/520/EC approving the Safe Harbor Framework was invalid
• 2 February 2016 – European Commission announces that a political agreement had been reached on a new framework for transatlantic data flows – the “EU-U.S. Privacy Shield”
  – Additional obligations on companies handling the personal data of Europeans and robust enforcement
  – Reinforced oversight by the Commerce Department, European Commission, and DPAs
  – Clear safeguards and transparency obligations on U.S. government access
  – Effective protection of EU citizens’ rights with several redress possibilities
• 12 July 2016 – European Commission deemed the EU-U.S. Privacy Shield adequate to enable data transfers under EU law


EU-U.S. Privacy Shield: More Recent Developments

• February 2016 – President Obama signed the Judicial Redress Act
  – Gives EU citizens access to U.S. courts to enforce privacy rights where personal data is transferred to the U.S. for law enforcement purposes
  – Subject to Attorney General determination, extends the rights afforded to U.S. citizens under the Privacy Act of 1974 to EU citizens, allowing them to file litigation against U.S. agencies under the Privacy Act
• 12 Jan 2017 – Swiss Government announced approval of the Swiss-U.S. Privacy Shield Framework, whose requirements are similar to those of the EU-U.S. Privacy Shield


EU-U.S. Privacy Shield: Certification Review and Oversight

• August 2016 – U.S. Department of Commerce began accepting certifications to the Privacy Shield
  – Over 1,300 companies have self-certified so far
• As part of the certification process, the Department of Commerce:
  – Verifies that subscribing companies meet the requirements of the Principles and Supplemental Principles for certification
  – Updates the list of companies, removes companies that fail to comply, and maintains a list of companies removed from the list
  – Monitors compliance
  – Receives and facilitates the resolution of complaints of non-compliance from DPAs
  – Refers cases of false participation ex officio to the FTC or DoT, where privacy policies falsely indicate ongoing participation in the Privacy Shield


EU-U.S. Privacy Shield: Certification Basics

• Certification is voluntary; compliance once certified is not
• To certify under the Privacy Shield, organizations must:
  – Be subject to the investigative and enforcement powers of the FTC or the DoT
    • Financial companies and telecommunications carriers not regulated by the FTC are not eligible
    • The EU may add additional sectors or agencies in the future
  – Publicly declare commitment to comply with the Privacy Shield Principles
  – Publicly disclose privacy policies in line with the Principles
  – Fully implement the Principles


The Impact on Companies: Privacy Shield Principles

1. Notice
2. Choice
3. Accountability for Onward Transfers
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability


What Additional Obligations Does Privacy Shield Entail for Companies?

• The Privacy Shield requires that companies:
  – Provide enhanced notice provisions, including, for example, requiring that companies link to the Privacy Shield List and the independent recourse mechanism on their website(s)
  – Enter into contracts with third-party controllers to which personal data is disclosed, and retain liability for the onward transfer
  – Take reasonable and appropriate steps to ensure that agents process personal data in line with the Privacy Shield Principles, and on request provide a copy of the contract or relevant provisions to the Department of Commerce
  – Provide independent recourse mechanisms at no cost to individuals; where processing HR data of EU individuals, a participating U.S. company must commit to cooperate with DPAs
  – Retain records on the implementation of the Privacy Shield privacy practices and make them available on request
  – Comply with individuals’ rights of access to information that more closely resemble those in the EU
• Companies that were previously members of the Safe Harbor framework and want to join the Privacy Shield framework need to sign up again (i.e., there are no transition arrangements)


Privacy Shield: Enforcement

• December 2016 – Article 29 Working Party published Privacy Shield FAQs
  – WP29 will assume the role of “EU centralized body” – the EU body responsible for addressing complaints regarding data transferred to the U.S. for commercial purposes and further accessed for national security purposes
  – FAQs explain to European businesses the steps they must take before transferring personal data under the Privacy Shield to U.S.-based counterparts, such as understanding the scope and validity of certification, and identifying the legal basis for transfer
  – FAQs explain to European individuals the process for making complaints against businesses for breaches of the Privacy Shield Principles
• German data protection authorities are auditing 500 companies’ international transfers of data outside of the European Economic Area to ensure compliance with the EU-U.S. Privacy Shield, Binding Corporate Rules and Model Contracts, where applicable


Status of Other EU Data Transfer Options

• 3 Feb. 2016 – Article 29 Working Party confirmed Binding Corporate Rules and Model Contracts are still valid data transfer mechanisms but are under review along with the Privacy Shield
• Binding Corporate Rules
  – Internal rules adopted by multinational companies and approved by the EU that govern international transfers of personal data within companies
• Model Contracts / Standard Contractual Clauses
  – Contract clauses approved by the EU that provide adequate safeguards for transfers of personal data to data controllers or processors outside the EU/European Economic Area (“EEA”)
• Under the Privacy Shield, companies and DPAs will conduct individual “essential equivalency” tests
  – To evaluate approval of BCRs; complaints under BCRs
  – Complaints under MC/SCC Clauses
• In the near term, enhanced scrutiny of MC/SCCs and BCRs is likely; stay tuned for DPA guidance


Privacy Shield and International Data Transfers: Challenges

• Challenges to the adequacy of the Privacy Shield and other international data transfer mechanisms
  – Challenges to the European Commission’s adequacy decision on the EU-U.S. Privacy Shield:
    • La Quadrature du Net – coalition of French privacy organizations challenging the adequacy of the Privacy Shield to protect personal information, particularly in light of U.S. surveillance and bulk data collection practices
    • Digital Rights Ireland – Irish privacy advocacy group has also challenged the adequacy of the Privacy Shield, asking the Court of Justice of the European Union to declare the European Commission’s adequacy decision a “manifest error”
  – The Irish Data Protection Commissioner has sought declaratory relief in the Irish High Court and a referral to the Court of Justice of the European Union to determine the validity of standard contractual clauses, or model clauses, as a mechanism to transfer data out of the European Union
    • The plaintiff is Max Schrems, the plaintiff whose case led to the invalidation of the U.S.-EU Safe Harbor Framework
    • The U.S. government has received approval to participate


Closing Thoughts on Privacy Shield

• The Privacy Shield is an impressive array of findings, commitments and obligations
  – One step closer to ameliorating transatlantic digital tension
• Assurance from the U.S. that EU data are not subject to mass or indiscriminate surveillance demonstrates the importance to the U.S. of addressing broader international surveillance concerns (whether fair or unfair)
• Judicial Redress Act adoption shows the importance to the U.S. of respecting EU privacy interests
• Demonstration that both sides can be reasonable to serve the best interests of both U.S. and EU citizens, consumers and businesses
• Substantive convergence on data privacy is actually closer than the rhetoric would suggest
• Privacy Shield should be helpful to promote international digital trade, citizen rights, and perhaps greater political harmony on privacy issues across the Atlantic
• BUT: privacy groups and NGOs will continue to criticize and oppose


EU: General Data Protection Regulation (GDPR)

• 14 April 2016 – European Parliament adopted the GDPR, giving companies and member states two years to implement the Regulation before its May 25, 2018 effective date
  – It will replace the existing Data Protection Directive 95/46, and aims to create a single data protection law for the EU
• The Regulation will apply to a business processing personal data:
  – (1) in the context of establishments in the EU; or
  – (2) outside the EU where it carries out activities aimed at offering goods or services to individuals in the EU, or that monitor or collect data from individuals in the EU
• The Regulation will apply to U.S. companies that hold personal data on European citizens even if they are not European businesses
• Harms associated with non-compliance
  – Fines of up to the greater of 4% of annual worldwide gross revenue or €20 million for failure to comply
  – Claims by individuals or representative organisations
  – Damages will now be permitted for non-financial loss, e.g. for distress


Preparing for the GDPR: 12 Steps

• The UK Information Commissioner’s Office suggests that companies begin preparing now to gain buy-in from key personnel and put new procedures in place, and has issued 12-step guidance for companies:

1. Awareness – ensure decision makers and key players are aware of the GDPR and can start identifying problem areas
2. Information you hold – document the personal data your company holds, where it came from, and who you share it with, perhaps in the form of an information audit
3. Communicating privacy information – review current privacy notices and create a plan to make any necessary changes, such as complying with new requirements to explain the legal bases for processing data, your retention periods, and the rights of individuals to complain to their DPAs


4. Individuals’ rights – ensure your company’s procedures cover all the rights individuals will have, such as how to delete personal data or provide it electronically and in a commonly used format
   • Main rights include subject access, correction of inaccuracies, information erasure, preventing direct marketing, preventing automated decision-making and profiling, and data portability (new to the GDPR)
5. Subject access rights – update procedures and plan how to handle requests given requirements to provide additional information; consider whether to allow people to access their information easily online
   • Companies will have to comply with requests in just a month rather than 40 days
   • Develop policies and procedures to demonstrate why you may refuse a request for access where it is manifestly unfounded or excessive
6. Legal basis for processing personal data – identify the legal basis for data processing, and document it
   • For example, individuals whose data is processed based on consent may have stronger rights to have their data deleted than others


7. Consent – review how your company seeks, obtains and records consent
   • Controllers must be able to demonstrate how consent was given, so ensure you have an effective audit trail
   • Consent cannot be inferred from silence, pre-ticked boxes or inactivity
8. Children – put systems in place to verify children’s ages and gather parental or guardian consent for data processing
   • The GDPR requires a parent or guardian’s consent to process children’s personal data
   • Privacy notices must be written in language that children will understand
9. Data breaches – ensure your company has procedures to detect, report and investigate data breaches, including assessing the data you hold, and developing policies and procedures for managing breaches
   • Breach notification obligations will apply across the board under the GDPR


10. Data protection by design and data protection impact assessments – familiarize yourself with Data Protection Impact Assessments (DPIAs), assess where they may be necessary, and adopt a privacy by design approach
    • They may be necessary in high-risk situations such as deploying new technology or engaging in profiling that may significantly affect individuals
11. Data Protection Officers – consider whether your company needs to designate a data protection officer, and assess whether your current approach to data protection compliance will meet the GDPR
    • Appoint a data protection officer if required (such as for public authorities or where activities involve regular and systematic monitoring of data subjects on a large scale)
12. International – identify your company’s data protection authority if you operate internationally (even if data is not transferred abroad, but substantially affects data subjects internationally)
    • Lead DPAs are determined based on where your company has its main administration or where data processing decisions are made
    • It may be helpful to map out where your organization makes its most significant data processing decisions


More EU Developments: WP29 Guidelines

• WP29 Jan. 2017 Guidelines on Data Portability:
  – Data portability allows data subjects to receive personal data they’ve provided to a controller, and transmit it to another controller
  – The right covers data provided knowingly and actively by the data subject, and applies to personal data generated by a subject’s activity
  – Data controllers should develop means to answer data portability requests, such as download tools and Application Programming Interfaces
• WP29 Jan. 2017 Guidelines on Data Protection Officers:
  – Even when not required, organizations may find it useful to designate DPOs on a voluntary basis
  – They must be given sufficient autonomy and resources


• WP29 Jan. 2017 Guidelines on Lead Supervisory Authorities:
  – Whether processing of personal data “substantially affects” data subjects in more than one Member State is determined on a case-by-case basis
  – Provides guidance on identifying where a company’s lead DPA should be
    • E.g., for a multinational bank with HQ in Frankfurt, two lead DPAs may exist if the Vienna office decides on and implements processing of insurance data, while the Frankfurt office decides on and implements processing of banking data
    • No “forum shopping” in borderline cases; data controllers and processors bear the burden of proof


More EU Developments: Proposed ePrivacy Regulation

• ePrivacy Directive (Directive 2002/58/EC on Privacy and Electronic Communications)
  – Aims to ensure that communications over public networks maintain respect for fundamental rights, data protection and privacy
• January 2017 – European Commission released a draft ePrivacy Regulation to replace the ePrivacy Directive
  – A Regulation would be directly applicable in EU member states; implementation of Directives is left up to member states
  – Brings over-the-top communications service providers, including social networks and search engines, into the scope of the EU’s e-Privacy law
  – Gives users the right to object to a company processing their data and provides for compensation awards if they suffer “material or non-material damage as a result of an infringement”
  – Forces regulators to work together where breaches occur across borders
  – Potential effective date is May 2018, the same as the effective date for the GDPR


More EU Developments

• September 2016 – European Data Protection Supervisor opinion on the coherent enforcement of fundamental rights in the age of big data
  – The EDPS emphasized the importance of the protection of personal data rights in light of the rise of data “monopolies”
  – The EDPS made three recommendations:
    • Greater protection of individuals in big data mergers
    • The creation of a Digital Clearing House
    • The creation of a common area on the web without fear of unfair interference
• December 2016 – The CJEU ruled that companies cannot be broadly required to retain the personal data of customers, and any EU country adopting legislation imposing such obligations is in breach of EU law
  – Countries are allowed to require companies to retain traffic and location data for certain law-enforcement purposes, but retention must be strictly tailored to crime prevention
  – The ruling affects laws in Sweden and the U.K., as well as other EU countries that still have broad data retention requirements
  – Tailored data retention laws must also contain “substantive and procedural conditions” for appropriate national authorities to access the retained data


Updates from Around the World

• Argentina adopted model contractual clauses following EU guidelines; companies can use the clauses in contracts to simplify and expedite the international transfer of corporate data
  – Argentina is one of only a small number of countries with data protection regulations that the EU has certified as adequate to protect the privacy of personal data transferred outside of the EU
• The U.S. and Japan have agreed to cooperate on the development and expansion of APEC’s Cross Border Privacy Rules
  – U.S. and Japanese officials have pledged to meet regularly to work with stakeholders, expand awareness of the CBPR system, and encourage participation by other APEC members
  – The FTC has started to bring enforcement actions in the U.S. for violations of APEC’s CBPR
• Israeli intelligence officials assert that Hamas has been luring Israeli soldiers to chat with fake social media profiles
  – Soldiers were downloading video chat applications that were actually malware, enabling remote attackers to access the location data, files, microphone and camera of cell phones


Updates from Around the World: Data Localization Laws

• Russia has blocked LinkedIn for storing personal data of Russians on servers outside the country
  – Russia not only requires personal data of Russian citizens to be retained on servers in Russia, but in 2016 it also began requiring that online communication service providers retain data on Russian users, and share it upon request
  – LinkedIn was also collecting data from unregistered users, such as IP address, device model number and cookie files, which is considered to be personal data in Russia
  – Apple and Google have removed LinkedIn from their app stores in Russia at Russian request
• A new Chinese cybersecurity law requires “critical information infrastructure operators,” including tech, energy, transport, water services, finance and e-government service companies, to store “important business information” on servers that are located in China
  – The law also requires that companies obtain security certifications for network equipment and software, monitor and report security incidents to the government, and provide “technical support” to security agencies to aid in investigations
  – The law also requires that business information and data on Chinese citizens that is gathered within China be kept on domestic servers


Updates from Around the World: Canada’s Anti-Spam Law

• Canada’s Radio-television and Telecommunications Commission issued its first compliance and enforcement decision under the country’s anti-spam law
  – Blackstone Learning Corporation allegedly sent unsolicited emails advertising educational services
  – The Commission rejected Blackstone’s argument that it had implied consent to send the emails because the email addresses were publicly available
  – It found that in order to obtain such consent, email addresses must be “conspicuously published,” unaccompanied by a statement indicating that an individual does not want to receive unsolicited electronic messages, and that the messages must be relevant to the recipients in a business or official capacity


Looking Ahead: The 115th Congress

• Encryption-piercing bill to force tech firms to help investigators unlock secure devices?
• Reauthorization of Section 702 of the Foreign Intelligence Surveillance Act? (Otherwise it will expire this year.)
• Repeal of the USA Freedom Act (which imposed limitations on intelligence agency collection of bulk telecommunications metadata)? Repeal could negatively impact international data transfers.
• Senators have proposed a Senate Select Committee on Cybersecurity
  – The U.S. Senate Armed Services Committee has already created a Cybersecurity Subcommittee
• Congressional Review Act consideration for the FCC’s ISP privacy rules


Looking Ahead: The Trump Administration

• President Trump has called for a 90-day review of cybersecurity vulnerabilities with an emphasis on critical infrastructure; former Mayor Rudy Giuliani to lead the review and serve as cybersecurity advisor
• President Trump has issued an Executive Order withdrawing the U.S. from the Trans-Pacific Partnership
  – TPP contains digital commerce provisions that would prohibit forced data localization and barriers to the free flow of data across borders
• Other potential moves that could affect international data transfers?
  – Withdrawal from Presidential Policy Directive 28?
    • It extended to citizens of foreign countries safeguards that require that surveillance of Americans be targeted carefully for defined and legitimate purposes
    • These safeguards essentially protect the privacy interests of innocent foreigners whose electronic communications are scooped up by the NSA merely as incidental collection to the agency’s actual targeting of malicious individuals
    • They are key to the viability of the EU-U.S. Privacy Shield
• Impact of cuts in federal spending on cybersecurity?


Sidley’s Data Matters Blog


http://datamatters.sidley.com/


Alan Charles Raul
Partner
Washington, D.C.
+1 202 736 8477
+1 202 736 8711 FAX
[email protected]

ALAN RAUL is the founder and leader of Sidley Austin LLP’s highly ranked Privacy, Data Security and Information Law practice. He represents companies on federal, state and international privacy issues, including global data protection and compliance, data breach incident response, cybersecurity governance, Big Data, consumer protection and technology issues, and Internet law. His practice involves litigation and counseling regarding consumer class actions, FTC, FCC, State Attorneys General, Department of Justice and other government investigations, enforcement actions and regulation, and internal investigations.

Alan previously served as Vice Chairman of the Privacy and Civil Liberties Oversight Board. The Board advises the President, agency heads and Congress regarding the impact of the government’s efforts to combat terrorism on privacy and civil liberties. Alan also served as Associate Counsel to President Ronald Reagan, where he represented the White House in connection with the Iran-Contra investigations. He subsequently served as General Counsel of the Office of Management and Budget in the Executive Office of the President, and as General Counsel of the U.S. Department of Agriculture.

Alan is a member of the U.S. Chamber of Commerce Litigation Advisory Committee on Data Security, Privacy and Intellectual Property and of the Practising Law Institute’s Privacy Law Advisors Group, and an ex officio member of the American Bar Association’s Cybersecurity Legal Task Force. He serves on the Executive Committee of the Federalist Society’s Administrative Law Practice Group. Alan is a frequent author and speaker on privacy, cybersecurity and related issues. He is editor and contributing author of The Privacy, Data Protection and Cybersecurity Law Review (Law Business Research Ltd, 1st ed. Nov. 2014 and 2nd ed. Nov. 2015).

Alan holds degrees from Harvard College and the Harvard Kennedy School of Government, and from Yale Law School. He clerked for Judge Malcolm R. Wilkey of the U.S. Court of Appeals for the D.C. Circuit.


PRACTICES
• Government Strategies
• Privacy, Data Security and Information Law
• Supreme Court and Appellate
• White Collar: Government Litigation & Investigations

INDUSTRY
• Life Sciences
• Financial Services
• Technology
• Media and Entertainment

ADMISSIONS & CERTIFICATIONS
• U.S. Supreme Court, 1988
• U.S. Court of Appeals, 2nd Circuit, 2009
• U.S. Court of Appeals, D.C. Circuit, 1982
• U.S. District Court, S.D. of New York, 2003
• District of Columbia, 1982
• New York, 1982

EDUCATION
• Yale Law School (J.D., 1980)
• Harvard University (M.P.A., 1977)
• Harvard University (A.B., 1975, magna cum laude)

CLERKSHIPS
• U.S. Court of Appeals, D.C. Circuit, Malcolm R. Wilkey


Andrea T. Shandell
Associate General Counsel and Chief Ethics Privacy Officer
Gannett Co., Inc.
McLean, Virginia
[email protected]


Andrea provides legal, counseling, compliance and training services to the Law Department of Gannett Co., Inc. in the areas of privacy, data security, circulation law, litigation, ethics, compliance and media and marketing services business operations. Prior to providing services to the Law Department, Andrea was a trial lawyer, mostly representing personal injury litigants. In addition, Andrea taught at the University of Maryland in its Paralegal Studies program. Andrea also edited a book on medical malpractice litigation.

Andrea graduated from the University of Pennsylvania and from Duke University School of Law. She is admitted to the bars of Virginia, Maryland and the District of Columbia. She is a Certified Information Privacy Professional (CIPP).

Andrea is active in the Association of Corporate Counsel – National Capital Region (formerly known as Washington Metropolitan Area Corporate Counsel Association [WMACCA]), including serving as VP/External Relations (2015), on the Board of Directors (2014 – present) and as Chair of the High School Outreach/Street Law program. Andrea is also active on the IT, Privacy and eCommerce committee of the Association of Corporate Counsel (ACC), in Digital Content Next and in the Legal Affairs Committee of the National Newspaper Association. She served on the Corporate Counsel Section Council of The Virginia Bar Association 2008 - 2011.

Andrea regularly speaks at continuing education events for several associations on topics of privacy, data security, litigation management and marketing compliance.


Questions?

Alan Raul: [email protected]

www.Sidley.com/InfoLaw

This presentation has been prepared by Sidley Austin LLP as of November 3, 2016 for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.

For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.


Offices: Beijing, Boston, Brussels, Century City, Chicago, Dallas, Geneva, Hong Kong, Houston, London, Los Angeles, Munich, New York, Palo Alto, San Francisco, Shanghai, Singapore, Sydney, Tokyo, Washington, D.C.

1,900 LAWYERS and 20 OFFICES located in commercial, financial and regulatory centers around the world