Dechert Cyber Bits - Issue 11

Dechert LLP

WARNING: U.S. Federal Government Continues to Warn the Private Sector to Prepare Itself for Russian Cyberattacks

The White House, the Cybersecurity and Infrastructure Security Agency (“CISA”), and other federal agencies continue to warn companies to prepare themselves for cyberattacks from Russia as the conflict in Ukraine continues. In a Statement issued on March 21, 2022, President Biden urged businesses to “harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” CISA has urged companies to review the website for its “Shields Up” cybersecurity initiative regularly for reports on cybersecurity developments and guidance on optimizing defenses.

Takeaway: As always, check to be sure that: (1) critical patches are up to date; (2) multi-factor authentication is enabled on all company accounts; (3) you have considered deploying an endpoint detection and response (“EDR”) product in your company’s environment; and (4) logging is enabled. On the response front, be sure your incident response plan is up to date and that key employees know what to do if an attack occurs. Review your company’s cyber insurance policy to confirm that coverage levels are adequate, that ransom payments are covered and that the act-of-war exclusion will not be applied to nation-state-sponsored attacks. Finally, continue to remind employees to be extra vigilant for phishing emails and to be mindful of cybersecurity hygiene in this heightened threat environment.

_____________________________________________________

EU and U.S. Move Closer to New Trans-Atlantic Data Privacy Framework

On March 25, 2022, European Commission (“EC”) President Ursula von der Leyen and President Biden announced that the United States (“U.S.”) and the European Union (“EU”) reached an agreement in principle on a new framework for transatlantic data flows (“Framework”). If the Framework is approved, companies will be able to use it for EU – U.S. data transfers via self-certification presumably similar to the process that was in place for the Privacy Shield. This successor to the Privacy Shield, however, remains uncertain as EU concerns about U.S. government access to EU personal data, and the availability of independent redress for aggrieved EU data subjects, will remain sticking points for EU authorities.

A White House fact sheet describes the U.S. as having made “unprecedented commitments” aimed at (i) strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities; (ii) establishing a new redress mechanism with independent and binding authority; and (iii) enhancing its existing rigorous and layered oversight of signals intelligence activities. These commitments will be formalized in an Executive Order issued by President Biden. The Executive Order will be reviewed by the EC and will form the basis for the EC’s adequacy decision – and that will be where the rubber hits the road. The EC will be particularly focused on whether meaningful protections will be put in place, including:

  • Binding privacy and civil liberty safeguards that will sufficiently limit access by U.S. intelligence agencies to EU data flowing to the U.S.; and
  • A new two-tier redress mechanism, including an independent Data Protection Review Court, to replace the State Department Ombudsman created under the Privacy Shield. The EC maintained that the Ombudsman lacked independence.

In a just-issued statement, the European Data Protection Board (“EDPB”) addressed both of these concerns, making clear that it will examine whether the processing of EU personal data by the U.S. for national security purposes is aligned with the GDPR’s purpose limitation and proportionality requirements.

The announcement of the Framework could signal the “beginning of the end” of nearly two years of legal uncertainty for EU – U.S. data transfers following “Schrems II”. However, Max Schrems has already signaled that his organization, NOYB, will challenge the Framework in the European courts, in part because an Executive Order does not have the same enduring force as a law enacted by Congress to limit U.S. government access to EU personal data.

Takeaway: Ironically, approval of the Framework by European authorities could enable companies to take the position that the U.S. offers “adequate” privacy protections to EU data subjects. This could obviate the need to conduct transfer impact assessments for EU – U.S. data transfers (as currently required by the SCCs), or implement supplemental protective measures. Developments concerning the Framework and the progress of the Executive Order should be closely monitored. If the Framework is adopted, companies considering using it may wish to delay doing so to see how any legal challenges play out and how the EU or U.S. authorities interpret the Framework – either through official guidance or enforcement.

_____________________________________________________

Utah Enacts Comprehensive Consumer Privacy Legislation

On March 24, 2022, Utah’s comprehensive consumer privacy law, the Utah Consumer Privacy Act (“UCPA”), was signed into law. Utah is the most recent state to enact a comprehensive state privacy law, following in the footsteps of California, Colorado and Virginia. The UCPA will take effect on December 31, 2023.

Subject to certain exceptions, the UCPA applies to organizations that determine the means and purposes of processing personal data (“Controllers”) and organizations that process personal data on behalf of Controllers (“Processors”). The UCPA applies to Controllers and Processors that (i) conduct business in Utah or produce a product or service targeted to Utah residents; (ii) have annual revenues greater than $25 million; and (iii) either (a) control or process personal data of 100,000 or more consumers during a calendar year or (b) derive over 50% of gross revenue from the sale of personal data in addition to controlling or processing the personal data of 25,000 or more consumers.

Under the UCPA, Utah consumers will have rights similar to those offered under other recently-implemented U.S. state privacy laws. These include the right to (i) confirm whether a Controller is processing their personal data and to access that data; (ii) delete their personal data; and (iii) data portability. Utah consumers will also have the right to opt-out of (i) sales of their personal data and (ii) the use of their personal data for targeted advertising. A “sale” of personal data is narrowly defined under the UCPA as “the exchange of personal data for monetary consideration by a controller to a third party.” The UCPA does not give consumers a right to correct inaccuracies in their personal data. Controllers will be required to respond to authenticated rights requests within 45 days.

Certain organizations are not subject to the UCPA, including (i) financial institutions and affiliates of financial institutions governed by the Gramm-Leach-Bliley Act; (ii) higher education institutions; (iii) nonprofits; and (iv) covered entities that are subject to the Health Insurance Portability and Accountability Act. The UCPA will not give rights to consumers acting in the employment or commercial contexts, which is understood to be equivalent to the California Consumer Privacy Act’s current carve-outs for employee data and “B2B” data.

The UCPA does not offer a private right of action. The statute will be enforced by the Utah Attorney General. It includes a right to cure any potential violations before enforcement action is taken. Violations under the UCPA can result in a fine of up to $7,500 per violation, as well as payment of any actual damages to the consumer.

Takeaway: Businesses should evaluate whether they are caught by the UCPA and determine what exemptions may apply to their processing of personal data. If within scope, businesses should begin to evaluate their data privacy policies and procedures and monitor for any further developments or regulations in preparation for the UCPA’s December 31, 2023 effective date. Due to the UCPA’s similarities to the other U.S. state privacy laws, the UCPA is not expected to create any significantly unique obligations for businesses beyond those imposed by the California, Virginia and Colorado laws.

_____________________________________________________

EU Institutions Reach Agreement on Key Terms of Digital Markets Act

On March 24, 2022, the EU Commission, Council and Parliament reached a political agreement on the key terms of the future Digital Markets Act (“DMA”), signaling the start of a new era of Big Tech regulation, and digital enforcement as a whole.

The DMA, first put forward by the EU Commission in December 2020, aims to subject so-called "gatekeepers" to a set of new obligations – mainly inspired by previous competition law cases in the digital sector, as well as unfair trade practices regulation – to strengthen fairness in the digital sector. According to the latest reports, a company providing core platform services will be presumed to be a gatekeeper if it (i) generated at least EUR 7.5bn in revenue in Europe for the last three years or has a market capitalization exceeding EUR 75bn and (ii) has at least 45 million monthly end users and 10,000 yearly business users. The EU Commission can also designate companies that do not meet these thresholds as “gatekeepers” under certain strict conditions.

Once the DMA is formally adopted and in force, designated gatekeepers will have to comply with a flurry of obligations, including interoperability requirements, prohibitions on self-preferencing and data access provisions. The DMA also strengthens the privacy obligations with which gatekeepers will need to comply by requiring users’ explicit consent for the combination and cross-use of data. Where a user has refused or withdrawn that consent, gatekeepers will not be permitted to repeat the request for the same purpose more than once a year. Gatekeepers would also need to provide less data-intensive alternative versions of their services for users who object to data combination.

The agreed text strengthens the EU Commission’s enforcement powers, granting it the power to impose fines of up to 10% of a gatekeeper’s worldwide turnover in the preceding financial year for noncompliance, increased to 20% in cases of repeated infringements, with the possibility of imposing a ban on mergers and acquisitions in cases involving systemic non-compliance.

Some areas of the DMA remain uncertain. For example, it is unclear which directorate general of the EU Commission will be leading the enforcement of the DMA: DG COMP, in charge of competition law, or DG CONNECT, responsible for the digital single market. There also are concerns relating to the resources needed for enforcement, which will likely lead to heated discussions in the upcoming EU budget debate. According to Commissioner Vestager, the hope is that the DMA will enter into force in October 2022 with gatekeepers required to comply by February 2024.

Takeaway: The political agreement on the DMA is a significant step in Big Tech enforcement that will change the digital regulatory landscape. It also confirms the EU’s leading role in this sector, and the EU enforcement authorities clearly hope that the DMA will inspire similar regulations worldwide. All companies active in the online space – not only gatekeepers – should keep a close watch on the DMA.

_____________________________________________________

EDPB Adopts Guidelines on use of Dark Patterns in Social Media Interfaces

On March 14, 2022, the European Data Protection Board (“EDPB”) published guidelines on how to recognize and avoid dark patterns in social media interfaces that could infringe the GDPR (the “Guidelines”). The Guidelines are open for public consultation, and interested parties can submit comments until May 2022.

Dark patterns are defined as interface and user-experience designs that lead users to make unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. Dark patterns can be separated into interface-based patterns, i.e., relating to the way content is displayed to the user, and content-based patterns, i.e., relating to the wording and information provided.

The Guidelines classify dark patterns into six categories, with various subtypes, usefully summarized in an Annex. The Guidelines also provide numerous examples of how dark patterns can appear throughout the life cycle of a social media account, from onboarding to account deletion, and explain what would constitute a dark pattern in the presentation of privacy information and privacy management tools during the use of the account.

Dark patterns warrant attention because they can infringe many provisions of the GDPR, especially Article 5, which requires fair and transparent processing and accountability, and Article 7, which sets out the conditions for valid consent.

Aside from identifying problematic dark patterns, the Guidelines also include best practices for designing interfaces and for drafting consent and privacy wording. The Guidelines could be a useful tool for all companies in their compliance efforts under the GDPR and other regulations, such as consumer protection laws or the upcoming Digital Services Act, on which the EU Parliament adopted its position in January 2022 (see Cyber Bits issue 7).

Takeaway: The new Guidelines are a must read for any company interacting with users online, to promote awareness of the pitfalls and risks associated with practices that regulators may characterize as dark patterns. Social media providers in particular should review these Guidelines carefully and assess whether their interfaces comply with the new rules or put them at risk of infringing GDPR.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
