Global Privacy & Cybersecurity Update Vol. 15

by Jones Day

Regulatory—Policy, Best Practices, and Standards

FTC Comments on Improvements to IoT Device Security

On June 19, the Federal Trade Commission ("FTC") submitted comments to a working group convened by the Department of Commerce's National Telecommunications and Information Administration on draft guidance about the "key elements" to consider when informing consumers about security updates for Internet of Things ("IoT") devices. According to the FTC, such "key elements include whether the device can receive security updates, how it will receive them, and when support for the device would end." The guidance is part of a multi-stakeholder effort to improve the security updatability and patchability of IoT devices.

DOJ Issues Framework for Vulnerability Disclosure Programs

In July, the U.S. Department of Justice ("DOJ") Criminal Division's Cybersecurity Unit released a framework to help public- and private-sector organizations design vulnerability disclosure programs that reduce the risk that authorized security research will run afoul of the Computer Fraud and Abuse Act. The framework is intended to assist organizations in instituting formal vulnerability disclosure programs that surface security issues before they lead to the compromise of sensitive data or the disruption of services.

NICE Issues Cybersecurity Workforce Framework

On August 7, the National Initiative for Cybersecurity Education ("NICE") released Special Publication 800-181, the NICE Cybersecurity Workforce Framework. The publication is intended to serve as a standard reference to "provide organizations with a common, consistent lexicon that categorizes and describes cybersecurity work by Category, Specialty Area, and Work Role." Organizations or industries "can use the publication to develop additional publications or tools that meet their needs to define or provide guidance on different aspects of workforce development, planning, training, and education."

NIST Contemplates New Safeguards for Information Systems and IoT

On August 15, the National Institute of Standards and Technology ("NIST") issued a draft of the fifth revision of its Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. According to a senior NIST policy adviser, the revised draft "covers the overlap in security and privacy for systems, as well as the ways in which they are distinct [and] also enhances the ability for both professional teams to collaborate yet still maintain their respective authorities." The draft was "[d]eveloped by a joint task force of representatives from the civil, defense and intelligence communities" and "represents an ongoing effort to produce a unified information security framework for the federal government."

Regulatory—Consumer and Retail

FTC Provides Additional Insights on Reasonable Data Security Practices

On July 21, the FTC began publishing a series of blog posts using hypothetical examples to inform businesses on reasonable best practices to protect and secure consumer data. The examples are based on closed investigations, FTC law enforcement actions, and questions from businesses. The blog posts follow the FTC Acting Chairman's pledge to provide more information to businesses about practices that contribute to reasonable data security.

FTC Hosts Cybersecurity Roundtables with Small Businesses

On July 25, the FTC hosted its first in a series of roundtables with small business owners. The program, titled "Engage, Connect, and Protect Initiative: Small Business and Data Security Roundtable," discussed pressing challenges small businesses face in protecting the security of computers and networks.

FTC Approves Modifications to Children's Privacy Compliance Oversight Program Proposal

On July 27, the FTC approved changes to a private compliance and data security company's self-regulatory guidelines regarding children's privacy. The adopted changes require that companies in the program annually assess whether third parties collect personal information from children.

Regulatory—Defense and National Security

Sixth Annual Cyber Guard Exercise Simulates Destructive Cyberattacks against Critical Infrastructure

On July 5, U.S. Cyber Command ("Cybercom"), the Department of Homeland Security, and the FBI co-led the sixth annual Cyber Guard training exercise. The exercise involved more than 700 cyber operators who rehearsed a whole-of-nation response to destructive cyberattacks against U.S. critical infrastructure.

Regulatory—Financial Services

Colorado Adopts New Cybersecurity Rules for Broker-Dealers and Investment Advisers

On June 19, the Colorado Division of Securities adopted new cybersecurity rules applicable to broker-dealers purchasing securities in Colorado and investment advisers who do business in the state. The rules establish general guidelines for reasonable cybersecurity practices and mandate a number of specific practices, including the establishment and maintenance of written procedures reasonably designed to ensure cybersecurity. The rules became effective on July 15.

SEC Acting Director Addresses Role of Big Data, Machine Learning, and Artificial Intelligence

On June 21, the Securities and Exchange Commission ("SEC") Acting Director and Chief Economist gave a keynote address titled "The Role of Big Data, Machine Learning, and AI in Assessing Risks: A Regulatory Perspective" at the Annual Operational Risk North America Conference. The director discussed the role of artificial intelligence in assessing risk and the spin-off field of "Regtech" to make compliance and regulatory-related activities easier, faster, and more efficient.

SEC Chairman Testifies on Planned Cybersecurity Initiatives

On June 27, the SEC Chairman testified to the Senate Subcommittee on Financial Services and General Government regarding the Commission's 2018 Budget Request, observing that the SEC's Office of Compliance Inspections and Examinations ("OCIE") planned to increase its examinations to ensure that cybersecurity infrastructure is "secure and resilient."

SEC OCIE Issues Risk Alert with Observations from Cybersecurity Examinations

On August 7, OCIE staff released a risk alert containing the staff's observations from its Cybersecurity 2 Initiative, an examination of 75 investment advisers, broker-dealers, and investment companies to assess industry practices and legal and compliance issues related to cybersecurity preparedness. While the staff noted a general increase in preparedness among the firms it examined, it also observed a number of issues that firms should consider in order to improve their cybersecurity policies and procedures.

Regulatory—Health Care/HIPAA

Malware Attack on Medical Equipment Provider Affects 550,000 Patients

On June 26, a medical equipment company revealed that it suffered a breach of its network server, affecting patient health information of approximately 550,000 current and past customers, as well as 1,160 current and past employees of the company and its affiliates.

Task Force Issues Six Recommendations for Health Care Cybersecurity

In June, the Health Care Industry Cybersecurity Task Force published its "Report on Improving Cybersecurity in the Health Care Industry." The report noted the condition of health care cybersecurity and outlined six key recommendations: (i) define and streamline leadership, governance, and expectations; (ii) increase security and resilience of medical devices and health IT; (iii) develop workforce capacity to prioritize cybersecurity; (iv) improve awareness and education; (v) identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure; and (vi) improve information-sharing of industry threats, risks, and mitigations.

FDA Issues Draft Guidance on Electronic Privacy, Security, and Reliability Criteria for Clinical Trial Records

In June, the Food and Drug Administration ("FDA") published draft guidance on electronic privacy requirements for clinical trial records. The guidance details: (i) "Procedures that may be followed to help ensure that electronic records and electronic signatures meet FDA requirements and that the records and signatures are considered trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper"; and (ii) "the use of a risk-based approach when deciding to validate electronic systems, implement audit trails for electronic records, and archive records…." For more information, see the Jones Day Alert.

HHS Launches Improved Online Reporting Tool

On July 25, the U.S. Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR") unveiled a revised web tool that identifies recent breaches of health information and educates the industry on the occurrence, investigation, and resolution of breaches. OCR noted that the revised HIPAA Breach Reporting Tool, originally released in 2009, features enhanced functionality that highlights breaches currently under investigation, a new archive that includes the resolution of previous breaches, improved navigation, and consumer tips.

Litigation, Judicial Rulings, and Agency Enforcement Actions

FTC Settles with Loan Application Company for Unlawfully Selling Consumer Data

On July 5, the FTC settled with a lead generation business for unlawfully selling consumer loan application data to "a variety of entities without regard for how the information would be used or whether it would remain secure." According to the FTC's press release, the company "promised to protect and secure the sensitive information consumers provided," but "sensitive personal and financial information was shared and sold indiscriminately without consumers' knowledge or consent." The settlement includes a $104 million judgment, which is suspended based on the defendants' inability to pay.

Ninth Circuit Backs Gag Orders on FBI Data Requests

On July 17, the Ninth Circuit rejected a constitutional challenge to the FBI's use of national security letters ("NSLs") that bar service providers from telling users about government requests for their data, ruling that the nondisclosure requirement does not violate the First Amendment. The court concluded that the NSL nondisclosure requirement is a content-based restriction on speech that is subject to strict scrutiny, but that it withstands that scrutiny and is therefore constitutional.

Treasury Department Fines E-Currency Exchange $110 Million for Money Laundering

On July 27, the Department of the Treasury's Financial Crimes Enforcement Network fined one of the world's largest digital currency exchanges $110 million for anti-money-laundering violations, and both the exchange and one of its operators were charged with processing transactions tied to criminal activity, including funds from the recent hack of a Bitcoin exchange.

Circuit Courts Interpret Standing Post Spokeo

  • On August 1, a Seventh Circuit panel declined to revive Fair Credit Reporting Act ("FCRA") lawsuits against a large cable television company and a student loan provider, finding that the plaintiff had not demonstrated that he suffered an injury sufficient to establish standing under the U.S. Supreme Court's Spokeo decision.
  • On August 1, the D.C. Circuit revived a putative class action brought by policyholders against a large insurance company over a 2014 data breach, finding that the alleged heightened risk of identity theft and medical fraud was enough to establish standing under the U.S. Supreme Court's landmark Spokeo decision.
  • On August 15, the Ninth Circuit, on remand from the U.S. Supreme Court, ruled that the plaintiff claimed a sufficiently concrete injury against Spokeo to meet the Article III standing requirements established by the Supreme Court. The Ninth Circuit held that the plaintiff met the standing bar by alleging an intangible statutory injury without any additional harm because Congress had crafted the FCRA provisions at issue to protect consumers' concrete interests in accurate credit reporting about themselves.

Advertising Company Reaches $31 Million Settlement with Car-Listing Service

On August 3, a large classified advertising company filed a stipulated judgment of $31 million to settle and release claims against a used-car listing service that scraped contact information and other content from the advertising giant's website. According to the agreement, the listing service copied content from the advertising company's website, including users' contact information and pictures, and sent emails to the users seeking more information, which it then used to create unauthorized advertisements on its own website.

33 State Attorneys General Settle Data Breach with Major Insurance Company

On August 9, a coalition of 33 state Attorneys General announced a $5.5 million settlement with a major national insurance company and a subsidiary for a 2012 data breach that resulted in the loss of personal information belonging to more than 1.2 million Americans. The data breach was allegedly caused by the failure to apply a critical security patch, and lost data included Social Security numbers, driver's license numbers, credit scoring information, and other personal data.

FTC Settles Charges with Tax Preparation Service for GLBA Violations

On August 29, the FTC announced a settlement with a tax preparation service for violations of the Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act ("GLBA"). The FTC alleged that hackers were able to gain full access to nearly 9,000 accounts and subsequently used that information to engage in tax identity theft. The FTC cited deficient security practices, which included a failure to "conduct a risk assessment to identify reasonably foreseeable internal and external risks to security," and a failure to "implement adequate risk-based authentication measures that would have helped reduce the chances of an attack from hackers who had used stolen credentials." As part of the settlement, the tax preparation service must obtain biennial third-party assessments of its GLBA compliance.

FTC and State Attorneys General Settle with Computer Manufacturer for Security Vulnerabilities on Laptops

On September 5, the FTC and 32 state Attorneys General agreed to settle charges that a major computer manufacturer "harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers." In its press release, the FTC described how the pre-loaded software created vulnerabilities that exposed consumers' information and communications to potential attackers. Under the settlement, the company is prohibited from misrepresenting features of the software on its devices and must implement a comprehensive software security program for 20 years, subject to third-party audits.

Legislative—Federal

House Passes DHS Reauthorization Bill with New Cybersecurity Provisions

On July 20, the House of Representatives passed the Department of Homeland Security Reauthorization Act, which contains new cybersecurity directives and Department functions that were absent from the original 2002 legislation. The bill, which awaits consideration in the Senate Committee on Homeland Security and Governmental Affairs, reorganizes the department's cybersecurity policy office, promotes information-sharing, and requires the department to implement a cybersecurity risk model for the airline industry.

House Passes SELF DRIVE Act

On September 6, the House of Representatives unanimously approved the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution ("SELF DRIVE") Act. The bill is the first piece of federal legislation that aims to regulate the manufacture, testing, and use of autonomous, or self-driving, cars in the United States. For more information, see the Jones Day Alert.

Legislative—States

New Mexico Data Breach Notification Law Takes Effect

On June 16, New Mexico's data breach notification law became effective, leaving Alabama and South Dakota as the only states without such laws. The law governs data breach notification requirements for entities storing and using personal identifying information about New Mexico residents and also establishes requirements for securing and disposing of that information. The law generally requires notification to affected consumers within 45 days of discovery of a breach.

Virginia and Delaware Amend Laws

Virginia amended its data breach notification law effective July 1, adding a requirement that employers or payroll service providers give notice to the Attorney General's office if payroll information is compromised. Delaware likewise amended its data breach notification law. Among other requirements, the law expands the definition of "personal information" to include medical history, health insurance policy numbers, and unique biometric data. It also requires, subject to certain exceptions, that the data collector notify the Delaware Attorney General if the affected number of residents exceeds 500 and that notice be made no later than 60 days after the data breach. Finally, if the data breach included a Social Security number, the data collector must offer, at no cost to the Delaware resident, credit monitoring services for a period of one year. The amendment becomes effective on April 14, 2018.

New Jersey Adopts Law to Limit Retailers' Use of Identification Data

On July 21, New Jersey Governor Chris Christie signed a bill to restrict how retailers collect and use consumers' personal information stored on identity cards. The law will limit the purposes for which retailers may scan identification cards to verifying identity for credit card purchases or for other credit approval purposes, verifying age for age-restricted goods, carrying out contracts, preventing fraud, or as required by law. Retail stores may collect only a person's name, address, and date of birth; the state that issued the ID card; and the ID card number. The law goes into effect on October 1.

Canada

Canadian and Chinese Governments Agree to Refrain From State-Sponsored Hacking

On June 22, the Canadian Prime Minister's Office issued a Joint Communique summarizing the second meeting of the Canada-China High-Level National Security and Rule of Law Dialogue. During the discussion, the two countries reached an agreement that neither "would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors."

Ministers and Attorneys General Issue Joint Communique Recognizing Cooperation to Address Cyber Threats

On June 27, the Interior Ministers, Immigration Ministers, and Attorneys General of Australia, Canada, New Zealand, the United Kingdom, and the United States met in Ottawa to discuss national security challenges facing their nations. In a subsequent Joint Communique, the Ministers and Attorneys General noted "the robust cooperation underway between our five countries on cyber issues" and the countries' "collective efforts to study and assess key emerging issues and trends in cyber security to prevent, detect and respond to cyber threats."

Information Technology Association of Canada Releases Cybersecurity Recommendations for 2018 Canada Budget

On August 4, the Information Technology Association of Canada released a submission outlining 24 recommendations across nine areas for the federal government's 2018 budget. The submission listed cybersecurity as one of nine areas of focus and made a number of recommendations, including that the government "[a]ppoint an externally focused Chief Information Security Officer for Canada" to act as a liaison between the government, businesses, and the public, and "centralize cyber security leadership within the federal government and provide Shared Services Canada with the necessary investments to protect the Government of Canada's cyber perimeter and critical infrastructure."

The following Jones Day lawyers contributed to this section: Jeremy Close, Jeff Connell, Steve Erkel, Tyler Harris, Jay Johnson, Tyson Lies, Dan McLoon, Mary Alexander Myers, Kara O'Connell, Mauricio Paez, Nicole Perry, Alexa Sendukas, Anand Varadarajan, and Jenna Vilkin.

Brazil

MCTIC Launches "Internet of Things" Consultation

On June 6, the Ministry of Science, Technology, Innovation and Communications (Ministério da Ciência, Tecnologia, Inovações e Comunicações) ("MCTIC") launched a new consultation (source document in Portuguese) in support of the "National Internet of Things Plan" developed by the federal government. The contributions will be used to map the companies and scientific and technological institutions that offer IoT technologies, products, services, and solutions in Brazil.

MCTIC Issues Public Consultation on Strategy for Digital Transformation

On August 1, MCTIC launched a public consultation (source document in Portuguese) regarding the Brazilian Strategy for Digital Transformation, which includes guidelines and targets for the digitization of the Brazilian economy in the coming years. The proposal was drafted by an Interministerial Working Group coordinated by MCTIC, and it will be open to public comment for 30 days. The final version will be sent as a draft decree to the Presidency of the Republic.

Colombia

Colombian Data Protection Authority's Total Fines Exceed US$1 Million

On June 8, the Colombian Industry and Commerce Superintendence (Superintendencia de Industria y Comercio) ("SIC") issued a notice (source document in Spanish) stating that since 2010 it has imposed 619 fines totaling more than US$1 million. The most frequent violations, which account for most of the sanctions imposed by SIC, are breaches of the habeas data rules set out in Law 1266 of 2008. To remedy such violations, SIC has issued 1,094 orders to correct, update, or delete personal data held in corporate databases.

SIC Launches Public Consultation on Draft Regulation for Cross-Border Data Transfers

On July 18, SIC launched a consultation on a draft regulation (source document in Spanish) regarding cross-border data transfers. The draft regulation establishes the criteria SIC would use to determine whether a third country provides an adequate level of data protection, and it also provides an updated list of countries granted adequacy status for purposes of cross-border transfers. The criteria include the existence of rules for lawful data processing, the recognition of data subjects' rights and of obligations for data controllers and data processors, and the presence of a supervisory authority.


Ibero-American Data Protection Network Approves New Standards for Personal Data Protection

During the 15th Annual Ibero-American Data Protection Conference held on June 20-22, the Ibero-American Data Protection Network issued the Standards for Personal Data Protection for Ibero-American States. The standards establish a common framework of data protection principles and rights for the different national legislations throughout the Ibero-American region.

Mexico

Mexican Government Issues Working Document on National Cybersecurity Strategy

On July 12, the Mexican government issued (source document in Spanish) a working document for a National Cybersecurity Strategy. The document sets forth guidelines for individuals, companies, and public entities on how to use information and communication technologies in a secure manner that promotes the economic, political, and social development of Mexico. The Strategy has four strategic pillars: economy, society, government, and national security. It is also informed by eight cross-cutting principles: legal framework; capacity development; coordination and collaboration; research and development; technical standards and criteria; measurement and assessment; awareness, culture, and prevention; and protection of critical information infrastructure. Compliance with the Strategy will be mandatory for the executive branch of the federal government, while other public- and private-sector entities may adopt it voluntarily and cooperatively.

INAI Issues Security Recommendations for Social Media Users

On July 28, the National Institute for Transparency, Access to Information, and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) ("INAI") issued recommendations (source document in Spanish) for avoiding risks when sharing personal data on social media. Given the prevalence of social media use, INAI suggests that users avoid contact with unknown users, log out properly when accessing accounts from a cybercafé or public computer, create strong passwords that combine different types of characters, choose appropriate privacy and security settings for their accounts, refrain from conducting business transactions through social media, disclose personal information on social media only in a controlled and responsible manner, and raise awareness among family members and friends of the importance of using social media responsibly.

INAI Issues Recommendations for Biometric Identification Systems in Mobile Banking

On July 30, INAI issued recommendations (source document in Spanish) for avoiding risks when using biometric identification systems with financial institutions. These guidelines advise users to inform themselves about the risks of biometric data processing in order to make sound decisions, review the privacy policy and/or notice of mobile banking apps, download mobile banking apps only from authorized app stores, authorize the use of biometric data only when necessary, provide as little biometric data as possible, and use biometric authentication as a secondary method that complements other security measures.


Ministry of Justice and Human Rights Signs Personal Data Protection Commitment

On July 8, the Ministry of Justice and Human Rights (Ministerio de Justicia y Derechos Humanos), through the Directorate General of Personal Data Protection and along with 11 representatives of taxi and transport services companies that provide services via virtual applications, enacted a resolution (source document in Spanish) concerning the protection of users' personal data. This resolution, or "commitment," followed several claims that taxi drivers were using clients' personal data to sexually harass them. According to the resolution, companies will train taxi drivers in order to avoid sexual harassment, work on the implementation of clauses regarding data protection in their contracts, and strengthen measures that protect the confidentiality of users.

The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, and Mónica Peña Islas.


European Union

EU and U.S. Establish Arbitration Mechanism under Privacy Shield

On June 14, the European Commission and the U.S. Department of Commerce ("DoC") agreed to an arbitration mechanism that Europeans whose personal data has been transferred to certified U.S. companies may invoke if they believe their data protection rights under the Privacy Shield have been infringed. For the mechanism to become fully operational, the Commission and the DoC must agree on a list of arbitrators.

EDPS Releases Opinion on Proposal for Single Digital Gateway Regulation

On August 1, the European Data Protection Supervisor ("EDPS") released an Opinion on the proposal for a regulation establishing a single digital gateway under the "once-only" principle. The "once-only" principle is "aimed at ensuring that citizens and businesses are requested to supply the same information only once to a public administration, which can then re-use the information they already have." The proposal seeks to create a technical system for specified cross-border procedures. Among the critiques offered in the opinion, EDPS suggests "clarifying that the Proposal does not provide a legal basis for using the technical system for exchanging information for purposes other than those provided for in the four directives listed or otherwise foreseen under applicable EU or national law, and that the Proposal does not aim to provide a restriction on the principle of purpose limitation under the GDPR [General Data Protection Regulation]."

Article 29 Working Party

Article 29 WP Releases Opinion on Data Processing at Work

On June 8, the Article 29 Working Party ("WP") adopted an Opinion on data processing in the workplace. The Opinion assesses how to balance employers' legitimate interests in monitoring with employees' reasonable privacy expectations, outlining the risks posed by new monitoring technologies. In addition to discussing the EU Data Protection Directive, the Opinion examines the additional obligations the GDPR places on employers.

Article 29 WP Issues Guidance on International Transfers under GDPR

On June 13, the Article 29 WP addressed a letter to the European Securities and Markets Authority ("ESMA"). The letter provides guidance and recommendations to ESMA and European national financial supervisory authorities on how to frame international transfers of personal data under Article 46 of the GDPR and how to draft legal instruments for data transfers to countries that have not been recognized by the European Commission as offering adequate data protection.

Article 29 WP Publishes Letter on EU-U.S. Privacy Shield Annual Joint Review

On June 15, the Article 29 WP issued a letter to the European Commission in preparation for the annual Joint Review on the Privacy Shield. In the letter, the Article 29 WP discussed questions and recommendations that it will raise during the review relating to law enforcement and national security access.

European Network and Information Security Agency

ENISA Publishes 2016 Annual Incident Report

On June 16, the European Network and Information Security Agency ("ENISA") published its annual report on significant outage incidents in the European electronic communications sector. The incidents are reported by the national regulatory authorities of the EU Member States to ENISA and the European Commission under Article 13a of the Framework Directive, as amended by Directive 2009/140/EC. The major findings in the report include: (i) mobile internet was the most affected service; (ii) malware caused the longest-lasting incidents; and (iii) system failures affected, on average, the most user connections per incident.

ENISA Publishes Security Guidelines on Website Authentication Mechanisms

On June 27, ENISA released a series of documents to assist parties relying on qualified electronic signatures, seals, time stamps, eDelivery services, and website authentication certificates, as defined in Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions (eIDAS). The series explores possible applications and advises on how to use these trust services correctly as more financial transactions move to the online marketplace.

ENISA Publishes Cyber Europe 2016: After Action Report

On June 30, ENISA released the Cyber Europe 2016: After Action Report on its fourth pan-European cyber crisis exercise. The exercise simulated a realistic crisis build-up over a time period of six months, and participants had to "follow existing business processes, agreements, communication protocols and regulations to mitigate effectively the situations presented to them."

Belgium

Privacy Commission Releases Recommendation on Internal Records of Processing Activities

On June 14, the Privacy Commission released a Recommendation (source documents in French and in Dutch) providing guidance on the GDPR requirement to maintain records of data processing activities. Among other topics, the Recommendation covers the responsibility of maintaining internal records for both data controllers and data processors, the purpose of the requirement, the content of records of activities, and recipients of such internal records.

France

French Supreme Administrative Court Rules in Favor of Transfer to Heirs of Data Subject Status

On June 7, the Conseil d'Etat (French supreme administrative court) overturned a decision (source document in French) of the French Data Protection Authority (Commission Nationale Informatique et Libertés, or "CNIL"), which had held that the personal data of a car accident victim could not be transferred to the victim's heirs. During legal proceedings to obtain damages for the accident, the heirs were denied access to the victim's personal data held by the victim's insurance company, and CNIL subsequently rejected the heirs' complaint. On appeal, the Conseil d'Etat ruled that the right to claim damages and the associated right of access as a data subject had validly passed to the heirs, provided that such access is limited to the information necessary to obtain damages within the framework of the proceedings.

CNIL Warns that Anti-Terrorist Bill Requires Enhanced Security Measures

On July 6, CNIL held a plenary meeting to discuss the anti-terrorist bill, concluding that the bill provides for extended personal data processing that requires CNIL's involvement in the drafting process. CNIL noted the intrusive nature of the bill's personal data processing measures and the need for enhanced safeguards. CNIL also cautioned that the Passenger Name Record regime established by the bill has a broader scope than the EU PNR Directive (2016/681), and that the bill provides for spot checks but no ex post control by CNIL (source documents in French).

French Information Systems Security Agency Releases "Agile" Guidelines

On July 26, the French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d'information, or "ANSSI") and the Interministerial Directorate for Digital Affairs and the State Information and Communication System ("DINSIC") released the "Agile" guidelines (source document in French), which provide guidance on building information system security into agile project delivery.

Germany
Federal Commissioner Publishes Guidance on Automated and Connected Driving

On June 1, the German Federal Commissioner for Data Protection and Freedom of Information published recommendations (source document in German) on automated and connected driving aimed at preserving users' informational self-determination. Several of the Commissioner's recommendations address the principle of data minimization and limiting data processing to what is necessary for the operation of the service.

DPA Issues Questionnaire for GDPR Implementation

On July 5, the Bavarian Data Protection Authority ("DPA") published an English version of its Questionnaire for GDPR Implementation. The questionnaire contains basic questions that a company can use to check whether it meets the requirements set out by the GDPR.

Germany Warns of Cyber Espionage Threats from State Actors

On July 21, Bitkom (Germany's digital industry association) released a report (source document in German) titled "Business Protection in the Digital World," which finds that 53 percent of German companies have been victims of economic espionage, and that more than €55 billion is lost each year to espionage or sabotage in the German market. Separately, the German domestic intelligence and security service warned in its annual Report on the Protection of the Constitution that state actors are key players in cyber espionage targeting Germany. Both reports note that fewer than one third of affected companies turn to the government for assistance when dealing with an attack.

Italy
DPA Chairman States Six-Year Data Retention is Excessive

On July 25, DPA Chairman Antonello Soro testified before the National Security Committee on a recent amendment (source document in Italian) introducing a six-year retention period for the telephone traffic data of Italian users. The Chairman stated that the retention period is excessive and introduces data processing practices that conflict with existing law and regulations at the EU level.

The Netherlands

Transport Company Corrects Privacy Violations

On July 11, the Dutch Data Protection Authority ("DDPA") announced (source document in Dutch) that Nippon Express, a major transport company, had ended the unlawful processing of its drivers' national identification numbers. According to the DDPA, the company scanned its drivers' identity documents using equipment and services from an external service provider but did not take sufficient measures to prevent identity fraud using the scanned IDs. The DDPA also found that the company retained the scans for longer than necessary for the purpose for which they were collected.

Spain
Spanish Government Publishes Preliminary Draft of Organic Law on Protection of Personal Data

In June 2017, the Spanish government published a preliminary draft Organic Law on the Protection of Personal Data (78 articles), which would repeal the Spanish Data Protection Law originally passed in 1999. The new law adapts Spanish legislation to the changes introduced by the GDPR and clarifies its legislative provisions. The draft will be subject to hearings and a public consultation process before it is formally approved and takes effect.

Spanish DPA and ENAC Present Data Protection Officer Certificate

On July 13, the Spanish Data Protection Agency ("SDPA"), in collaboration with the National Entity of Accreditation ("ENAC"), presented the Data Protection Officer Certificate (source document in Spanish). The SDPA became the first European Data Protection Authority to implement a framework to appoint a Data Protection Officer and a Data Protection Officer Certificate. Although certification is not required to become a Data Protection Officer, the process will benchmark the standards and qualifications of Data Protection Officer candidates.

Spanish DPA Rewards Public and Private GDPR Compliance Initiatives

On August 7, the Spanish DPA published the criteria (source document in Spanish) used to evaluate candidates for the 2017 Personal Data Protection Awards. The awards recognize good practices by private and public organizations and promote knowledge of the GDPR, which applies from May 25, 2018.

United Kingdom

UK Announces New Data Protection Law

On August 7, the UK government released a statement of intent to update data protection law through a new Data Protection Bill. The bill would make it simpler to withdraw consent to the use of personal data, provide a right to have personal data erased, and make it easier for individuals to require an organization to disclose the personal data it holds and to move personal data between service providers. In addition, the bill would create new criminal offenses to deter organizations from intentionally or recklessly re-identifying individuals from anonymized data.

The following Jones Day lawyers contributed to this section: Paloma Bru, Laurent De Muyter, Undine von Diemar, Marina Foncuberta, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Matthijs Lagas, Jonathon Little, Martin Lotz, Hatziri Minaudier, Giuseppe Mezzapesa, Selma Olthof, Audrey Paquet, Elizabeth Robertson, and Rhys Thomas.


Hong Kong

PCPD Investigates Personal Data Loss of Electors

On June 12, the Privacy Commissioner for Personal Data ("PCPD") released an investigation report on two lost laptops containing the personal information of electors. The report concluded that the Registration and Electoral Office responsible for securing the devices violated the Data Security Principle (DPP 4) of the Personal Data (Privacy) Ordinance because it "lacked the requisite awareness and vigilance expected of it in protecting personal data, rules of application and implementation of various guidelines were not clearly set out or followed, internal communication was less than effective, and [it] failed to take all reasonably practicable steps in consideration of the actual circumstances and needs to ensure that the Electors' personal data was protected from accidental loss." The PCPD issued an enforcement notice to the office to prevent future violations.

PCPD Comments on Person-to-Person Telemarketing Practices

On July 31, the PCPD submitted comments in response to the public consultation on "Strengthening the Regulation of Person-to-Person Telemarketing Calls." The comments outlined the advantages and disadvantages of each of several approaches to improving the regulatory framework and recommended combining multiple approaches, including a trade-specific self-regulatory regime and a do-not-call register.

Singapore
PDPC Fines Retail Mall for Failing to Secure Data

On July 6, the Personal Data Protection Commission ("PDPC") imposed a S$15,000 fine on a retail mall for failing to adequately secure personal data stored on its server. The inadequate security allowed an attacker to send phishing emails to more than 24,000 subscribers to the mall's rewards program. In addition to the fine, the company must implement a range of new security measures and conduct training for its staff.

PDPC Issues Public Consultation on Approaches to Managing Personal Data

On July 27, the PDPC began seeking public comments on managing personal data in the digital economy. Specifically, the consultation paper asks for the public's comment on "proposed Notification of Purpose and Legal or Business Purpose approaches as parallel bases for collecting, using and disclosing personal data, and the proposed mandatory data breach notification regime under the PDPA." The comment period closes on September 21.

Japan
Personal Information Protection Commission and European Commission Issue Joint Press Release on Mutual Data Transfer

On July 3, the Commissioner of the Personal Information Protection Commission of Japan and the European Commissioner for Justice and Consumers met in Brussels to discuss how to achieve "smooth and mutual data transfer." The joint statement states that the parties are targeting a "simultaneous finding of an adequate level of protection by both sides" by early 2018.

People's Republic of China

National Intelligence Law Takes Effect

On June 28, China's new National Intelligence Law took effect. The law sets out the functions, powers, and privileges afforded to Chinese national intelligence agencies in their activities, including the right to seek and collect information on foreign entities and individuals. The law also requires organizations and citizens to provide assistance and cooperation with intelligence work. For more information on the legislation, see the Jones Day Alert.

China Issues Draft Guidelines on De-Identification of Personal Information

On August 15, the Standardization Administration of China and the General Administration of Quality Supervision, Inspection and Quarantine of China jointly released a draft of "Information Security Technology—Guidelines on De-Identification of Personal Information" for public comment. The draft provides voluntary guidance to data collectors and processors on de-identifying personal information, including how to choose appropriate de-identification models and techniques and how to use the relevant software and tools. The draft guidelines are open for public comment until October 9.

The following Jones Day lawyers contributed to this section: Michiru Takahashi, Li-Jung Huang, and Richard Zeng.

Australia
Information Commissioner Issues New Privacy Code for Australian Government Entities

On May 18, the Office of the Australian Information Commissioner announced that a new APS Privacy Governance Code will apply to all Australian government agencies currently subject to the Australian Privacy Principles. The current draft of the APS Code requires government agencies to: (i) implement a privacy management plan; (ii) appoint a dedicated "Privacy Officer"; (iii) appoint a "Privacy Champion" to promote attention to data privacy issues; and (iv) undertake "Privacy Impact Assessments" for all high-risk projects or initiatives that involve personal information. The APS Code was developed after the Australian Community Attitudes to Privacy Survey 2017 revealed that only 58 percent of Australians surveyed consider government departments trustworthy with respect to data protection. The APS Code will take effect on July 1, 2018.

The following Jones Day lawyers contributed to this section: Adam Salter and Nicola Walker.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising
