Selected Developments in U.S. Law
Alston & Bird Analyzes New California Privacy Rights Act
California voters approved a ballot initiative containing the California Privacy Rights Act of 2020. The ballot initiative significantly revises the existing California Consumer Privacy Act to create arguably the most comprehensive state privacy law in the United States. Alston & Bird has now issued a client advisory explaining key impacts of this law, outlining essential steps for compliance, explaining impacts on existing law, and outlining the operation of a dedicated new privacy regulator and enforcement authority, the California Privacy Protection Agency.
DOJ Announces Indictment of Russian Hackers for Destructive Cyber-Attacks, Including Deployment of NotPetya and Olympic Destroyer Malware
On October 19, 2020, the Department of Justice (DOJ) announced that six Russian GRU officers had been charged with a series of destructive cyber-attacks that affected victims around the globe and caused billions of dollars of damage.
State Financial Regulators Issue Ransomware Mitigation Tool
On October 13, 2020, state financial regulators in partnership with the Bankers Electronic Crimes Task Force and the U.S. Secret Service released the Ransomware Self-Assessment Tool (R-SAT) to help financial institutions mitigate the risks of ransomware. The R-SAT is a detailed questionnaire designed to evaluate the effectiveness of an institution’s general security controls and assist its executive management and board of directors in identifying, responding to, and recovering from a ransomware attack.
California Department of Justice Releases Post-Finalization Modifications to CCPA Regulations
On October 12, 2020, the California Department of Justice released its first set of proposed post-finalization modifications to the California Consumer Privacy Act regulations. As many businesses know, the CCPA regulations were finalized on August 14, 2020. The department styled these new modifications as a “third set of proposed modifications” to the CCPA regulations, suggesting that it sees them as related to the two rounds of modifications it proposed before the regulations were finalized.
New Privacy Browser Extension Released Under CCPA Global Do Not Sell Rules
On October 7, 2020, Global Privacy Control issued a press release announcing an initiative to make a new “global privacy control” available to consumers as contemplated by the CCPA regulations. The CCPA regulations appear to revive the possibility for Do Not Track technology, albeit in the form of Do Not Sell signals automatically broadcast by user-controlled tools.
FinCEN Alerts Financial Institutions on Role in Facilitating Ransomware Attacks
With an increase in the frequency, sophistication, and cost of ransomware attacks, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on October 1, 2020, alerting financial institutions to ransomware trends and typologies, and to related financial red flags, that may give rise to a regulatory obligation to report and share information related to ransomware attacks.
OFAC Ransomware Advisory Warns Companies of Potential Civil Liability
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” The advisory begins with the observation that “ransomware attacks have become more focused, sophisticated, costly, and numerous,” citing certain FBI statistics, before making clear what was already well known to experienced practitioners: paying or facilitating ransomware payments to entities designated by OFAC risks civil penalties.
U.S. Department of Commerce Releases White Paper to Assist Organizations in Conducting Schrems II Assessments
In a letter from Deputy Assistant Secretary James Sullivan, the U.S. Department of Commerce introduced a white paper, “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers After Schrems II,” to assist organizations in conducting independent analyses of data transfers in light of the July 16, 2020 Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II) decision by the Court of Justice of the European Union (CJEU) and, ultimately, in making the case for transferring personal data to the United States using EU-approved transfer mechanisms.
SEC Focused on Protecting Customer Accounts from Credential-Stuffing Attacks
The Office of Compliance Inspections and Examinations has released a risk alert examining credential stuffing in the context of compliance with Regulation S-P and Regulation S-ID, and is encouraging firms to both (1) review and update their policies and procedures to address the risks associated with credential stuffing; and (2) consider proactive outreach to customers about measures taken to safeguard their accounts and personally identifiable information.
California Mandates COVID-19 Exposure and Outbreak Reporting to Employees, Government Agencies
On September 17, 2020, California Governor Gavin Newsom signed AB-685 into law. AB-685 amends a number of portions of California’s Labor Code to address the COVID-19 pandemic. In addition to provisions that regulate reopening activities at California worksites, AB-685 introduces two new COVID-19-related notification obligations for California employers: (1) a requirement to notify employees if there is a potential COVID-19 exposure at a worksite; and (2) mandatory reporting to local California public health departments when COVID-19 cases amount to a regulator-defined “outbreak.”
DOJ Charges Seven Individuals in Connection with Global Hacking Campaigns Against More Than 100 Companies
On September 16, 2020, the DOJ announced that seven individuals believed to be part of a hacking group known as APT41, or “Wicked Panda,” including five Chinese nationals and two Malaysian nationals, were charged in connection with a global hacking campaign that affected more than 100 companies around the world. The charges were included in three separate indictments in August 2019 and August 2020. The DOJ also announced that the two Malaysian residents had been arrested in Sitiawan, Malaysia, pursuant to a provisional arrest request from the United States.
Final CCPA Regulations Approved, Effective Immediately
On Friday, August 14, 2020, the California Office of Administrative Law (OAL) approved the California Office of the Attorney General’s (OAG) final CCPA regulations and filed them with the California Secretary of State. The CCPA regulations became effective immediately. The OAL-approved CCPA regulations contain several modifications from prior versions. While many of the changes are purely stylistic, several changes substantively affect CCPA compliance moving forward.
Massachusetts AG Announces Division Focused on Data Privacy and Security
On August 13, Massachusetts Attorney General Maura Healey announced the creation of a Data Privacy and Security Division within the AG’s office, and named Sara Cable as chief of the new division. The new division is intended to protect Massachusetts consumers from increased threats to the privacy and security of their data.
Brazil’s General Data Protection Law: A Comparison Between Brazil’s Newly Effective Law and the GDPR
Although Brazil’s General Data Protection Law (LGPD), a law similar to the European Union’s General Data Protection Regulation (GDPR), has taken effect, its enforcement provisions will not take effect until August 1, 2021. Those provisions will be enforced by Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados Pessoais (ANPD), which the president established by decree in August. However, the LGPD’s private right of action for violations of data subjects’ rights is effective now.
EDPB Emphasizes Joint Controllership Between Social Media Providers and “Targeters” in Draft Guidance
On September 7, 2020, the European Data Protection Board (EDPB) published its draft guidelines on targeting of social media users. The EDPB accepted feedback from stakeholders on the guidelines until October 19, 2020. The guidelines not only provide guidance on the obligations of social media providers under the GDPR but also emphasize the fact that “targeters” (those that “use social media services in order to direct specific messages at a set of social media users”) will in many circumstances have a “joint controllership” relationship with providers. This entails a number of obligations under the GDPR.
EDPB Publishes Draft Guidelines on the Concepts of Controller and Processor
The EDPB has published draft guidelines on the concepts of controller and processor for public consultation. While its predecessor – the Article 29 Working Party – had issued guidance on the concepts of controller/processor back in 2010, many practical concerns have been raised since the GDPR became effective. These concerns relate in particular to the substance and implications of the concept of joint controllership (in Article 26 GDPR) and the specific obligations imposed on processors (mainly in Article 28 GDPR). The new EDPB guidelines will replace the previous opinion of the Article 29 Working Party but are currently open for stakeholder feedback.
European Parliament Committee Meeting Provides Insight into the Future of EU-U.S. Personal Data Flows
On September 3, 2020, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) met to discuss the future of EU-U.S. personal data flows following the Schrems II decision. In particular, the session was attended by Max Schrems, EU Commissioner for Justice Didier Reynders, and Andrea Jelinek (head of the EDPB).
German DPA Publishes Schrems II Transfer Compliance Checklist and Suggested Modifications to SCCs
On August 24, 2020, the data protection authority of the German state of Baden-Württemberg published guidance on international transfers of personal data following the Schrems II judgment. This represents the first comprehensive guidance by a European privacy supervisor indicating how it intends to enforce the Schrems II decision.
EDPB Guidance on the Schrems II Ruling: An Early Response to the Cry for Clarity
On July 23, 2020, the EDPB adopted its first set of guidelines on the Schrems II judgment of the CJEU. In Schrems II, the CJEU analyzed two data transfer “mechanisms” to transfer personal data from the EU to third countries or international organizations.
After Schrems II: A Proposal to Meet the Individual Redress Challenge
On July 16, 2020, the CJEU invalidated the EU-U.S. Privacy Shield in the Schrems II case. In an article written by Georgia Tech professor and Alston & Bird senior counsel Peter Swire with Kenneth Propp, “After Schrems II: A Proposal to Meet the Individual Redress Challenge,” the authors argue that the core fundamental rights concerns expressed by the CJEU must be addressed in order for the EU and U.S. to negotiate a replacement agreement.