Senior Counsel Peter Swire to Debate European Privacy Activist Max Schrems. The debate, set to take place on January 26 in Brussels, will highlight key differences between certain European and U.S. attitudes towards U.S. surveillance law. Schrems was the plaintiff in Schrems v. Data Protection Commissioner, in which the European Court of Justice (ECJ) ruled that the Safe Harbor framework for the transfer of personally identifiable information from the European Economic Area to the United States is invalid. Since the ECJ ruled in Schrems, Swire has challenged the factual basis underpinning the decision and authored a white paper through the Future of Privacy Forum in which, among other things, he argues for the “fundamental equivalence of the United States and EU member States as constitutional democracies under the rule of law.”
The Cybersecurity Information Sharing Act Is Now Law. After years of vigorous debate, during which numerous bills aimed at incentivizing cyber threat intelligence sharing failed to become law, on December 18, 2015, President Obama signed an omnibus spending bill containing the Cybersecurity Information Sharing Act of 2015 (CISA). The Alston & Bird Cybersecurity Preparedness & Response Team’s Cyber Alert on CISA provides an in-depth overview of this complex statute.
Swire and Future of Privacy Forum Release White Paper for EU Regulators on U.S. Surveillance Law and Safe Harbor. Peter Swire’s recently released paper was a submission to a forum sponsored by the Belgian Privacy Commission on “the consequences of the judgment in the Schrems case.” The white paper disputes the ECJ’s characterization of the U.S. as failing to ensure “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” The paper also addresses certain European perceptions about U.S. national surveillance practices and law, highlighting that (contrary to some reports) only a “tiny fraction” of EU Internet users have been targeted by NSA surveillance activities.
EU Adopts the General Data Protection Regulation. The European Parliament, Council of Ministers and European Commission have come to an agreement on the General Data Protection Regulation (GDPR), which will take effect in early 2018 and replace the Data Protection Directive. The GDPR tightens existing privacy rules, establishes new requirements and creates a harmonized system of fines of up to 4% of annual worldwide turnover. The GDPR will be directly enforceable and will not require implementation by the member states.
FTC and Wyndham Settle Data Security Allegations. On December 9, the FTC announced that Wyndham had agreed to settle FTC charges that the company’s security practices unfairly exposed consumers’ payment card information to hackers in three separate data breaches between April 2008 and January 2010. Wyndham initially challenged the FTC’s authority to regulate private companies’ cybersecurity practices under the unfairness prong of Section 5 of the FTC Act. In August 2015, the U.S. Court of Appeals for the Third Circuit rejected that challenge and confirmed the FTC’s authority to bring such actions. The settlement ends the case.
Effective Cybersecurity: The Evolving Regulatory Landscape for Investment Advisers, Investment Companies and Broker-Dealers. Cybersecurity has become a top concern for executives and boards across all sectors of commerce and critical infrastructure that rely on digital technologies—including financial services—and investment advisers, investment companies and broker-dealers fall squarely within that group. Over the last two years, regulators have increasingly set their sights on this group, which is being subjected to rigorous scrutiny both as part of examinations and through enforcement actions. As the SEC initiates its next round of cybersecurity sweeps, our Cybersecurity Preparedness & Response Team offers six strategies to make sure market participants’ cyber health is up to snuff.
EU Institutions Adopt First Pan-European Legislation on Cybersecurity. The European Union adopted the Directive on Network and Information Security (“NIS Directive”) on December 15. Under the NIS Directive, operators of essential services (akin to critical infrastructure) will be required to take appropriate security measures and report cybersecurity incidents. It appears that large-scale providers of information society services (such as online marketplaces, search engines and cloud services) will also be subject to the Directive’s requirements. Covered operators will be required to notify the relevant national authority of security incidents that have a significant impact or serious disruptive effect on the provision of essential services and public safety. Member states will be required to implement the NIS Directive into their national laws within 21 months and will have an additional six months to identify the operators of essential services subject to the reporting requirements.
Effective Cybersecurity: You Have a Breach Response Plan…Now How Do You Test It? Today, merely having an incident response policy or procedure is not enough. It is critical for companies to test their plans so that key personnel understand, before a breach occurs, the roles they will play and the decisions they will have to make during an actual incident. Plan testing is largely an art, not an exact science. Our Cybersecurity Preparedness & Response Team offers five things you need to know about testing your incident response plans.
It’s Not Just Europe: Why 2016 Cloud Vendor Management Programs Should Address Evolving Global Privacy and Cybersecurity Risks. 2015 has seen landmark changes in privacy and cybersecurity laws and regulatory best practices. These developments have had a direct impact on cloud vendors. Our Privacy & Data Security Group highlights some of the top new privacy and cybersecurity developments that impact cloud vendor relationships in the U.S., EU, Israel, Dubai and beyond.
Moody’s Identifies Cyber Risk as Key Factor in Credit Ratings. On November 23, Moody’s Investors Service announced that the implications of cyber threats could start taking a higher priority in its credit analysis. Moody’s identified several key areas it would examine when looking at the impact of a potential cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions and the expected time to restore operations.
FTC and FCC Sign Consumer Protection MOU. The FTC and FCC recently entered into a memorandum of understanding under which common carriers regulated by the FCC may now face oversight by both agencies. The commissions also agreed to engage in “joint enforcement actions, when appropriate and consistent with their respective jurisdiction,” and to share consumer complaint data with one another, among other things.
FTC’s Ability to Regulate Data Security Potentially Limited. In a recent decision in FTC v. LabMD, ALJ Chappell found that, most likely, no one besides a security firm seeking work from LabMD had ever accessed or viewed the leaked file. He therefore concluded that the evidence did not show that LabMD’s allegedly unreasonable data security caused, or was likely to cause, substantial consumer injury, and that a “significant risk” of harm is by itself insufficient to establish substantial consumer injury under Section 5 of the FTC Act.
European Commission Releases Communication on Schrems and Safe Harbor 2.0. On November 6, the European Commission offered a statement assessing the impact of the invalidation of the U.S.-EU Safe Harbor framework. The communication states that the Commission hopes to reach an agreement with the U.S. government within the next three months on a new Safe Harbor framework, and in the meantime, companies may rely on the Commission’s model contracts or binding corporate rules (BCRs) as an alternative. Further, the Commission advises that, in limited circumstances, companies may transfer personal data based upon one of the derogations provided for in the Data Protection Directive.
A Busy Month for German Data Protection. After Schrems, Germany’s 17 data protection authorities (DPAs) began issuing decisions on how they would interpret and enforce the ruling.
Alston & Bird Updates Safe Harbor Ruling FAQs. Alston & Bird’s Privacy & Data Security Group updated a set of Frequently Asked Questions (FAQs) regarding Schrems to help companies that rely on the Safe Harbor framework understand the scope of the ECJ decision and think through their options for continuing to move personal data from the European Economic Area to the United States.
Jan Dhont Authors Corporate Counsel Article on Safe Harbor Decision. Jan Dhont, Brussels partner and head of Alston & Bird’s European Privacy & Data Protection practice, released a new article titled “The Sinking of the Safe Harbor: Just Another Symbolic Decision?” In the article, Dhont discusses the concerns and uncertainty stemming from Schrems and where companies may go from here, particularly as companies could be exposed to high regulatory fines if they do not comply.