Data Law InsightsMaida Oringher Lerner

A victory for net neutrality; U.S. may join Irish Facebook Data-Transfer case; EU-U.S. Privacy Shield by early July?; French Data Protection Authority opens GDPR consultation; FTC addresses proposed TCPA changes; DOJ and DHS cybersecurity sharing guidelines.

Federal appellate court upholds net neutrality

The U.S. Court of Appeals for the D.C. Circuit upheld “net neutrality” rules that require all broadband providers to treat internet traffic the same regardless of source.  Last year, the Federal Communications Commission (“FCC”) issued its net neutrality decision, which reclassified broadband service as common carriers under the Communications Act and thus brought Internet service within the FCC’s power to regulate common carriers under Title II of the Communications Act.  The FCC then issued rules banning providers from blocking, throttling, or otherwise degrading internet traffic lawful content, and also from engaging in paid prioritization of traffic.

A number of Internet service providers and other groups challenged the FCC’s authority to reclassify broadband service and promulgate such regulations. They also challenged the legality of the net neutrality rules.  In a 115-page opinion, the D.C. Circuit rejected each challenge and, in doing so, affirmed the FCC’s power to regulate broadband service under Title II of the Communications Act.  The court also rejected the argument that net neutrality impacts service providers’ First Amendment rights, explaining that a service provider “does not . . . ‘speak’ when providing neutral access to Internet content as common usage.”

The petitioners are expected to appeal the ruling to the Supreme Court. Unless the Court reverses this ruling, the FCC retains broad power to regulate Internet service providers as common carriers, and may use that power to continue implementing and enforcing regulations concerning open access to content as well as consumer privacy.

U.S. Government contemplating to join Facebook Data-Transfer case before Irish High Court

The U.S. government would like to file an amicus brief in the EU-U.S. data transfer dispute between Schrems and Facebook before the Irish High Court. The proceedings, initiated by European privacy activist Max Schrems in December 2015 (and thus shortly after his success regarding the invalidation of the former “U.S.-EU Safe Harbor Framework” (“Safe Harbor”) before the European Court of Justice (“ECJ”) in October 2015), relate to the use of European Standard Contractual Clauses (“Model Clauses”) by Facebook as a legitimation for data transfers from Europe to the U.S.

In his new complaint, Schrems is arguing that the implementation of Model Clauses does not remedy Facebook being subject to U.S. mass surveillance, one of the chief issues in the original proceeding which led to the  ECJ invalidation of Safe Harbor. Model Contracts are currently the most popular remaining legitimation mechanism for companies who want to lawfully transfer personal data from the EU to the U.S., but might now also bear the risk of being invalidated, as the Irish DPA is planning to ask for referral to the ECJ.

Schrems said he would “very much welcome” the U.S. government being joined, to “finally get solid answers in a public procedure.” In addition, some EU and U.S. technology and data protection groups, including the Business Software Alliance, representing the interests of industry heavyweights such as Apple, Microsoft or Intel, have declared their interest to join the case as well.

EU-U.S. Privacy Shield to be finalized in early July?

The European Commission aims to finalize the “EU-U.S. Privacy Shield” framework for data transfers from Europe to the U.S. in early July. According to the updated timeline, the (partly) binding vote of the Article 31 Committee is scheduled for June 29, and the College approval might take place on July 5.

The draft for the new mechanism, which is about to replace the formerly invalidated “U.S.-EU Safe Harbor Framework” (“Safe Harbor”), had been announced in the beginning of February 2016 and published in March. Since then, it has been the subject to a vivid debate between privacy activists, politicians and the responsible EU and U.S. officials. In particular the Article 29 Working Party, an advisory body comprising of representatives of all 28 EU Member States, and the European Parliament, had heavily criticized the initial draft and called for amendments.

It remains to be seen whether the amendments negotiated between the EU and the U.S. will suffice to satisfy the Article 31 Committee, which, just as the Article 29 Working Party, is formed by EU Member States representatives. In a first meeting earlier this year, scheduled to vote on the initial draft, the committee had not been able to reach sufficient consensus for an approval.

French Data Protection Authority opens consultation on GDPR

On June 16, the ‘Commission Nationale de l’Informatique et des Libertés’ (“CNIL”), the French Data Protection Authority, has opened a consultation on the European rules regarding the protection of personal data. The French-speaking consultation gives companies, privacy professionals and other interested individuals and bodies the possibility to ask questions, make proposals or recommendations or open new discussion issues with regard to topics relevant under the new General Data Protection Regulation, which is about to enter into force in 2018.

Until July 15, 2016, contributions can be submitted with regard to the role of Data Protection Officers (“DPOs”), the right to Data Portability, Data Protection Impact Assessments, Certifications or any other subject which could be interesting for consultation.

FTC cautions against expanding TCPA exemptions

The Federal Trade Commission (“FTC”) filed comments this week suggesting the FCC strengthen consumer privacy protections under the Telephone Consumer Protection Act (“TCPA”).  The FCC issued proposed regulations after Congress amended the TCPA to permit robocalls, even without express consent, made solely for collecting debts “owed to or guaranteed by the United States.”  The FTC recommends that the FCC harmonize the proposed regulations with existing FTC rules governing debt collection and telemarketing.  The FTC comments also suggest (1) limiting robocalls to only persons obligated to pay the debt where the debt is in default, not merely delinquency, (2) prohibiting “debt servicing” calls that solicit fees in consideration for goods and services, and (3) imposing data security measures and limiting use of collected information.

The FCC must implement any exemptions by August 2. Future TCPA liability may be greatly impacted by the FCC’s distinctions between delinquency and default and between debt collection and debt servicing, as well rules governing the ability to contact third parties not obligated to pay debts.

DOJ and DHS issue guidelines for sharing cybersecurity threats

The Department of Justice and Department of Homeland Security jointly issued guidelines for federal and non-federal entities to voluntarily share information concerning cybersecurity threats and defensive measures.  For more on this announcement, see our recent C&M bullet point.