EU-U.S. Agreement on Law Enforcement Data; European Data Protection Supervisor Criticizes Privacy Shield; House Members Criticize FCC Privacy Proposal; NHTSA Targets Automotive Cybersecurity; Yahoo Releases National Security Letters; CareFirst Data Breach Lawsuit Dismissed; FDA Guidance on Data Protection in Investigations
EU and U.S. sign Umbrella Agreement on Law Enforcement Data
On June 2, 2016, Vera Jourová, European Commissioner for Justice and Consumer Protection, Dutch minister Ard van der Steur and U.S. Attorney General Loretta E. Lynch signed the “Umbrella Agreement”, a deal between the U.S. and the EU “on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offenses”. The agreement aims at enhancing the cooperation of the EU and the U.S. in criminal enforcement (including terrorism), while at the same time protecting personal data of European citizens, when transferred from the EU to the U.S. for criminal investigations.
The text of the agreement, which was negotiated over a long period due in part to a Court of Justice of the EU (ECJ) finding that European citizens lacked adequate rights of redress, includes provisions on purpose limitation, information security, data retention, rights of data subjects, breach notifications and onward transfers. A “fact sheet”-FAQ is available on the Commission’s website. Before the agreement can be finally concluded, the European Parliament will still need to give its consent.
European Data Protection Supervisor criticizes “EU-U.S. Privacy Shield”
On May 30, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued an opinion on the draft “EU-U.S. Privacy Shield” (“Privacy Shield”), which is in line with the criticism previously raised by the Article 29 Working Party and the European Parliament.
Buttarelli acknowledged that the draft was a “step in the right direction” and included a number of improvements compared to the former “U.S.-EU Safe Harbor Framework”, which had been invalidated by the ECJ in October 2015. Nevertheless, his prevailing opinion was that “significant improvements” and “additional” safeguards would be required in order to achieve a stable long-term framework for data transfers from Europe to the U.S. – the European Commission should obtain “additional reassurances in terms of necessity and proportionality, instead of legitimizing routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU.”
In the meantime, the Article 31 Working Party is still in discussions about the Privacy Shield. A binding supportive opinion of this committee, consisting of representatives of each EU Member State, is needed by the Commission to proceed with the implementation of Privacy Shield.
Legislators Criticize FCC Privacy Proposal for ISPs
On June 1, three members of the House Committee on Energy and Commerce, including its chairman, sent a letter to the chair of the Federal Communications Commission (FCC) criticizing proposed privacy and data breach rules for broadband internet service providers (ISPs). In April, the FCC released a notice of proposed rulemaking (NPRM) that set forth a framework governing use and sharing of information by broadband ISPs. The FCC’s NPRM creates three categories of information—opt-in, opt-out, and “consent inherent”—and security and notice requirements governing this information. The FCC stated its proposal aims to close a “gap” between “traditional principles of privacy protection” and “21st Century telecommunications services provided by broadband networks.”
However, the June 1 letter criticizes the FCC’s attempt to create a regime governing one group of Internet participants. The letter recommends that instead of creating rules specific to broadband ISPs, the FCC should follow “the [Federal Trade Commission’s] enforcement-oriented approach” that allows all participants in Internet commerce to “exist[] under the same set of privacy rules.” The legislators contend that “multiple and varying privacy regimes” would “inject[] new complexity and uncertainty” for consumers as well as companies operating in the Internet space. The notice and comment period for the NPRM closed last week. It remains to be seen how the FCC will react to these criticisms, or whether other agencies or officials similarly criticize the FCC’s proposal.
NHTSA: Some Automotive Cybersecurity Risks Could be Considered Defects
In recent months, the National Highway Transportation Administration (NHTSA) issued two publications discussing what types of automotive cybersecurity vulnerabilities present safety risks. The NHTSA released (1) a public service announcement regarding vehicle hacking risks and (2) a request for public comment on NHTSA’s guidance to manufacturers and enforcement regarding automotive cybersecurity. The publications offer useful guidance to manufacturers regarding how the NHTSA will assess automotive cybersecurity vulnerabilities that create safety risks, and at what point such risks constitute defects subject to recall. Furthermore, the NHTSA’s statements reflect its intent to play an active role in monitoring and addressing such risks. For more on the NHTSA’s statements, see the recent client alert by our Advertising and Product Risk Management Group.
Yahoo Releases National Security Letters
On Wednesday, Yahoo announced it would disclose three national security letters (NSLs) it received from the Federal Bureau of Investigation (FBI). NSLs typically contain nondisclosure requirements, which result in an inability to confirm which entities receive these requests in connection with FBI investigations. These “gag orders” have been the subject of much controversy and have come under criticism from both the public and the courts. However, the USA Freedom Act of 2015 requires the FBI to periodically review whether nondisclosure remains necessary and, if not, lift the “gag order.” As a result, private companies may exercise their discretion to disclose previously received NSLs. While not very detailed, the Yahoo letters provide an example of what information the FBI may request through this process. For companies that have already received NSLs, discretionary disclosure may provide an opportunity for transparency with affected entities regarding their privacy and the security of their information. Yahoo is the first company to disclose NSLs. It remains to be seen how often the FBI will lift the gag orders on other entities and whether those entities will follow Yahoo’s lead.
Data Breach Class Action Against CareFirst Dismissed
A federal court has dismissed a class action against CareFirst BlueCross BlueShield, finding that the plaintiffs failed to state a non-speculative injury resulting from a 2014 data breach. The plaintiffs alleged that a data breach permitted access to policyholders’ names, birthdates, email addresses, and subscriber numbers, and that CareFirst’s failure to secure their information led to an increased risk of identity theft and other future harm, as well as mitigation costs, decreased value of personal information, and lost benefit of their insurance. However, the court found the risk of theft speculative: plaintiffs did not allege any fraudulent charges or misuse, nor did they allege a loss of sensitive information, such as credit card numbers or Social Security numbers, that would suggest impending future harm. This comes on the heels of a decision last week from the same court finding that a data breach claim cannot go forward absent allegations of actual misuse or intent to breach for the purpose of misusing compromised data. Both cases also rejected “diminished value” and “lost benefit of the bargain” as sufficient injuries to maintain a data breach suit. As noted last week, this trend of dismissing suits lacking “concrete” or “impending” harm resulting from misuse of data will likely continue.
FDA Provides Guidance for Data Collection in Clinical Investigations
This week the Food and Drug Administration (FDA) released draft guidance on the use of electronic health data in FDA-regulated clinical investigations. This includes patient medical history, diagnoses, prescription history, and other health-related information. Companies involved in clinical studies should consider the FDA’s proposed guidance while the comment period remains open. Furthermore, while the document does not establish legally enforceable standards, firms should view the FDA’s best practices guidance as suggestive of how enforcement authorities may evaluate data collection and protection practices.