FCC adopts privacy rules; Privacy Shield challenge; Amendments to EU data transfer decisions; FTC data breach guidance; DOT vehicle cybersecurity best practices; HHS guidance on HIPAA and FTC compliance
FCC approves privacy rules for broadband providers
In a 3-2 vote, the Federal Communications Commission approved new rules governing internet service providers’ collection and use of consumer data. The largest impact may be the requirement that providers obtain affirmative consent before collecting and sharing data that could previously be collected without consumer permission. In a fact sheet released earlier this month, the FCC stated that its new privacy rules were intended to create an approach similar to the one used by the FTC. However, some criticize the FCC for veering too far off the path blazed by the FTC. The FCC’s rules require opt-in consent for using and sharing data categorized as sensitive. In addition to including the financial information and geolocation data, the FCC rules differ from the FTC’s approach in that the FCC also considers web browsing and mobile application usage data “sensitive.” The FCC also set forth requirements for breach notifications, conspicuous notice of collection and usage policies, data security practices, and exceptions to opt-in consent.
Digital Rights Ireland challenges Privacy Shield
Although it does not come as a surprise, the Irish privacy advocacy group Digital Rights Ireland ( “DRI”) has filed an action for annulment of the Privacy Shield with the General Court of the European Union (case number T-670/16). The new EU-U.S. Privacy Shield was agreed earlier this year to replace the Safe Harbor agreement allowing the transfer of personal data from the EU to the United States, which had been invalidated by the European Court of Justice in the Schrems case. To date, about 600 companies have signed up for the Privacy Shield agreement, including Google, Facebook, and Microsoft.
Based on public comments, the DRI contends that the Privacy Shield does not contain adequate privacy protections, but its specific legal grounds or concerns are not yet available, as the request has not yet been made public.
A threshold hurdle is the admissibility question, given that natural or legal persons may only challenge EU regulatory acts before the European Courts if they are of a direct concern to them (Article 263 (4) TFEU). Having regard to the restrictive interpretation of the required standing before the EU courts, it is questionable whether the annulment action by the DRI can overcome this hurdle. Only afterwards, the General Court will rule on the merits of this case, which is expected to easily take a year.
EU Commission to amend existing adequacy decisions for international transfer of personal data
It appears from the “Summary record of the 72nd meeting of the Committee on the Protection of Individuals with regard to the Processing of Personal Data (Article 31 Committee)” that the EU Commission presented two draft Commission Implementing Decisions amending the existing adequacy decisions and the decisions on standard contractual clauses (“SCCs”). The purpose of both draft decisions is to cure the illegality that follows from the findings in the Court of Justice’s (“ECJ”) Schrems ruling.
In Schrems, the ECJ invalidated Article 3 of the Safe Harbor adequacy decision after finding that the Commission exceeded its powers in imposing limitations on the powers of national supervisory authorities (“DPAs”) to suspend and prohibit data flows. Because, according to the Article 31 Committee communication, a comparable provision restricting the powers of DPAs is present in the existing adequacy and SCCs decisions, the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.
The text of the two draft decisions has not been released yet. While a number of the Member States present at the meeting expressed favorable views on them, others were not yet ready to take a decision. The Article 29 Working Party will also be asked to present its views.
FTC issues guidance on handling data breaches
The Federal Trade Commission released a guide on responding to data breaches. Titled “Data Breach Response: A Guide for Businesses,” the FTC publication outlines steps businesses can take in the immediate wake of a security incident to minimize damage and comply with breach notice obligations. The FTC describes best practices for securing business operations, addressing already exploited or potentially exploitable vulnerabilities, and notifying the appropriate regulatory and enforcement entities as well as affected individuals and other entities. The publication also includes a model notice letter, which may be useful for both firms that need to create such a template and firms that have an existing notice template but want to ensure their notices satisfy FTC requirements.
DOT releases guidance on vehicle cybersecurity best practices
The Department of Transportation published best practices for improving vehicle cybersecurity and preventing malicious attacks on and unauthorized access to vehicles. The DOT recommends “risk-based prioritized identification and protection of critical vehicle controls and consumers’ personal data,” and also encourages manufacturers to provide rapid response to cybersecurity incidents throughout the life of a vehicle. DOT further includes guidance on researching, developing, and testing cybersecurity measures.
HHS guidance on sharing health information
A short publication from the Health and Human Services Office of Civil Rights confirms that businesses sharing health information must comply with both HIPAA and the FTC Act. OCR’s guidance explains that for businesses that share health information, compliance with HIPAA alone is not sufficient; firms must ensure that HIPAA-compliant disclosures are not deceptive under the FTC Act. OCR also provides recommended steps for complying with the FTC Act. One step is to draft disclosures in a manner that considers how consumers review the material, such that critical information is not “buried” in other documents linked to disclosures. A second recommendation is that businesses consider how consumers will review disclosures; a good practice is create an interface that avoids requiring extensive “scrolling” to locate key facts and information. OCR also recommends eliminating contradictions as to how data will be used.