Article 31 Committee approves Privacy Shield; House Cuts FCC Funding Over Attempted Broadband Privacy Regulations; No Charges for Clinton in Data Security Probe; European Commission launches public-private partnership on cybersecurity; European Parliament adopts NIS Directive; Privacy Code of Conduct for mHealth app providers finalized; French parliament about to make French Privacy act more severe; Russia introduces new data retention obligations.

Article 31 Committee approves Privacy Shield

On July 8, 2016, the Article 31 Committee finally gave its support for the adoption of the “EU-U.S. Privacy Shield”, the new framework for transatlantic data transfers.

For more details, please see our latest client alert here.

House Defunds FCC’s Data Privacy Efforts for Broadband Providers

On July 7, the House of Representatives voted to cut off funding for the FCC’s proposed privacy regulations of broadband service providers. The measure, attached as an amendment to the 2017 Financial Services and General Government Appropriations Bill, cut the FCC’s funding by more than 17%. Calling the FCC’s proposed rules “extreme,” Rep. Marsha Blackburn (R-TN), the amendment’s author, claimed the measure was necessary to reassert the Federal Trade Commission’s status as the go-to federal data privacy regulator. The FCC, Rep. Blackburn asserted, “simply doesn’t have the requisite technical expertise to regulate privacy.”

The proposed regulations, which the FCC announced in March 2016, would require ISPs to disclose how data regarding customers’ online activities could be collected and recorded. These proposed rules represented the FCC’s first major attempt to regulate broadband providers in the aftermath of the agency’s February 2015 decision to treat broadband as a public utility. Several broadband providers had expressed public reservations about the FCC’s proposed rulemaking and actively lobbied legislators to act. The bill, which passed in a 239-185 vote, next heads to the Senate for consideration.

FBI Director Stresses Lack of Intent in Clinton No-Charging Decision

On July 5, FBI Director James Comey publicized the Bureau’s recommendation that the Justice Department not file criminal charges against presumptive Democratic presidential nominee Hillary Clinton. This announcement followed a yearlong investigation into Clinton’s use of a private email server for official communications while Secretary of State. Comey noted that FBI investigators identified 110 emails on Clinton’s email server that contained classified information “at the time they were sent or received.” Director Comey identified “evidence of potential violations of the statutes regarding the handling of classified information,” including:

  • Sending and receiving classified information on an unsecured email account.
  • Housing classified emails on “unclassified personal servers not even supported by full-time security staff”.
  • Using personal email servers “extensively while outside the United States, including sending and receiving work-related e-mails in the territory of sophisticated adversaries”.

Despite these findings, Director Comey noted that the “strength of the evidence, especially regarding intent” weighed against recommending criminal charges. In his announcement, Comey stressed that although Secretary Clinton and her staff were “extremely careless in their handling of very sensitive, highly classified information,” the FBI “did not find clear evidence that Secretary Clinton or her colleagues intended to violate laws governing the handling of classified information.” (emphasis added). The Justice Department heeded the FBI’s recommendation on July 6 by closing its investigation without filing charges.

European Commission launches public-private partnership on cybersecurity

On July 5, 2016, the European Commission launched a public-private partnership on cybersecurity by signing a cooperation agreement with industry. The initiative, which is part of the Digital Market Strategy and aims to strengthen cybersecurity in Europe, is expected to trigger € 1.8 billion of investment by 2020.

Through the agreement, the Commission hopes to reinforce cooperation between all actors and sectors throughout the EU in fighting cyber-threats. “Without trust and security, there can be no Digital Single Market. Europe has to be ready to tackle cyber-threats that are increasingly sophisticated and do not recognise borders,” Andrus Ansip, Vice-President for the Digital Single Market, was quoted as saying.

The Commission’s approach comes together with the Network and Information Security (NIS) Directive, which was adopted by the European Parliament on July 6, 2016 (see below).

European Network and Information Security (NIS) Directive Adopted by European Parliament

On July 6, the Network and Information Security (NIS) Directive, establishing the first set of EU-wide cybersecurity rules, was adopted by the European Parliament. The Directive obliges operators in critical infrastructure sectors such as energy, health, transport and banking to ensure that they are appropriately protected against cyber-threats. It also requires such companies to notify the relevant authority of any security incident that would significantly impact the services they provide.

Whilst the Parliament voted almost unanimously in favor of the NIS Directive (34 to 2 with no abstentions), it has been the subject of controversy, particularly within industry. “As it stands, the directive itself is nowhere near as specific as it needs to be in order to cause any meaningful change,” the marketing director of a company likely to fall under the Directive was quoted as saying. Other industry representatives also criticized the lack of security expertise involved in drafting the new legislation and its lack of practicality.

The Directive still needs to be formally endorsed by the Council and the full Parliament, but a Parliament spokesperson anticipated that it should pass this step without trouble.

Code of Conduct on privacy for mHealth apps finalized

On July 7, 2016, the European Commission announced that a Code of Conduct on privacy for mobile health apps has been finalized and submitted to the Article 29 Working Party for approval. Once the independent EU advisory body has approved the Code, app developers will be able to voluntarily commit to adhere to it in order to demonstrate and establish compliance with EU data protection law more easily.

The Code covers issues ranging from ‘user consent’ and ‘privacy by design and default’ to ‘principles of advertising in mHealth apps’ and ‘data transfers’. Therefore, although currently still based on Article 27 of the Data Protection Directive (Directive 95/46/EC), the Code is likely to continue to exist under the General Data Protection Regulation, which will enter into force on May 25, 2018.

French bill about to impose new privacy compliance requirements on multinationals

In early July, a French parliamentary committee adopted a digital economy bill that would strengthen the 1978 law on Information Technology and Liberties. If enacted, the new law would significantly increase the current maximum fines for privacy offences from € 300,000 to € 3 million and introduce new provisions on consumer data portability.

Although the toughest proposal, a data localization requirement that would have obliged companies to store data in EU-based data centers, was ultimately removed from the bill, the new law would still mean new privacy compliance requirements for multinationals: if the bill is enacted, it would implement a GDPR-like data portability right for users of e-mail services, requiring providers to allow users to transfer their e-mails and contact lists directly to another service provider. There would also be a “data recovery right”, requiring providers of online public communication services to allow users to recover data associated with their account.

Russia introduces new data retention obligations for telecommunication providers

On July 7, 2016, Vladimir Putin, president of the Russian Federation, announced a new law obliging telecommunication providers to store consumer data, including personal data, for periods of between 3 months and 6 years.

The law raises concerns in particular with regard to cross-border data transfers and the data-related business activities of multinational companies in Russia, since in Europe a similar law (the European Data Retention Directive) was invalidated by the European Court of Justice for violating the fundamental rights of individuals.