FCC adopts privacy rules; Privacy Shield challenge; Amendments to EU data transfer decisions; FTC data breach guidance; DOT vehicle cybersecurity best practices; HHS guidance on HIPAA and FTC compliance

FCC approves privacy rules for broadband providers

In a 3-2 vote, the Federal Communications Commission approved new rules governing internet service providers’ collection and use

Privacy law meets antitrust – EU Commissioner Vestager on data in competition law; ECJ to rule on admissibility of Privacy class actions; Northern District of California Sends Yelp Privacy Suit to the Jury; EU Advocate General finds EU-Canadian PNR pact unlawful; New York Unveils New Cyber Security Rules for Financial Services Organizations; New Jersey Senate Passes Shopping Privacy Bill; NIST Issues Mobile Threat Guidance

Privacy law meets antitrust – EU Commissioner Vestager on when privacy issues can lead to antitrust concerns

European Competition Commissioner Margarethe Vestager has commented on the relevance of privacy issues with regard to EU antitrust rules. According to Vestager, current investigations of the German Federal Cartel Office regarding Facebook’s “privacy issues” would “not necessarily” lead to competition law concerns, even though both fields of law might correlate under certain circumstances.

In the investigations at issue, the German Federal Cartel Office is alleging Facebook of abusing an alleged ‘dominant position’ in the market for social networks by imposing unfair conditions regarding the privacy settings for Facebook accounts on its users. The German antitrust regulator is arguing that users would have “no choice” whether to accept the conditions or to terminate their account, because there is no real alternative to the well-known social network. Under Article 102 of the Treaty on the Functioning of the European Union (‘TFEU’), “dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market.”

It still remains to be seen whether Facebook will ultimately be found in breach of EU antitrust rules relating to its Privacy Policy. On a more general matter, however, the Commissioner’s statements seem to confirm that indeed, companies controlling vast amounts of data may be considered able to prevent market entry by withholding this data from potential competitors who could not reproduce comparable datasets themselves and therefore might violate Article 102 TFEU. Companies that might fall in this category should therefore be prepared that not only privacy regulators, but also antitrust authorities might potentially be questioning them regarding their use of data in the future. Nevertheless, “simply holding a lot of data” would not be enough to raise antitrust suspicions, Vestager appeased.Continue Reading Privacy & Cybersecurity Weekly News Update

ICO investigating into Facebook and WhatsApp Data Sharing Plans; Germany and France publish joint action plan against encryption; PrivacyShield now covering 200 U.S. companies.

UK DPA investigating into Facebook and WhatsApp Data Sharing Plans

The United Kingdom’s Information Commissioner (‘ICO’) is taking a closer look into WhatsApp’s plan to share more user data with parent company Facebook for the purposes of targeted advertising.

According to a recent WhatsApp blog post, WhatsApp has changed its Privacy Policy on August 25. This move will allow the company to share further personal information, in particular the mobile phone numbers of its users, with parent company Facebook. According to information published earlier this week, users should have 30 days to decide whether they want to receive targeted advertising, but they should not be allowed to object the data sharing as such.

Actually, the new approach of WhatsApp is not such a big surprise, as similar concerns had already been raised in the debate around the acquisition of WhatsApp by Facebook. However, the European Commission had explicitly made clear that the assessment of privacy issues does not fall within its competence as a Competition authority, and approved the merger.Continue Reading Privacy & Cybersecurity Weekly News Update – Week of August 21

U.S.-EU Data Sharing Pact Invalidated; Two Lawsuits Based on October Breaches; Dow Jones & Co. Breached; California’s New Comprehensive Privacy Law; California Revises Breach Notification Requirements; California Smart TV Notice Requirements; California Targets “Hackers for Hire”; Cybercrime Costs Increase

Top EU Court Invalidates U.S.-EU Safe Harbor

On October 6, 2015, the European Court of Justice (ECJ) invalidated the safe harbor agreement that governed the transfer of digital information between the U.S. and the European Union.  The ECJ found U.S. data protection policies offer inadequate protection to EU citizens’ privacy rights, a result of the broad data access practices for U.S. national security and law enforcement purposes.  The European Commission announced its intent to provide guidance on transatlantic sharing policies in light of the decision, and also identified other mechanisms for data sharing in the absence of the safe harbor agreement.  For more coverage of this decision and its impact, see our recent alert here.

California Class Action Suits Filed Based on October 2015 Data Breaches

Two proposed class action suits have been filed in California federal courts in connection with recent breaches announced by T-Mobile and Scottrade.  One suit alleges that T-Mobile and Experian’s negligence and breaches of contract led to the exposure of more than 15 million T-Mobile subscribers’ information.  The compromised information includes encrypted Social Security numbers and driver’s license information.  The complaint also alleges that Experian’s failure to secure customer information recklessly violated the Fair Credit Reporting Act. The second suit seeks relief from Scottrade for a breach affecting 4.6 million users of the brokerage firm’s services.  Scottrade confirmed that customer mailing information was compromised, but could not rule out exposure of more sensitive data. In addition to the California class action against Experian, a coalition of more than 20 consumer advocacy organizations have asked both the CFPB and the FTC to investigate Experian’s privacy and data security practices in light of the T-Mobile breach.Continue Reading Key Privacy & Cybersecurity Developments: October 5, 2015 – October 11, 2015