When the European Commission re-approved the Privacy Shield agreement during its first annual review in the fall of 2017, permitting the transatlantic transfer of personal information to compliant U.S. companies to continue, it did so with a number of reservations. As the Privacy Shield agreement fast approaches its second annual review at the end of this week, it remains to be seen if the steps taken by the U.S. government at the close of the summer will be enough to satisfy skeptical European lawmakers.

NHTSA Issues Voluntary Driverless Car Guidelines; European Privacy Supervisor proposes Digital Clearing House for coherent handling of Big Data cases; Facebook and Power Ventures Battle Over the Scope of the CFAA; Arizona Supreme Court: Police Cannot Search Unlocked, Unattended Phone; German consumer group urges Whatsapp to stop sharing data with Facebook; German DPA issues guidelines

Privacy law meets antitrust – EU Commissioner Vestager on data in competition law; ECJ to rule on admissibility of Privacy class actions; Northern District of California Sends Yelp Privacy Suit to the Jury; EU Advocate General finds EU-Canadian PNR pact unlawful; New York Unveils New Cyber Security Rules for Financial Services Organizations; New Jersey Senate Passes Shopping Privacy Bill; NIST Issues Mobile Threat Guidance

Privacy law meets antitrust – EU Commissioner Vestager on when privacy issues can lead to antitrust concerns

European Competition Commissioner Margrethe Vestager has commented on the relevance of privacy issues with regard to EU antitrust rules. According to Vestager, current investigations of the German Federal Cartel Office regarding Facebook’s “privacy issues” would “not necessarily” lead to competition law concerns, even though both fields of law might correlate under certain circumstances.

In the investigations at issue, the German Federal Cartel Office is accusing Facebook of abusing an alleged ‘dominant position’ in the market for social networks by imposing unfair conditions regarding the privacy settings for Facebook accounts on its users. The German antitrust regulator is arguing that users would have “no choice” whether to accept the conditions or to terminate their account, because there is no real alternative to the well-known social network. Under Article 102 of the Treaty on the Functioning of the European Union (‘TFEU’), “dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market.”

It remains to be seen whether Facebook will ultimately be found in breach of EU antitrust rules relating to its Privacy Policy. On a more general matter, however, the Commissioner’s statements seem to confirm that companies controlling vast amounts of data may be considered able to prevent market entry by withholding this data from potential competitors who could not reproduce comparable datasets themselves, and therefore might violate Article 102 TFEU. Companies that might fall in this category should therefore be prepared for questions about their use of data not only from privacy regulators, but potentially also from antitrust authorities in the future. Nevertheless, “simply holding a lot of data” would not be enough to raise antitrust suspicions, Vestager added reassuringly.

ICO investigating Facebook and WhatsApp Data Sharing Plans; Germany and France publish joint action plan against encryption; Privacy Shield now covering 200 U.S. companies.

UK DPA investigating Facebook and WhatsApp Data Sharing Plans

The United Kingdom’s Information Commissioner (‘ICO’) is taking a closer look at WhatsApp’s plan to share more user data with parent company Facebook for the purposes of targeted advertising.

According to a recent WhatsApp blog post, WhatsApp changed its Privacy Policy on August 25. This move will allow the company to share further personal information, in particular the mobile phone numbers of its users, with parent company Facebook. According to information published earlier this week, users should have 30 days to decide whether they want to receive targeted advertising, but they should not be allowed to object to the data sharing as such.

Actually, the new approach of WhatsApp is not such a big surprise, as similar concerns had already been raised in the debate around the acquisition of WhatsApp by Facebook. However, the European Commission had explicitly made clear that the assessment of privacy issues does not fall within its competence as a Competition authority, and approved the merger.

First self-certifications accepted under Privacy Shield; EU Commission considers extension of telecommunication rules to apps.

U.S. Department of Commerce accepts first bunch of self-certifications under Privacy Shield

About 2 weeks after the announced start of the certification procedure under the “EU-U.S. Privacy Shield” (‘Privacy Shield’) on August 1, 2016, the U.S. Department of Commerce (‘DoC’) has officially granted certification status to a first set of approximately 40 U.S.-based multinational companies. According to a DoC spokesperson, “nearly 200 additional certifications” are still pending and hundreds more are expected in the next few weeks.

According to the publicly accessible Privacy Shield list, companies already approved under the new framework are predominantly major U.S. tech companies, including Microsoft Corporation and Salesforce.

Companies which have not yet registered, but plan to do so, should consider signing up within the next 1 ½ months: for those submitting their certification by September 30, the DoC grants a grace period of 9 months from the date of certification to meet the necessary compliance requirements.

Article 31 Committee approves Privacy Shield; House Cuts FCC Funding Over Attempted Broadband Privacy Regulations; No Charges for Clinton in Data Security Probe; European Commission launches public-private partnership on cybersecurity; European Parliament adopts NIS Directive; Privacy Code of Conduct for mHealth app providers finalized; French parliament about to make French Privacy act more severe; Russia introduces new data retention obligations.

Article 31 Committee approves Privacy Shield

On July 8, 2016, the Article 31 Committee finally gave its support for the adoption of the “EU-U.S. Privacy Shield”, the new framework for cross-Atlantic data transfers.

For more details, please see our latest client alert here.

House Defunds FCC’s Data Privacy Efforts for Broadband Providers

On July 7, the House of Representatives voted to cut off funding for the FCC’s proposed privacy regulations of broadband service providers. The measure, attached as an amendment to the 2017 Financial Services and General Government Appropriations Bill, cut the FCC’s funding by more than 17%. Calling the FCC’s proposed rules “extreme,” Rep. Marsha Blackburn (R-TN), the amendment’s author, claimed the measure was necessary to reassert the Federal Trade Commission’s status as the go-to federal data privacy regulator. The FCC, Rep. Blackburn asserted, “simply doesn’t have the requisite technical expertise to regulate privacy.”

The proposed regulations, which the FCC announced in March 2016, would require ISPs to disclose how data regarding customers’ online activities could be collected and recorded. These proposed rules represented the FCC’s first major attempt to regulate broadband providers in the aftermath of the agency’s February 2015 decision to treat broadband as a public utility. Several broadband providers had expressed public reservations about the FCC’s proposed rulemaking and actively lobbied legislators to act. The bill, which passed in a 239-185 vote, next heads to the Senate for consideration.

Adoption of Privacy Shield expected in early July; Federal Court limits VPPA liability; Belgian Court overturns Facebook fine; FTC robocall crackdown; A rare HIPAA criminal conviction; UK’s ICO fines Brexit campaigners for mass text messages; House report calls for national encryption commission.

European Commission expects adoption of Privacy Shield for beginning of July

European officials are hoping to finally formalize the “EU-U.S. Privacy Shield”, the cross-Atlantic data transfer pact intended to replace the previously invalidated “U.S.-EU Safe Harbor” Framework, on July 5. The initial draft agreement has been amended to include new explanations of U.S. governmental entities and further limitations on the bulk collection of data and mass surveillance. The European Commission is now confident that the Article 31 Committee will also give its approval to the draft framework.

Many European Privacy regulators and EU bodies, such as the European Parliament and the European Data Protection Supervisor, had argued that the initial draft did not sufficiently protect the fundamental rights of European data subjects. The revised version now “only” allows bulk collection “exceptionally”, where targeted collection is “not feasible”, although it remains open how ‘feasibility’ should be determined.

Brexit effect on EU and UK Privacy rules; EU and U.S. to strengthen ‘Privacy Shield’; Ponemon Study on Healthcare Data Security; Mobile ad provider fined for deceptive conduct; FTC comments on the Internet of Things

Brexit – what does it mean for EU and UK Privacy rules?

On June 23, 2016, the population of Great Britain voted in a historic referendum to leave the European Union with a majority of 52% vs 48%. Although this decision does not have an immediate impact on the membership of the United Kingdom in the EU (the UK is still a Member of the European Union and will remain so until at least 2018, see also FAQ on the further procedure by the European Commission), it has sparked intense discussion, among other things about the future of UK Privacy laws and the implementation of the General Data Protection Regulation (GDPR).

In a statement of June 24, 2016, the UK’s Data Protection Authority (ICO) has stressed that “the Data Protection Act remains the law of the land irrespective of the referendum.” This means that in the short term, in principle nothing will change. This also applies with regard to the ongoing EU reform, as a result of which the GDPR will enter into force on May 25, 2018, and thus in any event before the earliest possible day for a definite exit of the UK from the European Union. It will therefore – at least for a short period of time – also apply to UK businesses.

What will certainly have an impact, however, is the moment at which the UK actually leaves the European Union. Although the ICO has stressed that it aims to stay as close to European Privacy laws as possible post-Brexit as well, this situation would have an immediate impact on businesses sending data to the UK. As soon as the UK is no longer part of the European Union, due to the absence of an ‘Adequacy Decision’ of the European Commission relating to the UK, companies would have to put in place other transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules, in order to lawfully continue to transfer personal data from European countries to the UK once the exit is completed. This could only be avoided if the UK guaranteed an adequate level of Data Protection standards, which would have to be acknowledged by the European Commission.

The ICO has made its position clear: “Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

A victory for net neutrality; U.S. may join Irish Facebook Data-Transfer case; EU-U.S. Privacy Shield by early July?; French Data Protection Authority opens GDPR consultation; FTC addresses proposed TCPA changes; DOJ and DHS cybersecurity sharing guidelines.

Federal appellate court upholds net neutrality

The U.S. Court of Appeals for the D.C. Circuit upheld “net neutrality” rules that require all broadband providers to treat internet traffic the same regardless of source. Last year, the Federal Communications Commission (“FCC”) issued its net neutrality decision, which reclassified broadband service as common carriers under the Communications Act and thus brought Internet service within the FCC’s power to regulate common carriers under Title II of the Communications Act. The FCC then issued rules banning providers from blocking, throttling, or otherwise degrading lawful internet traffic, and also from engaging in paid prioritization of traffic.

A number of Internet service providers and other groups challenged the FCC’s authority to reclassify broadband service and promulgate such regulations. They also challenged the legality of the net neutrality rules.  In a 115-page opinion, the D.C. Circuit rejected each challenge and, in doing so, affirmed the FCC’s power to regulate broadband service under Title II of the Communications Act.  The court also rejected the argument that net neutrality impacts service providers’ First Amendment rights, explaining that a service provider “does not . . . ‘speak’ when providing neutral access to Internet content as common usage.”

The petitioners are expected to appeal the ruling to the Supreme Court. Unless the Court reverses this ruling, the FCC retains broad power to regulate Internet service providers as common carriers, and may use that power to continue implementing and enforcing regulations concerning open access to content as well as consumer privacy.

EU-U.S. Agreement on Law Enforcement Data; European Data Protection Supervisor Criticizes Privacy Shield; House Members Criticize FCC Privacy Proposal; NHTSA Targets Automotive Cybersecurity; Yahoo Releases National Security Letters; CareFirst Data Breach Lawsuit Dismissed; FDA Guidance on Data Protection in Investigations

EU and U.S. sign Umbrella Agreement on Law Enforcement Data

On June 2, 2016, Vera Jourová, European Commissioner for Justice and Consumer Protection, Dutch minister Ard van der Steur and U.S. Attorney General Loretta E. Lynch signed the “Umbrella Agreement”, a deal between the U.S. and the EU “on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offenses”. The agreement aims at enhancing the cooperation of the EU and the U.S. in criminal enforcement (including terrorism), while at the same time protecting personal data of European citizens, when transferred from the EU to the U.S. for criminal investigations.

The text of the agreement, which was negotiated over a long period due in part to a Court of Justice of the EU (ECJ) finding that European citizens lacked adequate rights of redress, includes provisions on purpose limitation, information security, data retention, rights of data subjects, breach notifications and onward transfers. A “fact sheet”-FAQ is available on the Commission’s website. Before the agreement can be finally concluded, the European Parliament will still need to give its consent.

European Data Protection Supervisor criticizes “EU-U.S. Privacy Shield”

On May 30, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued an opinion on the draft “EU-U.S. Privacy Shield” (“Privacy Shield”), which is in line with the criticism previously raised by the Article 29 Working Party and the European Parliament.