Risks and considerations when storing crypto-assets

Following the sudden death of its co-founder and CEO, Gerald Cotten, in December 2018, Quadriga, Canada’s largest cryptocurrency exchange, is unable to gain access to about $145 million of bitcoin and other digital assets. Quadriga reports that Cotten stored the digital assets in a “cold wallet” on his encrypted laptop, and repeated attempts by his widow to gain access to the laptop have proven unsuccessful.

Quadriga has been forced to stop trading on its platform, which has affected its ability to serve its customers. The company is attempting to obtain an order for creditor protection in accordance with Canada’s Companies’ Creditors Arrangement Act to provide it with an opportunity to resolve this issue.


President prioritizes research, development, and deployment of artificial intelligence technology

The President has made artificial intelligence technology a policy priority. On February 11, 2019, the President issued an Executive Order to direct most federal executive agencies to promote and protect American advancements in artificial intelligence while working with private industry. The order recognized that public trust in artificial intelligence is an important factor in the development and use of the technologies, and highlights the need to “protect civil liberties, privacy, and American values in their application in order to fully realize the potential of AI technologies for the American people.”

Specifically, the President ordered the agencies to consider artificial intelligence as a research and development priority and

  • Invest in artificial intelligence (for example, machine learning) research and development.
  • Enhance access to data, models, algorithms, and computing resources to promote artificial intelligence research and development (consistent with obligations to maintain safety, security, privacy, and confidentiality).
  • Reduce barriers to the use of artificial intelligence (for example, machine learning) technologies.
  • Help develop technical standards that minimize vulnerability to attacks and “reflect Federal priorities for innovation, public trust, and public confidence in systems that use AI technologies.”
  • Train a workforce that can develop and take advantage of developments in artificial intelligence.
  • Develop an action plan “to protect the advantage of the United States in AI and technology critical to United States economic and national security interests against strategic competitors and foreign adversaries.”


Comprehensive data privacy legislation introduced in Massachusetts – includes private right of action without a need to prove harm

Massachusetts state Senator Cynthia Creem has introduced a consumer data privacy bill, SD 341, that would give Massachusetts consumers the right to sue in the event their personal information or biometric data is improperly collected or distributed or for any other potential violation of the new law. Under SD 341, and similar to Illinois’s Biometric Information Privacy Act (BIPA), consumers may not be required to demonstrate or have suffered monetary or property losses in order to seek damages for an alleged violation. Any violation of the proposed new law could be grounds for a valid private action.

The proposed bill is the latest signal that state legislatures are going to be increasingly active in regulating data protection issues. California’s new California Consumer Privacy Act (CCPA) is considered an expansion of privacy-related regulation beyond any existing federal or state law. Although the CCPA will not go into effect until January 2020, businesses are busy implementing compliance policies and procedures, including making plans now to ensure they can adequately and accurately respond to consumers’ requests regarding the type and nature of personal information they may possess on California residents. The Massachusetts bill appears to have many of the same characteristics as the CCPA, but its private right of action provision would be a boon for the plaintiff’s bar. Like Illinois’ BIPA and the Telephone Consumer Protection Act (TCPA), which have spawned scores of class action lawsuits, SD 341 does not require proof of actual damages. It states that “a violation of this chapter shall constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter.” A prevailing plaintiff can receive the greater of $750 “per consumer incident” or actual damages and can also receive attorneys’ fees.


The interplay between the Clinical Trials Regulation and the GDPR

The European Data Protection Board (EDPB) recently adopted its opinion on the interplay between the Clinical Trials Regulation 536/2014 (CTR) and the General Data Protection Regulation 2016/679 (GDPR) (the opinion). The opinion was given at the request of the European Commission.

The CTR seeks to harmonise the rules for conducting clinical trials throughout the European Union, and the request for an opinion stemmed from an acknowledgement of the crucial interplay between these two pieces of EU legislation. The EDPB emphasised that interplay by clearly stating in the opinion that the CTR cannot be used as an exemption from compliance with the GDPR.

The opinion distinguishes between the primary use of data and the secondary use of data in clinical trials.


German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic among the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018 stating that tracking and profiling cookies require opt-in consent (the ‘Position Paper’).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (the ‘Summary Report’), the Bavarian DPA stated that all of the websites reviewed used third-party tracking tools, but none had implemented them in compliance with data protection law. The websites tested belong to the following industries: online shops, sports, insurance, banking, media, cars and real estate.

The Bavarian DPA focused its audit on transparency and consent.


Notable challenges from the updated Massachusetts data breach notification law

The update to the existing Massachusetts data breach notification statute (set to go into effect on April 11, 2019) introduces novel requirements for notices to both affected individuals and regulators and requires credit monitoring services to be offered in some instances for at least 18 months. The legislation updates the statute in a number of particulars, but we focus here on the most notable new requirements.

Notable updates

Notices to affected individuals. The updated statute may require an organization to provide affected individuals with multiple (that is, repeat) notifications if after the initial notice the organization discovers information that updates or corrects the information required to be in such notifications. Other breach notification laws, like the EU’s General Data Protection Regulation and Canada’s breach notification law, may impose an ongoing obligation on organizations to notify regulators with updated information about breaches, but the Massachusetts statute may apply that same obligation to individual notices. The statute also sets forth additional content categories that the notices must contain.


Electric industry should focus efforts in 2019 to meet additional cybersecurity and supply chain requirements

In late 2018, the Federal Energy Regulatory Commission (FERC) published a final rule updating and adding to the Critical Infrastructure Protection (CIP) Reliability Standards, which are intended to help protect the bulk electric system (BES) in North America against cybersecurity risks. The final rule:

  • Creates a new Supply Chain Risk Management Reliability Standard (CIP-013-1)
  • Updates the Electronic Security Perimeter(s) Reliability Standard (CIP-005-6)
  • Updates the Configuration Change Management and Vulnerability Assessments Reliability Standard (CIP-010-3)

Organizations subject to the Reliability Standards have until July 1, 2020, to develop and implement the necessary policies, procedures, and systems to meet these new obligations.


Free flowing data for 127 million people: Japan and the EU break down personal data transfer barriers

On 23 January 2019, the European Commission adopted an adequacy decision for Japan, with immediate effect. The decision certifies Japan as having a comparable level of data protection to that of the European Union.

On the same day, Japan adopted an equivalent decision regarding the EU’s data protection regime. This is the first example of two jurisdictions mutually recognising each other’s level of data protection as adequate.

According to Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, the mutual adequacy findings have created “the world’s largest area of safe data transfers”. Data is now able to flow freely between the EU and Japan without the need for further safeguards or authorisations. Ms. Jourová recognised the decision as providing “an example for future partnerships in this key area” and setting “global standards”.

The adequacy decision

In order to align itself with EU standards, Japan introduced a number of additional safeguards. These include:

  1. Supplementary rules, adopted by Japan’s independent data protection authority, the Personal Information Protection Commission (PPC). The rules bridge the differences between the two data protection regimes by providing for a higher level of protection of individuals’ rights. The rules are binding on Japanese companies that receive EU data based on the adequacy decision, and are enforceable by the PPC and the Japanese courts.
  2. Safeguards for public authority access to personal data. Assurances were given to the European Commission regarding safeguards concerning Japanese public authorities’ access to personal data for criminal law enforcement and national security purposes. Such access is limited to what is necessary and proportionate.
  3. Complaints mechanism. The PPC will administer and supervise a new mechanism for investigating and resolving complaints from Europeans regarding access to their data by Japanese public authorities.

Comment

Japan’s adequacy decision complements the EU-Japan Economic Partnership Agreement, which will enter into force in February 2019, by facilitating commercial exchanges. This demonstrates a clear relationship between international trade, and the protection of personal data, while acknowledging that dialogues about each issue must remain separate.

The adequacy decision will be reviewed by the European Commission after two years. After this, a review will take place every four years.

Singapore announces series of initiatives to boost cybersecurity in the telecoms sector

Singapore has set up a new Telecom Cybersecurity Strategic Committee (TCSC) to develop a plan to tackle ‘next-generation cyber threats’ in the telecommunications sector.

The committee is expected to publish a strategy report and outline a roadmap for telecommunications operators to develop cybersecurity capabilities later in 2019. The report and roadmap will include recommendations for new initiatives such as capability development, technology innovation, regulation and international partnerships.

In his opening address at the inaugural Infocomm Media Cybersecurity Conference on 25 January 2019, Dr Janil Puthucheary, Senior Minister of State for the Ministry of Communications and Information, highlighted the following points.

As “Singapore aims to be a Smart Nation and a leading digital economy”, there is a vital need for cybersecurity. He added that the telecom industry is key and fundamental to secure Singapore’s connectivity infrastructure and services.

The government and telecommunication industry players should collaborate on cybersecurity matters. To date, some examples of such collaborative efforts include:

  • The Infocomm Media Development Authority of Singapore (IMDA)’s launch of the Infocomm Singapore Computer Emergency Response Team in 2015 to respond to cybersecurity threats within the telecommunications and media sectors; and
  • IMDA’s revision in 2018 of the Telecommunications Cybersecurity Code of Practice to ensure that best practices from the industry can be applied to the telecom space.

The TCSC will identify challenges, key telecommunication technologies and market developments that will shape the cyber threat landscape. This is to ensure that Singapore keeps up to date with global, technological and industry trends.


First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun

In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when checking compliance with data protection requirements. The first sanction decision rendered by the CNIL, on Monday January 21, 2019, which is to date the most severe sanction ever imposed on a web giant (‘GAFA’) under the GDPR, gives a sense of what that flexible approach might mean in the eyes of the French regulator.

Background: a wave of awareness among users at the EU level shows a new face of data protection

In a notice dated November 2018,[2] the CNIL reported that the number of claims related to privacy issues had significantly increased (by 34 percent) since the adoption of GDPR in May 2018. The protection of personal data seems therefore to be becoming an ever more important issue, especially since nonprofit associations are able to collectively report breaches and issue claims on behalf of users to EU data protection authorities, pursuant to Article 80 of the GDPR.

The January 21, 2019 decision of the CNIL against Google recalls the admissibility of complaints filed by nonprofit associations, which have a mandate to represent users. The decision thus follows the collective complaints filed a few days after the entry into force of the GDPR, on May 25 and 28, 2018, by the organization None of your business and the French organization La Quadrature du Net.

As reflected by the length and documented character of the decision (31 pages), delivered in an extremely short time frame after an expedited procedure (barely 10 weeks), the CNIL shows a clear willingness to exercise far-reaching control over the GAFAs regarding the information given to users and consent management, highlighting that the GDPR is aimed at preventing any form of “forum shopping.”
