Launching New Multistate Assessment Tool for Data Breach Notification Obligations

Nearly every state in the United States requires notification when certain personal information is lost, stolen, or misused. However, the many state laws vary in subtle but crucial respects, making it difficult to get to a bottom line quickly. Reed Smith’s Information Technology, Privacy & Data Security practice is thrilled to release a first-of-its-kind tool designed to help companies clarify their notification strategy in response to a data loss incident. Breach RespondeRS guides companies through a series of basic factual questions and shares immediate initial assessment reports as to the likelihood that notification is required.

The app’s release was accompanied by the animated video short below, which shows how Breach RespondeRS can aid both post-incident response and pre-incident assessment, identifying risks under different scenarios so that companies can prepare accordingly.

CIPL produces roadmap for potential certification standards under GDPR

As part of its GDPR Implementation Project, the Centre for Information Policy Leadership (‘CIPL’) has released a discussion paper on certifications, seals and marks. The paper stresses the benefits of certifications that can be adapted to different companies and contexts, all while retaining common cross-border baselines. As no such measure is currently in place ahead of the GDPR’s adoption, the paper intends to: (i) facilitate the development of certifications; (ii) envision what would work best in practice; and (iii) set out what will be required to achieve GDPR-compliant certification mechanisms.

A useful feature of the paper is that it identifies the benefits of certifications from the perspectives of individuals, controllers and data protection authorities (‘DPAs’), which allows entities considering certification to see the benefits from all points of view.

The core of the certification network, according to the paper, would be an EU-wide certification standard. While the paper is very comprehensive, what appears to be missing is an assessment of how realistic it is that such a standard can be developed. The CIPL does, however, acknowledge that an ideal GDPR certification would be interoperable with other similar mechanisms, such as ISO standards, the EU-U.S. Privacy Shield, and the Japan Privacy Mark. The paper has very strong arguments for how the system could work in practice but, in order to implement such wide-ranging, cross-border standards, it will likely take years of development, as well as substantial resources from all stakeholders involved. The benefits, however, are substantial, creating the potential for a wholly positive data protection environment to work towards.

Some key points from the paper are as follows:

  • Certifications, seals and marks could potentially allow companies to demonstrate “organisational accountability” in respect of GDPR compliance;
  • Certified organisations would be seen by DPAs as having a lower risk profile, thus potentially reducing the need for data protection impact assessments;
  • Business-to-business due diligence process may be streamlined; and
  • The workload of DPAs could be reduced, as certification bodies may take on the burden of supervision and oversight, and, due to enhanced compliance processes, enforcement burdens and complaint handling would be reduced.

GDPR: Countdown to Compliance Breakfast Roundtable

On 23 May 2017, our European IT, Privacy and Data Security team hosted a breakfast roundtable to discuss the most pertinent GDPR questions that our clients are facing, with only 12 months to go until the GDPR comes fully into effect. With the many new and enhanced obligations that the GDPR is introducing for businesses, we are working with clients across all industry sectors to help them take the crucial steps to get ahead on the path to compliance.

Team members gave a brief presentation on the key issues that we focus on most frequently, giving advice and tips on planning compliance activities for the next 12 months. We took questions throughout the event and, since then, have prepared further guidance on the topics for which we received the most queries.

Please download the 12-page booklet that we have prepared following this event, which features 10 steps you should aim to complete between now and 25 May 2018. Click here to download.

We would like to extend our grateful thanks to those who attended our roundtable and who contributed to the discussion. We plan to host another breakfast roundtable in November addressing the key GDPR issues with six months to go.

If you have any questions on the GDPR, or any other feature of our changing data-protection landscape, please contact a member of our team.


One year to go – European Commission issues statement on benefits of GDPR

“A year from now, the European Union will start benefiting from the new data protection standards.”

This week, the European Commission’s most senior voices gave an official statement promoting the benefits of the new General Data Protection Regulation (GDPR). Andrus Ansip (Vice-President) and Věra Jourová (Commissioner) of the European Commission aimed their statement at all those who will be affected by GDPR changes, from individual data subjects, to processing organisations and Member States. In the spirit of harmonisation of EU rules, the statement made clear that the GDPR will be one “single set of rules across the EU”, which is intended to create more legal certainty for businesses in order to foster growth within the Digital Single Market.

Member States are encouraged to ‘step up’ their work this year by engaging with companies and ensuring a harmonised approach so that the law, once implemented, is not fragmented across the EU. It is also noted that there will be a European Commission-led EU-wide campaign later this year to raise awareness. The statement notes that, in order to make compliance cheaper and less complicated, companies will only have to deal with one single supervisory authority, rather than 28 as now.

Other benefits highlighted are the fact that public services can be modernised, and that citizens can become more empowered as their data protection rights are clarified by the GDPR.

Despite the grey areas that are still present in how the GDPR will work in practice, the statement also proposes more legislation around the free flow of data, to be released later in 2017.

Please stay tuned to our blog for further GDPR updates.

Still no clarity on data protection on websites: EU ePrivacy Regulation will not come into force by May 2018

The Council of the European Union (“Council”) has predicted that the ePrivacy Regulation will not come into force by 25 May 2018. The ePrivacy Directive (Directive 2002/58/EC) will, therefore, continue to apply.

The new ePrivacy Regulation

The new European data protection regime will enter into force in about one year. The General Data Protection Regulation (“GDPR”) will provide the general framework.

Besides the GDPR, the European Commission adopted a proposal for a Regulation on Privacy and Electronic Communications (“ePrivacy Regulation”) on 10 January 2017. The ePrivacy Regulation will provide specific data protection rules for the online space on cookies, online communications, analytics and spamming. It seeks to align the rules for electronic communications with the new standards of the GDPR. We have previously provided a summary of the main provisions of the proposed ePrivacy Regulation here.

The January draft of the ePrivacy Regulation was – rightfully – criticized heavily by various stakeholders. The online community criticized, for example, the various consent requirements in the context of website analytics, and the extension of the rules to over-the-top (OTT) services. The ePrivacy Regulation is currently under review.

Review by Council

The ePrivacy Regulation was originally planned to enter into force on 25 May 2018 – together with the GDPR. While many have already questioned the timeline, the Council stated in a Report on the ePrivacy Regulation of 19 May 2017 that the proposed date of application is “unrealistic”.

Some of the most important issues raised by the Council in its review of the ePrivacy Regulation include:

  • A detailed analysis of possible overlaps, duplications or contradictions with other legislation, including the GDPR, is necessary.
  • The impact of the extension of scope of the ePrivacy Regulation to over-the-top players needs clearer explanations.
  • It is unclear if the proposed solution for cookies (consent via browser settings) will achieve its objectives. The impact on online advertising companies must be further analysed.

The Council will continue its analysis until approximately end of June 2017.

Review by WP29

On 4 April 2017, the Article 29 Working Party (“WP29”) also issued an Opinion on the ePrivacy Regulation. WP29 stated that it generally welcomes the ePrivacy Regulation and the approach chosen in the Regulation of broad prohibitions and narrow exceptions, and the targeted application of the concept of consent. However, WP29 also raised concerns that the ePrivacy Regulation would lower the level of protection enjoyed under the GDPR regarding (i) the tracking of the location of terminal equipment, (ii) the conditions under which analysis of content and metadata is allowed, (iii) the default settings of terminal equipment, and (iv) tracking walls.

What’s next?

It remains to be seen when the ePrivacy Regulation will enter into force and what its final content will look like. Organizations that are getting ready for the new data protection regime – in particular those that use cookies and direct marketing – should continue to follow the developments regarding the ePrivacy Regulation, and review their respective processes. However, as the GDPR will also provide for the basis for data protection in the online space, organizations should continue to include online data protection into their GDPR readiness plans.

The new ePrivacy Regulation will be just as important for organizations as the GDPR. A violation could also lead to fines of up to EUR20 million or 4% of the worldwide annual turnover.



Impact of online sales restrictions on EU and German competition enforcement

In the course of its E-commerce Sector Inquiry (Sector Inquiry) launched in May 2015, the European Commission gained an insight into the standard business practices engaged in by producers of consumer goods when distributing their products online. The Sector Inquiry, which formed part of the Commission’s wider Digital Single Market Strategy, was recently completed, with the European Commission publishing its long-awaited final report (Report) on 10 May 2017. Information on the Sector Inquiry and all related documents can be found here.

According to the Report, manufacturers of branded goods often restrict their retailers’ online sales activities or prohibit them from selling via online marketplaces and platforms (Platform Ban). Some manufacturers claim that increasing online sales activities of their retailers will lead to an erosion of end-consumer prices as selling through the internet puts a significant pressure on pricing due to the high level of transparency and consumer reach it generates.

The actual online sales generated via online channels are, of course, adding to manufacturers’ overall sales figures and would therefore be expected to be in their overall commercial interests. However, some brand manufacturers claim that they experience a decrease in both overall sales and profitability in the medium and long term due to the increasing pricing pressure resulting from online sales. They maintain that such development could harm their retailers’ brick-and-mortar sales performance, which may require higher investments especially when specific customer services are provided.

To ensure that brick-and-mortar sales remain attractive to consumers, retailers seek to match the cheaper online prices offline. Accordingly, ‘hybrid’ retailers tend to request cheaper sell-in prices or higher front margins for products sold offline (as compared to online sales) in order to ensure profitability. Larger retailers with a certain degree of buyer power may even threaten the manufacturer concerned with the de-listing of their branded goods from their brick-and-mortar offerings, which could have a significant impact on the manufacturer’s sales performance.

Statistics suggest an increasing shift in sales from offline to online, a trend which is effectively set by consumer shopping preferences. The replacement of offline by online sales is leading to a decrease in brick-and-mortar infrastructure and offline sales activity by retailers. Manufacturers that take a sceptical view of, and in some cases restrict, online sales argue that however well-trained and consumer service-oriented online shops are, they simply cannot provide a ‘look and feel’ experience to consumers.

Brand-makers wishing to retain a presence for their products in the offline retail world may therefore wish to support offline retail activity with a performance-oriented approach and/or by keeping control over online prices. However, both these approaches are likely to be at odds with applicable German and European competition rules. Maintaining resale prices and adopting pricing strategies which restrict online sales are considered a hardcore restriction of competition under Article 4 of the European Commission’s Vertical Block Exemption Regulation (VBER).

In its Report, the Commission identifies that pricing limitations, dual pricing (i.e., charging different prices according to the channel through which a product is sold) and Platform Bans are among the most widespread vertical competition restraints in e-commerce. The European Commission takes the following view on these restrictions of competition in its Report:

  • Measures seeking to control retailers’ prices in online sales by restricting the retailers’ freedom to set their final prices to customers are clearly a hardcore restriction of competition within the meaning of Article 4(a) of the VBER. The Commission’s position is generally in line with its guidance provided regarding resale price maintenance in its Vertical Guidelines, and is further evidenced by the enforcement practices at both EU and national level.
  • In relation to dual pricing, the Report mentions that several respondents to the Sector Inquiry criticised the current competition rules as being too strict. Under the prevailing rules, manufacturers are generally prohibited from charging different prices to hybrid retailers according to whether they sell the manufacturers’ products online or offline. Further, the Report refers to critical voices which claim that only by engaging in dual prices can a level playing field between online and offline trade be established by taking into account the different cost structures of these channels. The Commission also mentions that there is a call for a more flexible, performance-oriented approach, i.e. a differentiation in pricing according to the channel, which would encourage the retailers’ investments in more costly (typically offline) value added services. The Commission goes on to refer to the existing guidance provided in relation to the VBER when it concludes that dual pricing is generally considered to constitute a hardcore infringement under the VBER, and that exempting dual pricing under the efficiency defence of Article 101(3) of the Treaty on the Functioning of the European Union is only permissible in limited circumstances. In Germany, where enforcement in relation to dual pricing is particularly strict, the German Federal Cartel Office has so far refused to accept an exemption on the grounds of the efficiency defence.
  • One of the main aims of the Sector Inquiry was to better understand the prevalence and characteristics of marketplace restrictions and the importance of marketplaces as a sales channel for retailers and manufacturers. The Report contains some data concerning the relevance of online marketplaces which suggests that Germany is the Member State with by far the highest proportion of marketplace restrictions (including direct Platform Bans and indirect restrictions on platform sales through quality requirements) and that these restrictions are mostly found in selective distribution agreements and typically concern branded goods (while not being limited to luxury, complex or technical products). Regarding the admissibility of Platform Bans under competition law, the Report makes reference to the preliminary ruling currently pending before the European Court of Justice (CJEU) in Case C-230/16 – Coty Germany GmbH v Parfümerie Akzente GmbH. In this case, a manufacturer of branded cosmetic products wanted to prohibit its retailers within a selective distribution system from selling its products via a certain online marketplace. The Higher Regional Court of Frankfurt is staying its proceeding while it seeks guidance from the CJEU on the question of whether or not the relevant Platform Ban constitutes a hardcore restriction within the meaning of Article 4b) and/or c) of the VBER. The outcome of this case is still open but hopefully the ruling will provide for specific guidance beyond this case as to when Platform Bans comply with competition rules.
  • In its Report, the Commission concludes that Platform Bans do not necessarily amount to a hardcore restriction of competition within the meaning of Article 4 of the VBER because they do not generally amount to a de facto prohibition of sales via the internet (which would in turn be seen as a hardcore infringement), as there are alternative ways of selling online (e.g., through retailers’ own websites) which a Platform Ban does not prevent. While Platform Bans may not be in line with competition law in all circumstances (and the degree to which they might infringe competition law would depend, in particular, on the relevant market size of both the manufacturer and retailer concerned, the type of product and the distribution system within which the restriction occurs), the Commission’s position regarding Platform Bans expressed in the Report can be interpreted as potentially loosening up enforcement policy in this area.

It should be noted that the Commission indicates in the Report that it intends to conduct targeted enforcement in the e-commerce sector in the near future, aimed at those business practices with the greatest potential to harm competition. Against this background, it is wise for manufacturers to take a close look at the relevant distribution terms in their agreements with retailers in order to minimise risk exposure.

European Commission Fines Facebook US$122 Million for Providing Inaccurate Information in WhatsApp Merger Review

The European Commission has imposed a fine of EUR110 million (US$122 million) on Facebook for providing misleading or incorrect information to the European Commission when it filed the acquisition of WhatsApp for merger approval in 2014.

In the notification, Facebook stated that it would be unable to establish a reliable automated matching between Facebook users’ accounts and WhatsApp users’ accounts. However, two years later, Facebook updated its terms of service, which then allowed for a matching of Facebook and WhatsApp user accounts. According to the Commission’s ensuing investigation, the ability to automatically match users existed already at the time of the WhatsApp acquisition, when Facebook filed the WhatsApp acquisition for merger approval.

Implications: A Warning Shot for Business

The Commission sees this as a warning shot, says Margrethe Vestager, the EU’s competition commissioner: “Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information.” On her Twitter account, she posted: “We need accurate #facts to do our job.”

The merger clearance approving Facebook’s acquisition of WhatsApp will not be affected by today’s decision. Although the Commission has the power to withdraw the clearance if it is based on incorrect or misleading information, the clearance in this case was based on facts beyond the possibility for automated matching, and even analyzed the effects of such an automated matching. The Commission therefore decided not to withdraw the clearance of the transaction.

Risk of Major Fines Even for Procedural Violations: 1% of Global Turnover

While today’s decision is the first fine for providing incorrect or misleading information, the Commission over recent years has repeatedly fined companies for violation of procedural requirements. Under the applicable rules, the Commission can fine companies up to 1 percent of their global annual turnover for violation of procedural requirements, while violations of substantive EU competition law can be fined up to 10 percent of global annual turnover. Based on 2016 data, the Commission could have imposed a fine on Facebook of up to EUR248 million (US$276 million) for the procedural violation.

Earlier, the Commission had fined Germany’s E.On EUR38 million (US$42.2 million) and France’s Suez Environnement EUR8 million (US$8.9 million) for breaching seals during inspections, as well as Belgium’s Electrabel and Norway’s Marine Harvest each EUR20 million (US$22.2 million) for gun-jumping in acquisitions. A Czech energy company had been fined EUR2.5 million (US$3.3 million) for obstruction during an inspection by not blocking email accounts of employees, and for failure to disclose complete information.

WhatsApp Acquisition Raises Antitrust Jurisdictional Debate

Facebook’s WhatsApp acquisition had sparked a discussion on whether the current turnover-based jurisdictional test in European merger control was suitable to deal with acquisitions in the digital economy. The US$19 billion acquisition was initially not reportable to the European Commission, as WhatsApp in 2013 generated only US$10 million in annual turnover. However, the transaction triggered market-share-based tests in various EU Member States, and was referred to the Commission upon application of Facebook. Current discussions include the introduction of a transaction value-based system, and Germany has just updated its merger control rules to capture transactions valued at EUR400 million or more, even where the target company has only minimal turnover.

Similarly, the transaction has shone a spotlight on the question of whether platforms that are seemingly free to end users are subject to the antitrust rules, as end users do not pay for the platform’s services in money. However, competition authorities in Europe have clearly stated that they see these interactions as business transactions in which users pay for the platform’s services with their personal data. Germany has, for example, very recently amended its Competition Act to clarify that a market subject to antitrust review does not require payment in money. In addition, the amendment sets the parameters according to which market power in digital markets is measured.

Today’s decision will not affect ongoing national antitrust procedures (such as in Germany), or privacy, data protection, or consumer protection issues, which may arise following the August 2016 update of WhatsApp terms of service and privacy policy.



Cross-border data flows: FAQs released for Swiss-U.S. Privacy Shield

For organisations with data flows between the United States and Switzerland, it is now possible to self-certify to the Swiss-U.S. Privacy Shield Framework. This process became available on 12 April 2017. The Swiss-U.S. Privacy Shield will operate in a substantially similar way to the EU-U.S. Privacy Shield. There are, however, key differences, including: (1) the definition of ‘sensitive data’ under the Swiss-U.S. Privacy Shield is modified and includes ideological views or activities, information on social security measures, and administrative or criminal proceedings and resulting sanctions (which are treated outside pending proceedings); and (2) the U.S. Department of Commerce is to work with the Swiss Government to incorporate binding arbitration into Annex I of the Swiss-U.S. Privacy Shield Framework.

Frequently Asked Questions (FAQs) have been produced to assist organisations with the voluntary self-certification process, setting out the respective frameworks for the EU and Switzerland. Specifically, the FAQs provide guidance on how to certify to either or both frameworks, and importantly for those already certified to the EU-U.S. Privacy Shield, how to also certify to the Swiss-U.S. Privacy Shield. The procedure can be completed via the Privacy Shield website by following this link.

The FAQs also outline the fact that an annual fee for the Swiss-U.S. Privacy Shield will become payable; this fee is tiered based on the relevant organisation’s annual revenue. It is noted that an organisation’s recertification date for both the Swiss-U.S. and EU-U.S. frameworks will be one year from the date on which the earlier of its two certifications is finalised.

Regarding the now defunct Swiss-U.S. Safe Harbor Framework, organisations will automatically be withdrawn from the old regime upon self-certifying to the Swiss-U.S. Privacy Shield. The FAQs do, however, expressly state that as well as updating privacy policies to align with Privacy Shield requirements, prior to certifying, organisations must remove all references to the Swiss-U.S. Safe Harbor Framework. In order to assist in this regard, the FAQs provide sample wording for organisations participating in either or both of the frameworks.

Although certification is voluntary, it is beneficial for organisations to commit to the Swiss-U.S. Privacy Shield if the relevant data transfers occur. The Privacy Shield commitment will then become enforceable under U.S. law and will also demonstrate compliance with Swiss data transfer regulations.

President Trump Signs Executive Order on Cybersecurity Focusing on Critical Infrastructure, Federal Networks and Public Cybersecurity Policy

On Monday, May 11, 2017, President Donald Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The Executive Order comes after Trump had postponed signing a similar executive order on cybersecurity on Feb. 1, and another draft executive order had been circulated Feb. 10.

The final Executive Order aligns with the preceding Executive Order 13636, “Improving Critical Infrastructure Security,” signed by the Obama administration on Feb. 12, 2013.  Like the 2013 order, Trump’s Executive Order directs federal agencies to take actions related to the cybersecurity of critical infrastructure and of federal networks.  Trump’s order goes beyond its predecessor to address key public policy issues relating to cybersecurity, including workforce development and international cooperation.

Cybersecurity of Critical Infrastructure

The Executive Order provides that agencies will take actions both relating to the protection of critical infrastructure in general and to specific sectors and issues. At a general level, the order provides that the Secretary of Defense, the Attorney General, the Director of National Intelligence, and the Director of the FBI, and the heads of the appropriate agencies, including the Department of Health and Human Services, will identify “authorities and capabilities” agencies could use to support “critical infrastructure entities.”  The order also directs the Secretaries of Commerce and Homeland Security to examine the market transparency of the cybersecurity risk management practices of critical infrastructure entities, and provide a report within 90 days.

At a sector-specific level, the Executive Order also addresses cybersecurity for the energy and defense sectors. The order stipulates that the Secretaries of Homeland Security and of Energy are to assess and provide a report within 90 days on the vulnerability of the energy sector, and the possibility for a “prolonged power outage” resulting from a cyber incident.  With regard to defense, the Secretaries of Defense and of Homeland Security, and the Director of the FBI, are instructed to provide a classified report on the cybersecurity risks and recommendations for the defense industrial base, including supply chain and military platforms, systems, networks, and capabilities.

Finally, the order also specifically addresses the threat posed by botnets and other automated, distributed threats, providing that the Secretaries of Commerce and of Homeland Security shall take steps to reduce such threats by identifying and promoting actions by appropriate stakeholders, including private sector entities. The two agencies are to provide a preliminary report within 240 days.  Threats posed by botnets have become increasingly prevalent as malware such as Mirai exploits “Internet of Things” devices (e.g., smart TVs, web cameras) to launch cyberattacks. This month, the WannaCry ransomware computer worm infected more than 230,000 computers in 150 countries, locking users out of their data and demanding a payment in exchange for the restoration of files.

Accordingly, organizations that operate critical infrastructure may expect increased engagement and scrutiny from federal agencies regarding their cybersecurity practices. This is particularly true for organizations in the energy, communications, and defense industrial base sectors. Critical infrastructure entities are organizations in sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”  These sectors were identified in Presidential Policy Directive 21 (PPD-21) and include, in addition to the sectors mentioned above, financial services, critical manufacturing, health care and public health, and transportation systems.

Cybersecurity of Federal Networks

The Executive Order furthermore addresses federal agencies’ own cybersecurity risk management and IT modernization. The order requires agencies to use the “Framework for Improving Critical Infrastructure Cybersecurity,” published by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk, and to provide a risk-management report detailing their plan to implement the framework within 90 days.  The NIST Framework is a set of industry standards and best practices intended to help organizations manage cybersecurity risk in a cost-effective way.  With regard to IT modernization, the order directs agencies to show preference in procurement for shared IT services, such as email, cloud, and cybersecurity services, and instructs the Director of the American Technology Council to provide a report on the modernization of federal IT within 90 days.

Cybersecurity for the Nation

Finally, the Executive Order addresses several public policy issues relating to cybersecurity, including cybersecurity workforce development and international cooperation. The order directs the Secretary of State and several other agencies to provide a report documenting an engagement strategy for international cooperation in cybersecurity within 90 days.  Likewise, the order directs that the Secretaries of Commerce and Homeland Security produce a report within 120 days assessing efforts to educate and train the American cybersecurity workforce, and providing recommendations.  The Director of National Intelligence and the Secretary of Defense are similarly directed to produce their own reports, respectively examining foreign cybersecurity workforce development practices and assessing the sufficiency of U.S. efforts in maintaining its advantage in national cybersecurity capabilities.