Preemption, enforcement and consumer choice, oh my! The House and Senate explore a federal privacy law
On February 26 and 27, 2019, the House Subcommittee on Consumer Protection and Commerce, and the Senate Committee on Commerce, Science, and Transportation, respectively, held hearings to explore the potential passage of a national privacy law. In both houses, members of Congress and the panelists agreed that the federal government should enact legislation to protect consumers’ private data without stifling innovation or hurting small businesses. Both hearings were full of much discussion but minimal agreement about the scope and framework of such a law. There were, however, a few takeaways that could offer insight into what a national privacy law might – eventually – look like.
ICO brings prosecution against SCL Elections
Earlier this month, the Information Commissioner’s Office (ICO) brought a criminal prosecution against the parent company of Cambridge Analytica, SCL Elections, for failing to comply with an enforcement notice issued by the ICO. SCL was fined £15,000 and ordered to pay costs.
The criminal prosecution may not sound surprising – after all, SCL had failed to comply with an enforcement notice. Clearly the ICO is taking a hard-line approach to enforcement. SCL, however, was in administration at the time of the enforcement notice and therefore a key point to note here is that a company is still required to ensure it complies with its data protection responsibilities, including any enforcement, even when it is in administration.
Background
In January 2017, U.S. citizen Professor David Carroll made a subject access request to SCL. SCL responded disclosing some personal data, but Professor Carroll suspected that SCL had not disclosed everything. The response from SCL also contained inadequate information about where the data had been obtained and how it would be used. He complained to the ICO, who shared his concerns.
The ICO contacted SCL in September 2017 to ask for further information. SCL was not cooperative, incorrectly claiming that Professor Carroll had no legal right to access the data because he was not a UK citizen or based in the United Kingdom. In rejecting SCL’s claim that a U.S. citizen has no legal right to access the data, the ICO confirmed that “anyone who requests their personal information from a UK-based company or organisation is legally entitled to have that request answered, in full, under UK data protection law.”
Regulating the tech giants
“2018 was the year that people have woken up to the importance of privacy and have begun to bite back at big tech”.
This was the view expressed by James Dipple-Johnstone, Deputy Commissioner (Operations) at the UK Information Commissioner’s Office (ICO), during his recent speech at the Institute of Directors in London.
The speech focused on the ICO’s regulation of tech giants in the digital age. It highlighted the many benefits of big tech and big data, indicating that their influence and importance is only likely to grow. However, his speech also stressed that there are deep public concerns about the business models of some tech giants and their increasingly opaque uses of personal data.
ICO brings criminal prosecution for data misuse
The Information Commissioner’s Office (ICO) has prosecuted an individual under the Computer Misuse Act 1990 (CMA 1990), resulting in a six-month prison sentence. This prosecution is the first of its kind by the ICO.
The facts
The defendant was a man named Mustafa Kasim. Mr Kasim was employed in the motor repair industry and had used a colleague’s log-in details to access a software system. This allowed Mr Kasim to access the personal data of customers, such as their names, phone numbers, and vehicle and accident information, without permission. Mr Kasim continued to access the software after moving to a different organisation.
DOJ issues updated best practices on cyber incidents; incorporates CISA
On September 27, 2018, as part of the Department of Justice’s (DOJ) cybersecurity roundtable discussion, the DOJ’s Cybersecurity Unit issued Best Practices for Victim Response and Reporting of Cyber Incidents (the Best Practices), including a Cyber Incident Preparedness Checklist. As noted by the DOJ, the Best Practices do not have the force of law, and they are “not intended to have any regulatory effect.” Regardless, the Best Practices provide insight into the DOJ’s concerns with respect to cybersecurity and its expectations regarding organizations’ levels of effort on cybersecurity.
The newly published Best Practices are an update to the Best Practices issued in April 2015. Notable items in the updated Best Practices are:
- Integration of CISA to the Best Practices: The Best Practices incorporate the Cybersecurity Information Sharing Act of 2015 (CISA), which “provides private entities with broad authority to conduct cybersecurity monitoring of their own networks, or a third party’s networks with appropriate consent.” CISA provides an exception to other potentially conflicting laws, such as the Wiretap Act and the Pen Register/Trap and Trace Act, as long as the CISA requirements are met. Under CISA, private entities are permitted to monitor information or an information system for a “cybersecurity purpose,” which means a “purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” CISA is also meant to promote sharing information about cybersecurity threats by affording protections to private entities against certain liabilities (as long as CISA requirements are met).
- Descriptions of basic cybersecurity procedures: The Best Practices describe several protocols as basic cybersecurity procedures. Specifically, they recommend: (i) a reasonable patch management program to address software vulnerabilities; (ii) access controls and network segmentation to limit the data at risk; and (iii) maintenance of copies of server logs
FTC continues aggressive enforcement of Privacy Shield
On Thursday, September 27, the Federal Trade Commission (FTC) announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc., following allegations that the companies falsely claimed to be certified under the EU-U.S. Privacy Shield.
Specifically, the FTC alleged that IDmission, LLC misrepresented participation in the program by claiming certification on its website despite never completing the steps necessary to participate following the company’s October 2017 application. On the other hand, mResource LLC, SmartStart Employment Screening, Inc., and VenPath, Inc. each successfully obtained Privacy Shield certification in 2016 but failed to properly renew expired certifications. Therefore, the FTC alleged the three companies misrepresented that they were current participants in the program.
Further, the FTC alleged that SmartStart Employment Screening, Inc. and VenPath, Inc. additionally misrepresented that they adhere to the Privacy Shield Principles by failing to withdraw or affirm the commitment to protect personal information acquired during participation in the program. The Privacy Shield Principles require that if a company ceases to participate, the company must affirm to the U.S. Department of Commerce that it will continue to apply the Privacy Shield Principles to such personal information.
SEC Increases Focus on Cyber Incident Response
In the past few years, we have seen an uptick in agencies beginning to focus on the cybersecurity readiness and response of organizations subject to their jurisdiction.
The U.S. Securities and Exchange Commission (SEC), for example, has identified cybersecurity as a top priority for many years. This past June, the SEC named Stephanie Avakian and…
In the age of Big Data, the EDPS issues an Opinion on enforcement and upholding fundamental rights
The European Data Protection Supervisor (“EDPS”) issued an Opinion on “coherent enforcement of fundamental rights in the age of big data”. This is an update to the EDPS’ Preliminary Opinion in 2014 on “Privacy and competitiveness in the age of big data”. The Preliminary Opinion observed a tendency for EU rules of data protection, consumer protection, and antitrust enforcement and merger control to be applied in “silos”. The new Opinion develops the notion and suggests that the Digital Single Market Strategy provides an opportunity for a “coherent approach”, and makes recommendations to support this.
New data-driven technologies and services are important for economic growth, but many have become reliant on the “covert tracking” of individuals who are likely unaware of that tracking. There is the danger that larger companies may be able to block smaller companies from entering the market. This might also have the knock-on effect of creating an imbalance between providers and consumers, which may ultimately impact on choice, innovation and the protection of consumers’ personal data.
When considering the rights and freedoms set out in the Charter of Fundamental Rights of the EU – including the right to privacy, the protection of personal data and freedom of expression – it has been recognised that these rights are “threatened by normative behaviour and standards that now prevail in cyberspace.” So the latest Opinion encourages regulators to engage in dialogue and share lessons learned to work collaboratively and uphold the interests of individuals and society in the ever-growing digital environment.
New FAA Drone Rules
On June 21, 2016, the FAA issued its long-awaited regulations governing “Small Unmanned Aircraft,” or drone operation. The regulations allow the use of drones weighing less than 55 pounds, traveling less than 100 mph groundspeed, and up to 400 feet above the ground, for a wide variety of purposes during daylight hours. The regulations allow…
Hong Kong Commissioner upgrades rules for processing biometric data
The Hong Kong Commissioner has published guidance (‘Guidance’) to assist data users in complying with Hong Kong’s privacy laws when processing biometric data. The Guidance takes a broader approach than previous guidance dealing with when and how biometric data may be handled by an organisation.
Although no distinction is drawn between personal data and sensitive personal data in Hong Kong’s data protection legislation, biometric data appears worthy of greater protection because of its sensitive nature. As a result, the Guidance outlines stricter standards expected of organisations when they handle both physiological and behavioural biometric data.