Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

EU General Data Protection Regulation – First day of ‘trilogue’ discussions

Posted in European Union

By Monika Kuschewsky and Vera Coughlan

Today, the first meeting between the European Parliament (“EP”), the Council and the Commission (called “trilogue”) took place with the aim of reaching an agreement on the General Data Protection Regulation (“GDPR”) by the end of the year.  (For background, please see our previous InsidePrivacy post on the Council’s recently agreed general approach.)  The three EU institutions also discussed the status and timetable for the trilogue negotiations on the proposed Data Protection Directive in the law enforcement context (“Law Enforcement DP Directive”).

Right after the meeting, the EP’s rapporteur on the GDPR, Green MEP Jan-Philipp Albrecht, the Chair of the Civil Liberties, Justice and Home Affairs (‘LIBE’) committee, S&D MEP Claude Moraes, justice ministers from the outgoing (Latvia) and incoming (Luxembourg) Council Presidencies, and the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, gave a joint press conference on the state of play of the talks and next steps.

Highlights of the Canada Digital Privacy Act 2015

Posted in Canada

On June 18, 2015, the Canadian Parliament passed the Digital Privacy Act (DPA), Senate Bill S-4, into law.  The DPA amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA) in important respects, including introducing a new data breach notification requirement (which is not yet in force) and making other material changes to PIPEDA.  This post summarizes key changes to PIPEDA brought about by the DPA.

Supreme Court Strikes Down Ordinance Authorizing Warrantless Searches of Hotel Records

Posted in Litigation

On June 22, the Supreme Court issued its decision in Los Angeles v. Patel, striking down a Los Angeles city ordinance that allowed law enforcement to inspect hotel guest registers on demand as facially unconstitutional.  Writing for a 5-4 majority, Justice Sotomayor held that the ordinance violated the Fourth Amendment by failing to provide for any form of review of search requests before hotels were forced to comply with law enforcement demands.  According to the Court, this failure was fatal to the City of Los Angeles’ argument that the ordinance satisfies the requirements for the administrative search exception to the Fourth Amendment’s warrant requirement.

FCC Ruling Tightens TCPA Restrictions; Dissenters Warn of Increased Class-Action Abuse

Posted in Federal Communications Commission, Litigation

In an order adopted at Thursday’s Open Meeting, the Federal Communications Commission acted on 23 petitions or other requests for clarification regarding the application of the Telephone Consumer Protection Act, a federal law that restricts telemarketing and certain other types of calls.  The FCC has issued a news release describing yesterday’s order as an effort to “clos[e] loopholes and strengthen[] consumer protections already on the books.”  The text of the order is expected to be released in the coming days.

Covington Webinar: The EU General Data Protection Regulation – What’s Next and What It Means For Your Business

Posted in European Union

As we recently covered on this blog, on June 15, the Council of Ministers of the EU reached a long-awaited ‘common approach’ on a revised text of the proposed General Data Protection Regulation (GDPR).

Covington will be running a webinar on July 1, repeated on July 2 to accommodate attendees from different timezones, at which specialists from Covington’s London and Brussels office will explain:

  • the current status of the GDPR proposal,
  • the next steps in the legislative process,
  • the expected main changes to the current legal framework, and
  • how companies can prepare in advance.

For more information, and to register for either of the sessions, please click here.

Updates to State Data Security and Breach Notification Laws — Connecticut and Oregon

Posted in Data Security

Last week, both Connecticut and Oregon amended their respective data security and breach notification laws; the amended laws impose stricter requirements on entities that store or process personally identifiable information (“PII”) or health-related information.  A full analysis of each bill is below.

Council Agrees Common Approach on EU General Data Protection Regulation – Negotiations With Parliament and Commission on Final Text To Begin Imminently

Posted in European Union

In today’s Justice and Home Affairs (“JHA”) Council meeting (see here), the Council of Ministers of the EU agreed the Council’s long-awaited common approach on a revised text of the proposed General Data Protection Regulation (“GDPR”). The Presidency of the Council of the EU had published a compromise text for approval by the JHA Council last Thursday, June 11 (the text can be downloaded here).

The Council’s vote fires the starting gun for three-way negotiations between the European Parliament, the Council and the Commission (the so-called “trilogue”) to reach an overall agreement on a final GDPR text.  Once passed, the GDPR will bring about a major reform to the EU’s general data protection regime.

The largest political group in the European Parliament (the “EPP”) has released a tentative timetable for the GDPR trilogue (see here), with two meetings scheduled before the summer break.  In the first (scheduled for June 24), the parties will try to agree, among other things, on an overall roadmap for the trilogue discussions. A second meeting, potentially on July 14, may discuss territorial scope and international transfers.

The EU’s legislators are targeting the end of 2015 for the adoption of the GDPR (reconfirmed at today’s JHA meeting), meaning that the GDPR could possibly come into force in late 2017 or early 2018 (after a transition period likely to last around two years).

The Council vote marks the end of an intense push over the past few months to agree on a draft at Council level. It comes more than a year after the Parliament finalized its own position, and three years in total since the Commission’s publication of the underlying proposal.

As of July, Luxembourg, which assumes the rotating Presidency of the Council for the next six months, will represent the Council in the negotiations. The Parliament’s negotiating team, meanwhile, will continue to be led by Jan-Philipp Albrecht, a Green party MEP from Germany with overall responsibility for the GDPR in the Parliament.

Broadly speaking, the Council has tended to take a more business-friendly approach on a number of issues than the Parliament, and the Council text differs from the original Commission proposal in a number of areas, including:

  • the lawfulness of processing, in particular further processing and formalities around obtaining consent;
  • the degree to which each EU Member State should be allowed to maintain or introduce more specific provisions or further conditions in their own national laws;
  • transparency requirements;
  • the rights of data subjects, such as the right to object to use of data, the right to be forgotten, and the right to ‘data portability’;
  • controllers’ and processors’ obligations, and the attribution of responsibility between them; and
  • the powers of supervisory authorities, the “one-stop shop” mechanism and the role of a new European Data Protection Board.

Despite a number of proposed changes to the chapter on Remedies, Liability and Sanctions, the text proposed by the Luxembourg Presidency for approval did not change the level of the fines as proposed by the Commission in its initial proposal.

Given the discrepancy between the positions of the Council and of the Parliament in a number of areas, it is difficult to predict the outcome of the trilogue. Moreover, following the Parliament’s elections in May last year, the Parliament has a different make-up to the one that agreed the Parliament’s GDPR draft, further adding to the uncertainty over the parties’ priorities and positions for trilogue.

Update on the Cybersecurity Directive – over to Luxembourg?

Posted in Cybersecurity, Data Breaches, Data Security, European Union

Next week we expect to find out if the Council of the EU will finally agree (“adopt a general approach”) on its version of the proposed General Data Protection Regulation (GDPR).  Progress with a “little brother” of the GDPR – namely the proposed Network and Information Security (NIS) Directive, tagged the Cybersecurity Directive – continues in parallel.  Before providing news next week on the GDPR, we thought that it would be useful to provide a quick update on NIS, especially as some of the issues with the GDPR – such as jurisdiction and supervision of companies – also are proving to be difficult in relation to NIS.

FTC Announces First Consent Order on Misrepresentation in Crowdsourcing

Posted in Federal Trade Commission, Litigation

The Federal Trade Commission (“FTC”) announced today that it has entered into a proposed consent order against the founder of a failed Kickstarter project, marking the first time that the agency has taken a consumer protection action in the rapidly-emerging field of crowdsourcing.  According to the complaint, the defendant, Erik Chevalier, misused money raised through Kickstarter for personal expenses despite promises to use this money to develop a board game, or otherwise to return the contributions.  While State Attorneys General have brought similar enforcement actions in the past against misrepresentations in crowdsourcing campaigns, this action breaks new ground for the FTC as part of its self-described efforts to “protect consumers taking advantage of new and emerging financial technology.”

Kickstarter provides a platform for aspiring creators to raise funds for a project directly from backers.  In exchange for a “pledge,” a backer is generally entitled to a “reward,” often a finished version of the product or service being created.  To date, over 8.8 million people have pledged more than 1.8 billion dollars through Kickstarter.

Mr. Chevalier’s campaign began in May 2012 when he pitched the idea of a Monopoly-like board game taking place in Atlantic City, where players take the role of H.P. Lovecraft’s Great Old Ones laying waste to the city.  The idea quickly garnered attention from the internet, raising $122,874, almost four times the original funding goal.  Backers were promised a copy of the completed board game, and those who pledged more were promised exclusive pewter figurines that could be used as game pieces.  However, the project quickly ran into significant delays, and in June 2013, Mr. Chevalier announced that the project had been cancelled because the majority of the money had already been spent on game development with no end in sight.  He also posted on Kickstarter that: “My hope is [. . .] to eventually refund everyone in full.”

Yet according to the FTC complaint, Erik Chevalier had actually used these funds for “miscellaneous personal equipment, rent for a personal residence, and licenses for a separate project,” contrary to his representations to consumers.  While the proposed consent order does not admit fault, Mr. Chevalier agreed to a judgment of $111,794 (suspended due to an inability to pay); a prohibition against using, disclosing, or benefiting from customer information obtained through the fundraising campaign; a promise to refrain from making misrepresentations to consumers in future projects, and an ongoing duty for compliance reporting and record keeping for the next 18 years.

Cybersecurity Discussions at the 2015 G-7 Summit

Posted in Cybersecurity

On Monday, the 2015 G-7 Summit ended with the President and other Leaders of the G-7 focused generally on a wide range of economic, security, and development issues, and specifically discussing the energy sector’s cybersecurity posture.  According to the White House, the Leaders “launched a new cooperative effort to enhance cybersecurity of the energy sector . . . [to] include analysis of different approaches across the G-7; exchange of methodologies for identifying cyber threats, vulnerabilities, and best practices; and investment in cybersecurity capabilities and capacity building.”

The G-7’s international effort appears to model the ongoing U.S. domestic efforts to protect the electric grid.  In the United States, the electric grid relies inextricably upon its key sector stakeholders to deliver essential services, and each of them has substantial networked information systems that must remain interconnected, from industrial controls within power generation facilities to the sensors found in energy delivery systems.  Since 1998, the Electricity Sector Information Sharing and Analysis Center (“ES-ISAC”) has served the energy sector by providing a platform for industry participants, the federal government, and other critical infrastructures to share cybersecurity information.  The ES-ISAC shares “threat indications, analyses and warnings, and interpretations to assist industry in taking protective actions.”  The goal of the ES-ISAC and its participating members is to share information that could help prevent cyber-related incidents, and it appears the Leaders of the G-7 hope to accomplish the same for their countries.