NTIA Multistakeholder Group Reaches Consensus on Best Practices for Drone Privacy

By Stephen Kiehl and Hannah Lepow

Over the last year, the National Telecommunications and Information Administration, an arm of the Department of Commerce, has convened a series of meetings regarding voluntary best practices for privacy, accountability and transparency in the use of drones (“UAS”) by commercial and private users.  A number of stakeholders have participated in these meetings, including representatives of insurance companies, technology companies, news organizations, drone manufacturers, and consumer and privacy groups.  This week the stakeholders reached consensus on a “Best Practices” draft document that contains voluntary privacy guidance, which the NTIA has posted on its website.

Importantly, the document recognizes that the benefits of UAS are substantial, and that UAS integration will have a significant positive economic impact in the United States.  The document also stresses that the best practices it outlines are voluntary and do not create a legal or regulatory standard, nor should they be used as a basis for any local, state or federal law or regulation.  The privacy guidance focuses on data collected by a UAS — and not on data collected by any other means.  And, as we discuss below, the best practices do not cover newsgathering activities.

Supreme Court Issues Highly Anticipated Spokeo Decision

The Supreme Court released its highly anticipated decision yesterday in Spokeo, Inc. v. Robins, which addresses whether plaintiffs have standing to pursue statutory damages under the Fair Credit Reporting Act (“FCRA”) even in the absence of actual harm.  As we previously reported, the case was expected to have significant downstream implications for standing in privacy class action litigation, because numerous privacy-related federal laws have been construed to allow statutory damages even in the absence of actual injury (e.g., the Telephone Consumer Protection Act).

EU Cyber Security Directive To Enter Into Force In August

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once the Directive is implemented in national law, Member States will have a further 6 months to apply the criteria laid down in the Directive to identify the specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which they have their “main establishment” (i.e., their head office in the Union).

EU Advocate General Considers Dynamic IP Addresses To Be Personal Data

On May 12, 2016, EU Advocate General (“AG”) Manuel Campos Sánchez-Bordona issued an Opinion in Case C-582/14 Patrick Breyer v Germany, which is pending before the EU’s highest court (the Court of Justice).  The Court is not legally bound by this Opinion, but in practice it often follows the opinions of its Advocates General in its rulings.  See here for the German language version; an English version is awaited.

The AG essentially considered that dynamic IP addresses qualify as personal data, even if the website operator in question cannot itself identify the user behind the IP address, since the user’s internet access provider holds data which, in combination with the IP address, can identify the user in question.

The AG went on to consider that the collection and use of IP address data, for the purpose of ensuring the functioning of the website, might be justified on the basis of the “balancing of legitimate interests” test under the EU Data Protection Directive 95/46/EC (the “Directive”), notwithstanding more restrictive national rules in Germany.

If followed by the Court of Justice, the Opinion will have broad implications for EU data protection law, even the forthcoming General Data Protection Regulation (the “GDPR”).  In particular, the Opinion will be relevant for any industries that handle de-identified personal data, and re-confirms the limits that national legislators need to respect when deviating from EU-level data protection legislation.


Video Privacy Protection Act Rulings in Gannett and CNN Reach Opposite Conclusions

In two cases last week, two courts entered widely divergent rulings on the central question of the specific definition of “personally identifiable information,” or “PII,” under the Video Privacy Protection Act (“VPPA”).  The VPPA defines PII as information that “identifies a person as having [obtained a video]” from a video tape service provider (“VTSP”).

In Yershov v. Gannett, the First Circuit took a broad view of that definition, deciding that even information such as unique device IDs in connection with GPS coordinates can be PII.  In Perry v. CNN, issued just a few days before Yershov, a federal district court in Georgia took a far more limited view under Eleventh Circuit precedent, holding that MAC addresses are not PII because they are tied to devices, not specific individuals.

White House Announces Artificial Intelligence Workshops and Working Group

Yesterday, the White House announced a series of workshops and an interagency working group devoted to the benefits and risks of artificial intelligence (AI).  The announcement cited the growing influence of AI, and specifically its potential applications in healthcare, education, and transportation.  On the other hand, the announcement noted the potential risks and policy challenges of AI, such as the potential for job losses and the challenges of predicting and controlling AI technology.

China Likely to Impose New Cybersecurity Regulations in 2016

As readers of this blog know, China has been increasingly active in proposing new cybersecurity and privacy regulations. In late 2015, China enacted a new counter-terrorism law.  In August 2015, it issued a draft network security law.  Also last summer, China issued new draft regulations on Internet advertising and clarified requirements for text marketing.  And, of course, China’s Internet regulator announced that China will move forward with new legislation on the protection of personal information.

In keeping with this whirlwind of activity, China now is moving ahead with a new cybersecurity and privacy framework that will focus on data localization, regulations on cross-border data transfer, and require security reviews of network products and services. Tim Stratford, the managing partner of Covington’s Beijing office, and his colleague Yan Luo recently published an article in Law360 explaining the three ways in which cybersecurity regulation in China is likely to change.  That informative article now is available to readers of this blog on Covington’s website at https://www.cov.com/-/media/files/corporate/publications/2016/05/3_ways_cybersecurity_law_in_china_is_about_to_change.pdf.  We hope that you find it useful.

House Unanimously Passes Email Privacy Act

On April 27, the House of Representatives unanimously passed the Email Privacy Act.  As previously reported, the proposed changes would strengthen the privacy protections for email and other cloud-storage services by closing a loophole that allowed law enforcement to access older data without obtaining a warrant.

However, while there is widespread support for requiring warrants for older emails, there remain some substantial disagreements about other proposed reforms to the 30-year-old law.  For example, the House Judiciary Committee rejected proposed provisions that would have (1) required government agencies to notify targets of a warrant after their information was provided to the government; (2) applied the warrant requirement to a customer’s geolocation information; and (3) created a carve-out for regulators like the FTC and the SEC, who asked for a way to obtain customer emails without a criminal warrant, which may be unavailable in civil cases.

Now that the Act has passed the House, there is renewed pressure on the Senate to take up its version, the Electronic Communications Privacy Act Amendments Act of 2015, which is currently in front of the Judiciary Committee.  Senator Chuck Grassley, the Chairman of the Senate Judiciary Committee, promised that he “plan[s] on taking a close look at the bill that passed the House, and talking with interested stakeholders and members of this committee to try to find a path forward for ECPA reform here in the Senate.”  However, he noted that “members of this committee on both sides of the aisle have expressed concerns about the details of this reform and whether it’s balanced to reflect issues raised by law enforcement.”  Senator Patrick Leahy and Senator Mike Lee, two of the co-sponsors to the Senate bill, urged the Senate to “take up and pass this bipartisan, common-sense legislation without delay.”

FTC’s Jessica Rich Argues IP Addresses and Other Persistent Identifiers Are “Personally Identifiable”

In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that:

“we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”

The post (which reiterates Ms. Rich’s remarks at the Network Advertising Initiative’s April meeting) suggests a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device.  The FTC previously has taken the position that browser and device identifiers are deserving of privacy protections, but the FTC generally has avoided classifying these identifiers as equivalent to personally identifiable information (such as name, email, and address) except in the narrow context of children’s privacy.  (The FTC’s rule implementing the Children’s Online Privacy Protection Act defines “personal information” to include a “persistent identifier that can be used to recognize a user over time and across different Web sites or online services.”)

Verizon Releases 2016 Data Breach Investigations Report

Verizon recently released its 2016 Data Breach Investigations Report (“DBIR”), which outlines cybersecurity threats, vulnerabilities, and trends from 2015.  Verizon, with the assistance of more than 60 contributors, analyzed over 64,000 information security incidents (security events that affect the integrity of an information system) and 2,200 data breaches (incidents that result in the “confirmed disclosure of data to an unauthorized party”) affecting organizations in 82 countries.  Items of particular interest in this year’s report include, among others: (1) an analysis of attacks by industry; (2) an increase in breach discovery time; and (3) a list of the most prevalent attacks or types of threats.  A brief description of each of these items follows.
