Wyden Releases Draft Privacy Bill Increasing FTC Authority, Providing for Civil Fines and Criminal Penalties

Senator Ron Wyden last week released a discussion draft of a federal privacy bill that would amend Section 5 of the Federal Trade Commission Act to expand the FTC’s authority, create significant civil fines, and enforce certain provisions through criminal penalties.

The draft Consumer Data Protection Act is among a growing number of proposals for federal privacy legislation in the United States. (See our related coverage here and here.) These federal proposals follow on the EU’s enactment of the General Data Privacy Regulation (“GDPR”), which took effect in May, and the June enactment of the California Consumer Privacy Act (“CCPA”). The Wyden measure has not yet been introduced in the Senate.

Below we highlight key aspects of the draft legislation.

Canadian Privacy Commissioner Releases Official Guidance as Data Breach Law Takes Effect

By Sari Sharoni on November 5, 2018 Posted in Canada, Cybersecurity, Data Breaches, Data Security, International

Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under the new law, an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a “real risk of significant harm” to an individual, regardless of the number of individuals affected. (The guidance states a covered breach that affects only one individual would nonetheless require reporting and notification.) Importantly, the organization that controls the data is required to report and notify individuals of the breach—the guidance clarifies that even when an organization has transferred data to a third-party processor, the organization remains ultimately responsible for reporting and notification. The guidance encourages organizations to mitigate their risk in the event their third-party processor faces a breach by entering sufficient contractual arrangements.

Notification to individuals must be given “as soon as feasible” after the organization has determined a covered breach has occurred. The guidance states the notification must be conspicuous, understandable, and given directly to the individual in most circumstances. It must include enough information to communicate the significance of the breach and allow the those affected to take any steps possible to reduce their risk of harm. The regulations further specify the information a notification must include. In certain circumstances, organizations are also required to notify governmental institutions or organizations of a covered breach; for example, an organization may be required to notify law enforcement if it believes it may be able to reduce the risk of harm.

NIST Begins Developing a Voluntary Online Privacy Framework

By Inside Privacy on November 1, 2018 Posted in Data Privacy

The Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced in early September intention to create a Privacy Framework. This Privacy Framework would provide voluntary guidelines that assist organizations in managing privacy risks. The NIST announcement recognized that the Privacy Framework is timely because disruptive technologies, such as artificial intelligence and the internet of things, not only enhance convenience, growth, and productivity, but also require more complex networking environments and massive amounts of data.

Litigation Options For Post-Cyberattack ‘Active Defense’

By Alexander Berengaut and Tarek Austin on October 29, 2018 Posted in Cybersecurity, Data Security, Litigation

[This article also was published in Law360.]

In March 2017, Rep. Tom Graves, R-Ga., introduced a draft bill titled the Active Cyber Defense Certainty Act. The bill would amend the Computer Fraud and Abuse Act to enable victims of cyberattacks to employ “limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”[1] More specifically, the ACDC would empower individuals and companies to leave their own network to ascertain the perpetrator (i.e., establish attribution), disrupt cyberattacks without damaging others’ computers, retrieve and destroy stolen files, monitor the behavior of an attacker, and utilize beaconing technology.[2] An updated, bipartisan version of the bill was introduced by Rep. Graves and Rep. Kyrsten Sinema, D-Ariz., in October 2017.[3]

Portuguese hospital receives and contests 400,000 € fine for GDPR infringement

By Anna Oberschelp de Meneses and Kristof Van Quathem on October 26, 2018 Posted in Data Privacy, Data Security, European Union

On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400.000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”). The decision has not been made public. Earlier this week, the hospital publicly announced that it will contest the fine.

According to press reports, the CNPD carried out an investigation at the hospital which revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty. The CNPD reportedly concluded that the hospital did not put in place appropriate technical and organizational measures to protect patient data.

In its defense, the hospital apparently indicated that it uses the IT system provided to public hospitals by the Portuguese Health Ministry. The CNPD, however, decided that it was the hospital’s responsibility to ensure that the IT system it uses complies with the GDPR.

While Portugal has not “implemented” the GDPR yet, the CNPD applied the GDPR principles to this case and relied on the GDPR to determine the fine. This is one of the highest fines imposed by the CNPD as of yet. The current law allocates half of the fine to the CNPD budget – the future implementing law will likely contain a similar provision.

FERC Approves New Cybersecurity Standards for Supply Chain Risk Management

By Caleb Skeath on October 26, 2018 Posted in Cybersecurity, Internet of Things (IoT)

The Federal Energy Regulatory Commission (“FERC”) released a final rule approving three new Critical Infrastructure Protection (“CIP”) standards which address supply chain risk management for bulk electric systems (“BES”) operations. The new standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which directed NERC to create new CIP standards to address risks associated with the supply chain for grid-related cyber systems. The final rule will take effect sixty days after it is published in the Federal Register. The new standards must be implemented in eighteen months. More details regarding the new CIP standards, which may be of interest to entities that develop, implement, or maintain hardware or software for industrial control systems associated with bulk electric systems (“BES”), are provided below.

Dutch Supervisory Authority releases guidance on the interaction between the GDPR and PSD2

By Kristof Van Quathem on October 26, 2018 Posted in Data Privacy, European Union, Financial Institutions, Financial Privacy

On October 18, 2018, the Dutch Supervisory Authority for data protection adopted guidance on the second Payment Service Directive (“PSD2”). The PSD2 intends to open the financial services market to a larger scale of innovative online services. To that effect, the PSD2 sets out rules for obtaining access to the financial information of bank customers. Among other things, it provides that in most cases service providers’ access to this personal data is subject to consent.

The Supervisory Authority points out that the required consent is an additional protection imposed by the PSD2. It is not a legal basis for the processing of personal data under the General Data Protection Regulation (“GDPR”). In fact, under the GDPR the processing should not be based on consent, but rather on an alternative legal basis – namely, the execution of an agreement. Interestingly, while the regulator acknowledges that PSD2 consent is not a GDPR consent, it applies the same standard to both. As a result, according to the authority, the consent must be obtained separately from the main agreement (for example, in the form of a pop-up consent request), and customers must be able to retract their consent at any time, an action that would likely result in the end the agreement, since a provider would be unable to process any new data thereafter.

Italian court decides that a data protection officer does not have to be a certified ISO 27001 Auditor

By Anna Oberschelp de Meneses and Kristof Van Quathem on October 25, 2018 Posted in Data Privacy, EU Data Protection, European Union

On September 5, 2018, a first instance Administrative Court in Italy decided that a public company cannot reject an application for the position of data protection officer (“DPO”) on the basis that the applicant is not a certified ISO 27001 Auditor / Lead Auditor (decision available here).

ISO 27001 is an international information security standard. The standard sets out conditions that an individual must meet to become a certified ISO 27001 Auditor / Lead Auditor, such as attending dedicated courses and passing an exam.

The court noted the DPO requirements set out the General Data Protection Regulation (“GDPR”), in particular that the “data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill [its] tasks” (Article 37(5) GDPR).

The court held that an ISO 27001 Auditor / Lead Auditor certification “does not (or does not fully) capture the specific qualities inherent to the task [of DPO], whose main function is not (…) to increase the levels of efficiency and security in the information management, but rather, the ability to safeguard the fundamental right of the individual to the protection of personal data (…)”. The lack of this certification does not mean that an applicant cannot adequately fulfill the role of a DPO.

China Releases New Regulation on Cybersecurity Inspection

By Yan Luo, Ashden Fein, Huanhuan Zhang and Moriah Daugherty on October 23, 2018 Posted in China, Cybersecurity, Data Privacy, Data Security

On September 30, 2018, China’s Ministry of Public Security (“MPS”) released the Regulation on the Internet Security Supervision and Inspection by Public Security Organs (the “Regulation”;《公安机关互联网安全监督检查规定》), which will take effect on November 1, 2018.

The Implications of the GDPR on Clinical Trials in Europe

By Kristof Van Quathem on October 22, 2018 Posted in European Union, Health Privacy

On October 23, 2018, the European Federation of Pharmaceutical Industries in cooperation with the Future of Privacy Forum and the Center for Information Policy Leadership will organize a workshop entitled, “Can GDPR Work for Health Research.” In the first session, the workshop will discuss the implications of the General Data Protection Regulation (“GDPR”) on clinical trials in the EU. The second session is devoted to further use of health data for scientific research. Among other things, this session will discuss the relationship between the Clinical Trials Regulation (“CTR”) and the GDPR.

The CTR appears to subject further use of clinical trial data (i.e., any use outside the protocol) to consent. In a note available here, we point out that such a reading is overly restrictive. At the very least, the derogations in the GDPR for the use of health data for scientific research without consent should continue to apply.