Dutch Supervisory Authority Announces GDPR Investigation

On July 17, 2018, the Dutch Supervisory Authority announced that it will start a preliminary investigation to assess whether certain large corporations comply with the EU’s General Data Protection Regulation (“GDPR”) – see the official press release here (in Dutch).  To that end, the authority will review the “records of processing activities” from thirty randomly selected corporations which are located in the Netherlands.

Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities.  These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used.  While small organizations with fewer than 250 employees are generally exempted, there are several exceptions to the exemption which may still cause this obligation to apply to them as well.

The thirty corporations will be selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.

According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the new EU data protection rules.

Covington Artificial Intelligence Update: China’s Framework of AI Standards Moves Ahead

China has set out on an ambitious agenda of aiming to become the world leader in artificial intelligence by 2030. Policy experiments form a critical part of China’s AI development strategy, and to that end multiple government think tanks have set out formulating standards that may impact AI innovation in China.

The China Electronics Standardization Institute (“CESI”), the major think tank responsible for standardization work under the Ministry of Industry and Information Technology (“MIIT”), is one of the key players in AI standardization in China. On January 24, 2018, CESI released the Artificial Intelligence Standardization Whitepaper, which summarizes current developments in AI technology, standardization processes in other countries, China’s AI standardization framework and China’s plan for developing AI capabilities going forward.

Since the release of that whitepaper, CESI has continued its standardization work on two parallel tracks.  As the lead agency for China, CESI has been actively engaged in developing international standards. It is an active member of the ISO/IEC JTC 1/SC 42 subcommittee that develops international standards for the AI industry.

To both support CESI’s international standard-setting work and develop China’s domestic AI standardization framework, CESI has established three working groups: one working group aiming to produce guidelines for establishing the AI standardization system in China, one working group focusing on AI and open source, and another on AI and social ethics. By the end of this year, the three working groups are due to produce papers that will guide China’s standardization efforts in the years to come.  CESI aims to leverage China’s domestic standardization work in the development of international standards, while at the same time learning from international stakeholders when formulating its own standards.

Some of the national AI standards led by CESI have already been finalized, such as Specification of Programming Interfaces for Chinese Speech Recognition Internet Services. More standards are under development or slated for development in the near future.  These standards cover the categories of testing and evaluation, AI platforms, edge intelligent computing and chip, machine learning, computer vision, human-machine interaction, augmented reality, virtual reality, robotics, smart home, intelligent medicine and AI security.

In parallel, other government think tanks are also moving forward on developing industry standards for AI. The Artificial Intelligence Industry Alliance (AIIA), an industry alliance established by China’s regulators with about 200 members, is seeking to develop industry standards on assessment and certification industry systems for AI products and services. These standards will set out requirements and testing methods for AI hardware and AI platforms for services based on voice, language and images.

Interested stakeholders may wish to closely follow progress being made by CESI, AIIA, and other agencies.

Many thanks to Zhijing Yu and Runze Li for their contributions to this post.

China Seeks Public Comments for Draft Cybersecurity Regulations

On June 27, 2018, China’s Ministry of Public Security (“MPS”) released for public comment a draft of the Regulations on Cybersecurity Multi-level Protection Scheme (“the Draft Regulation”). The highly anticipated Draft Regulation sets out the details of an updated Multi-level Protection Scheme, whereby network operators (defined below) are required to comply with different levels of protections according to the level of risk involved with their networks. The comment period ends on July 27, 2018.

China’s Cybersecurity Law (“CSL”), which took effect on June 1, 2017, requires the government to implement a Multi-level Protection Scheme (“MLPS”) for cybersecurity (Article 21). The Draft Regulation, a binding regulation once finalized, echoes this requirement and provides guidance for network operators to comply with the Cybersecurity Law.

The Draft Regulation updates the existing MLPS, which is a framework dating back to 2007 that classifies information systems physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked. The classification levels range from one to five, one being the least critical and five being the most critical. Information systems that are classified (initially self-assessed and proposed by operators and then confirmed by MPS) at level 3 or above are subject to enhanced security requirements.

Obligations for network operators

The obligations set out apply to network operators, which Article 21 of the CSL broadly defines  to include all entities using a network (including the Internet) to operate or provide services.  Network operators will be subject to different cybersecurity requirements corresponding to their MLPS classification level.

  • Self-assessment of security level. All network operators are responsible for determining the appropriate security level for their networks at the design and planning stage, taking into account the functions of the network, scope and targets of service, and the types of data being processed.  When network functions, services scope and types of data processed are significantly changed, network operators are required to re-assess their classification level.  In addition, operators of networks classified level 2 or above are required to arrange for “expert review” of the classification level and may also be required to obtain approval from industry regulators and the MPS.
  • Cybersecurity requirements.
    • All network operators. The Draft Regulation sets out requirements generally applicable to all network operators regardless of classification level, which largely track the requirements under Article 21 of the CSL. All network operators are required to conduct a self-review on their implementation of the cybersecurity MLPS system and the status of their cybersecurity at least once per year and should timely rectify identified risks and report such risks and remediation plans to MPS with which the operator is registered.
    • Operators of networks classified level 3 and above. Additional requirements apply for operators of networks classified level 3 and above—some of them are repetitive or overlap with the general requirements above. New level 3 networks must be tested by MLPS testing agencies accredited by MPS (a list of accredited testing agencies is available here) before they can come online. (By way of comparison, operators of networks classified level 2 and below can test their own new network before it comes online.) Operators of networks classified level 3 and above are also required to formulate cybersecurity emergency plans and regularly carry out cybersecurity emergency response drills (e.g., tabletop exercises).
  • Security incident reporting. The Draft Regulation briefly mentions that network operators are required to report incidents within 24 hours to MPS. Although the Draft Regulation does not elaborate the reporting process or the information required for such notifications, this requirement imposes a new reporting timeline on network operators because the CSL, itself, does not have a specific time frame for reporting.

Additional requirements for operators of networks classified level 3 and above

Operators of networks classified level 3 and above are also subject to other requirements, including relating to procurement of products and services, technical maintenance performed overseas, and the use and testing of encryption measures.  In addition, the Draft Regulation restricts the ability of certain personnel to attend “offensive and defensive activities organized by foreign organizations” without authorization.

Enforcement and Liability

The Draft Regulation stipulates a wide array of investigative powers for MPS and sanctions for non-compliant companies, ranging from on-site inspection, investigation, and “summoning for consultation” to monetary fines and criminal liability.

* * * * *

While the meanings of certain terms in these requirements are still not clear and may require further interpretation, multinational companies operating in China may wish to closely follow developments relating to the Draft Regulation and understand how recent developments may affect their business operations. Companies have until July 28 to provide feedback to the Chinese government on possible amendments.

For a more in-depth analysis of the Draft Regulation, please refer to our recent client alert here.

Post GDPR: ECHR Ruling Confirms the Prevalence of Freedom of Expression and Information Over the Right of Erasure

By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses

The European Court of Human Rights (“ECHR”) decided on 28 June 2018 that the right to request the erasure of personal data on prior convictions may be trumped by the right to freedom of expression and information.  The court confirmed prior case law deciding that the public’s legitimate right of access to electronic press archives is protected by the fundamental right of freedom of expression and information and that limitations to this right must be justified by particularly compelling reasons.

Facts of the case

The case concerns two German nationals (ML and WW) who were sentenced to life imprisonment back in 1993 for murdering a popular actor.  ML and WW disputed their conviction and filed several unsuccessful applications for a revision of the procedure and reached out to the press for support.

After being released on probation in 2007 and 2008 respectively, ML and WW initiated three proceedings against different media outlets asking that their names (and individualizing information) be erased from articles published between 1992 and 2000.  ML and WW argued that due to passage of time, their right to privacy outweighed the interest of the public to be informed about the proceedings.  ML and WW also claimed that the articles jeopardized their social reintegration.

UK Regulators Publish Joint Discussion Paper on Operational Resilience in the UK Financial Sector

By Mark Young and Gemma Nash

The UK Financial Conduct Authority (“FCA”) published on July 5 a joint Discussion Paper with the Prudential Regulation Authority (“PRA”) and the Bank of England (“BoE”) on “Building the UK financial sector’s operational resilience.”

The Discussion Paper focuses on the ability of regulated firms and financial market infrastructures (“FMIs”) to “respond to, recover and learn from operational disruptions,” most notably cyber-attacks.  The supervisory authorities recognise that a lack of operational resilience represents a threat to financial stability and describe it “as no less important than financial resilience.”

The supervisory authorities invite feedback on several questions in the Discussion Paper from firms, trade associations, and consumer bodies as well as from individuals and businesses who use authorised or recognised entities’ business services.  The authorities will use responses to help develop potential proposals for consultation and develop their respective approaches.  The deadline to respond is October 5, 2018.

California Adopts Expansive Consumer Privacy Law

On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is aimed at strengthening consumer privacy rights and data security protections.  The CCPA takes effect on January 1, 2020 and is considered the most stringent privacy law in the country.

The CCPA applies to for-profit entities that conduct business in California.  Under the statute, a covered business is defined to include those that collect personal data from consumers and either (1) have gross revenues exceeding $25 million; (2) annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their annual revenues from selling personal information.

Notably, the measure goes beyond existing state law in defining personal information.  Under the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  The extensive list of identifiers covered in the CCPA’s definition includes data from internet or network activity, such as browsing and search history; data from a consumer’s interaction with a website, application, or advertisement; biometric and geolocation data; and any inferences that can be drawn from such information.

California residents are afforded a number of new rights under the CCPA.  Key provisions include:

  • Data Access Requests:  Verified consumers can request copies of the specific pieces of personal information that the business has collected, along with other categories of information.  The business must respond to these requests within 45 days (subject to an additional 45-day or 90-day extension).  Responses generally must be provided free of charge by mail, electronically, or through the consumer’s account (depending on the circumstances).  If provided electronically, the copy of the data must be “portable” and, if technically feasible, in a “readily useable format” that allows the consumer to transmit this information to another entity.
  • Data Deletion Requests:  Upon a consumer’s request, a business is required to delete any personal information that it has collected and direct service providers to do the same, unless one of several key exceptions applies.  These exceptions include, for example, completing the transaction or providing other goods or services requested by the consumer; engaging in activities reasonably anticipated within the context of an ongoing business relationship with the consumer; protecting against fraud or other illegal activity; exercising free speech; complying with law; and enabling internal uses that are reasonably aligned with consumer expectations.
  • Opt Out of the Sale of Personal Information:  Consumers can opt out of the sale of their personal information by a business, and businesses that sell consumers’ personal information must notify consumers that they have the right to opt out of the sale of their personal information.
  • Prohibitions Against Discrimination:  The CCPA explicitly prohibits businesses from discriminating against consumers who request to access, delete, or opt out of the sale of their personal information.  If a consumer exercises their rights under the CCPA, businesses are proscribed from, among other things, charging the consumer a different price or providing a different quality of goods or services, except if the difference is reasonably related to the value provided by the consumer’s data.
  • “Do Not Sell” Link and New Privacy Policy Disclosures:  A new link must be added to Internet homepages titled “Do Not Sell My Personal Information.”  This link must enable the consumer to opt out of the sale of the consumer’s personal information.  Businesses also will need to provide additional notice to California consumers about their rights, typically through online privacy policies.
  • Consent For Minors:  Minors 13 to 16 years old must “affirmatively authorize” the sale of their personal information.  Consent of a parent or guardian is required for children under the age of 13.
  • Private Right of Action for Certain Data Breaches:  The law allows consumers, in coordination with the state Attorney General, to sue for damages if a subset of personal information is accessed and exfiltrated, stolen, or disclosed without authorization, and both (1) the data was neither encrypted nor redacted and (2) the breach was the result of the business failing to implement and maintain reasonable security procedures or practices appropriate to the nature of the information.  In addition, the consumer must provide the business written notice 30 days before initiating any action and a business has 30 days to cure.  To protect against nuisance suits, the state Attorney General can bar the action from proceeding.
  • Attorney General Authority: The California Attorney General is authorized to enact a number of regulations implementing the statute.  The CCPA requires the California Attorney General to solicit public feedback on or before January 1, 2020 for any additional regulations implementing the new law.

The legislation was enacted as a stop-gap measure to prevent an unworkable state-wide ballot initiative from being included on the November ballot in California.  The sponsor of the ballot initiative agreed to withdraw the measure from the ballot if the compromise legislation was passed by June 28th.  The legislature is expected to further revise the legislation before it takes effect in 2020.

Supreme Court’s Carpenter Decision Requires Warrant for Cell Phone Location Data

In a decision that defines how the Fourth Amendment applies to information collected in the digital age, the Supreme Court today held that police must use a warrant to obtain from a cell phone company records that detail the location and movements of a cell phone user.  The opinion in Carpenter v. United States limits the application of the third-party doctrine, holding that a warrant is required when an individual “has a legitimate privacy interest in records held by a third party.”

The 5-4 decision, written by Chief Justice John Roberts, emphasizes the sensitivity of cell phone location information, which the Court described as “deeply revealing” because of its “depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection.”  Given its nature, “the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection,” the Court held.

FTC Announces Series of Hearings on Competition and Consumer Protection

Earlier today, the Federal Trade Commission (“FTC”) announced that it will host a series of public hearings on whether “broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.”

FTC Chairman Joe Simons noted that “important and significant questions recently have been raised about whether we should rethink our approach to some of these issues,” and expressed that “[w]e are excited about this new hearings project, and anticipate and look forward to substantial participation from our stakeholders.”

The FTC’s press release noted that the “multi-day, multi-part hearings” will be similar to the FTC’s “Global Competition and Innovation Hearings,” which took place in 1995 at the direction of then-Chairman Robert Pitofsky.  Those hearings were held to address “whether there have been broad-based changes in the contemporary competitive environment that require any adjustments in antitrust and consumer protection enforcement in order to keep pace with those changes.”  The 1995 hearings resulted in a two-volume report, released in May 1996, articulating the FTC’s analysis and recommendations on competition and consumer protection policy.

FS-ISAC Launches Information Sharing Forum for Government Entities

On June 11, 2018, the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) announced the launch of the CERES Forum, an information sharing initiative for central banks, regulators, and supervisors designed to strengthen responses to cyber and physical threats.  The new forum will become operational on July 1, 2018.

Although FS-ISAC primarily comprises private financial institutions and over three dozen government entities, membership in the CERES Forum will be limited to government participants.  To protect the confidentiality of existing FS-ISAC members and ensure information shared within the CERES Forum is kept separate, government participants will be required to follow different processes and access the new forum through a secure standalone portal.

In addition to serving as a trusted medium for central banks, regulators, and supervisors, the CERES Forum’s stated mission is to:

  • Gather and share best practices related to regulatory and compliance controls;
  • Collect feedback about which controls are most effective; and
  • Distribute timely threat intelligence about cyber threats, vulnerabilities, and incidents that could affect CERES Forum members and the wider global financial system.

The launch of FS-ISAC’s CERES Forum reflects the growing trend of sophisticated cyberattacks and data breaches targeting financial institutions, including central banks, around the world.  It is the first information sharing forum tailored to address the needs of central banks, regulators, and supervisors.

Eleventh Circuit LabMD Decision Potentially Limits FTC’s Remedial Powers

The Eleventh Circuit has issued its decision in LabMD v. FTC, a closely watched case in which LabMD challenged the Federal Trade Commission’s authority to regulate the data security practices of private companies. The Court of Appeals declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders—even those not having to do with data security.