Photo of David Bender

David Bender is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity practice group.

In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.”  The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protections afforded by the SCCs are respected and observed in the recipient country.  According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”

The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.”  It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”
Continue Reading U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II

At the Black Hat conference in Las Vegas last week, a security researcher presented his research on using access rights available under the GDPR for identity theft purposes (slides available here; whitepaper available here).  Specifically, the researcher “attempted to steal as much information as possible” about his fiancé by submitting GDPR access requests

On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”).  In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield,  including in particular the recent appointment of a permanent Ombudsperson.  But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield.

The EDPB, which is made up of representatives of various European data protection authorities, is established by the GDPR, and advises on the consistent application of data protection rules throughout the EU.  The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield.  The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield.    
Continue Reading European Data Protection Board Releases Report on the Privacy Shield

Earlier this week, the European Commission (“Commission”) published its Report on the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report concludes that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States.  The Commission also found that the implementation of a number of the recommendations following the first annual review last year improved several aspects of the Privacy Shield, but that certain recommendations still required implementation and/or monitoring.

In another Privacy Shield-related development this week, the International Trade Administration’s Privacy Shield Team announced new guidance on the applicability of the Privacy Shield to the United Kingdom following the UK’s pending withdrawal from the EU. 
Continue Reading Privacy Shield Updates: Second Annual Review and Brexit Guidance

A class-action lawsuit filed last month alleges that Wal-Mart’s video recording technology at its self-service checkout kiosks collects “personal identification information” in violation of the California Song-Beverly Act Credit Card Act of 1971 (“Song-Beverly Act”).  The Song-Beverly Act, like analogous statutes in several other states, generally prohibits businesses from recording customers’ “personal identification information” as

On Tuesday, Joseph Simons was sworn in as the new Chairman of the Federal Trade Commission.  The five-member Commission will soon be at full strength, as Simons is set to be joined by four other new FTC Commissioners, each of which were confirmed for seven-year terms by the Senate on April 26: Democrats Rebecca Kelly Slaughter and Rohit Chopra, and Republicans Noah Phillips and Christine Wilson.  Slaughter, Chopra, and Phillips are each expected to be sworn in this week, although Wilson will not take office until the Senate confirms Commissioner Ohlhausen’s nomination as a judge on the U.S. Court of Federal Claims.

The new Commissioners, with the exception of Slaughter, have backgrounds focusing more on competition and antitrust matters, as opposed to privacy and consumer protection.  As such, we will have to wait and see as to their views on privacy issues, and the FTC’s resulting priorities.
Continue Reading Changes Are Underway at the FTC As New Commissioners Are Sworn In

Today, 34 global technology and security companies announced that they have signed a Cybersecurity Tech Accord, which publicly commits them “to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.”  The signatories include Cisco, Dell, Facebook, HP, Intuit, and Microsoft.

The text of the Accord references recent events that have put online security at risk, and sets forth four principles:
Continue Reading Tech & Security Companies Sign Cybersecurity Tech Accord

In a ruling with implications for both net neutrality and privacy, the Ninth Circuit ruled en banc today that the common carrier exemption in Section 5 of the FTC Act is activity-based, reversing a 2016 panel ruling that the exemption was status-based.  Today’s decision bolsters the FTC’s authority to bring consumer protection (including privacy) and competition actions against providers of Internet access service, which the FCC has ruled is not a common carrier service in connection with that agency’s repeal of net neutrality rules.

This appeal arises from the FTC’s lawsuit against AT&T alleging that AT&T’s practice of throttling the speed of customers with unlimited data plans once they reached a certain data usage threshold violated Section 5 of the FTC Act.  AT&T had challenged the FTC’s authority to bring the case, arguing that the company was immune from FTC oversight because it also offers common carrier (e.g., voice telephone) service.  Although the district court sided with the FTC on this question, a 2016 Ninth Circuit panel went the other way and, in doing so, created what the FTC and FCC agreed was a potential ‘gap’ in authority in which neither agency would have the right to police many actions by telecommunications companies. 
Continue Reading Ninth Circuit Decision Provides Critical Win to FTC in its Authority over Internet Service Providers

Last week, the FCC issued a forfeiture order against Dialing Services, LLC (“Dialing Services”) $2,880,000, finding that Dialing Services made automated calls to wireless phones without prior express consent, in violation of the Telephone Consumer Protection Act (“TCPA”).  Dialing Services is a platform that offers automated calling services to its customers, and this Order is the culmination of the FCC’s investigation of the company dating back to 2012.

In 2012, FCC staff determined that Dialing Services had made more than 4.7 million calls to wireless phones in violation of the TCPA during a three-month period.  The Enforcement Bureau (“Bureau”) issued a citation in March 2013, directing the company to certify that it had stopped making calls in violation of the TCPA.  During a follow-up investigation, the staff determined that Dialing Services had continued placing calls after the citation, including 184 additional unauthorized calls to wireless phones in May 2013.  As a result, the FCC issued a Notice of Apparent Liability (“NAL”) in May 2014, proposing a $2.94 million fine.  (The ultimate forfeiture order reduced this amount to $2.88 million based on evidence that some of the calls were made with consent.)

In response to the NAL, Dialing Services asserted (among other things) that unlike its customers, it was merely a platform and therefore did not “make” or “initiate” the calls at issue under the TCPA.  The FCC applied its test for determining whether a party “initiated” or “made” a call for TCPA purposes from the 2013 Dish Network declaratory ruling:  whether the party “takes the steps necessary to physically place a telephone call” or, alternatively, is “so involved in the placing of a specific telephone call as to be directly liable for making it.” 
Continue Reading FCC Fines Calling Platform $2.88 Million for TCPA Violations