House Energy and Commerce Committee Circulates Draft Privacy Bill Expanding FTC Authority

On December 18, 2019, staffers on the House Energy and Commerce Committee circulated a draft of a bipartisan privacy bill.  The draft is currently unnamed and unfinished, but it lays out a comprehensive framework that expands both individuals’ rights to their data and the FTC’s enforcement role over digital privacy.  Rep. Cathy McMorris Rodgers (R-Wash.) and Rep. Jan Schakowsky (D-Ill.) have been particularly involved in working on the bill.

“We welcome input from all interested stakeholders and look forward to working with them going forward,” an Energy and Commerce spokesperson told The Hill.  “This draft seeks to protect consumers while also giving data collectors clear rules of the road.  It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff.”

The draft bill echoes many of the provisions in the Consumer Online Privacy Rights Act (COPRA) introduced last month by Democratic senators.  However, unlike COPRA, the bill is silent on two notable issues: whether individuals have a private right of action to assert violations and whether the bill would preempt state laws.

EDPB Publishes Article 28 Standard Clauses Adopted by Danish Supervisory Authority

On December 11, 2019, the European Data Protection Board (“EDPB”) published the final text of the standard clauses adopted by the Danish Supervisory Authority (Datatilsynet, hereafter “Danish SA”) pursuant to Article 28(8) of the General Data Protection Regulation (“GDPR”).  The Danish clauses are now accessible on the EDPB’s register of decisions taken by Supervisory Authorities.  The Danish clauses serve as a standard data processing agreement that controllers and processors may choose to adopt to fulfill the requirements of Article 28(3) and (4) of the GDPR.  However, note that these SCCs are not standard data protection clauses under Article 46(2)(c) or (d) of the GDPR, and as such, cannot serve as a valid legal mechanism to transfer personal data outside the European Economic Area (“EEA”).

India Proposes Updated Personal Data Protection Bill

More than a year after the Government of India’s Committee of Experts released a draft Personal Data Protection Bill in July 2018 (the “2018 draft”), India is one step closer to passing a comprehensive data privacy law.  On December 11, 2019, India’s Minister for Electronics and Information Technology introduced an updated draft of Personal Data Protection Bill (the “Bill”) in the Lok Sabha, India’s lower house of Parliament. The Bill was referred to a Joint Select Committee composed of parliamentarians from both the lower and upper houses.

The Joint Select Committee is due to report back to the Lok Sabha before the 2020 Budget Session of Parliament, which, although dates have not yet been set, usually runs from February to March.  At that point, the government is likely to table the Bill for discussion in Parliament either in the Budget Session or in the Monsoon session, which usually runs between July and September.

The updated Bill retains the core structure of the previous draft, which closely adheres to the model provided by the GDPR.  There are, however, noteworthy changes in this most recent Bill, including to some of the more controversial features of the 2018 draft, such as data localization requirements and provisions carrying criminal penalties.  The Bill also includes requirements that did not appear in the first draft, such as an enhanced right to erasure, obligations that attach to “anonymous data,” and specific requirements for “social media intermediaries.”  A new requirement for rulemaking by the data protection authority (“DPA”) could provide additional opportunities for public consultation.

Below we summarize the key changes in this most recent draft of the Bill.  To see all the changes from the 2018 draft, please click here.

German Telecommunications Company Fined 9.5 Million Euros for GDPR Violation

On December 9, 2019, the German Federal Data Protection Supervisory Authority (BfDI) imposed a 9.55 million Euro fine on the telecommunications company 1&1 Telecom GmbH.  The BfDI found that the authentication procedures used by 1&1’s customer helpline were insufficient and failed to satisfy the requirements of Art. 32 GDPR.  The company announced that it will challenge the order, arguing that the size of the fine is disproportionate.

The BfDI’s investigation was initiated following a complaint by a customer whose mobile telephone number was provided to his former partner in 2018.  The caller provided only the name and birth date of the customer to the helpline worker.  According to the company, the helpline employee acted in accordance with the company’s guidelines at the time, which required a two-factor authentication and were in line with standard industry practices.  But the BfDI found that this procedure created risks for “far-reaching information” on customers.

The BfDI stated that it is currently investigating other telecommunications providers, drawing on its own findings in this case and pursuing tips from third parties and customer complaints.

We reported on a German supervisory authority’s guidance regarding a similar topic – the requirements for authentication of data subjects exercising information rights under the GDPR – in an earlier post in July 2019.

German Supervisory Authorities Propose Changes to the GDPR

On December 2, 2019, the German Supervisory Authorities issued a report evaluating the implementation of the EU General Data Protection Regulation (“GDPR”) in Germany.  The report describes the Supervisory Authorities’ experience thus far in applying the GDPR and lists the provisions of the GDPR they see as problematic in practice.  For each of these provisions, the report discusses the perceived problem and proposes a solution.

The report begins by noting that the GDPR has significantly increased the workload of German Supervisory Authorities over the past year and a half.  This is due not only to an “enormous growth” in the number of complaints and consultation requests received, but also additional work resulting from the GDPR’s cross-border cooperation procedure.  Since the increased workload has not always been met with increased resources, the authorities have found it difficult to effectively supervise compliance.  Controllers are apparently aware of this and, as a result, have neglected their duties to be GDPR compliant.

UK ICO and The Alan Turing Institute Issue Draft Guidance on Explaining Decisions Made by AI

The UK’s Information Commissioner’s Office (“ICO”) has issued and is consulting on draft guidance about explaining decisions made by AI.  The ICO prepared the guidance with The Alan Turing Institute, which is the UK’s national institute for data science and artificial intelligence.  Among other things, the guidance sets out key principles to follow and steps to take when explaining AI-assisted decisions — including in relation to different types of AI algorithms — and the policies and procedures that organizations should consider putting in place.

The draft guidance builds upon the ICO’s previous work in this area, including its AI Auditing Framework, June 2019 Project ExplAIN interim report, and September 2017 paper ‘Big data, artificial intelligence, machine learning and data protection’.  (Previous blog posts that track this issue are available here.)  Elements of the new draft guidance touch on points that go beyond narrow GDPR requirements, such as AI ethics (see, in particular, the recommendation to provide explanations of the fairness or societal impacts of AI systems).  Other sections of the guidance are quite technical; for example, the ICO provides its own analysis of the possible uses and interpretability of eleven specific types of AI algorithms.

Organizations that develop, test or deploy AI decision-making systems should review the draft guidance and consider responding to the consultation. The consultation is open until January 24, 2020.  A final version is expected to be published later next year.

New E-Privacy Proposal on the Horizon?

On December 3, 2019, the EU’s new Commissioner for the Internal Market, Thierry Breton, suggested a change of approach to the proposed e-Privacy Regulation may be necessary.  At a meeting of the Telecoms Council, Breton indicated that the Commission would likely develop a new proposal, following the Council’s rejection of a compromise text on November 27.

The proposed Regulation is intended as a replacement to the existing e-Privacy Directive, which sets out specific rules for traditional telecoms companies, in particular requiring that they keep communications data confidential and free from interference (e.g., preventing wiretapping).  It also sets out rules that apply regardless of whether a company provides telecoms services, including restrictions on unsolicited direct marketing and on accessing or storing information on users’ devices (e.g., through the use of cookies and other tracking technologies).

German Constitutional Court Reshapes “Right to be Forgotten” and Expands Its Oversight of Human Rights Violations

In two recent landmark decisions issued on November 6, 2019, the German Constitutional Court (“BVerfG”) presented its unique perspective on the “right to be forgotten” and announced that it will assume a greater role in safeguarding German residents’ fundamental rights from now on.

Commission Expert Group Report on Liability for Emerging Digital Technologies

On November 21, 2019, the European Commission’s Expert Group on Liability and New Technologies – New Technologies Formation (“NTF”) published its Report on Liability for Artificial Intelligence and other emerging technologies.  The Commission tasked the NTF with establishing the extent to which liability frameworks in the EU will continue to operate effectively in relation to emerging digital technologies (including artificial intelligence, the internet of things, and distributed ledger technologies).  This report presents the NTF’s findings and recommendations.

UPDATE: AG Opinion in Schrems II Delayed

The Advocate General’s (“AG”) Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), has been delayed until the 19th December 2019.  (The original publication date was set for the week before, on the 12th December.)

The primary question before the European Court of Justice (“ECJ”), and the AG, in Schrems II is whether the European Commission’s standard contractual clauses (“SCCs”) are valid for transfers of personal data to the United States. Given the widespread reliance on the SCCs for data transfers to the United States and other countries around the world, the ECJ’s judgment is likely to have significant ramifications for many organizations.  The AG’s Opinion, while not binding, will likely give an initial indication of where the ECJ will land.

Covington represents the Software Alliance (“BSA”) in Schrems II and in a second case of equal significance, involving a challenge to the EU-U.S. Privacy Shield. That case, Case T-738/16, La Quadrature du Net and Others v Commission (“LQDN”), is currently pending before the EU General Court. Both the Schrems II and LQDN cases could dramatically affect the global business community.

For a re-cap on the oral hearing in Schrems II that took place in July this year, please see our client alert here.  Our team will continue to provide updates as the case develops.