Washington Becomes the Third State with a Biometric Law

By Rebecca Yergin

On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute.  The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers.  With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information.  Although the three laws seek to provide similar consumer protections around the collection, use, and retention of biometric data, the Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action.

The Washington statute, as compared to existing biometrics laws, is notable for its definition of “biometric identifier.”   In the law, a “biometric identifier” is “data generated by automatic measurements of an individual’s biological characteristics,” including “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.”  Washington’s definition of “biometric identifier” may be broader than that in the Texas statute, but Washington’s definition does not specifically provide for a “scan of hand or face geometry,” as is the case in the Illinois statute.  Washington’s definition of “biometric identifiers” specifically excludes “physical or digital photograph, video or audio recording or data generated therefrom” (in addition to certain health-related data), suggesting the statute will have limited application in the context of facial recognition technology. Continue Reading

European Cloud in Health Advisory Council Calls For Review of eHealth Rules and Ethics of Medical Data Re-Use

In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning.  To read the post, please click here.

New Proposed Standard Sheds Light on Cross-Border Security Assessment in China

On May 27, 2017, China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft Version) (the “draft Standard”) for public comments.  The official Chinese version of the draft Standard is available here, and the comment period is open until June 27, 2017.

Once adopted, the new standard will be part of the comprehensive regime governing China’s cross border data transfers, supplementing the draft implementing regulation issued recently by the CAC, Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Measures”). (See Covington’s alert on the Measures here.)  Although the family of “Information Security Technology” standards are voluntary national standards and are not legally binding, we expect this draft Standard to provide important guidance to companies with respect to the security assessment of their cross border data flows.

As we have previously discussed (see our alert here), China’s Cybersecurity Law requires operators of “Critical Information Infrastructure” (“CII”) to store within China Chinese citizens’ personal information and “important data” collected or generated in the course of operations within China.  To transfer that data outside of China, a security assessment must be performed.

CII operators, however, are not the only entities required to conduct a security assessment of cross-border data transfers.  The Measures, which is expected to be finalized in the coming days, require “network operators” (a broad term encompassing entities that “own or manage networks in China”) to perform a security assessment before transferring outside of China personal information and “important data.”  The Measures provide, among other things, the substantive criteria of the security assessment.

The draft Standard, elaborating on the substantive criteria mentioned in the Measures, details the risk factors regulators are likely to analyze when reviewing or conducting security assessments of companies’ cross-border data transfers flowing out of China.  If these security assessments reveal major risks, Chinese regulators may require a company to step up its data protection efforts, or such transfers may be blocked entirely.

As a threshold matter, the draft Standard requires that the transfers should be “lawful and legitimate.”  This is not a high threshold.  Generally, transfers for a genuine business purpose are legitimate.  For example, the draft Standard provides that transfers for the purpose of “fulfilling business contracts” would qualify as legitimate.

If this bar is met, regulators are instructed to evaluate the risks associated with the transfers.  This analysis includes considering the features of data to be transferred and the likelihood of a security incidents during and post transfer.  The draft Standard further lists over fifteen risk factors, including these related to a data controller’s data protection program, the data recipient’s level of protection, and the country to which the data will be sent.  For example, the draft Standard contemplates that the transfer of fewer than 1 million records of personal data would have a lower risk level than the transfer of a greater number.  Transfers of over 50 million records are presumed to be high risk.  Regulators will also assess a company’s data protection program from two perspectives: data protection governance and technical measures used to protect the data.  Factors such as whether companies having a security policy governing the transfers, or whether the companies are using encryption to protect data in-transit, will be taken into account.  The absence of any data protection practices may be deemed as increasing the overall risk of the transfers.  Finally, regulators consider a review of the data recipient’s security practices and the “political and legal environment” of the country or region in which the data recipient is located to be necessary in order to assess the overall risk of the transfer.

Risk factors identified in the draft Standard will be used to assess a company’s data transfer practices.  For each risk factor, the regulator will assign a risk level.  Once all risk factors are assessed, a regulator can decide the overall risk level of the transfers.  If the overall risk level is low, such transfers should be allowed to continue.  Once a company conducts a self-security assessment, the record of such an assessment must be retained for at least five years.

In addition to describing the risk factors for security assessment, for the first time, the draft Standard sheds light on what data Chinese regulators consider to be “important.”  At a high level, “important data” is defined to include data that could have “severe consequences” for national security or societal and public interests in the event of leak or misuse after transfer outside of China.  To inform companies of what kind of data may fall into the scope of “important data,” Annex A of the draft Standard explicitly lists, on a sector-by-sector basis, examples of data that Chinese regulators believe to be “important.”  This includes specific examples (e.g., personal health records, e-commerce transaction records, payment/financial information) as well as potentially expansive categories (e.g., “information relating to natural persons, legal persons, and organizations acquired and kept in the process of establishing business relationships with natural persons, legal persons, and other organizations”).  Despite releasing these examples of “important data,” the draft Standard confirms that the precise determination of whether certain data will be classified as “important data” will ultimately be made on a case by case basis by sectoral regulators.

Cloud Security Alliance Releases Guidance for Securing Connected Vehicles

The increasing connectivity of vehicles has raised questions about how to maintain the security of connected vehicles.  In response, the Cloud Security Alliance released on May 25, 2017 a 35-page research and guidance report on Observations and Recommendations on Connected Vehicle Security.  The Cloud Security Alliance is a not-for-profit organization dedicated to promoting a secure cloud computing environment and whose members include individuals and technology leaders such as Microsoft, Amazon Web Services, HP, Adobe, and Symantec.  The comprehensive report includes a background on connected vehicle security design, highlights potential attack vectors, and provides recommendations for addressing security gaps.

The report discusses the multitude of ways that our vehicles are connected to the Internet, including through diagnostic tools, infotainment systems (such as satellite radio, traffic services, etc.), and remote entry and startup.  Vehicles also communicate with other vehicles, with infrastructure and with applications, providing information such as vehicle position, speed, acceleration, and braking status.  And, as the development of driverless cars continues, those vehicles will need to rely on communications with traffic lights, other vehicles, and pedestrians to maintain the safety of our roadways.  Vehicles have also begun to be integrated into other IoT devices, such as Amazon Echo and NEST, which allow consumers to use those applications to remotely start, set environmental controls for, or track the location of vehicles.

As a result of this interconnectedness, the security risk to connected vehicles and the ecosystems that support them is great.  In controlled situations, hackers were able to turn off the transmission of a Jeep Cherokee and reduce the speed of a Tesla Model S.  Hackers could hijack a vehicle’s safety-critical operations, track a vehicle (and its occupants), or disable a vehicle, despite actions taken by the driver.  The Cloud Security Alliance’s report provides a chart of approximately twenty possible attacks against connected vehicles. Continue Reading

FCC Releases NPRM on Broadband ISPs and Net Neutrality Rules

The FCC has released the Notice of Proposed Rulemaking (“NPRM”) on “Restoring Internet Freedom” that was adopted by a 2-1 vote at the Commission’s open meeting on May 18.  The NPRM is substantively very similar to the draft released by Chairman Pai on April 27, and the comment deadlines remain the same: July 17 for initial comments and August 16 for reply comments.

Of possible relevance from a privacy perspective, the NPRM now asks about the jurisdictional effects of finding broadband to be an interstate information service.  As he explained in his statement approving adoption of the NPRM, Commissioner O’Rielly had asked that this question be added to the NPRM, and he expressed the view that this finding should foreclose states and localities from regulating the privacy practices of ISPs (among other matters).  Whether the FCC would attempt to make such a broad preemption finding remains to be seen.    Continue Reading

New Republican Privacy Bill Would Expand Scope of “Sensitive” Data

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would  create new online privacy requirements.  The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data.  In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.

The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories.  ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information.  For “non-sensitive user information,” the BROWSER Act requires opt-out consent.  And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act. Continue Reading

First Annual Privacy Shield Review Will Comprehensively Assess the Framework

The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.

Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.

Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny.  The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield.  Continue Reading

White House Issues New Cybersecurity EO

On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”).  The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February.  Since then, revised drafts of the order were circulated, including a version from February 10, 2017 (the “Revised Draft”) that differed significantly from the initial draft order, but aligned with Executive Order 13636, “Improving Critical Infrastructure Security,” which was signed by President Obama on February 12, 2013.  With few exceptions, the Order signed yesterday mirrors the Revised Draft that we previously analyzed in our February 17, 2017 blog post titled “Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors.”  Here, we highlight key differences between the Revised Draft and the final Order.

Section 1:  Cybersecurity of Federal Networks

The first section of the Order continues to primarily address cybersecurity risk management and IT modernization within the executive branch consistent with the Revised Draft and Executive Order 13636 signed by President Obama.  The Order incorporates nearly all of the Revised Draft’s language in this section, with minor exceptions. Continue Reading

Parties Discuss Privacy Issues in Advance of FTC, NHTSA Workshop on Connected Cars

Automated vehicle technology is accelerating, and regulators are racing to keep up.  On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (“NHTSA”) will hold a workshop to examine the consumer privacy and security issues posed by automated and connected vehicles.  The workshop comes several months after the Department of Transportation and NHTSA promulgated a Notice of Proposed Rulemaking (“NPRM”) that would require all new passenger vehicles to be capable of vehicle-to-vehicle (“V2V”) communications by the early 2020s. Continue Reading

Ninth Circuit Will Rehear Dismissal of FTC Throttling Suit

The Ninth Circuit announced today that the full court will rehear the case in which the three-judge panel opinion had dismissed the FTC’s lawsuit against AT&T for allegedly violating Section 5 of the FTC Act due to past “throttling” practices around unlimited data plans.  According to the panel opinion, the FTC lacked jurisdiction over AT&T’s practices because of AT&T’s status as a common carrier, even though AT&T was engaging in non-common carrier activities.

The FTC had previously filed a petition for en banc review of the panel opinion, and that petition was supported by the FCC, among others.  This case  has important consequences for the scope of the FTC’s enforcement jurisdiction over non-common carrier activities of communications providers—a subject of particular relevance following FCC Chairman Pai’s recent proposal to re-classify broadband Internet access service as an “information service” under the Communications Act.

The Ninth Circuit has announced that the en banc oral argument will take place during the week of September 18, 2017, with the specific date and time to be determined later.

LexBlog