It has been a busy year for privacy and cybersecurity. Here is a look back at the highlights of 2018 and a preview of what 2019 may have in store in the United States, Europe, and China:
On December 12, 2018, Senator Brian Schatz (D-HI) led a group of fifteen Democratic senators in introducing the “Data Care Act of 2018,” which would impose duties of care, loyalty, and confidentiality on online service providers with respect to processing and securing user data. The bill would also provide the FTC with rulemaking authority and the ability to levy substantial civil penalties for noncompliance with its provisions.
This bill comes on the heels of Senator Ron Wyden’s release of a draft “Consumer Data Protection Act,” which also expanded FTC authority and created significant civil fines. (See analysis of Senator Wyden’s bill here, and related coverage on the Senate’s approach to data privacy here and here.) Several other privacy frameworks have already been introduced this year by both Democratic and Republican lawmakers, and additional bills may be introduced in 2019.
On December 11, 2018, the Vermont Office of the Attorney General published new guidance on the state’s data broker law (Act 171 of 2018), which imposes new data breach notification requirements on “data brokers” and takes effect on January 1, 2019. The new guidance clarifies the definitions of key statutory terms and the scope of the law’s various requirements.
Earlier this week, the European Commission (“Commission”) published its Report on the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document). The Report concludes that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States. The Commission also found that the implementation of a number of the recommendations following the first annual review last year improved several aspects of the Privacy Shield, but that certain recommendations still required implementation and/or monitoring.
In another Privacy Shield-related development this week, the International Trade Administration’s Privacy Shield Team announced new guidance on the applicability of the Privacy Shield to the United Kingdom following the UK’s pending withdrawal from the EU.
On 18 December 2018, the EU High-Level Expert Group on Artificial Intelligence (the “AI HLEG”) published new draft guidance on “AI Ethics” (the “guidance”). The AI HLEG is a European Commission-backed working group made up of representatives from industry, academia and NGOs, and was formed as part of the Commission’s ongoing work to develop EU policy responses to the development, challenges and new opportunities posed by AI technologies. Stakeholders are invited to comment on the draft through the European AI Alliance before it is finalized in March 2019.
The guidance recognizes the potential benefits of AI technologies for Europe, but also stresses that AI must be developed and implemented with a “human-centric approach” that results in “Trustworthy AI”. The guidance then explains in detail the concept of “Trustworthy AI” and the issues stakeholders should navigate in order to achieve it. A more detailed summary of the guidance is set out below.
This guidance is not binding, but it is likely to influence EU policymakers as they consider whether and how to legislate in the AI space going forward. The AI HLEG also envisages that the final version of the guidance in March 2019 will include a mechanism to allow stakeholders to voluntarily endorse its principles. The guidance also states that the AI HLEG will consider making legislative recommendations in its separate deliverable on “Policy & Investment Recommendations,” due May 2019.
On December 13, 2018, the Information Commissioner’s Office (“ICO”) in the United Kingdom issued guidance on the state of UK data protection law should the country leave the European Union (“EU”) without having reached an agreement on the terms of its withdrawal. Much of this latest guidance is consistent with the ICO’s earlier guidance on the topic, published in September 2018. But as the UK’s expected withdrawal from the EU on March 29, 2019, inches closer, organizations that process the personal data of individuals resident in the UK or in other countries in the European Economic Area (EEA) should now take steps to prepare themselves for the possibility of a “no-deal” scenario.
On December 6, 2018, the Australian Parliament passed a bill that aims to address concerns raised by national security and law enforcement agencies regarding encrypted communications.
Introduced in September, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the Act) may affect technology companies around the globe. As discussed in our previous post, the Act requires “designated communications providers” (a definition that includes foreign and domestic communications providers) to provide support to Australian government agencies under new legal bases provided by the Act’s framework. A Technical Assistance Notice (TAN), for example, will permit certain government entities to require assistance that a designated communications provider is already capable of giving. If the provider lacks the capability to assist, a Technical Capability Notice (TCN) may require the provider to build such capability.
As described in greater detail in the Act’s accompanying Explanatory Memorandum, the ability to issue TANs and TCNs is not without limitation. Importantly, neither form of Notice may require providers to implement or build a “systemic weakness or systemic vulnerability” into their electronic protections, or prevent providers from patching such weaknesses or vulnerabilities. Recent additions to the Act took this prohibition even further, requiring that in any case where a weakness is selectively introduced to a “target” technology connected with a particular person, the prohibition against systemic weaknesses or vulnerabilities extends to anything that would “jeopardize the security of information held by any other person” aside from the intended target. The phrase “jeopardize the security of information” is defined by the Act as any “act or thing that creates a material risk that otherwise secure information can be accessed by an unauthorized party.”
Last month, in In the Matter of 1-800 Contacts, Inc., the Federal Trade Commission (“FTC”) provided insight into the circumstances under which retail price competition may take place in the 21st century internet economy. In the Opinion authored by Chairman Joseph J. Simons (“Commission’s Opinion”), the Commission decided that 1-800 Contacts, the country’s largest online retailer of contact lenses, unlawfully entered into anticompetitive agreements with 14 rival online sellers (“Agreements”). The Agreements, which in most cases were trademark litigation settlements, required the parties, when bidding as part of search engine advertising auctions, to take measures ensuring their advertisements do not appear in response to searches for the other party’s trademark terms. According to the Commission’s Opinion, approved 3-1-1, the “decision will affect not only the price that consumers pay for some contact lenses but also the very manner in which substantial parts of price competition will occur throughout consumer markets today and tomorrow.” This week, 1-800 Contacts filed an application with the FTC for a partial stay pending review by the U.S. Court of Appeals.
The Agreements between 1-800 Contacts and Rival Retailers
By way of background, more than a decade ago, 1-800 Contacts began bringing trademark infringement actions against rival contact retailers, who were selling lenses at lower prices. The infringement claims were based on the retailers’ online advertisements appearing in response to consumers’ searches for “1-800 Contacts.” The Agreements, which resulted from the litigation, restricted the parties’ ability to bid on certain “keywords” in search engine auctions. “Keywords” are words or phrases that trigger the display of a party’s advertisements as “sponsored links” on a search engine when the words or phrases “match” a user’s search. As relevant here, the Agreements specifically prohibited each party from bidding on keywords that allegedly infringe upon the other party’s trademarks and additionally required the parties to employ “negative” keywords to prevent their advertisements from displaying whenever a search included the other party’s trademarks.
As many data breach litigation cases have demonstrated over recent years, the question of a plaintiff’s standing can be quite important to the outcome of each case. While the Supreme Court has addressed standing issues in several cases with potential applicability in the data breach litigation context, most recently in Spokeo, Inc. v. Robins and Clapper v. Amnesty International, the Court has not yet addressed head-on the question of standing requirements for plaintiffs in data breach litigation. More recently, a cert petition in another data breach standing case (In re Zappos.com), discussed below, has been distributed for conference this Friday, December 7, 2018. As the Court considers whether to grant cert and address this issue, this post provides an overview of the circuit split on standing in data breach litigation cases and efforts to convince the Court to revisit the issue and provide more precise guidance.
On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top consumer complaints to the FTC, and has been an enforcement priority for the FTC’s Bureau of Consumer Protection.