On Friday, December 4, President Obama signed the Fixing America’s Surface Transportation (“FAST”) Act, a $300 billion-plus highway and transportation law and the first comprehensive transportation spending law in a decade. Despite its title, the bill impacts a number of regulated sectors. Nestled within this 490-page law are 13 pages that pertain to cybersecurity and other protections for the electric grid. As detailed below, the FAST Act also includes a number of privacy and cybersecurity provisions relating to privacy notices by financial institutions as required by the Gramm-Leach-Bliley Act, event data records in vehicles, Internet of Things technologies, and connected cars.
On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”), with bipartisan support. Although some raised privacy concerns, CISA received backing from the Administration and support from many industry participants. The Senate bill must be reconciled with similar bills in the House (H.R. 1560 and H.R. 1731) before a conference version is produced. This process may be contentious as privacy advocates seek to strengthen protections for personal information, and Senator Richard Burr, Chairman of the Senate Intelligence Committee and co-sponsor of CISA, indicated that the conferencing process is unlikely to produce a resolution before January 2016.
On October 29, 2015, the European Parliament adopted a resolution on the electronic mass surveillance of EU citizens (the “Resolution”). Positioned as a follow-up to its resolution of 12 March 2014 in which the Parliament called for the immediate suspension of Safe Harbor and put forward a number of recommendations to limit access to personal data of European citizens as part of mass surveillance, the Resolution calls on the European Commission to “reflect immediately on alternatives to Safe Harbor and on the impact of the judgment [from the Court of Justice of the European Union in the Schrems case] on any other instruments for the transfer of personal data to the U.S.” It also calls for the European Commission to “report on the matter by the end of 2015.” In addition, the European Parliament demanded that the Commission urgently provide an update on the ongoing negotiations between US authorities and the Commission.
In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the US-EU Safe Harbor agreement on the basis that the European Commission had failed to sufficiently assess the protection of personal data of Europeans under the U.S. data protection regime. The Court alluded to U.S. surveillance activities under the PRISM program authorized by Section 702 of the Foreign Intelligence Surveillance Act, and appeared to assume U.S. law permits mass surveillance of Europeans with few limits, little clarity, and no opportunity for redress. However, the Court did not actually review or assess the applicable legal authorities, remedies, or array of checks and balances, safeguards, and independent oversight. If it had done so, it would have found numerous overlapping controls that assure that such surveillance is neither massive nor indiscriminate, but instead targeted to specific individuals and limited purposes, and provides legal remedies for Europeans. Indeed, prior to the scheduled expiration of the 702 program in 2017, U.S. congressional oversight committees will likely be comparing whether privacy safeguards in place for similar foreign programs are as effective as those of Section 702.
Significantly, the independent Privacy and Civil Liberties Oversight Board reviewed surveillance under Section 702 and found: “[T]he Section 702 program is not based on the indiscriminate collection of information in bulk. Instead the program consists entirely of targeting specific [non-U.S.] persons about whom an individualized determination has been made.” Key safeguards and controls include…
In an effort to address growing concerns about security vulnerabilities in both the public and private sectors, the National Institute of Standards and Technology (NIST) has released a flurry of new and updated information security recommendations. The latest recommendations address protections for sensitive data held by federal contractors, encryption standards, and security for federal Smart ID cards.
On July 1, 2015, China’s top legislature adopted a new National Security Law (中华人民共和国国家安全法), highlighting cyber security and paving the way for a coordinated crisis management system. The law aims to provide a general legislative framework to cover a wide range of areas, ranging from finance, politics, the military and cyber security to culture, ideology and religion.
The European Parliament voted in a plenary session on March 12, 2014 to fully endorse the draft EU Data Protection Regulation (the Regulation) and the draft EU resolution calling for the immediate suspension of Safe Harbor (the Resolution), both of which were adopted previously by the European Parliament’s Civil Liberties Committee (the LIBE Committee).
According to the European Commission’s press release “today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.”
On February 12, the White House released the widely anticipated Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). Developed pursuant to Executive Order 13636 (issued in February 2013), the Framework strongly encourages companies across the financial, communications, chemical, transportation, healthcare, energy, water, defense, food, agriculture, and other critical infrastructure sectors to implement and comply with its voluntary standards. The provisions set forth in the Framework may establish a new baseline for industry standard practices, and may impact or guide FTC enforcement actions and plaintiff data breach lawsuits.
A draft report by the European Parliament’s Civil Liberties Committee (the LIBE Committee) indicates that it is attempting to fundamentally alter the existing compliance mechanisms for transferring personal data from Europe. The recently leaked draft is dated December 23, 2013 and expresses the LIBE Committee’s response to the U.S. NSA surveillance programs, surveillance in various EU Member States, and the impact on EU citizens’ fundamental rights and on transatlantic cooperation (the Report).
The European Commission has released a comprehensive package of communications, reports and papers that set out actions which the Commission believes can restore trust in transatlantic data flows between the European Union and the United States following recent concerns over access to data by intelligence agencies.
The package included the following:
- Communication: ‘Rebuilding Trust in EU-U.S. Data Flows’;
- Communication: ‘On the Functioning of the Safe Harbor from the Perspective of EU Citizens and Companies Established in the EU’;
- Report on the findings of the EU-U.S. Working Group; and
- Review of the existing agreements on Passenger Name Records and the Terrorist Finance Tracking Program.
The Commission’s announcement focused attention on the EU-U.S. Safe Harbor, which is discussed below in this Alert, but a number of other key statements by the Commission are potentially relevant to multinationals, as well as Internet and technology companies. The Commission stressed the need for swift adoption of the EU’s data protection reform; strengthening data protection safeguards in the law enforcement area, including an agreement to guarantee a high level of protection for citizens who should benefit from the same rights on both sides of the Atlantic (EU citizens not resident in the U.S. should benefit from judicial redress mechanisms); addressing European concerns in the on-going U.S. reform process (including extending the safeguards available to U.S. citizens to EU citizens not resident in the U.S., increased transparency and better oversight); and promoting privacy standards internationally, advocating in particular that the U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”). Significantly, the Commission also makes clear that standards of data protection will not be part of the on-going negotiations for a Transatlantic Trade and Investment Partnership. The Commission also noted that its proposed new data protection regulation “includes clear rules on the obligations and liabilities of data processors such as cloud providers, including on security. As the revelations about U.S. intelligence collection programs have shown, this is critical because these programs affect data stored in the cloud. Also, companies providing storage space in the cloud which are asked to provide personal data to foreign authorities will not be able to escape their responsibility by reference to their status as data processors rather than data controllers.”
One of the main actions by the Commission as part of the package is a review of the U.S.-EU Safe Harbor agreement that was agreed in 2000 and allows for transfer of personal data from the EU to companies in the U.S. that self-certify with the U.S. Department of Commerce as complying with certain privacy principles. Safe Harbor has proved popular as a means of allowing for international transfers of personal data from the EU to the U.S. with over 3,200 U.S. companies having self-certified.
However, there has been growing concern among some EU Data Protection Authorities about Safe Harbor and in particular its reliance on self-certification and lack of enforcement. In July 2013, Data Protection Authorities in Germany commented that they had decided not to issue new permissions for data transfers to countries outside the EU and would examine whether data transfers on the basis of Safe Harbor should be suspended. The Commission in its Communication on the Functioning of Safe Harbor comments that “Given the weaknesses identified, the current implementation of Safe Harbor cannot be maintained. However, its revocation would adversely affect the interests of member companies in the EU and the U.S. The Commission considered that Safe Harbor should rather be strengthened.”
So Safe Harbor is to be retained but amended to add further privacy protections. More specifically, the European Commission makes thirteen recommendations that are designed to strengthen Safe Harbor related to transparency, enforcement, the Safe Harbor principles and the use of the exception for national security which allows for the principles to be limited “to the extent necessary” to meet national security, public interest or law enforcement requirements:
1. Self-certified companies should publicly disclose their privacy policies: this recommendation makes it clear that it is no longer sufficient for Safe Harbor companies to disclose a mere description of their policy. Privacy policies should be made publicly available on the company website.
2. Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbor website which has the list of all current members adhering to the scheme: this recommendation would allow for immediate verification of a Safe Harbor company and would lessen the ability for false claims of adherence by non-adhering companies.
3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors e.g. cloud computing services: Safe Harbor allows for onward transfers from the Safe Harbor company to third parties acting “as agents” (e.g. cloud providers) but the third party should enter into a contract with the Safe Harbor company under which the third party agrees to provide the same level of privacy protection as the Safe Harbor principles. The Commission recommends that the Department of Commerce should be notified of such contracts and the privacy safeguards should be made public.
4. Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme: the Commission recommends that the label ‘Not current’ be included on the Department of Commerce list of Safe Harbor members which should be accompanied by a clear warning that a company is currently not fulfilling Safe Harbor requirements.
5. The privacy policies on companies’ websites should include a link to ADR (Alternative Dispute Resolution) providers and/or the EU panel: the Safe Harbor principles require that a readily available and affordable independent mechanism must be in place by which complaints and disputes are investigated. The Commission considers that providing a link to the ADR provider or the EU panel would allow for an individual to immediately contact the ADR provider or the EU panel in the case of problems.
6. ADR should be readily available and affordable: this recommendation is meant to eliminate the charging of fees by some ADR providers under the Safe Harbor scheme.
7. Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure used and follow-up they give to complaints: according to the Commission this recommendation should make the dispute resolution an effective and trusted mechanism with publication of findings for non-compliance included within sanctions of ADR providers.
8. A certain percentage of certified or re-certified companies under Safe Harbor should be subject to investigations of effective compliance of their privacy policies. This recommendation is based on the Commission’s view that although privacy policies are reviewed by the U.S. Department of Commerce when a company renews its certification there is no evaluation of the actual practice of compliance by that company with the Safe Harbor principles.
9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a follow-up investigation after one year.
10. In the case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU Data Protection Authority.
11. False claims of Safe Harbor adherence should continue to be investigated. According to the Commission, a company that claims to be complying with Safe Harbor requirements while not listed by the Department of Commerce is misleading and weakens the credibility of the system, so such companies should be investigated.
Access by U.S. authorities
12. Privacy policies of self-certified companies should include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor scheme. This recommendation is also extended so privacy policies should explain how the company would apply exceptions to the Safe Harbor principles to the extent necessary to meet requirements of national security, public interest or law enforcement.
13. The exception of national security under Safe Harbor should only be used to the extent that it is strictly necessary or proportionate: the Safe Harbor Communication further specifies that EU data subjects have no opportunity for access, redress or rectification relating to the processing of their personal data under U.S. surveillance, therefore there is a need to restrict exceptions to that which is strictly necessary or proportionate to the reason for which the exception is being used.
According to the Commission, for Safe Harbor to work as intended, the monitoring and supervision by U.S. authorities of self-certified companies’ compliance with the Safe Harbor Principles needs to be more effective and systematic, and the thirteen recommendations are intended to achieve this. The Commission will now engage with the U.S. authorities to discuss how to strengthen Safe Harbor, with amendments to be identified by summer 2014 and, according to the Commission, implemented as soon as possible. At the same time the Commission will be undertaking a more detailed review of Safe Harbor which will involve an open consultation and a debate in the European Parliament and at the Council of Ministers.
For companies that are currently self-certified under Safe Harbor, or in the process of becoming self-certified, it will be a relief to know that the Commission is not currently intending to suspend Safe Harbor. However, it is likely that a number of measures will be looked at to strengthen it, and therefore the position should be closely monitored, with other international data transfer solutions such as Binding Corporate Rules also considered.
If you have any questions regarding this update, please contact the following or the Sidley lawyer with whom you usually work:
William Long, Partner
John Casanova, Partner
Edward McNicholas, Partner
Alan Raul, Partner
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.