Heads Up for Privacy, Data Protection and Cybersecurity in 2014

The new year will ring in significant privacy, data protection and cybersecurity changes in the U.S., Europe, Asia and elsewhere around the world. Below are some key developments and possible concrete action items for General Counsels, Chief Privacy Officers and Chief Information Officers:

Focus on Cybersecurity

A new cybersecurity framework will be published in February 2014 by the National Institute for Standards and Technology (“NIST”) pursuant to President Obama’s Executive Order. New EU standards are also in process. Additionally, numerous data breaches are likely to trigger more legislation and class action litigation. Finally, courts are developing negligence standards for cybersecurity breaches.

  • Corporate boards of directors and CEOs should direct legal, compliance and IT staff to review, conduct and enhance (i) cybersecurity safeguards, (ii) data vulnerability assessments (which are mandated in the healthcare sector), (iii) incident response and reporting protocols, (iv) insurance coverage and (v) service provider commitments.
  • Companies should consider mapping their corporate cybersecurity standards to their industry’s evolving standards being shaped by state law requirements (e.g., Massachusetts), NIST and ISO standards, recommendations of the European Network and Information Security Agency (“ENISA”), safeguards mandated by HIPAA and Gramm-Leach-Bliley, Payment Card Industry Standards, etc.

New International Privacy Laws

New privacy and data protection laws continue to be adopted around the world. Significant legislative developments will be in force in 2014 in China, Kazakhstan, Malaysia, Russia, South Africa, etc.

  • Multinational companies should assess how new laws – including new international data transfer restrictions – might apply to their operations.
  • Companies without global privacy and data protection compliance programs should consider implementing such processes.

Do Not Track Developments

California’s “Do Not Track” disclosure requirement goes into effect in January 2014. Federal and international regulators are also focused on Internet tracking, but the likelihood of new rules is unclear.

  • Website privacy policies should be updated for all sites that collect personal information about California residents.
  • Companies must understand how their organizations are collecting, using, sharing, and disposing of information, as reliance on form policies can be worse than no policy at all.

Forced Data Localization Requirements and Cloud Computing

Numerous countries have recently implemented (China, Greece, Malaysia, Russia, South Korea, Venezuela, Vietnam, etc.) or are actively considering (Argentina, Brazil, India, Indonesia, etc.) local data server requirements.

  • Global companies should review potentially relevant local data requirements and restrictions on cloud computing.
  • Multinationals with sufficient interest should consider monitoring and participating in international trade policy initiatives to challenge forced localization as a technical barrier to trade.

Controlling Cookies

EU data protection authorities continue to update their enforcement policies and guidance regarding required disclosures and consents for the use of website cookies.

  • Companies with internationally directed websites should evaluate their compliance with and amenability to the jurisdiction of EU cookie requirements.
  • In the U.S., companies with child-directed websites, or with actual knowledge that children under 13 use their websites, should determine how the FTC’s amended children’s privacy (“COPPA”) rule applies to their cookie, tracking and “plug-in” practices.

Disequilibrium for Safe Harbor and Cross-Border Data Transfers

Following the Snowden revelations, the EU Commission issued a report supporting retention of the U.S.-EU Safe Harbor, but recommending significant revisions, including required disclosure of cloud computing and other service provider contracts relied upon by Safe Harbor members.

  • Safe Harbor member companies should monitor possible new requirements or scrutiny by the U.S. Commerce Department, FTC and EU data protection authorities.
  • Multinationals relying on EU-approved standard contractual clauses (“model contracts”) and binding corporate rules (“BCRs”) should also prepare for increased scrutiny.
  • Companies should assess their systems for responding to law enforcement and national security requests and demands and ensure these align with their posted privacy policies.

Anticipating Big Data, Internet of Things and New Technologies

Companies are rushing to invest significant resources to collect, analyze and monetize vast new arrays of transactional, locational and technical data from and about customers, device users, equipment sensors, etc.

  • Companies with data-driven agendas should implement information governance controls incorporating privacy and security “by design” to anticipate possible FTC, State Attorneys General and consumer actions.
  • New data collection, profiling and analytic initiatives should be tracked, controlled and justified within companies.
  • Companies adopting new data collection technologies like facial recognition and drones should anticipate privacy considerations.

New EU Data Protection Regulation

It is unclear whether the current Parliament will vote on and approve a new General Data Protection Regulation, and if so, whether the EU Council of Ministers will take up the same draft. Significant revisions to EU data protection standards are inevitable, however, even though the precise timing and contours of such changes are not entirely predictable. Regardless, very substantial new penalties and citizen remedies are almost certain to be a part of the EU’s new Data Protection Regulation, including fines of up to 5% of annual worldwide turnover or €100 million, whichever is the greater.

  • International companies should prepare their international privacy and data protection compliance programs for inevitable increased stringency.
  • BCRs may be an increasingly attractive option for promoting global compliance.

Granular State Privacy Legislation and Aggressive Enforcement

States like California and Texas have adopted specific new health privacy standards, and Attorneys General around the U.S. are increasingly aggressive about enforcing consumer protection statutes with respect to online marketing, data breaches, HIPAA, collection of consumer information, etc.

  • Companies should carefully survey state law requirements regarding all privacy sectors, information security requirements and consumer protection standards.
  • Document compliance efforts to mitigate risks of possible AG enforcement.

Who Is in Charge and What Jurisdiction Applies?

Authority to make and enforce rules for privacy, data protection, cybersecurity, cloud computing, data transfers, online advertising, consumer profiling, Internet law, etc., has become increasingly complicated around the world even within countries. The EU is considering an efficient but controversial “one stop shop” to establish a lead data protection regulator for all of a company’s European operations, but the EU is also considering asserting jurisdiction over all foreign websites that interact with European residents. In the U.S., jurisdiction is shared between the FTC and State Attorneys General and, even at the federal level, between the FTC, Consumer Financial Protection Bureau, Office for Civil Rights, HHS, etc. The President’s surveillance review group has recommended a White House official to coordinate federal privacy policy. Trade negotiations with the EU and Asia may include efforts to promote greater regulatory alignment and interoperability on privacy, ecommerce and cross-border data flows. Complexity, confusion and contention, however, are likely to remain relevant throughout 2014.

  • Companies should map their international and domestic privacy and data protection obligations and develop a clear understanding about which authorities could assert jurisdiction over their operations.
  • Choice of law and private dispute resolution clauses should be made clear and balanced so as to enhance their enforceability.

* * *
Happy New Year and Best Wishes for 2014 from the Privacy, Data Security and Information Law group of Sidley Austin LLP!
