Apr 152015

Data Protection Legislative Hot Topic

Sidley Data Matters Contributors
, , , , ,

Cyberthreat Sharing Bills Gain Momentum.  On March 12, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act of 2015 (“CISA”) to increase sharing of cybersecurity threat information by U.S. companies on a vote of 14-1. The legislation grants liability protections for companies that voluntarily share cybersecurity threat information with the government or industry partners. The measure should be scheduled for a vote on the Senate floor shortly.

The joint statement issued by members of the Senate Intelligence Committee states that the bill is designed to increase “purely voluntary” cyberthreat sharing by U.S. companies, and it includes “numerous” privacy protections to prevent government abuse. Government use of the information would be limited to cybersecurity and prevention of “serious crimes” and would require the removal of personal information. The Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General would be directed to develop procedures to increase sharing of classified and unclassified threat information.

CISA would provide broader liability protections than the White House’s proposed information sharing bill. Under the White House’s proposed bill, companies would receive liability protection only for information shared with the Department of Homeland Security’s National Cybersecurity and Communication Integration Center and with private sector information sharing and analysis organizations. Such limitations were criticized by industry, and the Senate bill appears to remedy such concerns by providing broader protection to any threat information shared with the government and industry partners.  CISA also would extend antitrust protections to companies that share information with competitors.

A week after the Senate Intelligence Committee acted on CISA, the House version, the Protecting Cyber Networks Act (“PCNA”), was unanimously approved out of the House Intelligence Committee.  Both are primed for full votes.  The House bill also provides for liability protection and a double sanitation process to where companies must make reasonable efforts to scrub shared data of personal information prior to sharing it with the government, and that the government itself must further scrub the data prior to disclosures to the NSA or DOD.  The House bill also includes explicit prohibitions on the use of the data for surveillance purposes.

The cyberthreats sharing bills still face opposition from privacy advocates, however, that feel there are still not enough protections to guard against abuse by US intelligence organizations.  For example, the only member of the Senate Intelligence Committee to vote against the bill, Senator Ron Wyden, cited privacy concerns in opposing CISA, echoing concerns that the legislation will provide greater latitude to surveillance programs.

White House releases language for omnibus consumer privacy bill.  On February 27, the White House released the language for a proposed omnibus consumer privacy bill—titled the Consumer Privacy Bill of Rights Act—that would regulate information collection and use practices.  The proposal set forth “baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”  In particular, the Bill would impose notice and consent requirements and implement other principles derived from Fair Information Practice Principles to facilitate the right for consumers to manage their personal information.

The bill focuses on public-private partnerships, industry self-regulation and existing regulatory authorities for enforcement.  It encourages the creation of privacy review boards to establish industry best practices for consumer privacy.  The bill would also allow the FTC to continue to exercise its authority under Section 5 of the FTC Act, but would bar the FTC from bringing enforcement actions against companies that implement FTC-approved codes of conduct.  The penultimate draft of the bill within the White House apparently would have moved privacy authority over telecommunications carriers from the FCC to the FTC.  Last minute agency lobbying, however, proved successful in keeping the FCC’s privacy authority intact in the President’s draft.

Already, the draft language is receiving criticisms from multiple players. Industry, privacy advocates, federal agencies, members of Congress, and EU officials have opposed language in the draft bill and expressed significant concerns. It has not yet been introduced in Congress, and given such opposition, it is unlikely the bill will find a sponsor to advance it in its present form.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).