2016 was a year of seismic changes in the global data protection and privacy landscape. Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.
Year In Review
1. GDPR Adoption
On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer. Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.
2. Political Cyber Warfare
There is a new front in geopolitical battles. On August 11, the FBI announced its conclusion that the hacking of the Democratic Party in late July was the work of the Russian government. The federal investigation of the hack revealed that, in addition to the DNC and DCCC, other party-affiliated groups were targeted in the hack, which likely included the breach of personal email accounts of the groups and group leaders. Intelligence agencies have also expressed confidence that the Russian government is behind the less aggressive hacking efforts against the Republican National Committee’s (“RNC”) computer systems. Notably, an early October statement by the Department of Homeland Security and Office of the Director of National Intelligence asserted that the purpose of the attack was to interfere with the U.S. election process. They also stated that the highest Russian officials had authorized the activities. Responding to the attack, President Obama imposed additional sanctions on Russia and expelled 35 Russian diplomats. Responding to the implications that his election was not legitimate given the interference, then President-elect Trump first expressed skepticism, then signaled he might accept Russia’s involvement if the FBI and other agencies present sufficient evidence. Ultimately, President Trump has dismissed the allegations as a “political witch hunt.” In any case, the dimension of state-sponsored exploitation of hacked information for political purposes became a significant part of the electoral narrative, and is likely to shape elections—and possibly political warfare—for years to come.
The Supreme Court in Spokeo, Inc. v. Robins, decided May 16, ruled that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages do not have automatic ‘‘standing’’ to sue. The Court instead found that to meet the constitutional requirement of standing, the plaintiff must establish not only the ‘‘invasion of a legally protected interest’’ defined by Congress, but also that the plaintiff suffered a “concrete and particularized” harm to that interest. The Supreme Court held that the Ninth Circuit erred by analyzing only whether the plaintiff’s claim—that he was injured by dissemination of inaccurate information—was “particular” to the plaintiff, without separately considering whether the injury was “concrete.” The Court remanded to the Ninth Circuit to determine the concreteness of the claimed informational injury. The Court also acknowledged that while intangible injuries can indeed be “real” and “concrete,” such injuries can give rise to standing only where they pose some de facto risk of harm to the plaintiff. “Bare” or immaterial procedural violations will not suffice. This holding has enhanced the ability of companies to defend lawsuits under privacy, data security, informational rights statutes, and perhaps other consumer protection statutes, where the plaintiffs advance procedural violations whose practical effects on the plaintiffs’ own interests are so abstract, ethereal, or implausible as to appear unreal.
4. Major Data Breaches Drew Increased Focus to Cybersecurity Risks
Attention to data breaches continued to grow in 2016, as bigger and more complex breaches were discovered and litigation ensued. These breaches resulted in various consequences for the breach suffering entities, including closely followed class action suits, some massive settlements, effects to negotiations for corporate acquisitions, regulator actions, and as always, significant media scrutiny. Indeed, several breaches in 2016 carried a significant national security dimension. As a result, regulator guidance and regulations on cybersecurity continued to proliferate in 2016, further complicating the compliance burden.
The FTC issued guidance on cybersecurity in multiple forums and media, including a usable 16-page guide for businesses on how to respond to data breaches. While this guidance did not impose explicit legal requirements, the FTC has previously used such non-binding publications to establish that businesses had notice of FTC requirements. Cybersecurity guidance and regulations proliferated particularly in the financial sector.
In September, the Commodity Futures Trading Commission (CFTC) approved final rules requiring commodities and derivatives firms, including exchanges and clearinghouses. The rules clarify the CFTC’s system safeguards rules for all designated contact markets, swap execution facilities, and swap data repositories by specifying and defining the types of cybersecurity testing essential to fulfilling system safeguards testing obligations. It also emphasized, among other requirements, that vulnerability testing must be conducted at least quarterly and penetration testing must be conducted at least annually.
Also in September, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The extensive Proposed Regulations covered staffing of a CISO, business continuity, and other operational factors including a 72 hour data breach notice and annual certification to the Superintendent by the entity’s Board of Directors (or alternatively a senior officer) that the entity is in compliance with the regulations. Proposed mandated technical security controls – without reference to the cost of such controls or a risk balancing for application of the measures – included multi-factor authentication, and security of data accessible to third-parties and data encryption. In December, NYDFS revised the proposed regulations to incorporate a “risk based” approach. However, a number of controversial elements remain, including the annual certification.
In October, federal banking regulators—the Federal Deposit Insurance Corporation, the Federal Reserve, and the Office of the Comptroller of the Currency—approved an advance notice of proposed rulemaking inviting comment on a set of enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision. The proposal would require banking organizations with total U.S. assets of $50 billion or more to have in place procedures that would allow their sector-critical systems to recover from a cyber attack within two hours. The proposal would also impose additional governance, risk management, and audit requirements.
These developments sharpened focus on cybersecurity policy. In December, the presidential Commission on Enhancing Cybersecurity issued its report review cybersecurity policies and programs and making recommendations for the next administration. The Trump White House is expected to soon issue a cybersecurity executive order setting in motion a promised 90-day review of cybersecurity preparedness.
5. Microsoft SCA Case
In July, the U.S. Court of Appeals for the Second Circuit declined to extend the warrant provision of the Stored Communications Act (SCA) to data stored on foreign servers. The long-awaited decision—to the surprise of most observers—rejected the government’s construction of the SCA and instead embraced a more restrictive view that Microsoft had advanced, backed by much of the tech industry and many privacy groups. Microsoft Corp. v USA, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation (2d Cir. July 14, 2016)( Docket No. 14‐2985). (Sidley Austin LLP represented a number of amici in support of Microsoft before the Court of Appeals and District Court.) The decision held that electronic communications that are stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the SCA’s warrant provisions—not even where the warrant is served on a U.S. provider that can access the foreign-stored information, and deliver it to U.S. officials, by using computers and personnel based here in the United States.
On Tuesday, January 24, the Second Circuit narrowly denied a request by the United States for an en banc rehearing of the panel’s decision. Three judges recused themselves from the vote, and the remaining active judges voted 4-4 to deny rehearing. (Because it takes a majority vote to grant a petition for rehearing, a tie vote operates as a denial.) Judge Susan Carney, who wrote the panel opinion, authored a second opinion concurring in the order denying rehearing. In her concurrence, Judge Carney again concluded that the SCA’s “focus” is on “protecting the privacy of the content of a user’s stored electronic communications.” She reasoned that the point of divergence between the panel and the dissenters lay in how to identify the interest that is the “focus” of the SCA. Whereas the panel thought “privacy” interests were central, the dissenters saw the focus as “resting on disclosure.” The dissenting judges reasoned that because the SCA focuses on disclosure, the location of the disclosure, rather than the location of storage, determines whether the warrant would be executed domestically or extraterritorially.
6. Encryption Debates
Following 2015 and 2016 terrorist attacks, government officials—including FBI Director James Comey and officials at the CIA and DOJ—called for Apple and Google to provide access to encrypted data on smartphones. The DOJ filed suit to force Apple to assist in decryption of the iPhone of the San Bernardino attacker, though dropped the suit weeks later after hacking the phone without Apple’s assistance. However, the case over access to the San Bernardino attacker’s iPhone was only an example of a much larger debate. Some called on Congress to pass legislation requiring designers of smartphone operating systems sold in the US to grant access to data under search warrants, and proposals continue to be debated in the Senate. With a new administration, many expect a fresh look at the issues involved in the Executive Branch.
7. Privacy Shield Negotiations, Adoption and Challenges
After months of negotiation, debate, and even some criticism of the proposal from the Article 29 Working Party, the European Parliament, and the European Data Protection Supervisor, Giovanni Buttarelli, the European Commission formally adopted the EU-US Privacy Shield on July 12, 2016. The Privacy Shield became available for certification on August 1, and the Department of Commerce promised a nine-month grace period for compliance with the third party contractual requirements of the onward transfer principle for all entities that signed up by September 30, 2016. Thus far, more than 1,500 companies have self certified and many more are in the process.
Critics of early drafts of Privacy Shield conceded that it was significantly stronger than Safe Harbor but recommended a number of additional measures. These views were taken into account in the revised draft of the Privacy Shield and data subjects and companies should have greater protection and remedies in the new arrangement. Nevertheless, not long after its approval, the Privacy Shield was subject to two court challenges that are currently pending. These cases will be closely watched as companies continue to weigh risks in selecting a compliance mechanism for cross border data transfers that are often critical to the business. In addition, the Commission and others in Europe will be watching closing to see if the Trump administration does anything that undermines the U.S. commitments in the Privacy Shield and causes the Commission to consider suspending the arrangement.
8. First IoT-Powered Cybersecurity Attack
In October, a massive distributed denial-of-service (“DDOS”) attack disrupted U.S. internet traffic in one of the first cybersecurity attacks powered by the Internet of Things (IoT). IoT comprises all manner of connected devices, from cameras and DVRs to thermostats and fitness trackers. The attack was caused at least in part by malware that can build botnets out of IoT devices, according to network security companies. The attack interrupted access to popular websites by flooding a DNS service provider with crushing traffic. It was estimated that more than 500,000 devices were infected with the malware.
9. NIS Directive
On July 6, the European Parliament adopted the Network and Information Security directive (the “NIS Directive”), following formal adoption by the European Council in May. The EU Parliament’s rapporteur Andreas Schwab (EPP, DE) hailed the NIS Directive as a “huge success and a big first step to establishing a comprehensive regulatory framework for platforms in the EU.” In addition, members of the European Parliament stated that having harmonized cybersecurity standards and increased cooperation between Member States should help organizations protect themselves against cyber attacks and should also help to prevent attacks on Member States.
Key elements of the NIS Directive include: a requirement for “operators of essential services” in critical infrastructure sectors (e.g., energy, transportation, healthcare and banking) and digital service providers (e.g., search engine operators, cloud computing services and ecommerce platforms) to implement appropriate technical and organizational measures to manage security risks and to notify the national competent authority of serious incidents; the adoption by Member States of a national strategy to include policies and measures to maintain a level of network and information security; the designation of a national competent authority to implement and enforce the NIS Directive and create Computer Security Incident Response Teams (“CSIRT”) responsible for investigating data security incidents and cybersecurity risks; and the creation of a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and a CSIRT Network to “promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.”
10. China Cybersecurity legislation
In November, China promulgated the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”) after three rounds of readings in June 2015, June and October 2016, respectively. The Cybersecurity Law will become effective June 1, 2017. The introduction of the concept of “cyber space sovereignty” in the Cybersecurity Law echoes the views of President Xi Jinping, who is also the head of the Office of the Central Leading Group for Cyberspace Affairs, and who has stated in February 2014 “[n]o cyber safety means no national security.” Critically, the Cybersecurity Law may have global implications, as the Law applies to both Chinese and international businesses engaging in the construction, operation, maintenance, or use of information networks in China. It requires data localization in certain circumstances, as well as approval of certain uses of encryption technologies.
With the momentum of 2016, the coming year promises to continue the fast paced evolution of threats, challenges, regulatory changes and perhaps even some policy surprises. In 2017, we are keeping a particularly close eye on the following “top ten” issues to watch.
- GDPR implementation guidance
- Privacy Shield implementation and litigation
- The dawning of IOT Regulations – starting with connected cars and medical devices
- AI-powered technologies continued spread and effects across the economy
- The Trump administration on surveillance and national security matters
- The Trump administration’s effects on international data transfers, including the future of the Privacy Shield
- The future of standing in privacy litigation, and potentially a Spokeo redux
- The Trump administration’s policy influence on the FCC and FTC enforcement
- Constitutional privacy rights
- Election cyber hacking investigations