Despite having previously stated it would not issue further clarifications, in August 2015 the Russian Ministry of Communications and Mass Media (Minkomsvyaz) issued a further statement regarding the data localization law. The Ministry of Communications is empowered to supervise the data protection authority (Roskomnadzor) and to provide interpretations of laws that fall within its purview (including the data localization law). The Minkomsvyaz statement reiterated that the law does not have retroactive effect: personal data of Russians collected prior to September 1, 2015 may reside in a foreign jurisdiction so long as they are not updated or changed, at which point they would become subject to the localization requirement. The clarification further noted that the data localization requirement would not apply to entities that are not resident in Russia. This statement is notable for being issued in writing and for providing companies with a statement of standards and expectations that may be cited should issues arise.
See previous coverage in Data Matters July 21, 2015 Post: Impending Russian Data Localization Law
Sidley does not practice law in Russia, so the information here is based on our understandings from public sources and discussions with local counsel. This article should not be construed as advice about Russian law.
On Monday, the U.S. Court of Appeals for the Third Circuit issued its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), holding that the Federal Trade Commission has the authority to bring an action under Section 5 of the FTC Act for allegedly “unfair” cybersecurity practices.
On July 27, 2015, the Cybersecurity Task Force of the National Association of Insurance Commissioners (NAIC) released a draft cybersecurity “Bill of Rights” suggesting certain rights for insurance consumers to have their personal information protected by insurance companies, insurance producers and other entities regulated by state insurance departments. Comments on the draft were due by close of business on August 10, 2015, and a final version could be adopted during the NAIC’s upcoming National Meeting in Chicago in mid-August 2015. The Cybersecurity Bill of Rights is one of several insurance regulatory measures designed to safeguard the personal information of insurance consumers, which is particularly vulnerable in data breaches because it often contains social security numbers, financial information, addresses and sensitive medical information. Cybersecurity has become an even higher priority among insurance regulators since the Anthem, Inc. data breach, and the NAIC formed the Cybersecurity Task Force to coordinate regulatory efforts in this area.
On April 10, 2015, the FTC closed its data security investigation of a securities firm after one of its employees moved the personal information of certain of the firm’s wealth management clients to personal devices and a personal website. Ultimately, the personal data became available on publicly accessible websites.
On June 29, the FTC and the New Jersey Attorney General announced the filing of a joint complaint, and a proposed stipulated settlement, against an Ohio-based app developer, Equiliv Investments LLC, and an individual officer of the company. The federal and state enforcement agencies alleged that Equiliv marketed a free app that users believed would let them earn rewards points for playing games or downloading affiliated apps. The agencies alleged that Equiliv explicitly represented that the app was free of malware when in fact the app’s main purpose was to load malicious software onto users’ phones to mine virtual currency. Allegedly, the app took control of the devices’ computing resources and degraded the phones’ performance by draining battery life and data plans and causing the devices to charge slowly. The malware was alleged to pool the computing resources of consumers’ mobile devices to benefit the company’s effort to generate virtual currencies through a peer-to-peer network, competing with other devices in solving complex mathematical equations (a process known as “mining”).
Following meetings between President Obama and Brazilian President Dilma Rousseff this week, the leaders issued a joint communiqué addressing a number of cyber issues. It would appear that post-Snowden tensions have eased. In 2013, President Rousseff condemned alleged US spying. In their statement this week, the Presidents expressed a “share[d] understanding that global Internet governance must be transparent and inclusive, ensuring full participation of governments, civil society, private sector and international organizations, so that the potential of the Internet as a powerful tool for economic and social development can be fulfilled,” and they reaffirmed “their adherence to the multistakeholder model of Internet governance.”
This week we moved one step closer to the adoption of the proposed EU Data Protection Regulation with the agreement by the Council of Ministers on its proposals for the draft Regulation. The Regulation has been described as the most lobbied piece of European legislation in history and, once adopted, will have a significant impact on governments, businesses and individuals.
Although a frequent topic of discussion on Capitol Hill, no single standard for private-sector cybersecurity programs has yet emerged. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is often considered foremost among existing guidance, but several other agencies are also expressing views, including the following recent guidance from the Department of Justice (DOJ), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC). Significantly, both the DOJ and the FTC tout the advantages of cooperating with law enforcement after a data breach, noting that such cooperation may lead to “regulatory” benefits.
The first edition of The Privacy, Data Protection and Cybersecurity Law Review appears at a time of extraordinary policy change and practical challenge for this field of law and regulation. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication.
- Editor’s Preface, Alan Charles Raul
- Chapter 1, “European Union Overview,” William Long, Geraldine Scali and Alan Charles Raul
- Chapter 2, “APEC Overview,” Catherine Valerio Barrad and Alan Charles Raul
- Chapter 9, “Hong Kong,” Yuet Ming Tham and Joanne Mok
- Chapter 12, “Japan,” Takahiro Nonaka
- Chapter 16, “Singapore,” Yuet Ming Tham, Ijin Tan and Teena Zhang
- Chapter 20, “United Kingdom,” William Long and Geraldine Scali
- Chapter 21, “United States,” Alan Charles Raul, Tasha D Manoranjan and Vivek Mohan
BNA’s Privacy & Security Law Report
Following meetings held Feb. 24-25, the Council of the European Union released its “Conclusions” in response to the EU Commission’s Nov. 4, 2010 “Communication” proposing “a comprehensive approach on personal data protection in the European Union.” The Council is the main decision-making body of the European Union, comprising the ministers of the Member States. Depending on the issue on the agenda, each country is represented by the minister responsible for that subject (foreign affairs, finance, social affairs, transport, agriculture, etc.).