This piece originally appeared in the Wall Street Journal on October 25, 2015.
As the world’s privacy commissioners gather Monday in Amsterdam for their annual conference, they face a data-flow dilemma that is roiling international commerce. The predicament is the result of a ruling by the Court of Justice of the European Union and the United States that facilitates the trans-Atlantic flow of digital information …Read More.
In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the US-EU Safe Harbor agreement on the basis that the European Commission had failed to sufficiently assess the protection of personal data of Europeans under the U.S. data protection regime. The Court alluded to U.S. surveillance activities under the PRISM program authorized by Section 702 of the Foreign Intelligence Surveillance Act, and appeared to assume U.S. law permits mass surveillance of Europeans with few limits, little clarity, and no opportunity for redress. However, the Court did not actually review or assess the applicable legal authorities, remedies, or array of checks and balances, safeguards, and independent oversight. If it had done so, it would have found numerous overlapping controls that assure that such surveillance is neither massive nor indiscriminate, but instead targeted to specific individuals and limited purposes, and provides legal remedies for Europeans. Indeed, prior to the scheduled expiration of the 702 program in 2017, U.S. congressional oversight committees will likely be comparing whether privacy safeguards in place for similar foreign programs are as effective as those of Section 702.
Significantly, the independent Privacy and Civil Liberties Oversight Board reviewed surveillance under Section 702 and found: “[T]the Section 702 program is not based on the indiscriminate collection of information in bulk. Instead the program consists entirely of targeting specific [non-U.S.] persons about whom an individualized determination has been made.” Key safeguards and controls include…
Originally posted by the Council on Foreign Relations Net Politics Blog on October 8, 2015.
In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government and not just the EU for letting this mess happen.
The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States.
In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and has found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.
On September 22, 2015, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, settled charges with the SEC for failing to establish cybersecurity policies and procedures as required by the SEC’s safeguards rule. In July 2013, R.T. Jones was the victim of a cybersecurity breach that exposed the personally identifiable information (PII) of approximately 100,000 individuals, including firm clients. Although the firm promptly provided notice of the breach to all affected individuals and retained cybersecurity consultants to trace the attack, the firm’s prompt response did not – according to the SEC – make up for its alleged failure to adopt written cybersecurity policies and procedures in the four years prior to the attack.
On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert announcing a new Cybersecurity Examination Initiative. The Alert provides the agency’s areas of focus for its next round of cybersecurity examinations of broker-dealers and investment advisers.
Despite having previously stated it would not issue further clarifications, in August 2015, the Russian Ministry of Communications and Mass Media (Minkomsvyaz) issued a further statement regarding the data localization law. The Ministry of Communications is empowered to supervise the data protection authority (Roskomnadzor) and to provide interpretations of laws that fall within their purview (including the data localization law). The Minkomsvyaz statement reiterated that the law does not have retroactive effect – personal data of Russians collected prior to September 1, 2015 may reside in foreign jurisdiction so long as they are not updated or changed, at which point they would be subject to the localization requirement. The clarification further noted that data localization requirement would not apply to entities that are not resident in Russia. This statement is notable for being issued in writing, and providing companies with a statement of standards and expectations that may be cited by companies should issues arise.
See previous coverage in Data Matters July 21, 2015 Post: Impending Russian Data Localization Law
Sidley does not practice law in Russia, so the information here is based on our understandings from public sources and discussions with local counsel. This article should not be construed as advice about Russian law.
On Monday, the U.S. Court of Appeals for the Third Circuit issued its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), holding that the Federal Trade Commission has the authority to bring an action under Section 5 of the FTC Act for allegedly “unfair” cybersecurity practices.
On July 27, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) released a draft cybersecurity “Bill of Rights” suggesting certain rights for insurance consumers to have their personal information protected by insurance companies, insurance producers and other entities regulated by state insurance departments. Comments on the draft were due by close of business on August 10, 2015 and a final version could be adopted during the NAIC’s upcoming National Meeting in Chicago in mid-August 2015. The Cybersecurity Bill of Rights is one of several insurance regulatory measures designed to safeguard personal information of insurance consumers, which is particularly vulnerable in data breaches because it often contains social security numbers, financial information, addresses and sensitive medical information. Cybersecurity has become an even higher priority among insurance regulators since the Anthem, Inc. data breach and the NAIC formed the Cybersecurity Task Force to coordinate regulatory efforts in this area.
On April 10, 2015, the FTC closed its data security investigation of a securities firm after one of its employees moved the personal information of the certain of the firm’s wealth management clients to personal devices and a personal website. Ultimately, the personal data became available on publicly accessible websites.