Now You See Them, Now You Don’t: Regulatory Risks of Ephemeral Messages
Corporate use of ephemeral messaging applications (communications that disappear after a set time) has become increasingly common across the globe in recent years, with companies recognizing its value in decreasing data storage costs and providing employees a convenient method for communicating quickly with customers and clients. However, the prevalence of these messaging applications in the corporate context has caused regulators to grow concerned about how encrypted and ephemeral messaging might affect regulatory obligations related to data preservation, employee monitoring, and compliance.
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing
On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule). The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.
UK FCA Expectations on Call Recording in a Remote Working Environment — Market Watch 66
On 11 January 2021, the UK Financial Conduct Authority (FCA) published the 66th edition of its Market Watch newsletter. The newsletter sets out the FCA’s expectations for firms on recording telephone conversations and electronic communications when alternative working arrangements are in place, including increased homeworking in light of the COVID-19 pandemic.
The newsletter follows on from an update on 8 January 2021 to the market trading and reporting statement on the FCA’s Coronavirus (Covid-19): Information for firms webpage. In that update, the FCA notes that, given the extensive duration of alternative working arrangements during the pandemic, the FCA now expects firms to record all relevant communications (including voice calls) when working outside the office.
Lawfare Publishes Article on “Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers”
Lawfare recently published “Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers*,” written by Sidley Partner Alan Charles Raul. This article was adapted from a longer article on our Data Matters blog, “Schrems II Concerns Regarding U.S. National Security Surveillance Do Not Apply to Most Companies Transferring Personal Data to the U.S. Under Standard Contractual Clauses.”
(*Note that this article was published by the Lawfare Institute in cooperation with Brookings.)
Schrems II Concerns Regarding U.S. National Security Surveillance Do Not Apply to Most Companies Transferring Personal Data to the U.S. Under Standard Contractual Clauses
The thesis articulated in the article linked here is that (1) nearly all companies relying on standard contractual clauses for data transfers to the US under the EU General Data Protection Regulation are not electronic communications service providers for purposes of FISA 702 (i.e., only companies in the business of providing communications services would be covered) and (2) data transfers from Europe to the US under SCCs may not be targeted under FISA 702 and EO 12333 because they are (i) quintessential “US person communications” because either the data exporter is a U.S. person or the data importer is a U.S. person, or more likely, both are US persons and (ii) received by a person located in the U.S. Accordingly, the concerns expressed by the EU Court of Justice in Schrems II should not be problematic for nearly all U.S. companies relying on SCCs.