UK ICO Commissioner Liz Denham, who serves as Conference Chair, welcomed attendees at the public session and provided a brief summary of what transpired at the Commissioners’ closed door sessions. She noted that “privacy” has gone “mainstream.” People around the world expect more information about how their data is used. She stressed the importance of future international collaboration and regulatory cooperation to develop shared strategies and tactics “to protect people from big companies.”
Commissioner Denham also highlighted the increased focus on the role of data protection as a relevant consideration in competition analysis by international regulators. She noted that the International Privacy Commissioners’ Conference, and the ongoing assembly of global regulators, resolved to be more transparent in the future with respect to the regulated community and other interested parties. Finally, she hinted that a new name for the group would be announced before the 2019 conference concludes.
The U.S. Court of Appeals for the Seventh Circuit has struck a major blow to Federal Trade Commission (FTC) enforcement authority, holding that the agency cannot seek its preferred remedy of monetary restitution in federal court.
In recent years, the FTC has used Section 13(b) of the Federal Trade Commission Act (FTC Act)1 as its preferred enforcement mechanism, and it has done so to great effect. In 2017, for example, the FTC obtained $5.29 billion in restitution under this section. Civil penalties, which are authorized under a different part of the statute, totaled just $176 million that same year.
On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).
Over the last few years, States have enacted increasingly aggressive legislation concerning data privacy and security, raising concerns that companies will be subject to a patchwork of different standards. Congress has recently taken notice, convening hearings on potential federal privacy legislation, with the possibility of preemption a hot topic during the hearings. Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its the Standards for Safeguarding Customer Information (“Safeguards Rule”) and Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act. The proposed amendments – and particularly the proposed changes to the Safeguard Rule – signal the FTC’s desire to align its rules with those of key states and to further protect customer information held by financial institutions.
* This article originally appeared in Law360 on September 27, 2018.
*This article first appeared in the July 2018 issue of Digital Health Legal
Massive data breaches. Threats to medical devices. The Internet of Persons. Healthcare entities are all too familiar with the rising cyber threat. But they are also familiar with the complex array of laws and regulations in the United States that attempt to address the threat and the potentially significant compliance costs and risks caused by that complexity. The US Court of Appeals for the Eleventh Circuit’s recent and long-awaited decision in LabMD v. Federal Trade Commission, which trimmed the sails of one of the primary regulators of the healthcare information security landscape, may thus appear to some, at first blush, to be a necessary corrective. Yet closer inspection shows that the Eleventh Circuit’s decision raises more questions than it answers – and that its true implications will only become clear once we see how federal regulators, the courts, and perhaps Congress respond.
*Originally Published July 12, 2018 by Chambers and Partners Data Protection & Cyber Security 2018
There is a lot going on with privacy around the world. As discussed in the chapters of this book, significant new laws are being adopted or taking effect, important judicial decisions are being decided to interpret existing legal requirements, and citizens are contending with their own expectations about confounding new technologies and business models. It is not clear, however, that the public policy being developed in any country is a thoughtful reaction to the promises and perils of today’s digital economy, rather than a knee-jerk over-reaction to imagined harms and a handful of high-profile incidents. (more…)
In recent years, the Federal Trade Commission has increasingly exercised its enforcement authority to target deceptive and unfair information security practices. During this time, enforcement actions have targeted companies for failing to honor their promises to implement “reasonable” or “industry standard” security practices, defend against well-known security threats, put in place basic security measures, or take many other basic data security steps. And despite challengers arguing that the FTC provided insufficient notice before pursuing these actions or that the actions otherwise exceeded the FTC’s Section 5 enforcement authority, the Commission generally has a track record of successfully defending its prerogatives. (more…)
Whether you are marking today with a glass of champagne, a shot of whiskey, or a hot cup of tea, today marks a significant day for privacy professionals world-wide.
Here’s to all of the privacy professionals who have put in so many hours to prepare for the GDPR, fully effective as of Friday May 25, 2018 at midnight in Brussels; that is 6 PM eastern on Thursday, May 24th for toasting purposes.
For business executives, policymakers, and consumers who have become aware of the GDPR in recent weeks and are interested in learning more, visit our GDPR resource page here.