FTC Hosts Fourth Start with Security Event in Chicago

The Federal Trade Commission hosted its fourth Start with Security event in Chicago, IL on June 15, 2016. This event was the latest installment of the Start with Security business education initiative launched last summer to engage in proactive outreach with the business community on information security standards and FTC expectations at a time when the FTC’s authority to reactively regulate data security was being challenged in federal court.  In addition to the Start with Security events, the FTC also responded by synthesizing their 50+ data security settlements into “10 practical lessons” to guide companies looking to proactively comply with FTC data security expectations.


The New Privacy Cop Patrolling the Internet

This piece originally appeared in Fortune Magazine on May 10, 2016.

As our online footprints grow in size and scope, it is more important than ever for Internet companies to protect us against hackers and disclose how they use our personal data. The Federal Trade Commission was long the main privacy cop enforcing these essential consumer protections. But last year, the FTC’s sister agency—the Federal Communications Commission—reclassified broadband ISPs as common carriers outside the FTC’s jurisdiction. Unless the courts reverse that decision, there are now two privacy cops on the Internet beat. The FCC polices ISPs like Verizon, Charter, and Sprint, while the FTC continues policing everyone else, from Google and Facebook to Apple and Amazon.


Supreme Court to Ninth Circuit in Spokeo–Get ‘Real’ on Injury

This article originally appeared in the Bloomberg BNA Privacy and Security Law Report on May 23, 2016.

In Spokeo, Inc. v. Robins, decided May 16, the U.S. Supreme Court ruled that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages do not have automatic “standing” to sue. The Court instead found that to meet the constitutional requirement of standing, the plaintiff must establish not only the “invasion of a legally protected interest” defined by Congress, but also that the plaintiff suffered a “concrete and particularized” harm to that interest.


The Supreme Court Remands Injury Question In Spokeo Class Action Privacy Claim

On Monday, May 16, the Supreme Court addressed the question of whether an alleged violation of the Fair Credit Reporting Act (FCRA), without allegation of concrete injury, is ever sufficient for Article III standing. The case, Spokeo Inc. v. Robins, No. 13-1339 (2016), involved a class action against data broker Spokeo Inc. The plaintiff, Thomas Robins, alleged that Spokeo violated the FCRA by inaccurately reporting online that he was a wealthy, married man with children and a graduate degree when he was actually unmarried and out of work. He argued that those inaccuracies could have hurt his chances with potential employers. The district court dismissed Mr. Robins’s case for failure to show any actual harm from the false information, but in 2014, the U.S. Court of Appeals for the Ninth Circuit allowed the case to move forward based on its analysis that Mr. Robins’s injury allegation was particularized because he alleged that Spokeo violated his individual rights when it handled his information.


White House Announces Initiative Focused on Artificial Intelligence, Builds on Big Data Initiatives

This month, the White House announced a series of workshops and a working group to address the “benefits and risks” of artificial intelligence. The workshops, which are to be held in Seattle, Washington, Pittsburgh, and New York City, will take place between May 24 and July 7, and are expected to result in a public report issued by the end of the year. The workshops and report are expected to address familiar themes – “privacy, security, regulation, law, and research and development to be taken into account when effectively integrating this technology into both government and private-sector activities.” Participation by all stakeholders – academia, industry, the research community, civil society, and others – will be key to shaping a report that is likely to provide an initial roadmap for regulatory and policy initiatives in the next administration.


Sidley’s 2nd Annual Privacy and Cybersecurity Roundtable Provides Cross-Industry Insights from Senior Government Officials

Senior legal, economic and privacy leadership from U.S. and European government joined Sidley partners and senior counsel as panel participants at the 2nd Annual Privacy and Cybersecurity Roundtable.  An audience of more than 70 privacy professionals across financial, healthcare and technology industries heard from three panels that focused on the latest developments and prospective issues in cybersecurity, big data and EU privacy.


Article 29 Working Party Releases Its Wish List for the EU-U.S. Privacy Shield

On April 13, the Article 29 Working Party announced that it had completed its assessment of the EU-U.S. Privacy Shield documentation. The announcement was followed by the release of a 58-page Opinion on the European Commission’s draft adequacy decision on the Privacy Shield.


EU General Data Protection Regulation has been Adopted

On Thursday, April 14, 2016, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (the GDPR). During the plenary session Jan Philipp Albrecht, rapporteur of the European Parliament for the GDPR, welcomed the adoption following what he described as years of “democratic debate and legislative process.” Albrecht further described the adoption as “a huge step forward towards creating a single legal environment for the digital world of tomorrow.” Today’s parliamentary vote completes the legislative process for adoption of the GDPR.  The final step will be for the GDPR to be published in the Official Journal of the EU which will likely take place in May 2016. Companies and regulators will then have two years from the date of publication in which to implement the requirements under the GDPR. Businesses should now seriously consider the impact of the GDPR and start planning for implementation.

EU General Data Protection Regulation Takes Significant Steps Towards Adoption

Over the past several days, the GDPR (the EU General Data Protection Regulation) took two significant steps towards adoption. On Friday, April 8, 2016, the European Council adopted the GDPR at first reading. Then today, Tuesday, April 12, 2016, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (the LIBE Committee) approved the GDPR by a 54-3 vote with one abstention. The European Parliament is due to vote on the GDPR in a second reading at a plenary session this coming Thursday. That will complete the legislative process for adoption of the GDPR. The final step will be for the GDPR to be published in the Official Journal of the EU, which will likely take place in May 2016. After publication, the GDPR will apply two years after the date of publication, allowing companies and regulators a grace period to prepare. The interpretation of the GDPR will be shaped by guidance from the new European Data Protection Board.


Leaked Extracts on Working Party Opinion Indicate Approval of Privacy Shield May Not Be Imminent

Today, alleged extracts from the impending Article 29 Working Party Opinion on the adequacy of the Privacy Shield were leaked.  These extracts indicate that a number of clarifications on the Privacy Shield documents will be required before the Working Party can confirm that the Privacy Shield, in its view, ensures a level of protection that is essentially equivalent to that in the EU.  The full opinion is due to be published on Wednesday 13 April, and will form part of the package for consideration by the European Commission.