Members of the UK House of Lords have amended the Investigatory Powers Bill to make privacy a fundamental concern by inserting the following in clause 1 –
“This Act sets out the extent to which certain investigatory powers may be used to interfere with privacy.”
The amendment, proposed by Lord Janvrin, a member of the UK parliament’s Intelligence and Security Committee (“ISC“), was approved on Tuesday 11 October 2016, after a debate in which many members highlighted the need for safeguards against disproportionate use of the Bill by public authorities.
On August 10, 2016, the National Institute of Standards and Technology (“NIST”) issued a notice requesting public comment on the current and future state of cybersecurity in the digital economy. The Request for Information (“RFI”) will serve to facilitate the work of the Commission on Enhancing National Cybersecurity (“CENC”) in delivering detailed cybersecurity recommendations for the public and private sectors pursuant to Executive Order 13718. The February 2016 Executive Order created CENC to develop a plan of action for the next decade to strengthen cybersecurity in the public and private sectors and reinforce partnerships between federal, state and local governments and the private sector. The Executive Order directs the Commission and the Secretary of Commerce to work with NIST to carry out its mission.
The DHS and DOJ have issued final rules and guidance for receipt of cyber threat indicators and defensive measures, including Guidelines for privacy and civil liberties protections. On June 15, the DHS and DOJ announced the release of their joint rules for government handling of cybersecurity information shared by companies, along with expanded guidance for companies wishing to share cybersecurity threat information and take advantage of CISA’s liability shields for certain information sharing and defensive monitoring activities. The newly released rules incorporate and implement provisions of the Cybersecurity Information Sharing Act (CISA) which was passed in December 2015. CISA authorizes and protects information-sharing for certain cybersecurity purposes. It applies to all organizations and it offers companies a broad safeguard from liability for voluntarily sharing “cyber threat indicators” or engaging in certain cybersecurity “defensive measures.”
On May 17, 2016, the European Council formally adopted the Network and Information Security Directive (the “NIS Directive“) at first reading. According to the Council press release, the NIS Directive is meant to increase cooperation among EU Member States on the vital issues of cybersecurity.
The NIS Directive was first proposed by the European Commission in 2013 as part of the EU’s Cyber Security Strategy. The formal adoption of the NIS Directive by the Council follows on from the political agreement reached in December 2015. It must now be approved by the Parliament at second reading. The NIS Directive is expected to enter into force in August 2016, after which Member States will have 21 months to implement it into their national laws.
*This post originally appeared in the Council on Foreign Relations’ Net Politics Blog on March 1, 2016.
When the Court of Justice of the European Union (CJEU) struck down Safe Harbor last year, it did so on the basis that the European Commission had not determined whether European data transferred to the United States enjoyed the same protections as in the European Union. Despite the fact a recent Sidley Austin report found that many U.S. privacy protections are essentially equivalent—if not stronger—than the European Union’s in national security matters and comparable in other areas, the Commission clearly needed to replace Safe Harbor with something else to satisfy the CJEU and domestic privacy activists.
On January 1, 2016, China’s National People’s Congress Standing Committee enacted the new Anti-Terrorism Law (反恐怖主义法) that gives broad powers to the Chinese authorities to access and handle data held by telecommunications operators and internet providers (together, “Technology Companies”). This law provides a legal framework to compel Technology Companies to cooperate and assist the Chinese authorities to combat the threat of “terrorism.”
*This post originally appeared in Lawfare on February 25, 2016.
Let’s not pretend that that the outcome the Justice Department seeks in the Apple case is limited to only a single case and just this particular phone.
This unquestionably involves a special case. Because of the specter of an ISIS connection, the San Bernardino attacks send chills down the spine of every American. The ISIS connection makes this case different from other cases of homegrown radicalization. And the actual owner of the iPhone has consented to the search.
It is these special characteristics that make the San Bernardino case a compelling vehicle for the FBI to press its concerns about end-to-end encryption on devices and apps. … [Read More]
President Obama today unveiled a “Cybersecurity National Action Plan.” The administration’s proposed budget includes $19 billion for cybersecurity spending, $3 billion of which will be devoted to updating agency systems. The plan includes the creation of a Federal Chief Information Security Officer to guide the implementation of increased security across the federal government and reside within the Office of Management and Budget. President Obama also issued two executive orders. The first establishes the Commission on Enhancing National Cybersecurity within the Department of Commerce to be composed of technology, national security, and business leaders. The Commission is charged with developing by December 1, 2016 “detailed recommendations to strengthen cybersecurity in both the public and private sectors.” The second requires the establishment of a Senior Agency Official for Privacy at each agency and creates the Federal Privacy Council as “the principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf.” The OMB Director will be chair of the Federal Privacy Council, which will have the focus of coordinating internal agency policies.
In a milestone decision on transatlantic data protection, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems case, declaring the Commission decision on the EU-U.S. Safe Harbor agreement invalid. The CJEU declared that such a decision requires a finding that the level of protection of fundamental rights and freedoms in the laws and practices of the third country is “essentially equivalent” to that guaranteed within the EU. Given the CJEU’s decision, the Commission and data protection authorities are now called upon to examine the legal order in the U.S. and compare its level of protection to that within the EU.
This report provides a roadmap and resource for this comparison. Following the analysis laid out by the CJEU in Schrems, it shows how privacy values deeply embedded in U.S. law and practice have resulted in a system of protection of fundamental rights and freedoms that meets the test of essential equivalency.
*This post originally appeared in Law360 on January 7, 2016.
While 2015 was a big year in data, 2016 may prove to be even bigger. Many hot button and game changing topics are being debated in legislative bodies and campaign trails, regulators are focused, and privacy-related litigation continues to rise. Below, we count down the top ten cybersecurity, data protection and privacy issues to watch in 2016.