2016 was a year of seismic changes in the global data protection and privacy landscape. Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.
Year In Review
1. GDPR Adoption
On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer. Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.
2. Political Cyber Warfare
There is a new front in geopolitical battles. (more…)
On December 28, 2016, former President Obama issued Executive Order 13757, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (E.O. 13757). E.O. 13757 amends an earlier Executive Order 13694 (E.O. 13694) of April 1, 2015, under which the President declared a “national emergency” to deal with the “unusual and extraordinary threat” to U.S. national security, foreign policy and the economy posed by malicious cyber-enabled activities conducted by persons outside the United States in relation to the November 2016 election. Through the December 2016 amendment, President Obama took “additional steps” to deal with such malicious cyber activities in view of their increasing use “to undermine democratic processes or institutions.”
*This post first appeared in Lawfare on January 17, 2017.
As the new administration takes office this week, we will start to see just how literally to take Donald Trump’s pronouncements and the promised targeting of his predecessor’s executive orders for immediate destruction. Trade policy appointments signal that statements about being aggressive against barriers to trade should be taken very literally. Wilbur Ross, the prospective Commerce Secretary; Peter Navarro, tapped to lead a new Trade Council on the White House staff; and Robert Lighthizer, designated U.S. Trade Representative, all have been vociferous in calling out China’s mercantilist policies and advocating a more transactional approach to breaking down market barriers in the world’s second largest national economy.
On 11 April 2016, the European Commission consulted on Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive”), seeking input from a wide range of businesses, organizations and individuals on the effectiveness of the ePrivacy Directive and their views for its revision. The European Commission’s review is a key element of its Digital Single Market Strategy, which aims to reinforce trust and security in digital services in the EU.
The European Commission released the results of this consultation on 19 December 2016. The consultation received 421 replies from stakeholders in all Member States and outside the EU, which included 162 replies from citizens; 186 contributions from industry actors; 40 public authorities, including competent authorities which enforce the ePrivacy Directive at national level; 33 contributions from civil society associations. The largest number of respondents came from Germany (25.9%), UK (14.3%), Belgium (10%) and France (7.1%).
The third edition of The Privacy, Data Protection and Cybersecurity Law Review appears as the world is converging on more privacy laws that cover more areas of business and are subject to more enforcement. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication.
After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.
On December 19, 2016 the Joint Committee of the European Supervisory Authorities (“ESAs”) launched a public consultation (the “Consultation”) on the potential benefits and risks of Big Data for consumers and financial firms to determine whether any regulatory or supervisory actions will be required. The ESAs are three EU-wide supervisory authorities, the European Banking Authority (“EBA”), European Securities and Markets Authority (“ESMA”) and the European Insurance and Occupational Pensions Authority (“EIOPA”).
On October 25, 2016 the European Commission (the “Commission“) adopted its 2017 Work Programme (the “Work Programme”) which sets out what the Commission intends to do over the next 12 months. The Work Programme is the third to be presented under Jean-Claude Junker’s presidency of the Commission and will also be the first Work Programme to be adopted following consultation with the European Parliament (the “Parliament“) and the European Council (the “Council“).
The future of privacy and cybersecurity under President-elect Trump – with a Republican-controlled House and Senate – is far from certain, but his campaign comments indicate an emphasis on robust cybersecurity, perhaps with more openness to both offensive as well as defensive initiatives.
On Oct. 19, the Board of Governors of the Federal Reserve System (the Board), the Office of the Comptroller of the Currency (the OCC) and the Federal Deposit Insurance Corporation (the FDIC, and collectively with the Board and the OCC, the Agencies) issued a joint advanced notice of proposed rulemaking (ANPR) inviting comment regarding enhanced cyber risk management standards for large and interconnected entities under their supervision and those entities’ service providers. As financial technology continues to advance, the largest, most complex financial institutions have relied more and more on technology to carry out their banking activities and to provide critical services to the financial sector and the U.S. economy. In the event of a cyber attack on a covered entity, the ANPR is intended to enhance the covered entity’s ability to continue to function and to reduce the overall impact on the financial system resulting from interconnectedness.